Privacy Commissioner of Canada releases Annual Report on Privacy Act

Canada’s Privacy Commissioner, Jennifer Stoddart, released her 2009 – 2010 Annual Report to Parliament on the Privacy Act today. In her Annual Report, Stoddart says that “[t]he federal government’s use of handheld communications devices and its practices for disposing of unneeded paper documents and surplus computers could expose the personal information of Canadians to unauthorized disclosure”.

Key lessons for the private sector from today’s Annual Report include, among other things, (1) a reminder of the need to assess the threats/risks inherent in wireless communications and to fill any gaps in policies and/or practices related to smart phones, Wi-Fi networks and data stored on mobile devices and (2) ensuring that policies and procedures are in place for paper shredding and the disposal of surplus computer equipment.

Read the full Annual Report here>>.

Laptop searches at the border…again

Over a year ago, I commented on the privacy issues related to taking a laptop, cellphone or iPod across the U.S. border.  As reported here by Computerworld, a federal court has ruled in Michigan that the U.S. government has the right to “seize and transport a computer to a secondary inspection facility”, as long as there is a reasonable suspicion. Given the proliferation of tech devices in today’s workplace, you may want to consider if your business has the necessary policies and practices in place to protect data that’s probably leaving your doors today, and possibly going over the border via laptops and other mobile devices.

Employee monitoring in today’s workplace

There’s no question that as we dive deeper into the information age technology will continue to permeate the workplace. Tech gadgets such as iPhones and Blackberries are cheaper and more convenient than ever before.  But as the workplace becomes inundated with these tech tools, businesses increasingly have to ask themselves how they can manage the corresponding legal risks inevitably raised by empowering a legion of employees armed with Smartphones. If only there was “an app for that”!

The “fuel” for many gadgets currently in the workplace is data, which may or may not relate to the employer. And I’m not just thinking of Smartphones provided by the employer.  I’m also thinking of social media websites such as Facebook and Twitter, which are often accessed after work hours on employees’ home computers.

What happens when an employer uses data gleaned from a company-owed iPhone or Blackberry to monitor an employee in the workplace? What about monitoring an employee’s Facebook page? After all, it’s not uncommon for information about an employer or its clients to appear on an employee’s Facebook page. Further, some employees have no second thoughts whatsoever about posting personal messages during paid company time. Many employers are introducing social media policies to mitigate the resulting legal risks. But how far should employers go to protect their interests?

Today’s post is the first in a series that I’ll publish in the coming weeks to provide you with an overview of legal developments regarding monitoring in the workplace, with a focus on employer monitoring of employee social media and Smartphone activities. Upcoming posts will also examine workplace privacy issues related to email, video and GPS monitoring. Stay tuned… 

In the meantime, click here to listen to my recent CJOB|68 radio interview with Human Resources specialist Barbara Bowes in which we discuss privacy issues in the workplace. You may also want to attend a complimentary Social Media in the Workplace webinar that I’ll be providing with a few of my colleagues next week (May 19th). Click here for info and to register (space is limited so register soon).

A Conversation with Gary Dickson, Q.C.

Continuing a series of blog posts that I’m calling “A Conversation with…“, I’m really pleased to post the following conversation with the Information and Privacy Commissioner of Saskatchewan, Gary Dickson, Q.C.

Gary Dickson was appointed as Saskatchewan’s first full-time Information and Privacy Commissioner back in 2003, and he was re-appointed in 2009 for a further five-year term.  That’s great news because Gary Dickson has been outstanding in his role as Commissioner. On a personal note, I’ve been thrilled to watch his many successes as Commissioner. I’ve known Gary for many years. In fact, it was he who suggested that I get involved with the Canadian Bar Association at a time when some of us were trying to form what is now the CBA’s National Privacy and Access Law Section. 

Thanks to Commissioner Dickson for agreeing to take part in this online Q & A conversation.  CFL fans may find some humour in the last Q & A below. Go Bombers! If you’d like to learn more about Commissioner Dickson or the Office of the Saskatchewan Information and Privacy Commissioner (“IPC”), I’d encourage you to visit the IPC’s website.

Q. You were previously an Alberta MLA. In that capacity, you were involved in privacy law development as the critic for the Freedom of Information and the Protection of Privacy portfolio, and also on several important privacy law committees and panels. What’s it like to now be involved with privacy as the Information and Privacy Commissioner of Saskatchewan?

A. The experience is exciting, stimulating, and almost always challenging. I am very fortunate that our office has a committed team of excellent staff who are focused on ensuring that Saskatchewan residents enjoy the full benefit of our provincial access and privacy laws. I’m very lucky to continue to be involved with such a fascinating area but from a very different perspective than that of a lawmaker. It has been very useful to have had that experience in the development of access and privacy legislation before I assumed the new Commissioner role in Saskatchewan. I hope that I am more aware and more sympathetic to the challenges and issues that arise with any access and privacy law for front line workers. It has certainly motivated me to promote wherever possible making such laws simpler and more accessible to the people who must administer them and for those who are the ‘data subjects’. I have also enjoyed the opportunity to modestly influence the way that our access and privacy laws are viewed and understood. My experience in Saskatchewan has been that those who work in public bodies or health trustee organizations genuinely want to do the ‘right thing’ in terms of transparency and privacy protection but are often unsure on where the line is drawn and are unfamiliar with best practices that have evolved over the last 26 years in Canada. As a result, a major focus for my initial five years in Saskatchewan has been on raising awareness and creating tools to assist those workers meet their statutory responsibilities.

Q. While Alberta, Quebec, British Columbia and Ontario (for personal health information only) have provincial privacy laws that are “substantially similar” to PIPEDA, Saskatchewan does not. Is it time for that to change?

A. I have for the last six years encouraged the former provincial government and now the current government to carefully consider the advantages of adopting a PIPA type law based on the B.C. and Alberta experience. As it stands, our fundraising foundations and NGOs, including those that deal with significant amounts of sensitive, prejudicial personal information are effectively unregulated. We often hear complaints from employees working in private businesses (not federal works, undertakings, etc.) who are extremely disappointed and upset when we tell them that they do not have the same privacy protection guaranteed to all public sector employees in Saskatchewan. I must acknowledge that the federal Privacy Commissioner has recently undertaken a pilot project in Saskatchewan to raise awareness of PIPEDA but this exercise also has highlighted how big the knowledge deficit is in the small and medium sized business sector. I remain of the view that Saskatchewan individuals, businesses and charitable NGOs should all benefit from a simple private sector privacy law. This could be designed to complement and harmonize with our public sector FOIP and Local Authority FOIP Acts and our Health Information Protection Act. It would allow for a more seamless kind of privacy protection that would be simpler for those organizations and for residents. I notice that the impetus for PIPA in BC and Alberta was really business organizations such as Chambers of Commerce realizing that PIPEDA is in some respects cumbersome and deficient for the SME sector. Business organizations in Saskatchewan do not appear to have adopted that view.

Q. The Saskatchewan Gaming Corporation has been recognized as a positive privacy story. What has it done, and what role has your office had in this development?

A. This is a good example of how an Information and Privacy Commission office can perhaps achieve more through consultation than by emphasizing the enforcement role. We started out a year ago with a complaint that the Casino Box Office in Regina required anyone purchasing a ticket for a show to provide name and contact information even if purchasing the ticket with cash. When we followed up with the Saskatchewan Gaming Corporation that operates the casinos in Regina and Moose Jaw, we found no senior identified FOIP Coordinator or Privacy Officer, no appropriate policies and procedures and no comprehensive training program for staff. Instead of focusing solely on the collection of personal information by the Box Office, we spent the better part of the year working with the Corporation in fundamentally reorganizing to meet its FOIP responsibilities as a ‘government institution’. With the assistance of a Portfolio Officer from our OIPC, the Corporation made a senior Vice President the new Privacy Officer and FOIP Coordinator. Comprehensive policies were put in place and a new FOIP training program rolled out. In the casino, the Box Office now only collects personal information if the ticket purchaser volunteered that information but it is no longer mandatory. In addition, prominent signage now advises customers of the Corporation’s information collection practices. There is also new literature readily available to customers. I think that as a result of our collaboration the Corporation and its leadership now view our office as a useful resource and as an office genuinely committed to operating on the basis of cooperation and collaboration.

Q. You’ve published a best practices guide for mobile device security. It’s getting easier to collect and store personal information, but are we keeping up with our privacy responsibilities in the meantime?

A. I’m afraid that privacy risks are not always top-of-mind for organizations embarking on new IT programs, systems, etc. Although we have developed a Privacy Impact Assessment tool available on our website, there is no statutory requirement that a PIA be done by a public body or health trustee before proceeding with new technology. What is perhaps even more troubling is that we see problems with old technology. Our office brought out a FAX advisory after we found a number of health information trustees didn’t appreciate that when the modern multi-use copier machine is sold as surplus equipment it likely will contain memory of the documents it has processed and perhaps substantial amount of personal health information. Look at the number of cases that have come to Information and Privacy Commissioners across the country that involved theft of unencrypted laptops. So, the short answer is that many organizations are not keeping up with their privacy responsibilities. The education and compliance challenge continues apace.

Q. Your office opened more than double the amount of case files in 2009 than it did in 2008. Is this number going up because of inadequate privacy practices, because the public is becoming more aware of its privacy rights, or both?

A. Good question. I think the answer is some of both. I believe there is significantly higher privacy awareness with the organizations that my office oversees and also greater public awareness. The difficult question is how accurately we can assess what is going with all approximate 3000 organizations that we oversee given that we are largely in a reactive role. In any given year if we are dealing with 200 organizations are these just the few ‘bad apples’ or is this indicative of widespread non-compliance. We simply don’t have the resources to be able to accurately assess and catalogue privacy compliance province wide. At the end of the day however, whatever the reason for the large increase in case files there is an indication that a lot more work is yet to be done to move to a more pervasive privacy protective culture.

Q. Looking forward, what kind of privacy developments should we watch for in 2010?

A. One of the interesting ‘growth’ areas will be the electronic health record. Our office just issued our first Investigation Report (H2010-001) dealing with our electronic health record now in development. This involved a pharmacist who entered the Pharmaceutical Information Program database on nine different occasions to view medication profiles for three individuals who were not patients/customers of that pharmacist of the pharmacy he worked for. We identified a number of problems in terms of HIPA compliance with the pharmacy, the regional health authority and the Ministry of Health. We also issued more than 20 recommendations for remedial action. Since the electronic health record is still some distance from completion, I anticipate that there may be more of this type of complaints touching on some element or another of the E.H.R. In fact, at the end of my Investigation Report, I included a Postscript which incorporated a number of broader considerations that this particular case highlighted.

We will be carefully monitoring changes to our health information regulations that enable regional health authorities to disclose certain personal health information of patients to hospital foundations without prior consent of those patients.

Finally, we are witnessing a number of new information and data-sharing initiatives with Executive Government and we expect to be busy considering these initiatives in the next few years.

Q. And, finally, how many points do you think the Winnipeg Blue Bombers will beat the Saskatchewan Roughriders this year in the Labour Day Classic game?

A. I love the fact that all of those Bomber fans come to Regina and generously spend their dollars in our hotels and restaurants and I always feel badly for their long drive back to Winnipeg. Sorry Brian but I don’t see that the return trip to Winnipeg is likely to be any more joyous in 2010!!

Cloud increasing pressure in U.S. for updated online privacy law

It appears that the growing adoption of cloud computing, combined with the outdated Electronic Communications Privacy Act, is adding pressure in the U.S. for an updated online privacy law to help better protect cloud computers.

CNET is reporting today that “a broad coalition of companies including Google, Microsoft, and AT&T, joined by liberal and conservative advocacy groups, will announce a major push [today] to update federal privacy laws to protect mobile and cloud computing users”.

Of course, in Canada cloud computers have the benefit of PIPEDA and – where they exist – substantially similar provincial privacy laws. To learn more about cloud computing, and related privacy law implications, you may want to check out this previous post.

58% of employees prepared to illegally download company/competitive data

According to a Cyber-Ark survey entitled “The Global Recession and its effect on Work Ethics” (link below), 58% of U.S. employees surveyed said that if they thought their job was at risk they would, as a pre-emptive move, be prepared to download company/competitive data. Fifty two per cent (52%) said that if they were fired tomorrow they’d take their employer’s customer and contacts data.

More disturbingly, 51% said it’s “easy” to take sensitive information out of their company and, as reported by Out-Law.com, 85% were aware that it’s illegal to download corporate information.  The favoured medium for stealing corporate information is a USB memory stick followed by e-mail. 

As I’ve mentioned in previous posts rogue employees pose a risk to privacy compliance and, as a result, corporate information requires safekeeping.  In today’s economy, information is the most valuable corporate asset.  For this reason, businesses of all sizes should take proactive steps to protect corporate data.  Whether it’s customer or supplier lists, intellectual property or employee personal information, it’s information that needs safekeeping, especially when we see statistics like those reported above.

The Global Recession and its effect on Work Ethics

Laptop Encryption: “I don’t know what we have to do to drive this message home” says Commissioner

A summer incident involving sensitive personal information on stolen laptops has brought the issue of data protection once again into the crosshairs of Frank Work, the Alberta Information and Privacy Commissioner. 

In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007.  The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information.  A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted. 

These incidents demonstrate how easily sensitive data can be compromised when stored on laptops.  Encryption is a relatively easy way to improve the security of such information.  But, where do you start? There are numerous encryption options available.  Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same, encrypting laptops significantly improves security and that’s just smart business.

The conflict between mobile devices and privacy: can’t we all just get along?

The sound of ringing telephones has caused migraines for millions ever since Alexander Graham Bell placed the first call to Mr. Watson in 1876. But thanks to some newly released technology, that’s about to change. Got a headache? There is, to borrow a phrase from a successful ad campaign, an app for that. Bellaire, Texas med-web company BetterQOL is rolling out iHeadache, an iPhone application that purports to “classify” and assist with diagnosing a user’s headache. iHeadache is one of many cutting edge applications available for use with smartphones. Don’t expect this trend to stop any time soon: thanks to programs like Apple’s iPhone Developer (only $99 for the standard edition), it’s becoming even easier for technology-savvy businesses to create their own apps.

Still not convinced? Consider this list of impressive apps for today’s traveler: Pocket Express, an app that acts as a mobile concierge; Stanza, an app that allows a user to load magazines and books to their smartphone; and GoodFood, which helps a user pick and locate a restaurant based on an array of dining preferences. It’s a good time to be a smartphone user, but perhaps even a better time to be an entrepreneur. Smartphones are increasingly offering businesses a direct window into the hearts, minds and, yes, wallets of potential customers.

But it’s not all good news, privacy advocates remind us. Many smartphone apps guzzle fuel like your Dad’s ’70 GTO, except they’re eating personal user information instead of gasoline. For example, your app may record your location, gender and birth year before it spits out the location of that perfect sale you’ve been looking for. A sizeable amount of personal information is in play, but, fortunately, Ontario’s Office of the Information and Privacy Commissioner (“IPC”) has been ahead of the curve with its call for “Privacy by Design“. Initially unveiled over 10 years ago, the concept of Privacy by Design combines privacy and security measures at the design specification stage of a project. Instead of waiting until privacy problems pop up to deal with them, Privacy by Design contemplates a proactive approach toward potential privacy issues. This methodology uses Privacy Enhancing Technology such as encryption to provide both maximum security and privacy protection. It is, as the IPC bills it, a “win-win” situation. Other examples of Privacy by Design include anonymous billing systems and depersonalization software.

It’s an exciting time to be a technologically-inclined entrepreneur, but the privacy consequences of smartphone apps cannot (and should not) be ignored. Any business that is considering creating or otherwise implementing an app should consider the privacy implications of doing so, preferably at the early stages of project development.