Monday, June 24, 2013

Canadian federal government needs to get its own privacy house in order

No big surprise, but the Federal Privacy Commissioner, Jennifer Stoddart, has found that the federal government is seriously lacking as far as dealing with data breaches is concerned. Incomplete data produced by the government shows more than 3,000 breaches over ten years, affecting three quarters of a million Canadians. (And I'm sure this is just the tip of the iceberg.)

From the Canadian Press:

Poor data-breach tracking, reporting concerns federal privacy commissioner - Yahoo! News Canada

OTTAWA - Canada's privacy czar has singled out several federal departments for their lacklustre approach to data breaches, citing a need for better reporting, security and tracking protocols.

Privacy commissioner Jennifer Stoddart's office has compiled a preliminary list of agencies with potentially worrisome patterns when it comes to the loss of Canadians' personal information.

The analysis is based on departmental figures tabled in Parliament in April in response to a question from New Democrat MP Charlie Angus. The response indicated there were more than 3,000 data breaches over a 10-year period affecting about 725,000 Canadians.

Upon crunching the numbers, the privacy commissioner identified nine departments and agencies that may lack adequate reporting mechanisms, have faulty security procedures or require improved tracking protocols.

Stoddart's staff cautions that the figures paint a statistical picture but do not shed full light on the kind of data involved in the breaches.

Still, the office says two departments — Fisheries and Oceans and Public Safety — "may lack adequate reporting mechanisms" for alerting the privacy commissioner of a data loss.

Fisheries reported three breaches affecting 73 people between 2002 and 2012. However, for the same period there were actually 12 lapses affecting 4,690 individuals.

None of the 28 breaches that occurred at Public Safety after 2009 was reported, says the privacy commissioner.

"A cursory comparison between institutions indicates that they do not seem to have a consistent method for reporting breaches," say notes prepared by Stoddart's office. "Some systematically report breaches, others almost never."

Institutions that "may have systematic issues in safeguard and security protocols" are Citizenship and Immigration, Passport Canada, the Correctional Service, the RCMP, the Parole Board and Veterans Affairs.

Citizenship and Immigration had 161 breaches in 2012 alone, while the passport office had 131 incidents in 2011-12, said the commissioner.

Finally, the Canada Revenue Agency was not able to present any data, suggesting a "deficiency in tracking and auditing."

The difficulty with federal data breaches is not new, Stoddart said in an interview. "We know it's a systemic problem. We've seen it for years," she said. "So I think a positive action on the part of the government to strengthen education about it, prevention, follow-up and so on, would be the way to go."

The commissioner's office points out that while the federal Treasury Board has published guidelines for privacy breaches, they simply recommend — not require — that institutions notify the commissioner of certain kinds of breaches.

They include ones that involve sensitive personal data such as financial or medical information, can result in identity theft, or might otherwise harm or embarrass a person, damaging their career, reputation or well-being.

"Conversely, this means that there are a number of breaches that are not deemed to be serious enough to warrant notification to our office," say the notes. "We can presume that this may partially explain the vast number of unreported breaches."

During a recent meeting, Stoddart urged Treasury Board President Tony Clement to amend the privacy law to make reporting of federal data losses mandatory.

"It was a very positive meeting," Stoddart said. "Minister Clement seemed very concerned about the question of data and very interested in ways of strengthening data breach awareness, I'd say, and proactive work to minimize data breaches."

However, she said Clement "made no commitments" about enshrining mandatory reporting. Andrea Mandel-Campbell, a spokeswoman for Clement, said Monday that the minister is taking Stoddart's comments "under consideration."

Angus says a "complete overhaul" of reporting procedures is needed. "Every breach must be reported to the privacy commissioner," he said Monday.

Government must also ensure Stoddart's office has the resources to investigate lapses and powers to effectively police both federal agencies and private companies that lose data, he said.

"She has to have the tools that she needs to protect privacy."

After Human Resources and Skills Development lost the personal information of more than half a million people who took out student loans, Angus's NDP colleague, digital issues critic Charmaine Borg, tabled a motion in February requesting a House of Commons committee study mandatory breach notification. It was defeated.

Monday, June 10, 2013

Canadian Treasury Board sets new privacy breach notification policy, but only for itself

This is interesting: The organization in the Canadian federal government -- the Treasury Board -- which sets the IT and privacy policies for the entire government is implementing a privacy breach notification policy only for itself. Treasury Board will soon have to report any privacy breaches to the Privacy Commissioner, but other departments will still be able to set their own policies, according to the Ottawa Citizen: Under new policy Treasury Board will be required to report every data breach to privacy commissioner.

It's a start, but still a bit of a head scratcher.

Don't forget that Canada is in the national security / surveillance business as well

For those Canadians whose eyes have been focused south of the border over the past few days, following the revelation of the Verizon court order and speculation about the PRISM program, it's worth remembering that Canada is in the national security / surveillance business as well.

Canada has a "Canada Patriot Act" in the form of the Anti-Terrorism Act, which amended the CSIS Act and the National Defence Act (read Part V.1). Canada has an equivalent of the American Foreign Intelligence Surveillance Court, established under the CSIS Act. In addition, Canada's Communications Security Establishment is part of the Five Eyes signals intelligence community.

This article from today's Globe & Mail is worth a read, as it lays out Canada's own "metadata collection": Data-collection program got green light from MacKay in 2011 - The Globe and Mail.

Michael Geist has a great overview of this topic in his recent post "Why Canadians should be demanding answers about secret surveillance programs".

Thursday, June 06, 2013

BC Court finds that former employer is primarily responsible for patient records, not the departing therapist

In an interesting case from British Columbia (Synergy Counselling v. Dunvegan Enterprises, 2013 BCPC 101 (CanLII)) involving a dispute between a therapist and her employer, the Provincial Court had an opportunity to consider who has primary responsibility under the Personal Information Protection Act for patient files.

The therapist was an employee of the company and asserted that she had primary responsibility for the patient files because of the patient-therapist relationship. The Court disagreed, and its reasoning generally affirms the prevailing view that when a person is employed to provide healthcare services to others, the employer is the primary custodian of the resulting records:

[104] The Defendant expressed the view that the Claimant took the files for an improper purpose and that it was part of the Claimant’s attempt to “steal” a counselling practice from the Defendant.

[105] Both parties asserted a primary responsibility for the protection of personal information contained in the files under the provisions of the Personal Information Protection Act, [SBC 2003] Ch. 63. Both parties referred to provisions in the Act.

[106] The purpose of the Act is found in s. 2:

2 The purpose of this Act is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

[107] Sections 4 and 34 provide as follows:

4 (1) In meeting its responsibilities under this Act, an organization must consider what a reasonable person would consider appropriate in the circumstances.

(2) An organization is responsible for personal information under its control, including personal information that is not in the custody of the organization. ….

34 An organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.

[108] The Act requires that organizations exercise reasonable care in fulfilling their obligations with respect to the protection of personal information under their control. The Act, however, does not assist in determining who, in these circumstances, should exercise that control.

[109] In McInerney v. MacDonald 1992 CanLII 57 (SCC), [1992] 2 S.C.R. 138 the Supreme Court of Canada affirmed the common law position that although a medical file itself may be owned by a physician, the patient has a continuing equitable interest in the medical information contained within it. A patient, as a general rule, is entitled to access the medical information in her records and to inspect and copy that information. This broad principle will have application to other clinical records, such as the counselling records concerned here.

[110] It seems clear that clients who attended the KCT offices to obtain counselling services, signed KCT file opening documents, paid accounts rendered to them by KCT and received KCT receipts, no doubt understood themselves to be clients of KCT rather than of the particular counsellor they saw. These clients would reasonably have expected that their files would remain within the KCT offices or otherwise under KCT control unless other arrangements had been agreed.

[111] I’m satisfied that these client files properly belonged to KCT and not to the individual therapist, notwithstanding the therapist’s obligation to hold information in confidence. That personal undertaking did not by itself confer ownership or a right to permanent possession of the file by the therapist concerned.

[112] As for the requirements of the Personal Information Protection Act, there is no suggestion that the Defendant was not meeting its obligations under the Act. On the assumption that the Claimant and Ms. Schell also had obligations under the Act, those obligations would have been reasonably discharged by leaving the KCT files in the custody and control of their owner, the Defendant.

[113] In the absence of any agreement between the parties or their clients regarding file storage, there will be an order that all files removed from KCT offices by the Claimant shall be returned to KCT, provided that the Claimant may retain the files of those KCT clients who have since become clients of Synergy or who have otherwise requested in writing that Synergy maintain their records.

Privacy Commissioner of Canada tables annual report on private sector privacy law

The Privacy Commissioner of Canada has today tabled her annual report to Parliament on the private sector privacy law that she oversees. The report can be found here: Annual Report to Parliament 2012 - Report on the Personal Information Protection and Electronic Documents Act.

Here's her media release:

Privacy Commissioner stresses significance of online reputation and business accountability in digital age

Annual report tells tales of rental laptops that spied on users, the response to a teen smeared by a social network imposter and a dating site that left sensitive health data vulnerable.

OTTAWA, June 6, 2013 – Privacy Commissioner Jennifer Stoddart today released the Office of the Privacy Commissioner’s (OPC) annual report on the Personal Information Protection and Electronic Documents Act (PIPEDA) for 2012, which details investigations affecting individual online reputation and the growing importance of organizational accountability. This is the Commissioner’s last PIPEDA annual report before the end of her mandate and it underlines the need for changes to the law to bring it up to speed with today’s rapidly changing, digitally driven times.

“As in previous years, our annual report outlines some significant achievements as investigations led to improved privacy practices among businesses,” said Commissioner Stoddart.

“Such changes, however, often came only after long investigative and follow-up processes, and therefore at significant costs. Canadians would be better served by a law that motivates organizations to put privacy considerations up front, rather than the current situation where we’re left to trigger a mop-up after privacy is violated.”

Leering laptops

The report details the outcome of a Commissioner-initiated complaint against a Canadian franchisee of rent-to-own company Aaron’s Inc. “Detective Mode” software was installed onto its rented laptops, enabling the collection of data, including key strokes, screen shots and web cam photos without user knowledge.

While installing the software was intended to recover lost or stolen laptops, the OPC found that the extreme measure wasn’t justified, given the egregious and disproportionate loss of privacy for its clients. The franchisee agreed to delete what the software collected, and the company committed to never again using this type of tool.

Facebook fakery

This year’s report also includes the story of a teen whose reputation was imperiled by a fake Facebook account being set up in her name. She was not a Facebook member, but many of her real life friends were. They “friended” the impostor account and then received a barrage of inappropriate comments.

The teen’s mother complained to the OPC and demanded Facebook delete the account. Upon determining the account was indeed a fake, the company promptly deleted it. The teen’s reputation though remained at risk as those who had been “friended” by the account were not notified of it being a fake. As a result following negotiations with the OPC, Facebook agreed to implement a new process moving forward to help non-users notify individuals “friended” by imposter accounts.

Information on singles with STDs unprotected

The report also details our investigation into complaints by members of a dating web site for people with sexually transmitted diseases called PositiveSingles.com. They alleged that, unbeknownst to them, their profiles, including personal information detailing their individual health status, were stored in a database accessible by a wider network of affiliated sites. The investigation concluded that PositiveSingles and its parent company, SuccessfulMatch, failed to openly and clearly explain to prospective members how and to whom their personal information would be visible and disclosed. SuccessfulMatch then made changes to the web site to make its information handling practices more transparent, including informing prospective members of the broad visibility of profiles at the point of registration.

Overall, 2012 saw 220 complaints accepted by the OPC, down from 281 the previous year. The OPC also completed 145 formal investigations in 2012, marking a 21-percent increase from the year before, while also realising a 12-percent reduction in the time it took to resolve formal investigations.

Friday, May 24, 2013

Canadian Privacy Commissioner calls for significant overhaul of country's privacy laws

Today, at the International Association of Privacy Professionals Canadian conference, the Canadian Privacy Commissioner unveiled her proposals for significant privacy law reforms. Some of this is not very surprising, but there were some unexpected elements.

The full release is here: New privacy challenges demand stronger protections for Canadians - May 23, 2013 and her speech to the conference can be found here: Looking back – and ahead – after a decade as Privacy Commissioner of Canada. The full discussion paper of her proposals is here: The Case for Reforming the Personal Information Protection and Electronic Documents Act.

In a nutshell, here's what she is calling for along with some of my unsolicited comments:

Stronger enforcement powers: Options include statutory damages to be administered by the Federal Court; providing the Privacy Commissioner with order-making powers and/or the power to impose administrative monetary penalties where circumstances warrant. <- It is very interesting that she is putting forward a range of options rather than advocating one position.

Breach notification: Require organizations to report breaches of personal information to the Privacy Commissioner and to notify affected individuals, where warranted. Penalties should be applied in certain cases. A recent poll found that virtually all Canadians – 97 percent – would want to be notified of a breach involving their personal information. <- This is a bit of a no-brainer, as long as there is no requirement to notify of inconsequential breaches that would have no effect on individuals.

Increase transparency: Add public reporting requirements to shed light on the use of an extraordinary exception under PIPEDA which allows law enforcement agencies and government institutions to obtain personal information from companies without consent or a judicial warrant for a wide range of purposes, including national security; the enforcement of any laws of Canada, provinces or foreign countries; or investigations or intelligence-gathering related to the enforcement of these laws. <- I think this is a great idea. Leaders in transparency, such as Google, are already providing information such as this and Canadians should know to what extent governments and law enforcement are seeking information without a warrant.

Promote accountability: Amend PIPEDA to explicitly introduce “enforceable agreements” to help ensure that organizations meet their commitments to improve their privacy practices following an investigation or audit. <- This is an interesting proposal. I think I'll need to reflect on it a bit more before arriving at an opinion.

I expect all of this will fall on deaf ears in Ottawa, as the federal government has no appetite for any privacy law reforms.

Tuesday, May 21, 2013

It's an honour to be nominated: Top 25 Most Influential Lawyers in Canada 2013 Survey

Somehow, I've been nominated by Canadian Lawyer Magazine for inclusion in their annual Top 25 Most Influential Lawyers in Canada. It is truly an honour, particularly when I look at the other nominees. My category includes Michael Geist and other categories include my law partner Jack Innes QC and Professor Wayne MacKay of Dalhousie Law School. I was also delighted to see Fred Headon of Air Canada and my law school classmate, Kristi Taylor on the list.

The full list of nominees and the survey is here if you want to check it out and perhaps share your views: Top 25 Most Influential Lawyers in Canada 2013 Survey.

Tuesday, May 14, 2013

The Canadian government is likely the greatest threat to the privacy of Canadians

In case there was any doubt, the Canadian government is likely the greatest threat to the privacy of Canadians. Michael Geist does a great job in summing up the issue in one of his latest columns.

Michael Geist - Your Information is Not Secure: Thousands of Government Privacy Breaches Point to Need for Reform:

As Canadians focused last week on the aftermath of the Boston Marathon bombing and the RCMP arrests of two men accused of plotting to attack Via Rail, the largest sustained series of privacy breaches in Canadian history was uncovered but attracted only limited attention. Canadians have faced high profile data breaches in the past - Winners/HomeSense and the CIBC were both at the centre of serious breaches several years ago - but last week, the federal government revealed that it may represent the biggest risk to the privacy of millions of Canadians as some government departments have suffered breaches virtually every 48 hours.

The revelations came as a result of questions from NDP MP Charlie Angus, who sought information on data, information or privacy breaches in all government departments from 2002 to 2012. The resulting documentation is stunning in its breadth.

Virtually every major government department has sustained breaches, with the majority occurring over the past five years (many did not retain records dating back to 2002). In numerous instances, the Privacy Commissioner of Canada was not advised of the breach.

Some of the most vulnerable departments are those that host the most sensitive information. For example, Citizenship and Immigration Canada suffered 161 breaches in 2012 - more than three per week - affecting hundreds of people. The department only disclosed the breaches to the Privacy Commissioner of Canada on five occasions.

Human Resources and Skills Development Canada famously suffered a massive breach last year - 588,384 individuals were affected - but less well known is that the department has had thousands of other breaches over the past few years. In 2007, a breach affected 28,651 people, yet the Privacy Commissioner of Canada was not informed and the department is unsure of whether the breach resulted in criminal activity.

Virtually no department has been immune to security breaches with nearly 100,000 individuals affected by breaches at Agriculture and Agri-Food Canada since 2008, almost 5,000 individuals hit at Fisheries Canada with no reporting to the Privacy Commissioner of Canada, and just under 200 breaches at the RCMP affecting an unknown number of people.

If a similar situation occurred involving a major Canadian bank, retailer, or telecom company, there would be an immediate outcry for tougher rules on mandatory disclosure of security breaches. Yet the federal government plays by different rules, with no liability and no legal requirements to disclose the breaches.

Successive federal privacy commissioners have urged the government to reform the badly outdated Privacy Act to at least hold government to the same privacy standard that it expects from the private sector. But those calls for reform have been repeatedly ignored.

Most recently, Privacy Commissioner of Canada Jennifer Stoddart identified twelve seemingly uncontroversial reforms, including strengthening annual reporting requirements by government departments, introducing a provision for proper security safeguards for the protection of personal information, and creating legislated security breach notification requirements. None of the recommendations have been implemented.

In fact, Canadian privacy failures dot the legislative landscape. Bill C-12, the Canadian private sector privacy bill intended to implement reforms that date back to hearings conducted in 2006 lies dormant in the House of Commons. A review of the private sector privacy law that was required by law in 2011 has seemingly been forgotten. Anti-spam legislation passed in 2010 and touted as a key part of the government's cybercrime strategy is stuck as Industry Minister Christian Paradis dithers on the applicable regulations.

No institution has greater access to the personal information of Canadians than the federal government. The public entrusts it to keep their information secure and to take all appropriate action should a security breach occur. The latest revelations indicate that the failure to live up to that trust is spread across virtually all government departments and to the political leaders that have failed to introduce much-needed legislative privacy safeguards.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

Monday, May 06, 2013

Nova Scotia anti-cyberbullying bill is on the fast track

It really would appear that the new Nova Scotia anti-cyberbullying bill is on the fast track (or is being jammed through the legislature). It was introduced on April 25, debated on April 26, then sent to committee. It has been on the Law Amendments Committee agenda on May 2, 3, and 6.

Some are speculating that it'll be passed and proclaimed within a few days.

Here's the official status of the Bill: Status of Bills / Bills, Statutes, Regulations / Proceedings / The Nova Scotia Legislature.

Friday, May 03, 2013

Reddit revises its privacy policy and invites comments in reddit style

The social news site, reddit.com, has revised its privacy policy. Though the new policy doesn't go into effect until May 15, 2013, the site has invited redditors to comment on it in true reddit style. Thousands of comments have been submitted and the author of the policy, Lauren Gelman, has been responding to the comments and making revisions in response.

Check out the discussion: reddit's privacy policy has been rewritten from the ground up - come check it out : blog.

As a privacy lawyer, I found the discussion to be very interesting, since you don't often get such a direct understanding of how different people approach these documents.