The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Wednesday, November 28, 2007
Fellow blogger David Canton is quoted in this interesting article that suggests reckless corporations may find themselves guilty of violating the new ID theft law:
Reckless Data Handling Could Violate ID Theft Law - Security Feed - News - CSO MagazineNov 27, 2007
Reckless Data Handling Could Violate ID Theft Law
The recently proposed amendment to the Criminal Code that would make "reckless" handling of personal information a crime can be troubling given the broad definition of the word, said one lawyer.
If Bill C-27 is passed, it will be an offense to make available or sell personal information (such as names, addresses bank account information and social insurance numbers) knowing it will be used to commit fraud -- or if the person or company selling the information is reckless as to whether the data will be used for fraud by a third party.
Bill C-27, an Act to Amend the Criminal Code (identity theft and related misconduct) was tabled in the House of Commons last week and passed first reading.
As reported by ITWorld Canada, vendors say Feds should enforce data encryption
The problem with measuring recklessness is a valid concern for organizations whose business relies on collecting customer personal information given the lack of industry standards, said Howard Simkevitz, lawyer with Toronto, Ont.-based law firm Lang Michener LLP.
Some international standards, from bodies such as the International Standards Organization (ISO), handle security compliance, but there is no equivalent for privacy, Simkevitz said.
"When we’re talking about identity theft and it’s the theft of personal information, that’s a distinct privacy-oriented term."
He added the term reckless includes the absence of precautions around securing customer personal data, so organizations should implement policies and procedures based around this. Overall, such precautions are mainly based on common sense and good corporate values around how to handle another person’s sensitive data, he said.
The privacy commissioner, he added, also makes available helpful guidelines around policies.
Actually, the Personal Information Protection and Electronic Documents Act (PIPEDA) provides a good starting point, he said, by advising organizations to determine whether the information they are collecting is personal, and if it is, to figure out if they have received consent to collect and use it for certain purposes.
"The risk of running afoul is at least minimalized, but there are tons of issues here, and the fact that now there are criminal sanctions that could be applied, is an issue," said Simkevitz.
The recklessness aspect of the bill is probably intended to capture people who do more than just act negligently, but "turn a blind eye" to securing personal information, said David Canton, a lawyer with London, Ont.-based law firm Harrison Pensa LLP.
When transferring that type of data to a third party, the organization should seek assurances that the recipient of the information is going to do what it has said it will do with the data, he said. Often, having contractual provisions to limit use of the data by a third party is useful, he added.
If companies seek such assurances, he said, "I would suspect that they haven’t crossed the reckless threshold."
But a rogue employee stealing customer personal information for the purposes of fraud could, depending on the circumstance, mean the company has been reckless, said Simkevitz. However, he said, if the company can demonstrate it took necessary actions to mitigate such risk, then it may not be held liable.
Typically, organizations are "vicariously liable" for actions of their employees, said Canton. Specifically, if the act committed falls within the ambit of that person’s job, then the organization can be held liable, he added, but "it’s not always an easy line to draw."
But given that Bill C-27 complements PIPEDA and other existing privacy legislation, said Canton, companies who have already dealt with privacy probably have dealt with the issues that this new bill presents.
The bill’s proposals do not add anything to existing legislation, said Canton, "but raises the bar and is maybe one way of putting criminal teeth in the security aspect of [PIPEDA], although it’s probably not its prime intention."
Canton said it’s hard to argue against some of the contents of the bill and it’s usually difficult to tell if such things will help deter identity theft, but it’s nonetheless a useful tool.
If anything, said Simkevitz, the bill "sensitizes corporations to the importance of protecting personal information."
In particular, he said, it’s great that it includes compensating victims of identity fraud, but it doesn’t address the issue of quantifying damages like the loss of a driver’s license versus hassle at the border because of issues with stolen identity.
"It certainly does [add teeth to PIPEDA]. Is this sufficient? I would be more reluctant to say that it is," said Simkevitz.
Besides that, he said the proposed amendment doesn’t address the use of spam to collect personal information, nor the issue of breach notification.
Labels: breach notification, privacy
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.