The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Wednesday, April 28, 2004
Today's Globe and Mail Careers section has an interesting article on workplace privacy. The article begins with an introduction to the first case (PIPEDA Case Summary #114) on this topic to make it to the Federal Court of Canada.
"Every time Erwin Eastmond goes to work, he is being watched.
Cameras set up around Canadian Pacific Railway Ltd.'s maintenance shop in Scarborough, Ont., make it impossible for the 200 workers in the facility to avoid having their movements tracked by an array of security cameras. And that, Mr. Eastmond says, 'makes us very uneasy.'
So uneasy that Mr. Eastmond, a diesel engine electrician, lodged a complaint last year with the Privacy Commissioner of Canada. It has led to a landmark federal court case over surveillance in the workplace that was argued before a justice last week.
The case has become the biggest test to date of Canada's legal protections for the privacy of Canadian workers from a proliferation of sophisticated and inexpensive monitoring technology."
Labels: information breaches, surveillance
Wednesday, April 21, 2004
The issue of the privacy of personal information shipped overseas in connection with outsourcing is not a new issue, but an important one ...
Duluth News Tribune | 04/18/2004 | Privacy issues develop over work done overseas:
"The growing business of shipping sensitive personal data overseas threatens the privacy rights of U.S. citizens, according to Sens. Hillary Rodham Clinton, D-N.Y., Bill Nelson, D-Fla., and other foes of outsourcing.
Clinton is pushing legislation that would make U.S. businesses legally liable if a foreign subcontractor abuses American privacy laws.
The bill also would require U.S. businesses -- such as accounting firms, physicians, hospitals and banks -- to gain consent from consumers before shipping their private data to an overseas contractor if the Federal Trade Commission has determined that the country where the contractor is based doesn't have adequate privacy laws.
The privacy issue gained the attention of lawmakers after a Pakistani woman, Lubna Baloch, who transcribed confidential medical records of patients at UC San Francisco Medical Center, threatened to post them on the Internet last October unless the hospital helped her collect an overdue bill from a man who hired her as a medical transcription subcontractor.
Baloch withdrew her threat after she was paid.
Sue Blevins, president of the Institute for Health Freedom, a nonprofit concerned with medical privacy, said if personal information like mental illness, alcoholism treatment, marriage counseling, illegal drug use or a sexually transmitted disease gets out to the public, 'it could be devastating and cause emotional pain and affect people's career, families or even the ability to get a mortgage.'"
As I've said before, nearshore outsourcing to places like Nova Scotia does not have the same risk as outsourcing to Asia. Check out Nova Scotia Business Inc.
Labels: health information, information breaches
Tuesday, April 20, 2004
Following its widely publicized loss in the Federal Court of Canada (see previous blog entry), CRIA has filed an appeal of Justice Finckenstein's ruling. Google news links to loads of coverage, such as this from the Globe and Mail:
Globetechnology: "The Canadian Recording Industry Association has filed an appeal of the recent court decision denying CRIA's request for Internet Service Providers to reveal the identities of alleged uploaders of digital music. ...
"Today we filed an appeal of last month's court decision," CRIA General Counsel Richard Pfohl said in a statement. "We will argue that the decision was in error on a number of legal bases.
"In our view, Canadian copyright law does not allow people to make copies of hundreds or thousands of musical recordings for global copying, transmission and distribution to millions of strangers on the Internet," he said.
"Any owner of intellectual property that can be digitally transmitted has a stake in this appeal process," CRIA president Brian Robertson said.
The appeal comes at a time when news of the recording industry's profits or losses have been highly contradictory."
Labels: google, information breaches, privacy
Monday, April 19, 2004
Michael Geist, one of Canada's most respected technology lawyers, has a very interesting comment in today's Toronto Star. He argues that the federal Privacy Commissioner needs to take some affirmative steps before privacy protection in Canada becomes more bark than bite. In many ways, the Commissioner's office is hamstrung by a lack of resources following the scandals involving the former Commissioner, George Radwanski.
TheStar.com - Weak enforcement undermines privacy laws:
"If the commissioner's office is to take the lead on cutting edge issues and increase its enforcement activity, the federal government must step up to the plate to provide it with much-needed resources.
In the wake of last year's scandal involving former privacy commissioner George Radwanski, the office has faced significant budget pressures that have constrained new hiring and sadly transformed the current privacy legislation into a complaints-only-driven process.
While there is no doubt the will at the commissioner's office to ensure that PIPEDA meets expectations, the federal government must help pave the way.
It is evident that privacy laws without effective enforcement and genuine transparency may provide Canadians with little more than placebo privacy protection.
Ensuring that this does not happen is, in the words of the privacy commissioner, a question of responsibility."
Labels: information breaches
Saturday, April 17, 2004
National Privacy Services Inc. is going to be offering its Privacy Officer Training program in Ottawa (May 19-20) and Toronto (May 17-18) next month. The two-day course is designed to provide the necessary training and tools for businesses to begin to implement privacy law compliance in their organizations. The course was originally designed by McInnes Cooper's privacy law practice group when clients regularly asked how and where privacy officers can get the training necessary to undertake the role in an informed and professional manner. The brochure [PDF] is available from the National Privacy Services Inc. website.
The two-day privacy officer training program provides an in-depth review of PIPEDA and its myriad exceptions. Key decisions of the Office of the Privacy Commissioner are reviewed, as are security and privacy issues. It also includes specific assistance for dealing with inquiries and complaints.
Labels: information breaches
Wednesday, April 14, 2004
Today's Toronto Star has a very interesting article that highlights something that I have been trying to emphasize to my clients for some time: the most important thing that a business must do to comply with PIPEDA and to avoid complaints is to communicate with its customers. Principle 2, from the CSA Model Code, requires a business to take reasonable steps to bring to an individual's attention the purpose for which information is being collected. This communication forms the foundation for the "knowledge and consent" that are required under "Principle 3 - Consent". Many commentators emphasize that PIPEDA is about consent, but this consent has to be based on the identification of purposes. If you tell your customers what you propose to do, there won't be any uncertainty or confusion and, therefore, the business is much less likely to get a complaint.
The law requires businesses, large and small, to put systems in place that will make sure customer information is secure, accurate, gathered with consent and not used beyond a stated purpose.
Heather Black, assistant federal privacy commissioner, said Canadians are taking advantage of their newfound privacy rights but many businesses, when asked to explain how and why they collect and use customer information, aren't providing adequate answers.
'When people ask why they're being asked for this information, they're not getting very satisfactory responses,' said Black. 'So it really is a communications gap.'
The commission began noticing this trend in January, specifically in the retail sector. Black said a number of people have filed complaints against certain retail outlets that require customers to provide their names, phone numbers and addresses when goods are returned for refund or exchange."
Labels: information breaches
Monday, April 12, 2004
In today's National Post, Howard Levitt, counsel to Lang Michener, takes a pretty aggressive stand with respect to PIPEDA. His sentiments about the constitutionality are shared by others, but I was surprised to read that he suggests ignoring PIPEDA. Most privacy lawyers with whom I speak are of the view that PIPEDA should be followed until it is declared to be unconstitutional:
"4. Privacy legislation applies across Canada.
The federal privacy legislation constitutionality provided that, if similar legislation was not passed in each province by January 1, 2004, the federal legislation would apply provincially. Many provinces, including Ontario, have not yet passed Privacy Acts. However, virtually everyone is conducting themselves as if the federal privacy legislation applies. It does not. Despite the wording of that legislation, the federal government lacks the constitutional power to impose privacy legislation on the provinces and no attempt to do so would survive legal challenge. Therefore, contrary to seemingly everyone's belief, there is presently no effective, binding privacy legislation in most of Canada."
This is very aggressive and, at least to this point, many Courts have been applying PIPEDA without hesitation. It is true that the federal government has no constitutional way to regulate the provincially regulated workplace, but PIPEDA does not purport to operate there.
Labels: information breaches
Saturday, April 10, 2004
Mathew Englander, to whom I referred a while back, has e-mailed me a correction about an entry in PIPEDA and Canadian Privacy Law. I had been told that his complaint had arrived by e-mail, having been sent at the stroke of midnight 2001. Mr. Englander writes:
I just came across the reference to me on your blog (http://pipeda.blogspot.com/2004_01_04_pipeda_archive.html#107338559447219057).
It's ironic that your "sources at the Office of the Privacy Commissioner" infringed on my privacy by telling you that my complaint "was sent by e-mail on January 1, 2001 at 12:01 am." The Privacy Commissioner should not unnecessarily divulge details about complaints and complainants.
In any event the information is wrong. I did not file my complaint by e-mail.
You can post this email on your web site if you like, but of course not my email address (which is a disposable address anyway).
Mathew Englander
As they say, it is always better to get your information first hand ...
Labels: information breaches
Wednesday, April 07, 2004
Since the launch of National Privacy Services, we've gotten some quite favourable coverage in the media. ConnectIT had the following article in today's edition:
[ ConnectIT e-News Daily ]:
"Privacy officer for hire
6 April, 2004
by Liam Lahey
Security solutions provider Thor Solutions Inc. and law firm McInnes Cooper have teamed up to form National Privacy Services Inc. (NPSI) – a partnership designed to help small to mid-sized businesses (SMBs) understand and comply with Canada's federal privacy legislation.
According to David T.S. Fraser, chair of McInnes Cooper's privacy group in Halifax, NPSI helps SMBs avoid the expense of building a solution from scratch, spending a great deal of time trying to become privacy experts themselves, and/or ignoring the legislation and risking their businesses by being identified as non-compliant."
Labels: information breaches
Tuesday, April 06, 2004
ITBusiness.ca: "Canada's largest marketing industry group has amended its Code of Ethics and Standards of Practice to deal with the growing volume of unsolicited commercial e-mail.
The Canadian Marketing Association said the amendments would apply immediately to all 800 of its corporate members, and would be specific to e-marketing programs.
Under the new rules, CMA members must obtain a consumer's explicit or opt-in consent before disclosing their e-mail address to a third party; use the e-mail address only for the purposes that have been disclosed to the consumer; and clearly identify the CMA member and source of the e-mail. They must also provide the recipient with a simple and easy-to-use e-mail means to opt-out from receiving further e-mail marketing communications from the marketer.
CMA communications director Ed Cartwright recently spoke with Pipeline about the changes...."
Labels: information breaches
Monday, April 05, 2004
Security and privacy go hand in hand. While this article, Security Scare for Business Laptops, primarily deals with confidential business information, the principles also hold true for personal information that an organization is obliged to safeguard under PIPEDA's dictates. Insufficiently secured Wi-Fi can be a significant vulnerability for any computer user and computer network.
The Financial Times: Security Scare for Business Laptops
Business travellers are unwittingly making company secrets available to rivals by ignoring the risks of local wireless networks, known as wi-fi hotspots, security experts warn.
IT security experts who have carried out checks at hotels, railway stations and other public places equipped with wireless internet access technology have found the networks and users' computers are often insecure. "It's actually happening: there is competitive intelligence being gathered," said Richard Hollis, chief executive of Orthus, a security firm.
Hackers - who need little specialist knowledge - can access contents of a rival's laptop because other users' files are visible to anybody using an unsecured wireless network. Hackers are also using wi-fi hotspots to store their files on other computers.
Labels: information breaches
Sunday, April 04, 2004
Most of the articles that I've written on PIPEDA are referred to on my firm's website, but I wanted to make them available to readers of this blog. So I've put together a list of them on a separate page (David T.S. Fraser's Privacy Law Articles), linked from my home page and my privacy law blog, divided by topics.
All articles are (c) David T.S. Fraser and/or McInnes Cooper
Labels: health information, information breaches, privacy, surveillance
Saturday, April 03, 2004
NEWS RELEASE
Attention Business Editors:
McInnes Cooper and Thor Solutions Team Up to Provide Affordable Privacy Solution to Small and Medium-sized Businesses
April, 2004, Halifax – Thor Solutions Inc. and McInnes Cooper have formed National Privacy Services Inc. (NPSi) to provide businesses with a cost-effective solution to the new privacy legislation.
“Businesses have a long list of things to do to comply with the new legislation governing the handling of personal information,” says David T.S. Fraser, Chair of McInnes Cooper's Privacy Group. “We help them avoid the expense of building a solution from scratch, spending a great deal of time becoming privacy experts themselves, or ignoring the legislation and risking their businesses by being identified as non-compliant.”
“Our solution is cost-effective and immediate,” says Dale Telford, Chief Privacy Officer of NPSi. “It provides businesses with the tools to quickly become compliant through policies, procedures, consent strategies, a multi-media training program and their very own out-sourced privacy officer. The Common Sense Privacy Solution is very affordable for smaller organizations.” “It is focused at small- and medium-sized businesses that are at high risk, such as medical practices and insurance brokers,” says Telford. “We can act as the privacy officer, helping both the business and the customers. We save our clients time and money by dealing with queries, access requests and complaints. We can answer their questions and provide critical support.”
“This law applies to every business that handles personal information in the course of commercial activities. Without an effective privacy plan, businesses are at risk of having their reputation significantly damaged. NPSi is designed to give businesses the tools they need, at a price they can afford, to reduce the risk. The last thing a growing business needs is to be named as non-compliant by the Privacy Commissioner or end up in Federal Court,” says Fraser. “Addressing the new privacy law is prudent risk-management. Given the risks of non-compliance and the cost of our program, this truly is a common sense solution.”
About National Privacy Services Inc.
National Privacy Services Inc. (NPSi) (www.privlaw.com) was founded in 2003 by Thor Solutions Inc. and McInnes Cooper in order to assist businesses, professionals and industry associations in following privacy best practices, based on the information privacy requirements of the federal privacy law and similar provincial statutes.
Thor Solutions Inc. (www.thorsolutions.com) is a recognized leader in the field of information security. McInnes Cooper (www.mcinnescooper.com) is Atlantic Canada's largest single law partnership with a nationally recognized privacy practice.
NPSi's focus is to provide guidance and support to organizations as they adopt mandatory privacy best practices. We work closely with industry groups to design privacy programs that can be easily and efficiently adopted without interfering with the operations of the organizations required. In addition, we provide full support to our clients, with toll-free, on-call expertise and our privacy professionals can act as the designated privacy officer for our clients.
- 30 -
Media contacts:
David Fraser, McInnes Cooper
(902) 424-1347 cell: (902) 478-6654 david.fraser@mcinnescooper.com
Dale Telford, Thor Solutions
(902) 469-8467 cell: (902) 830-1981 dale.telford@thorsolutions.com
Labels: information breaches
The Canadian and US media have been abuzz with reports that "file sharing is legal in Canada!" (see Google News coverage). The actual decision doesn't, in my view, go that far (much of it seemed to turn on a deficient affidavit and the difficulty of connecting an IP address and a Kazaa screen name), but that's a bit ultra vires my blog. Here we deal with privacy. But fear not, there is some privacy-related analysis in the decision rendered by von Finckenstein J (2004 FCT 488).
Part of the argument advanced by the internet service providers was that they were prohibited from revealing personal information of their subscribers, absent a court order. The parties agreed in advance that the subscribers have an expectation of privacy regarding their identities, pursuant to their subscriber agreements and sections 3 and 5 of PIPEDA. They also agreed that this personal information can be released without the consent of individuals if the court so orders under section 7(3)(c) of PIPEDA.
[13] I read the Norwich and Glaxco Wellcome cases as establishing that the test for granting an equitable bill of discovery involves the following five criteria: ...
Criterion e: the public interests in favour of disclosure must outweigh the legitimate privacy concerns
[36] It is unquestionable but that the protection of privacy is of utmost importance to Canadian society. In the words of Lamer J. in R. v. Dyment, [1988] 2 S.C.R. 417 (S.C.C.): Grounded in man's physical and moral autonomy, privacy is essential for the well-being of the individual. For this reason alone, it is worthy of constitutional protection, but it also has profound significance for the public order.
[37] In respect of the internet specifically, Wilkins J. in Irwin Toy v. Doe (2000), 12 C.P.C. (5th) 103 (Ont. S.C.J.) stated at paras. 10-11: Implicit in the passage of information through the internet by utilization of an alias or pseudonym is the mutual understanding that, to some degree, the identity of the source will be concealed. Some internet service providers inform the users of their services that they will safeguard their privacy and/or conceal their identity and, apparently, they even go so far as to have their privacy policies reviewed and audited for compliance. Generally speaking, it is understood that a person's internet protocol address will not be disclosed. Apparently, some internet service providers require their customers to agree that they will not transmit messages that are defamatory or libellous in exchange for the internet service to take reasonable measures to protect the privacy of the originator of the information. In keeping with the protocol or etiquette developed in the usage of the internet, some degree of privacy or confidentiality with respect to the identity of the internet protocol address of the originator of a message has significant safety value and is in keeping with what should be perceived as being good public policy. As far as I am aware, there is no duty or obligation upon the internet service provider to voluntarily disclose the identity of an internet protocol address, or to provide that information upon request.
[38] Parliament has also recognized the need to protect privacy by enacting PIPEDA, which has as one of its primary purposes the protection of an individual’s right to control the collection, use and disclosure of personal information by private organizations (section 3).
[39] However while the law protects an individual’s right to privacy, privacy cannot be used to protect a person from the application of either civil or criminal liability. Accordingly, there is no limitation in PIPEDA restricting the ability of the Court to order production of documents related to their identity. Section 7(3)(c) allows disclosure without consent if such disclosure is: c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records. (emphasis added).
[40] Thus, both PIPEDA as well as the test set out in Norwich/Glaxco, require the Court to balance privacy rights against the rights of other individuals and the public interest.
[41] This motion is not a novel proceeding. In the past, third parties have been compelled to disclose documents identifying the name and address of a defendant previously identified solely by an Internet Protocol address. In no case have privacy or other concerns weighing against disclosure outweighed the interest in obtaining documents and information necessary to identify the defendants. See: Irwin Toy v. Doe (2000), 12 C.P.C. (5th) 103 (Ont. S.C.J.); Ontario First Nations Limited Partnership v. John Doe (3 June 2002) (Ont.S.C.J.); Canadian Blood Services/Société Canadienne du Sang v. John Doe (June 17, 2002) (Ont. S.C.J.); Wa’el Chehab v. John Doe (October 3, 2003) (Ont. S.C.J.); Kibale v. Canada, [1991] F.C.J. No. 634 (QL) (FC); Loblaw Companies Ltd. v. Aliant Telecom Inc. and Yahoo [2003] N.B.J. No.208 (N.B.Q.B.), online: QL (NBJ).
One thing that surprises me is that there is no obligation on the part of the ISPs to inform the "owners" of the IP addresses that their information is the subject of an application for an equitable bill of discovery, affording them the opportunity to retain counsel and, anonymously, resist the application. To do otherwise seems to put too much discretion in the hands of the ISPs. After all, they choose whether to resist the discovery request.
Labels: google, information breaches, ip address, privacy
Thursday, April 01, 2004
Donal Daly of the Customer Respect Group has a very interesting commentary on CNet today about the importance of privacy policies in communicating respect to customers. They conducted a survey that underscores the importance of a true, meaningful and customer-friendly privacy policy:
Turning online privacy into a joke | Perspectives | CNET News.com:
"In a survey of the adult online population, conducted by The Customer Respect Group in February 2004, the importance of respectful treatment of consumers' privacy concerns was underlined by some dramatic findings. When survey participants were asked how much they care about a company's privacy policy when invited to enter personal information to a Web site, 22.4 percent responded that in the absence of a privacy policy, they would not offer the information. A further 26.6 percent echoed this sentiment by indicating that if they were unhappy with a company's privacy policy they would leave the site."
Labels: information breaches
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.