#CyberFLASH: Financial players weigh risks of digital relationships in Canada’s consent-based compliance regime

How is it that you can ever truly know someone?

That’s the question that various members of the financial sector asked today at a roundtable event hosted by ITWC and sponsored by Equifax Inc.

The relationship between business and customer used to be easy – when someone wanted to open up an account, they walked into a branch. Pen was put to paper and the organizational relationship with the customer came with the warmth offered by a firm shake of the hand and good eye contact. When that’s replaced by the cold transactional endpoint offered by an ATM, or a web portal, can that same relationship still be maintained?

Everyone is trying to balance the mix of traditional channels of communication with the customer with the newer digital options available to them, says Chris Briggs, the chief marketing officer at Equifax. “Whether it’s someone that can answer the phones or someone that’s at the branch, combined with the ability to personalize through digital channels.”

Financial institutions are collecting “cold, impersonal” data about their customers and even prospective customers, said Jim Love, chief content officer at ITWC and host of the roundtable event. But people want to be treated with a personal touch, and in a way that does not leave them feeling their consent wasn’t considered.

At one credit union with several branches throughout Ontario, business leaders are working on the goal of issuing more personal loans to their members. The opportunity to cross-sell their members on more of their services is a driving reason behind looking at the digital channel as a way to increase their wallet share.

Even with an older demographic, at least 20 per cent of the customer base is accessing the credit union’s digital channels, a marketing manager shared.

“How do we get them onto our platform and off of other people’s platforms?” he asked. “That’s our problem.”

Concerns with consent

But the credit union was concerned about the type of consent it had from its clients and what that allowed it to do to market other products to them. It seemed the more that was done to protect themselves as an institution from a regulatory standpoint, the harder it was to understand from a customer point of view.


#CyberFLASH: Privacy Commissioner Targets IoT Health Devices in Sweep


What rumours is your fitness tracker spreading about you? In its latest Internet of Things themed sweep, the Office of the Privacy Commissioner of Canada reviews what personal information is being collected about Canadians by “smart” health and fitness devices.

Many of us will remember Time Magazine’s audaciously titled September 2013 issue, which splashed the following headline across its cover page: “Can Google Solve Death?”

At the time, there were more than a few skeptics who might have dismissed Google’s investment in Calico, a biotech subsidiary, as another moonshot investment by the tech giant or as part of a long-term expansion strategy.

Fast-forward less than three years. Regulators continue to play catch-up with the burgeoning industry at the intersection of data analytics and user-generated personal health data. The ballooning number of connected devices that make up the so-called internet of things (“IoT”) has accelerated in scale at a heart-clutching rate. The Office of the Privacy Commissioner of Canada (“OPC”) quotes estimates that, by 2020, there will be between 20 and 30 billion connected devices.[1] While devices that generate data specific to the function and use of the human body represent a subset of these devices, it is hard to deny the growth in the sophistication and potential use (and misuse) of the datasets generated from users’ health and biometric data.

Connected health technology has come a long way since the days of telephonic medical alert systems infamously portrayed in infomercials featuring “help, I’ve fallen” pushbutton necklaces. While application driven smart-phones, watches and fitness wearables are top of mind, the healthcare industry has adopted a range of smart devices that quietly gather and amass a steady stream of data about their users: baby monitors, respiratory and glucose meters, scales, pillboxes, thermometers, contact lenses, heart-monitors, and even band-aids are but a few of the previously inert devices that have become IoT-enabled. For individual consumers, health practitioners, and public health officials, there are extremely compelling use cases to prevent regulatory authorities from stifling the innovation in this sector. For individual patients and clinicians, the devices open what was previously a black-box allowing insight into the lives of individuals outside a clinical setting. The data gathered will enable the healthcare industry to open new service lines focusing on early detection and intervention as well as ongoing health monitoring. Similarly, public health authorities can benefit from large-N data-mining that could potentially offer new insights into determinants of disease, healthy aging processes, and general population wellness.


#CyberFLASH: Privacy enforcement chiefs bringing IoT in for a few questions

The Global Privacy Enforcement Network (GPEN) is putting the Internet of Things (IoT) world in its crosshairs during its 2016 global privacy “Sweep.” The group – a worldwide union of national privacy and law enforcement agencies seeking to tackle transnational privacy and data security issues – said they plan to vet all sorts of manufacturers on data privacy and security practices to see what issues, if any, are prevalent in this new connected industry.

It comes at the perfect time, as more homes and businesses start to adopt IoT devices and platforms. Knowing the potential privacy issues that companies could be neglecting will make the industry as a whole safer and more secure, if IoT developers and manufacturers fix any issues identified in the GPEN report.


“Connected devices, such as fitness trackers, smart scales, sleep monitors and other health related products, are capable of capturing some of our most intimate data,” said commissioner Daniel Therrien, for Canada’s Office of the Privacy Commissioner (OPC), a member agency of GPEN.

“Given the sensitivity of the information, it is imperative that the companies behind such devices are transparent about what they collect, how the information will be used and with whom the data will be shared. I’m pleased the Sweep will focus on this important area under the Internet of Things banner,” he said.


#CyberFLASH: Privacy watchdog to study impact of personal Internet devices

Connected devices that can track our behaviour and surroundings – often collectively referred to as “The Internet of Things” – have the potential to make our lives more convenient and efficient, and even improve our health. But when those things are tracking us, they are also collecting a great deal of information about our location, shopping habits and other extremely personal details.

As the market for such connected devices grows, the Office of the Privacy Commissioner (OPC) of Canada announced Monday that it is joining a global study of their privacy implications.

The Global Privacy Enforcement Network – which is a joint effort among privacy organizations in many countries including the United States, the United Kingdom, members of the European Union, China, and others – is co-ordinating a worldwide “privacy sweep,” examining connected devices. Canada’s contribution, which will take place this week, will look at health devices such as sleep monitors and fitness trackers. The results will be announced in the fall.

“The Internet of Things” is a buzzed-about phrase that actually covers a wide range of technologies, including Internet-connected cars; “smart” TVs that connect to the Internet and sometimes include voice and gesture recognition; exercise trackers; home security systems; smart meters that monitor energy use in homes; and safety devices to allow elderly or disabled people to contact a caregiver if help is needed, provide medication reminders, and detect falls or other mishaps.


#CyberFLASH: Holding The Black Bag: Personal Health Information And Bankruptcy Proceedings

A recent decision of the Ontario Information and Privacy Commissioner (OPC) highlights the potentially broad application of the Personal Health Information Protection Act (PHIPA).1

The vast majority of PHIPA’s obligations are imposed upon “health information custodians” – those individuals and organizations that collect information from patients – doctors, clinics and hospitals.2 But what happens when the custodian goes bankrupt? The recent decision in Viterna Health Centre Inc. indicates that whoever is left in possession of the information is “it”. This could potentially affect a number of unsuspecting commercial parties.

A copy of the decision can be found here.

Where did all the health information custodians go?

The Viterna case involved a number of health clinics that closed their doors and entered bankruptcy proceedings. The problem, however, was that the companies running the clinics simply left patient records in boxes, in the leased premises across Toronto. While under bankruptcy proceedings, the companies were no longer allowed to conduct any business and were subject to a stay under the Bankruptcy and Insolvency Act (BIA).3 The result was that the clinics avoided responsibility for securing the records.

In November 2015, the OPC issued a Notice of Review to the clinics’ former landlords and trustee in bankruptcy, asking for representations about a potential order to secure the records. As it made clear in its decision, the OPC’s concern was that “the Records were at imminent risk of being lost, destroyed, disclosed, or disposed of in contravention of [PHIPA]…” 


#CyberFLASH: New airline passenger vetting could amount to racial profiling: watchdog

The federal border agency’s new system for scrutinizing incoming air passengers could open the door to profiling based on race or other personal factors, warns Canada’s privacy czar.

Privacy Commissioner Daniel Therrien is pressing the Canada Border Services Agency to explain the program’s rationale and build in safeguards to protect civil liberties.

Canadian law requires commercial airlines to provide the border agency with specific information about passengers flying to Canada, including name, birthdate, citizenship, seat number and other data.

For years the border agency has used the information to try to zero in on terrorists or other serious international criminals. Travellers are assessed for risk, allowing the agency to single out those with high-risk scores for closer examination at the airport.

The border agency is moving to a system known as scenario-based targeting, already used by the United States, as part of Canada’s commitment to work closely with Washington under a perimeter security pact forged in 2011.

The border agency says the new scheme will be more efficient, effective and accurate, directing the focus to a smaller segment of the travelling population who represent a potential high risk.

The new scenario-based method uses Big Data analytics — extensive number-crunching to identify patterns — to evaluate all data collected from air carriers, says Therrien’s office, which reviewed the border agency’s privacy impact assessment of the project.


#CyberFLASH: There Has Been a ‘Sea Change’ in Privacy Rights in Canada, Warns Watchdog


The man tasked with defending Canadians’ personal information, once decried as a government stooge, directly chastised the federal government over its efforts to track and surveil Canadians — and recommended that the new government put safeguards on how the government uses “big data” to spy on its citizens.

In his annual report, Daniel Therrien, the Privacy Commissioner of Canada, looked at three pieces of legislation, writing that “taken together, these initiatives have resulted in what can only be described as a sea change for privacy rights in Canada.”

The first, C-44, allows Canadian spies to operate abroad and gives them more ability to obtain information without disclosing its origins; the second, C-13, creates new legal authority for cops and public servants to obtain Canadians’ personal data without a warrant; and the third, C-51, is the anti-terrorism legislation that opens the door for wide new intelligence-gathering and sharing.

All three bills, which are now law, were introduced by the Conservatives, but supported by the Liberals.

The Liberals have said they will change aspects of C-51, but have said little about the other two pieces of legislation.

In his report, released last week, Therrien recommended fixes for each bill — that the government include language to prevent CSIS from obtaining and using data that has been obtained through torture; that the law be updated to clarify when police are allowed to obtain Canadians’ data from their internet or cellphone companies without a warrant; and that legislation be introduced to toughen protections for Canadians’ privacy when departments want to share their information.

C-51 especially raised the ire of the commissioner.


© 2013 CyberTRAX Canada - All Rights Reserved.