#CyberFLASH: Warrantless access to internet subscriber data OK sometimes, privacy czar says

The federal privacy czar says there are instances when police may not need a warrant to obtain “very limited sets” of internet customer information.

There could be a way to meet at least some law-enforcement demands for warrantless access to information while respecting a key Supreme Court of Canada ruling, privacy commissioner Daniel Therrien said in an interview.

In June last year, the Supreme Court ruled police must have a judge’s authorization to obtain customer data linked to online activities.

The high court rejected the notion the federal privacy law governing companies allowed them to hand over subscriber identities voluntarily.

Police say telecommunications companies and other service providers — such as banks and rental companies — now demand court approval for nearly all types of requests from authorities for basic identifying information.

The Supreme Court judgment came amid mounting public concern about authorities quietly gaining access to customer data with little independent scrutiny.

Read more here

#CyberFLASH: Privacy commissioner’s recommendations for B.C. government on access requests

VICTORIA — British Columbia’s privacy commissioner has issued a highly critical report of the government’s freedom-of-information practices. Elizabeth Denham said her investigation uncovered major issues in the FOI process and that immediate action is needed. Here is a list of her 11 recommendations:

— The Ministry of Transportation should release the 36 pages of records initially identified in an applicant’s request that set off the investigation. The request was for records related to missing women along B.C.’s so-called Highway of Tears.

— Government should develop an hourly, daily and monthly backup of data and monitor compliance.

— The Ministry of Advanced Education should release records connected to an FOI request for emails sent by the chief of staff to Minister Amrik Virk.

— Executives in the Office of the Premier should change their access to information process to ensure requests for records are communicated by email in a timely manner and properly documented.

— Government should clarify access requests with applicants where necessary to ensure it does not interpret requests too narrowly.

Read more here

#CyberFLASH: How To Discipline Cyber-Snooping Employees


In a digitized world, it can be all too easy for unauthorized employees to access confidential information in the workplace, as recent breaches at the Saskatchewan Cancer Agency and some Ontario hospitals have shown. Employers should be prepared to take appropriate disciplinary action against employees who snoop into personal information. In some instances, termination of employment may be appropriate. To minimize liability for wrongful dismissal claims, employers should take careful steps to prevent snooping in the first place and be ready to investigate and discipline employees appropriately if an incident occurs.

Privacy Commissioner: Consider Firing Employees with Prying Eyes

Employers will welcome the comments of Saskatchewan Privacy Commissioner Ron Kruzeniski, who recently took a strong stance against snooping workers, after two employees at the Saskatchewan Cancer Agency were disciplined for prying into the health records of 48 people. Health information should only be accessed by staff caring for patients, and even then, only on a need-to-know basis. The agency learned of the breaches in May and conducted an investigation. The employees were asked why they had looked at the records, but no explanations were forthcoming.

“In extreme cases, I think the firing option should be considered” when an employee pokes their nose where it doesn’t belong, Kruzeniski said. He noted, however, that the “circumstances of each case are also very relevant”. For example, unintentional access may occur when names are mis-typed.

An Ounce of Prevention

Cyber-snooping should be taken seriously, and termination of employment may indeed be appropriate in serious cases. To minimize liability for wrongful dismissal claims, employers should take careful steps to prevent snooping in the first place and be ready to investigate and discipline employees appropriately if an incident occurs. By making it clear that snooping will not be tolerated, an employer may both decrease the incidence of snooping and strengthen their case for appropriate employee discipline if the rules are broken.

Consider taking the following steps:

Read more here


#CyberFLASH: Canadian Government Amends and Strengthens PIPEDA, Adding Breach Notification Requirement and Filling Other Gaps

Just prior to recessing for the summer, the Canadian government enacted the Digital Privacy Act. It includes a number of targeted amendments to strengthen existing provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), but falls short of providing the Privacy Commissioner of Canada (Commissioner) with direct enforcement powers, as some stakeholders—including the former Commissioner—had proposed.

The Digital Privacy Act was introduced in April 2014 as part of the government’s “Digital Canada 150” strategy. While it was touted as providing new protections for Canadians when they surf the web and shop online, there is nothing that is particularly “digital” about the bill, which will equally affect the bricks and mortar, paper-based world.

Of particular note, the Digital Privacy Act creates a duty to report data breaches to both the Privacy Commissioner and to affected individuals “where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” Failure to report data breaches in the prescribed manner could result in fines of up to $100,000 for non-compliant organizations. While the majority of the new law is currently in force, the provisions relating to breach notification have yet to be proclaimed in force by the government.

Once in force, the mandatory breach-reporting regime will bring the federal law into alignment with many international laws, as well as with Alberta’s own Personal Information Protection Act, which has had a breach notification provision since 2009. However, unlike the Alberta law, the Digital Privacy Act would also require organizations to maintain records of all data breaches involving personal information under their control—even if they do not require reporting to the Commissioner or to affected individuals—and to provide these records to the Commissioner on request. Failure to comply with these requirements could also result in a fine of up to $100,000.

Read more here

#CyberFLASH: How the budget bill quietly reshapes privacy law: Geist

A budget implementation bill is an unlikely — and many would say inappropriate — place to make major changes to Canadian privacy law. Yet Bill C-59, the government’s 158-page bill that is set to sweep through the House of Commons, does just that.

The omnibus budget bill touches on a wide range of issues, including copyright term extension, and retroactive reforms to access to information laws. But there are also privacy amendments that have received little attention.

In fact, the Privacy Commissioner of Canada was not even granted the opportunity to appear before the committee that “studied” the bill, meaning that privacy was not discussed nor analyzed (the committee devoted only two sessions to external witnesses for study, meaning most issues were glossed over).

The bill raises at least three privacy-related concerns. First, the retroactive reforms to access to information, which are designed to backdate the application of privacy and access to information laws to data from the long-gun registry, have implications for the privacy rights of Canadians whose data is still contained in the registry. By backdating the law, the government is effectively removing the privacy protections associated with that information.

Second, the government plans to expand its collection of biometric information, including fingerprints and digital photos, to visitors from 150 countries. The law currently applies to 29 countries and one territory, meaning this constitutes a massive expansion in the amount of personal data the government collects.

Read more here

#CyberFLASH: Canada joins global sweep of kids’ online privacy

Sometimes it can seem that kids are more digitally savvy than the adults around them. Children are playing games on mobile devices, watching videos online, and exploring various websites. But are those apps and websites taking enough precautions to protect children’s privacy?

That’s the question at the heart of a global investigation taking place this week involving privacy organizations in 21 countries, including the Office of the Privacy Commissioner of Canada (OPC).

These organizations will be examining the apps and websites that are most popular among children in each country. (In Canada, “children” means those under age 12, though this may differ in some places.)

Investigators will be looking at whether apps and sites gather personal information on kids, and if they do, whether that information is limited to what’s necessary (to create an account, for example). They will also examine whether the apps and sites prompt users to involve a parent or guardian in any registration process; and whether they take measures to make privacy policies understandable to kids. That means not just using simple language, but also using graphics or even animated characters to guide them through the information and to encourage parental involvement.

The sweep, which began Monday and runs through Friday, was initiated by the members of the Global Privacy Enforcement Network, and includes countries such as the United States, the United Kingdom, China, Germany, France and Mexico.

Read more here

#CyberFLASH: Privacy Commissioner announces funding for independent privacy research

GATINEAU – Independent research and knowledge translation projects supported through the Office of the Privacy Commissioner of Canada’s 2015-2016 Contributions Program will explore a wide range of emerging privacy issues, such as fitness tracking devices, lawful access and children and privacy policies.

“The projects selected this year will help build a greater understanding of new risks to privacy and also provide individuals and organizations with information about how to better protect personal information in a constantly evolving environment,” says Privacy Commissioner of Canada Daniel Therrien.

The Commissioner also announced today that the Contributions Program has been renewed for another five years following an independent evaluation of the Program.

“The Contributions Program is considered to be one of the foremost privacy research funding programs in the world and has made a significant contribution to developing privacy knowledge in Canada and beyond. We are very pleased that the Program will continue to support this important work,” says Commissioner Therrien.

The Contributions Program funds not only research but also its application in ways that have a real impact on Canadians. Some examples of this year’s projects include:

Privacy and fitness tracking devices – This project will examine the relationship between the data collection and transmission practices of fitness tracking devices, the cloud services they integrate with, and how third parties may access their personal information from the providers of these services.

Lawful access – This project will explore the implications of the Edward Snowden revelations regarding the relationships between government signals intelligence authorities and private sector telecommunications companies over access to and sharing of metadata and private communications.

Read more here

#CyberFLASH: Why Bell’s opting-out approach isn’t good enough

Bell’s targeted advertising program, which creates customer profiles that include age, gender, account location, credit score, pricing plan, and average revenue per user, generated controversy from the moment it was announced in October 2013. The communications giant maintained that it complied with Canadian privacy laws, yet many clearly disagreed as the Privacy Commissioner of Canada received an unprecedented barrage of complaints.

While concerns about tracking Internet usage and search queries garnered headlines, the fundamental legal issue was whether Bell was entitled to force its millions of customers to opt-out of the targeted advertising program if they did not wish to participate or if the law requires an explicit, opt-in approach in which consumers must proactively ask to be included before their tracking information is used for advertising purposes.

This week the Privacy Commissioner of Canada rendered his verdict: Bell’s targeted advertising program violates the law since the consumer data used by Bell is sufficiently sensitive such that an opt-out approach does not adequately protect user privacy. Bell argued that the information it collects is non-sensitive and that opt-out was therefore good enough.

If the consumer data is taken piece by piece, Bell might have been right. Yet in an era of “big data”, the Privacy Commissioner effectively concluded that the sum of personal information is more than the parts. In the case of Bell, he placed the spotlight on the remarkable scale of the company’s data collection and usage:

Read more here
