The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar

Archives

Links

Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by groups.yahoo.com

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Monday, August 24, 2009

Privacy commissioner OKs modified Barwatch program 

According to the CBC, the Information and Privacy Commissioner of British Columbia has approved a modified version of the BarWatch program. Bars, under BC's Personal Information Protection Act, are allowed to swipe a patron's drivers license or other ID, collecting name, gender, date of birth and a photograph of the patron. The information must be deleted within 24 hours, except for "rowdies", whose information can be kept and exchanged with other bars through the BarWatch database. See: Privacy commissioner OKs Barwatch software.

For more information on this controversial practice, click on the link "ID SWIPING" below.

Labels: , ,

Friday, May 09, 2008

Ontario and B.C. Privacy Commissioners issue joint message: personal health information can be disclosed in emergencies and other urgent circumstances 

This just crossed the wires and is likely of interest to those who followed the earlier discussions about using privacy legislation as an excuse for inaction.

CNW Group OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER/ONTARIO Ontario and B.C. Privacy Commissioners issue joint message: personal health information can be disclosed in emergencies and other urgent circumstances

Ontario and B.C. Privacy Commissioners issue joint message: personal health information can be disclosed in emergencies and other urgent circumstances

TORONTO, May 9 /CNW/ - In light of recent events, such as the tragic suicide of Nadia Kajouji, a student at Carlton University, and the Virginia Tech massacre of 2007, the Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian, and the Information and Privacy Commissioner of British Columbia, David Loukidelis, are reaching out to educational institutions, students, parents, mental health counsellors and healthcare workers in both provinces: personal health information may, in fact, be disclosed in emergencies and other urgent circumstances. The two Commissioners want to ensure that people realize that privacy laws are not to blame because they do permit disclosure.

The Commissioners want to send the clear message that privacy laws do not prevent counsellors or healthcare providers from contacting a person's family if there are real concerns that they may seriously hurt themselves. "When there is a significant risk of serious bodily harm, such as suicide, privacy laws in Ontario clearly permit the disclosure of personal information without consent, regardless of age. In such situations, schools may contact parents or others if there are reasonable grounds to believe that it is necessary to do so," says Commissioner Cavoukian. Commissioner Loukidelis adds that, "If there are compelling circumstances affecting health or safety, or if an individual is ill, B.C.'s privacy laws allow disclosure to next of kin and others, including school officials and health care providers. Individual cases can be fuzzy, but if someone uses common sense and in good faith discloses information, my office is not going to come down on them. Privacy is important, but preserving life is more important."

In Ontario, the Personal Health Information Protection Act (PHIPA) allows health care providers, such as mental health counsellors, to disclose personal health information when necessary to eliminate or reduce a significant risk of serious bodily harm. This would include disclosure to a physician or parent if there are reasonable grounds to believe it is necessary to do so. In fact, PHIPA specifically allows for this kind of disclosure in emergency or urgent situations. Commissioner Cavoukian clarified this in a Fact Sheet she issued in 2005 entitled, Disclosure of Information Permitted in Emergency or other Urgent Circumstances, available at http://www.ipc.on.ca/.

In British Columbia, Commissioner Loukidelis underscored, the public sector Freedom of Information and Protection of Privacy Act allows universities, schools, hospitals and other public institutions to disclose personal information where someone's health or safety is at risk. He also noted that the private sector Personal Information Protection Act contains similar authority to disclose personal information for health and safety reasons.

Both Commissioners are today announcing their joint project to issue a new publication aimed at clarifying the role that privacy laws play when workers are trying to decide whether they can disclose personal health information. Commissioner Cavoukian said of the joint project, "Our goal is to ensure that educational institutions understand the legislative framework in advance of problems occurring. We are looking forward to working further with the educational community - stay tuned."

Commissioners Cavoukian and Loukidelis are urging those responsible for the health and safety of others to educate themselves about how the privacy laws covering them apply to their work and familiarize themselves with the provisions allowing them to disclose personal health information in emergency situations. Commissioner Loukidelis says, "I know that frontline decisions have to be made quickly and sometimes the facts may not be as clear as you'd like. But there's no doubt that privacy laws support disclosures to protect health and safety." Commissioner Cavoukian agrees that privacy laws are not at fault. "To infer that privacy laws were responsible for someone's death is to completely misunderstand the role that privacy laws are designed to play. The tragedy here lies if you take a default position of non-disclosure and inaction," says Commissioner Cavoukian. She also adds that, "However, Commissioner Loukidelis and I both recognize that the decision to notify someone's family without their consent can be extremely difficult, requiring very sound judgment. We are also clear that notification cannot be done on a routine basis and that students need to feel reassured that their privacy will be protected when they seek counselling or other health care services."

Labels: , , , ,

Monday, April 21, 2008

PIPA review released in BC 

The Special Committee of the BC Legislature reviewing the Personal Information Protection Act has recently released its report:

April 17, 2008: Special Committee Recommends Changes to Streamline B.C.’s Private-Sector Privacy Law Media Releases Special Committee to Review the Personal Information Protection Act 4th Session 38th Parliament Committees

SPECIAL COMMITTEE RECOMMENDS CHANGES TO STREAMLINE B.C.’S PRIVATE-SECTOR PRIVACY LAW

VICTORIA – The Special Committee to Review the Personal Information Protection Act submitted its Report to the Legislature this afternoon. The all-party committee was appointed in 2007 by the Legislative Assembly to review the act that regulates the collection, use and disclosure of personal information by private-sector organizations in the province. During the past year, the committee received 39 submissions.

The key findings from the consultations are that the act seems to be working well overall for private-sector organizations operating in British Columbia, while the public is not as aware of the purpose, rules and scope of the act. The act also aligns with the federal and Alberta private-sector privacy laws.

The report, titled Streamlining British Columbia’s Private Sector Privacy Law, was unanimously adopted by all committee members. The report contains 31 recommendations, including:

  • Making private-sector organizations accountable for personal information they transfer for processing outside Canada
  • Requiring organizations to notify affected individuals of privacy breaches in certain circumstances
  • Banning the use of blanket consent forms by provincially regulated financial institutions
  • Revising consent exceptions to better address business practices in the insurance industry
  • Permitting disclosure of personal contact information for health research
  • Retaining the minimal fee for access to personal information
  • Streamlining the complaints process in the province’s privacy laws
  • Strengthening the Information and Privacy Commissioner’s oversight powers

“Keeping personal information private is vitally important,” said committee chair Ron Cantelon, MLA. “We want to enhance safeguards, but at the same time, balance that goal against imposing unnecessary regulations on business, particularly small businesses.”

The members of the Special Committee to Review the Personal Information Protection Act are:

Ron Cantelon, MLA Nanaimo-Parksville

Harry Lali, MLA Yale-Lillooet

Leonard Krog, MLA Nanaimo

Mary Polak, MLA Langley

John Rustad, MLA Prince George-Omineca

Information about the committee’s work can be found on its website at http://www.leg.bc.ca/cmt/pipa/index.asp, or by contacting the committee chair, Ron Cantelon, MLA, or any committee member.

Labels: , , , ,

Friday, April 11, 2008

B.C. introduces law governing access, privacy of electronic health records 

British Columbia's government has just recently introduced legislation specifically tailored for privacy and access to electronic health records.

E-HEALTH STATUTE INCREASES PATIENT ACCESS AND PRIVACY

April 10, 2008

Ministry of Health

E-HEALTH STATUTE INCREASES PATIENT ACCESS AND PRIVACY

VICTORIA – A new e-Health (Personal Health Information Access and Protection of Privacy) Act introduced today moves British Columbia a step closer to the goal of giving citizens access to their health records and medical information, while strengthening privacy protection, said Health Minister George Abbott.

“This new e-Health legislation moves us forward in meeting our throne speech commitment to give citizens better access to their health records and medical information so they can engage in a more informed role in their own health-care choices,” said Abbott. “eHealth will give patients faster, safer and better health care by providing authorized health-care professionals with secure access to patients’ information to make the best and most timely clinical decisions.”

British Columbia is the first province in Canada to create a specific legislative framework governing access and privacy for electronic health information databases. While other provinces have access and privacy legislation governing personal health information, British Columbia will be going above and beyond the provisions of the Freedom of Information and Protection of Privacy Act with new legislation containing specific provisions to address access to information and protection of privacy of electronic health information.

“As e-Health information becomes a more widely accessible and used tool in our health-care system, we want to ensure British Columbia has a framework that allows for the most effective medical and health-research related use of electronic health database information,” said Abbott. “But we also have to ensure that the framework surrounding use of electronic health information is to the highest standards of privacy protection.”

Individuals will be able to block access to their own information in Health Information Banks from all health professionals, with the only overriding clause being in the case that the person is incapacitated in an emergency or with the person’s consent. Maximum fines for violations of the act have been increased from $2,000 under the Pharmacists, Pharmacy Operations and Drug Scheduling Act to $200,000 under the new act.

The act specifically prohibits disclosing information from electronic databases for market research, while creating a Data Stewardship Committee that will evaluate requests for the disclosure of data for health research or planning purposes.

The e-Health (Personal Health Information Access and Protection of Privacy) Act will also introduce legislative changes so medical researchers can approach individuals regarding health research studies, while respecting personal privacy and patient confidentiality. Individual requests by researchers to contact persons for health research from database information will require the specific approval of the Information and Privacy Commissioner.

“Patients and former patients can provide invaluable information in chronic disease research,” said Barbara Kaminsky, CEO of the Canadian Cancer Society. “Previously, researchers we fund could not even contact individuals who were willing to assist us in this vital work. Now we have a viable way to expand our research while respecting individual privacy.”

The Province recognizes that medical research and the privacy of British Columbians are equally important. The legislation will create an effective balance between individual rights and public responsibilities. It will also enable government to make objective decisions on the appropriate disclosure of health information for secondary purposes.

Amendments are also being made to the Pharmacists, Pharmacy Operations and Drug Scheduling Act to provide similar access, privacy and penalty provisions regarding PharmaNet. PharmaNet is internationally recognized as a world-class secure electronic network that protects patient safety. It protects patients from potentially dangerous medication errors, duplications and dangerous combinations of different medications. It records all prescriptions dispensed at B.C. community pharmacies in a central database and checks for interactions.

From the Canadian Press:

The Canadian Press: B.C. introduces law governing access, privacy of electronic health records

B.C. introduces law governing access, privacy of electronic health records

1 day ago

VICTORIA — British Columbians will soon be able to use their computers to view their health records, Health Minister George Abbott said Thursday after introducing legislation governing access and privacy for electronic health information databases.

British Columbia became the first province in Canada to create a legislative framework with specific provisions to address access and protection of electronic health information.

The e-Health Personal Health and Information Access and Protection of Privacy Act could eventually create paperless medical offices, allowing physicians to store information about patients on their computers as opposed to the banks of individual file folders in most offices, Abbott said.

"I'm pretty confident we got it right here," he said. "I'm very pleased with the balance with the legitimate access to personal information that a physician may require and the protection of the sanctity of those records that is so important to the patient."

The e-Health law gives medical researchers access to the electronic health database but ensures privacy, Abbott said.

Individuals can block access to the their own information in health data banks, except in cases where the person is incapacitated in an emergency or with the individual's consent.

Abbott said the new law prohibits disclosing information from electronic health databases for market research. The government will create a committee that evaluates requests for data for health research or planning purposes.

Maximum fines for violating the act have been will be $200,000.

The Opposition New Democrats said they want patient privacy ensured. They also said the act suffers from credibility issues.

Opposition health critic Adrian Dix wondered whether the bidding process for a $108 million contract for the software to store electronic medical records was tainted by alleged conflict of interest by a former top bureaucrat.

"The electronic medical records process is mired, unfortunately, in problems with the bidding process and problems with conflict of interest," he said. "We're talking about access to personal medical records and the credibility of that process is put in jeopardy."

The Health Ministry received a letter of concern about the bid process from an unnamed company whose bid for the electronic medical records contract was rejected.

And Dr. Tom Elliott, of Vancouver, went public with his concerns, saying his electronic records software met more than 95 per cent of the bid guidelines but didn't make the shortlist.

Other concerns involved the relationship between Ron Danderfer, a former assistant deputy minister of health, and Dr. Jonathan Burns, a Fraser Valley emergency room doctor and health contractor who developed and promoted a widely used health records device.

Danderfer and Burns were members of a steering committee overseeing the $108 million contract, aimed at getting the province's doctors on common software for medical records.

Only six companies were chosen to be involved and last year Burns listed one of the winning companies as a partner on his website.

The company, Wolf Medical, denied there had ever been a financial link between the two.

Abbott has said a government review found Danderfer was not involved in the selection or evaluation process for the health records project.

An internal government letter addressed to the Health Ministry from the Labour Ministry said last year the bid process was not influenced by Danderfer and Burns.

"While news media reports appear to link the Burns/Danderfer matter with the electronic medical record procurement, we can confirm that neither of these individuals were involved in evaluating proponent proposals or proponent software demonstrations and testing at any stage of the evaluation process," said the Nov. 7 letter from Richard Poutney, assistant deputy labour minister.

"We have not received any information that would link this matter to the electronic medical record procurement," it said.

In December, RCMP confirmed an investigation involving Danderfer while he was employed at the Health Ministry. The Mounties also asked the government to withhold results of an internal audit until their probe is complete.

Danderfer was placed on mandatory leave last July and retired last October after 35 years of service with the B.C. government.

Labels: , , ,

Monday, April 07, 2008

Incident: Tax files, private info turn up in Vancouver dumpster 

In case you needed further proof that you must shred all personal information that you're disposing. Loads of personal tax information has surfaced after a high-profile accountant in Vancouver chucked it into a locked dumpster outside his offices:

CTV British Columbia- Tax files, private info turn up in dumpster - CTV News, Shows and Sports -- Canadian Television

... Many of the documents -- marked with phrases such as "personal and confidential" -- come from the office of Peter Roberts, a well-known accountant.

"Oh my gosh," said one of Roberts' clients, David Weinberg, whose name was on several files.

"I'll have him either return this to me or assure me that he will be changing his privacy practices going forward to assure that not just this but all of his clients' documents are properly shredded."

When reached by phone, Roberts said that he put a bag full of the documents in the dumpster on Saturday.

He said he doesn't own a shredder and believed the documents would be safe because the dumpster is secured by a padlock.

But to Vancouver's large and innovative homeless population, a lock isn't much of a safeguard....

Thanks to a regular reader from the west coast for pointing me to this incident.

Labels: , ,

Tuesday, April 01, 2008

BC Commissioner's submissions on PIPA Review 

The British Columbia Information and Privacy Commissioner has submitted a report to the Special Committee of the British Columbia Legislature to Review the Personal Information Protection Act (BC). The Commissioner has found that the Act was a balanced and effective law that did not require major changes.

Labels: , ,

Thursday, March 06, 2008

Privacy Commissioners Release New Video Surveillance Guidelines 

The Privacy Commissioners of Canada, British Columbia and Alberta today have released Guidelines for Overt Video Surveillance in the Private Sector to help businesses consider privacy matters when deciding whether to and how to implement overt video surveillance. (I wonder whether they'll also produce guidelines on covert surveillance?)

From the media release:

Privacy Commissioners Release New Video Surveillance Guidelines

Privacy Commissioners Release New Video Surveillance Guidelines

OTTAWA, March 6, 2008 — Private-sector organizations considering video surveillance systems must take specific steps to minimize the impact on people’s privacy, say video surveillance guidelines released today.

The new guidelines set out how companies should evaluate the use of video surveillance and ensure any surveillance they undertake is conducted in a way that respects privacy rights and complies with the law.

These guidelines have been endorsed by Jennifer Stoddart, the Privacy Commissioner of Canada, Frank Work, the Information and Privacy Commissioner of Alberta, and David Loukidelis, the Information and Privacy Commissioner for British Columbia.

“We have seen a dramatic increase in the use of surveillance cameras by private-sector organizations. Many of our day-to-day activities are now captured by these cameras,” says Commissioner Stoddart.

“There are some legitimate reasons to conduct video surveillance, but privacy laws in Canada impose restrictions and obligations when, where and how businesses can conduct this kind of surveillance,” says Commissioner Loukidelis.

“These guidelines make it clear that businesses must carefully evaluate why they are installing video surveillance equipment, and what they will do with the information that is collected,” says Commissioner Work.

The Commissioners say it is disturbing to hear stories about video surveillance operators deliberately pointing cameras to ogle women, as well as surveillance images of people caught in unflattering situations finding their way onto video sharing sites like YouTube and Vimeo.

The new guidelines are aimed at businesses subject to the Personal Information Protection and Electronic Documents Act, or PIPEDA. They are also targeted at businesses subject to the provincial Personal Information Protection Acts in Alberta and British Columbia.

The overarching principle for video surveillance – which stems from the key legal test under the federal and provincial laws – is that it should be used only for purposes that a reasonable person would consider appropriate in the circumstances.

The guidelines state that, in order to limit the impact on privacy, cameras should be positioned to avoid capturing the images of people not being targeted (e.g., someone walking outside a store). As well, cameras should not be used in areas where people have a heightened expectation of privacy, such as washrooms, and through building windows.

The guidelines also say:

  • People should be notified about the use of cameras before they enter the premises.
  • Individuals whose images are captured on videotape should, upon request, be given access to this recorded personal information.
  • Organizations must ensure that video surveillance equipment and videotapes are secured and used for authorized purposes only.
  • Individuals who operate video surveillance systems should understand the privacy issues related to surveillance and their obligations under the law.
  • Video surveillance recordings should be retained only as long as necessary and destroyed securely.

The complete guidelines for private-sector organizations are available at www.privcom.gc.ca, www.oipc.ab.ca and www.oipc.bc.ca. The Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner for British Columbia have previously published guidelines for the use of video surveillance in public places by police and law enforcement authorities.

All three privacy commissioners are statutorily mandated to oversee compliance with the Acts and are advocates and guardians of privacy and the protection of personal information rights of Canadians.

Labels: , , , , , ,

Wednesday, February 06, 2008

Privacy Commissioners come out against national (RF)ID cards 

The Federal, Provincial and Territorial Privacy Commissioners came out yesterday against proposed RFID embedded super drivers licenses designed to facilitate border crossings:

Nova Scotia News - TheChronicleHerald.ca

Keep drivers' information in Canada — officials

Privacy commissioners slam plan to produce national identity cards

By DIRK MEISSNER

The Canadian Press

Wed. Feb 6 - 6:15 AM

VICTORIA — Personal information about Canadian drivers must stay in the country as plans are developed to introduce high-tech driver’s licences in Canada that will be accepted as identification at United States border crossings, Canada’s privacy commissioners said Tuesday.

The commissioners issued a joint statement that called on Ottawa and provincial and territorial governments participating in the so-called enhanced driver’s licence programs to ensure the personal information of participating drivers stays in Canada.

The commissioners also said they continue to voice their opposition to any plans to introduce national identity cards and systems.

British Columbia and the federal government reached an agreement last month to start issuing the enhanced driver’s licences on a trial basis. Ontario is examining a similar licensing program.

The enhanced licences, equipped with radio frequency chips, allow border officials to access personal identity information. They can be used as an alternative to a Canadian passport.

Jennifer Stoddart, Canada’s privacy commissioner, said her office is monitoring the progress of the enhanced driver’s licence program and recently received a government privacy-impact analysis. She said her office is not yet ready to give the green light to the licence program.

"Maybe our positions are more nuanced than that when we say with all these progressive and incremental steps towards measures that increasingly limit Canadians’ privacy, this is what you should be looking for," Stoddart said.

"These are the steps you need to follow," she said. "Have you chosen the least privacy-invasive route?"

David Loukidelis, B.C.’s privacy commissioner, said Canadians need to be reminded that a Canadian passport is a well-established, highly secure identification document.

"These enhanced driver’s licences or EDL programs do raise concerns about security and privacy of personal information on a number of fronts," Loukidelis said.

There are concerns that the radio frequency technology on the chips embedded into the licences could be skimmed by others or used to track individuals, he said.

The commissioners are concerned about the transfer across borders of databases containing personal information about Canadians, Loukidelis said.

"We don’t do that now with passport databases and we don’t see why we would need to do anything differently when it comes to enhanced driver’s licences."

The B.C. government has received 800 volunteers for the enhanced driver’s licence program within the first two days of the pilot project.

John van Dongen, Intergovernmental Affairs Minister, said 500 licences will be issued in British Columbia.

He said the information contained in the licences provides border officials with proof of citizenship, a photograph to confirm identity and status to legally cross the border.

"They do not access medical records," he said. "They do not access driver’s records. They do not access fines, tickets, penalties. They do not access accident history. None of that information is of any interest to the border agencies in either country."

Labels: , , ,

Thursday, January 31, 2008

Atlantic Canadian police want local ISPs to loosen up to nab suspected online predators 

Earlier this week, the RCMP organized a conference of police, internet service providers and other "stakeholders" on internet safety. I wrangled an invite, but had to go out of town at the last minute. One of the topics under discussion was whether ISPs should disclose subscriber information without a warrant.

My opinion on the topic is well known to readers of this blog (see tag: lawful authority).

Today's Hailifax Daily News has an article on the fact that the two leading ISPs in Atlantic Canada, Eastlink and Aliant, have a policy of requiring a warrant. Interestingly, the article focuses on the word "may" and not "lawful authority" in PIPEDA:

Halifax, The Daily News: Local News Police want local ISPs to loosen up to nab suspected online predators

Police want local ISPs to loosen up to nab suspected online predators

Crime

PAUL MCLEOD

Police in Nova Scotia are at a disadvantage compared to the rest of Canada when it comes to tracking down online sexual predators. Partly it's because of a single word in a piece of legislation.

When someone posts child pornography online, police have to go through Internet service providers - or ISPs - to get the person's name and address.

Most ISPs - over 70 per cent across the country - give police basic information without making them get a warrant. But Cpl. Dave Fox of the RCMP Internet Child Exploitation Unit said the majority of those that require warrants are in Atlantic Canada.

Both of Nova Scotia's two main providers, Aliant and EastLink, make police get warrants before handing over information. It's a process that takes a week on average, police say, and eats up desperately needed resources.

"We're not looking for shortcuts. If we took a shortcut and we were breaching someone's charter rights ... We would risk all the evidence we obtained by this warrantless searches being ruled inadmissible at trial," Fox said.

When contacted by The Daily News, Aliant said it would share information with police in emergency situations, but otherwise ask for a warrant.

"This is how we approach it. We work with them. This is what's in place in terms of our practice," said Aliant communications director Kelly Gallant.

For EastLink, the reluctance comes from the wording of the Personal Information Protection and Electronic Documents Act.

The act states ISPs "may disclose personal information" to police without a warrant.

At issue is the word "may," which some ISPs see as being too vague.

Though the federal government has endorsed pre-warrant requests as complying with the legislation, a minority of companies say handing over personal information without a warrant could expose them to lawsuits.

"The way the law is dictated today it is not clear, so we're erring on the side of the law," said Paula Sibley, communications specialist for EastLink.

"If the legislation was to be clarified, we would fully work within that."

No company has been successfully sued for handing information over to police, though there are two suits in early stages - one in Ontario and one in British Columbia.

Labels: , , , ,

Monday, January 14, 2008

Alberta privacy commission to rule on bar scans 

Personal information practices of bars and nightclubs are coming under increasing scrutiny, particularly with repect to video surveillance in Nova Scotia and the practice of scanning identification documents. Complaints related to the latter practice are pending in British Columbia and Alberta. It appears that a decision of the Alberta Commissioner is to be expected shortly: Alberta privacy commission to rule on bar scans.

Labels: , , , , , ,

Wednesday, January 09, 2008

Privacy law freezes health research in British Columbia 

The Vancouver Sun is reporting that recent amendments to BC's privacy laws are making it difficult for researchers to recruit participants:

Privacy law freezes Health research

Numerous B.C. health studies are not proceeding, languishing on hold or facing long delays because privacy legislation prevents researchers from actively recruiting participants.

A sample of taxpayer-funded studies actually or potentially affected by the legislation include ones on Parkinson's disease, back injuries, prostate cancer, breast cancer, ovarian cancer, multiple myeloma, and the quality of life and health-care needs of childhood cancer survivors.

Scientists say the problem is a 2003 amendment to the B.C. Freedom of Information and Protection of Privacy Act prohibiting government from releasing information to scientists for the purpose of contacting individuals about participating in research.

Previously, the legislation allowed the government to disclose contact information to research scientists, without the consent of individuals, as long as confidentiality was protected.

The reasons for the amendment are not clear, but prior to 2003, scientists were allowed to collect a random sample of names from data banks such as the Medical Services Plan (MSP) registry and election lists to recruit control subjects for studies.

Medical studies have yielded important findings and led to major shifts in human behaviour, such as smoking cessation, more exercise and dietary changes....

Labels: , ,

Saturday, January 05, 2008

Allowing medical device reps into surgeries questioned 

British Columbia has recently changed the rules to prohibit representatives of medical device manufacturers from scrubbing in for surgeries. As far as I know, this is the first such rule in Canada and company reps are routinely permitted into surgeries in other provinces.

I got a call from CBC just before New Years to comment on the practice and the quotes they used pretty well sum up my view:

'Time-honoured' medical practice questioned

David Fraser, a privacy lawyer in Halifax, said patients should have a say.

"When an individual is undergoing surgery, they're sedated. They're not aware of what's going on around them and they're completely vulnerable to the surroundings and what's happening to them," Fraser said.

"There's a higher obligation on the part of health care professionals to make sure that consent is properly obtained."

Wedge said despite privacy concerns in other provinces there are no plans to bring in new policies on P.E.I.

Labels: ,

Wednesday, January 02, 2008

Happy birthday to the Canadian Privacy Law Blog 

Today marks the fourth anniversary of the Canadian Privacy Law Blog. Four years ago, on January 2, 2004, I put fingers to keyboard and joined the interesting conversation that was beginning to take shape on the internet among veteran bloggers and I'm glad I did. (Welcome to the Canadian Privacy Law blog.) According to Blogger, this will be my 2740th post to the blog.

Forgive me if I get a bit melancholic and wistful as I look back on the past four years, but it has been a very eventful one for me and for the world of privacy. And both are related, I think. (I mean the changes in the world of privacy have influenced me, not the other way around.)

The day before my first posting, the Personal Information Protection and Electronic Documents Act ("PIPEDA") came fully into force for all commercial activities in Canada. That day, the Personal Information Protection Acts of British Columbia and Alberta came into force, but were not declared to be "substantially similar" to PIPEDA until ten months later (Alberta and British Columbia privacy laws declared to be substantially similar.) Also on the legislative front, Ontario passed the Personal Health Information Protection Act and it became law in May, 2004 (Ontario's Personal Health Information Protection Act receives royal assent.) Perhaps as importantly, it was declared substantially similar on November 28, 2005. (PHIPA declared substantially similar.)

Much attention has been paid to the continuing erosion of privacy rights in the United States and Canada. In 2004, the Information and Privacy Commissioner of British Columbia brought the USA Patriot Act under scrutiny. (U.S. Patriot Act worries Privacy Commissioner and BC Information and Privacy Commissioner releases his report: Patriot Act contravenes BC privacy laws.) In response, British Columbia, Alberta and Nova Scotia have passed laws or amendments to existing laws to closely regulate the export of personal information outside of Canada. In the US, the USA Patriot Act has been subject to many judicial challenges with some success.

Perhaps the area that has been most visible to laypeople is the growing trend of requiring companies to report data breaches. California led the way and now more than thirty US states have such requirements. We haven't seen it in Canada (except in PHIPA in Ontario) but advocates are calling for such a requirement in Canada's privacy laws of general application. Coming clean has led to the public disclosure of a number of huge breaches, including Cardsystems, TJX/Winners, Department of Veterans Affairs and the UK Revenue and Customs Service. Whether we see a change in Canadian law has yet to be seen. Despite the huge publicity given to these breaches, business built on personal information -- such as Facebook -- thrive.

On the professional front, I've been very fortunate to have been invited to speak on the topic of privacy on more occasions than I can estimate. Highlights have been speaking at the Canadian Bar Association general meeting in Winnipeg in 2005, Canadian IT Law Association for the past few years and innumerable professional organizations. The blog has also led to innumerable media interviews and some amazing awards (I'd like to thank the academy. And my blog ... and An honour to even be considered.)

Perhaps more satisfying is that I've been fortunate to have met (in some cases, in the flesh) and to have been inspired by some great fellow legal bloggers. This list includes Connie Crosby, Rob Hyndman, David Canton, Michael Geist, Michael Fitzgibbon and the amazing Slawyers.

To my readers, thank you very much for taking the time to drop by. I hope it has been informative and useful. Please pass along any suggestions or your thoughts, either in the comments to my posts or via e-mail at david.fraser@mcinnescooper.com.

Birthday cake graphic used under a creative commons license from K. Pierce.

Labels: , , , , , , , , ,

Saturday, September 22, 2007

Guidance on asking for ID in credit card transactions 

The Information and Privacy Commissioners of Alberta and British Columbia, along with the Privacy Commissioner of Canada, have released a guidance document on requiring photo ID of individuals paying for goods and services by credit card. All three have concluded it is reasonable.

See the OIPC website and the guidance document: Photo Identification Guidance.

Labels: , , ,

Monday, September 03, 2007

BC Commissioner: Student records can be shared to protect public safety 

Proably not a surprise for those who regularly work with the provincial public sector privacy laws in Canada, which usually contain a public interest and "health and safety" override:

Records of troubled B.C. students can be shared: privacy commissioner

Universities in British Columbia can share confidential medical records about troubled students if there's a perceived a threat to public safety, the province's privacy commissioner says.

Responding to a U.S. government report issued June 13 on the April 16 massacre at Virginia Tech that left 33 people dead — including the student who fired the gun — David Loukidelis said a university student's confidential medical records can be shared — regardless of the student's age.

"The laws in B.C. fully enable university and college officials to take steps to protect individual and indeed public safety," Loukidelis told CBC News on Monday.

The U.S. report says schools, doctors and police often do not share information about potentially dangerous students because they can't figure out complicated and overlapping privacy laws.

Loukidelis said there's a long list of exemptions in B.C.'s privacy laws that allow a student's private information to be shared for the good of public safety.

Tim Rahilly, senior director of student and community life at Simon Fraser University in Vancouver, said he often noticed the beginning of problems with students and wondered whether that information could be shared.

He said the university would ask the student whether it can talk to the student's parents about the concerns.

"The student can say no and if they are above the age of majority we are a little bit hamstrung," Rahilly said.

Loukidelis said if a student denies a request to share personal information with their parents or school officials, an assessment can be made.

Video

Nil Koksal reports for CBC-TV (Runs: 2:28)

Play: QuickTime »

Play: Real Media »

Labels: , , , ,

Monday, August 13, 2007

BC auto body shops object to auto insurer's credit-card policy 

Auto body repair shops in British Columbia are complaining to the province's privacy commissioner about the public auto insurer requiring that the shops hand over customer credit card information in the course of routine audits.

I wonder whether there's anything in the customer's policy allowing ICBC to collect this information?

Check it out:

Auto body shops take aim at ICBC's credit-card policy

Neal Hall, Vancouver Sun

Published: Monday, August 13, 2007

An association representing auto body shops and automotive glass repair companies has filed a complaint with B.C.'s information and privacy commissioner about having to hand over customer credit card numbers to the Insurance Corp. of B.C.

The United Auto Trades Association of B.C. says disclosure of a customer's personal and financial information during ICBC audits should not be done without a customer's written consent.

The complaint, obtained by The Vancouver Sun, says the disclosure without written consent is "clearly unlawful."

"It's of concern to us," said Gerry Preddy, vice-president of the association. "We've had examples of files being lost [by ICBC]."

The association, in its complaint, cites the federal Personal Information Protection Act, which states: "An organization must not, as a condition of supplying a product or service, require an individual's consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service."

ICBC demands such information during audits of auto body and glass repair shops that participate in ICBC's Glass Express Program to make sure shops are charging the vehicle insurance deductible amount.

"When a customer makes a claim, they are required to pay a deductible," explained ICBC spokeswoman Kate Best, "so repair shops provide ICBC with credit card information to confirm the payment of the deductible."

ICBC's position is that audits of repair shops are reasonable to verify payments, she said.

"The matter is currently before the information and privacy commissioner and ICBC will await the ruling," Best said.

The association says while membership in the glass express program is voluntary -- about 700 businesses and 60 per cent of glass repair shops participate in the program -- shops would suffer a drastic loss in business if they withdrew or refused to hand over the financial information of customers during ICBC audits.

The association made a final submission to the privacy commissioner on July 30, pointing out a recent B.C. Court of Appeal decision "confirmed that the collection and disclosure must be authorized by law."

The appeal court, in its ruling involving Royal City Jewellers & Loans Ltd., struck down a New Westminster bylaw allowing police to collect financial and personal information about people selling or pawning items to second-hand stores and pawn shops. The shops still collect the information but take the position they won't hand it over to police without a court order or search warrant.

Royal City Jewellers launched the court challenge, stating it was an invasion of privacy for law-abiding customers.

Labels: , , ,

Tuesday, August 07, 2007

Cameras coming to BC buses 

Video cameras are coming to public transportation in British Columbia. Probably not breaking news, but I find the following quote to be interesting:

"Many proponents of the system say the public is already recorded on video in malls, ATM machines, and various other areas. Cameras on buses and other public areas, they believe, is simply a natural extension."

With cameras in many places, where is it not a natural extension? Once they are commonplace in one public area, it's very easy to justify putting them in another locale.

BCNG Portals Page (R)

Closed-circuit TV cameras coming to buses

By Kevin Diakiw Black Press

Aug 03 2007

Cameras will be installed on all buses in the coming months, but privacy watch-dogs are concerned about how they’ll be used.

TransLink will spend $4 million for camera installation, primarily as a measure for driver safety. However, TransLink spokesman Ken Hardie said cameras will be placed on various areas of the bus, and will not simply be focused at the driver.

“I believe actually there will be more than one camera on the bus, there will be a number of different views,” Hardie said Wednesday.

The expansion of Closed Circuit Television cameras (CCTV) onto buses has been sold primarily as a device to prevent assaults on drivers.

Hardie said they will have several uses.

“Let’s say taggers, who can create mayhem inside a bus, just by leaving graffiti and other damage,” Hardie said. “... now buses might not leave them the kind of anonymity that they love to have when they do their work.”

It’s that kind of “function creep” that concerns civil libertarians.

“I am concerned about this notion ... now that we’ve got them on the bus ... let’s point them all over the bus and let’s catch the kids with crayons in the back seat while we’re at it,” said Micheal Vonn, policy director for B.C. Civil Liberties Association.

She’s also concerned about who would have access to the images.

Hardie said the video will be “recorded on board” to a hard drive and overwritten every week. A special team with Coast Mountain Bus Ltd. would be the only people with access to the video, unless required by police or court.

Many proponents of the system say the public is already recorded on video in malls, ATM machines, and various other areas. Cameras on buses and other public areas, they believe, is simply a natural extension.

“The question is to what degree are we becoming immune to the idea we should not be on film whenever we’re outside of our house,” Vonn said.

With scores of people already on any particular bus witnessing what’s going on, many feel the public expectation of privacy is low.

Vonn has heard the argument and disagrees.

“If I’m in a restaurant having a private conversation with a friend, a server can overhear snatches of what I’m saying,” Vonn said. “It’s quite different than having my Waldorf salad bugged and my entire conversation recorded.”

Hardie said TransLink is working with the B.C. Privacy Commissioner and will be submitting a privacy impact assessment as part of the process.

At the end of the day, the public will be safer with the presence of cameras on the region’s buses, he said.

“For one element, to know their actions are being recorded will make them think twice, there will be a deterrent effect in some respects,” Hardie said.

TransLink is hoping it will serve not only as an effective investigative tool for police, but will lead to stiffer penalties when perpetrators go to court.

Labels: , , , ,

Friday, August 03, 2007

Federal Privacy Commissioner releases privacy breach guidelines 

The Federal Privacy Commissioner has just released privacy breach guidelines, which are similar to guidelines produced by the Ontario and British Columbia commissioners. Here is the press release, with links to the guidelines:

News Release: Privacy Commissioner releases privacy breach guidelines (August 1, 2007) - Privacy Commissioner of Canada

Privacy Commissioner releases privacy breach guidelines

Ottawa, August 1, 2007 – New guidelines will help organizations take the right steps after a privacy breach, including notifying people at risk of harm after their information has been stolen, lost or mistakenly disclosed, says the Privacy Commissioner of Canada, Jennifer Stoddart.

The guidelines outline some of the key steps in responding to a breach, such as containing the breach, evaluating the risks associated with it, notifying the people affected and preventing future breaches.

“It’s clear that most businesses take seriously their responsibilities under Canada’s private-sector privacy law. I want to thank the industry groups, civil societies groups and privacy commissioners' offices that helped my office in developing these,” Commissioner Stoddart says.

The Office of the Privacy Commissioner (OPC) has become increasingly concerned about privacy breaches and breach notification following some major data breaches in recent months. Earlier this year, Commissioner Stoddart urged the federal government to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) to make it mandatory for businesses to notify people when their personal information has been breached.

“Our new voluntary guidelines do not take away from the need for breach notification legislation,” the Commissioner says. “I would once again urge the Minister of Industry and his cabinet colleagues to help better protect Canadians by making breach notification a legal requirement for businesses.” The guidelines call on businesses to notify people that their personal information has been compromised in cases where the breach raises a risk of harm. For example, there may be a risk of identity theft or fraud in cases where sensitive personal information has been lost or stolen.

Organizations are also encouraged to inform the appropriate privacy commissioner(s) of a privacy breach. (In British Columbia, Alberta and Quebec, provincially regulated businesses should speak to their provincial privacy commissioners. In Ontario, breaches involving personal health information must be reported to the provincial commissioner.)

The OPC is currently investigating two high-profile privacy breach cases involving large amounts of personal information.

In one case, the Canadian Imperial Bank of Commerce reported to the OPC the disappearance of a hard drive containing the personal information and financial data of close to half a million clients of its subsidiary, Talvest Mutual Funds.

The other investigation, being conducted jointly with the Information and Privacy Commissioner of Alberta, is looking at a breach at TJX Companies Inc., which affected thousands of Canadians who shopped at TJX’s Winners and HomeSense stores.

The new guidelines as well as a privacy breach checklist and a list of organizations which participated in the consultation process to develop the guidelines are available on the OPC website, http://www.privcom.gc.ca/.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Labels: , , , , , , ,

Saturday, July 07, 2007

Oshawa second-hand store bylaw invades privacy 

Earlier this week, the Ontario Court of Appeal, in Cash Converters Canada Inc. v. Oshawa (City) (July 4, 2007) (an appeal from Cash Converters Canada Inc. v. Oshawa (City), 2006 CanLII 3469 (ON S.C.)), overturned a City of Oshawa Bylaw that required sellers of second hand goods to collect detailed personal information about those who sell second hand goods to the stores. The bylaw was inconsistent with the Municipal Freedom of Information and Protection of Privacy Act.

Here's what the Toronto Star had to say about it:

TheStar.com - News - Oshawa second-hand store bylaw invades privacy: Court

Tracey Tyler

LEGAL AFFAIRS REPORTER

The Ontario Court of Appeal has struck down sections of a controversial Oshawa bylaw that require second-hand dealers to collect detailed personal information from people who sell them goods and transmit the data to police.

The bylaw conflicts with provincial privacy legislation, which requires the collection and retention of personal information to be strictly controlled, the court ruled Wedneday, The 3-0 decision could influence challenges to similar bylaws in other parts of the country, including Alberta and British Columbia.

“This decision comes at a time when cities are gaining broader law-making powers,” said David Sterns, a lawyer representing the Oshawa franchise of Cash Converters Canada Inc., a second-hand store that challenged the bylaw.

“The court has sent a strong signal that all forms of information gathering and surveillance by municipalities are subject to the public’s overriding right to privacy.”

Under the Oshawa bylaw, passed by the city in 2004 as part of a new licensing system for second-hand dealers, stores were required to record the name, address, sex, date of birth, phone number and height of their vendors, who also had to produce three pieces of identification, such as a driver’s licence, birth certificate or passport.

“This information is then transmitted and stored in a police data base and available for use and transmissions by the police without any restriction and without any judicial oversight,” said Justice Kathryn Feldman said, writing on behalf of Associate Chief Justice Dennis O’Connor and Justice Paul Rouleau.

Store owners were required to send reports to police at least daily, in some cases at the time of purchase. The city argued the bylaw was meant to protect consumers from purchasing stolen goods.

But the municipality offered no evidence of a growing problem involving the sale of stolen goods to second-hand dealers, said Feldman.

Nor is there evidence that unscrupulous people are more likely to be deterred by the electronic collection and transmission of personal information, she said.

In 2003, Cash Converters purchased more than 28,000 used items from people in 2003. About 30 of those were seized by police in connection with criminal investigations.

It’s unknown whether any were confirmed as stolen, the court said.

The bylaw did not apply to pawn shops, which are provincially regulated.

See, also, James Daw's column: TheStar.com - columnists - New ruling stands up for privacy.

Labels: , , , , , , , ,

Tuesday, June 26, 2007

MySpace posting good enough for cross-examination 

In case you were wondering, you really shouldn't expect that anything you post on your MySpace page will be kept private. If you are in the middle of litigation alleging that you're disabled, don't post pictures of your skiing vacation.

This recent case from earlier this month in Ontario is, I think, the first Canadian case to mention MySpace. The defendants attempted to use info from the plaintiff's MySpace page as a basis for further discoveries.

Weber v. Dyck, 2007 CanLII 22348 (ON S.C.)

PDF Format

Date: 2007-06-12

Docket: 05-CV-4343CM

2007

Weber v. Dyck

Ontario Master

Master L.A.M. Pope

Judgment: June 12, 2007

Docket: 05-CV-4343CM

Master L.A.M. Pope:

1 This action was scheduled for trial at a settlement conference held on December 1, 2006. The trial is number one on the trial list to commence the week of June 18, 2007. The defendants seek leave to bring this motion and for production from the plaintiff of information and documents pursuant to Rule 48.04(1). The information and documents relate to three activities of the plaintiff that took place subsequent to the plaintiff's examination for discovery on October 13, 2005.

2 The relief sought subparagraphs 1 (iv) and (v) of the Moving Party's Record are no longer in issue for the purposes of this motion.

3 This action arises out of a motor vehicle accident that took place on February 11, 2003 in which the plaintiff alleges that she sustained serious and permanent injuries to her left wrist and to her body, as well as emotional and psychic trauma. The action is governed by the Bill 59 insurance regime and as such the plaintiff has the onus to establish that her injuries meet the "threshold"; that is, that she has sustained a permanent serious impairment of an important physical, mental or psychological function within the meaning of section 267.5(5) of the Insurance Act in order for her to be entitled to damages.

4 At that time of her examination for discovery on October 13, 2005, the plaintiff was enrolled in year one of the Masters of Business Administration (Co-op) program ("MBA") at the University of Windsor. She testified at her examination that she earned part-time income by teaching piano and playing piano at weddings and other functions, what her plans were for employment after graduation and her vacation plans.

5 The following is the defendants' evidence that gave rise to this motion. The defendants learned that the plaintiff had a MySpace web page wherein she posted photographs of herself and announced certain information about herself. The undated photographs are of the plaintiff, for example, involved in what can be described as a somewhat physical activity in the Swiss Alps, in Paris, playing piano and at her graduation. The information exchange on the web page indicates that the plaintiff resides in Toronto and has a "new job." Further investigation revealed that the plaintiff worked as a Brand & Marketing Analyst for Level 5 Strategic Brand Advisors, that she recently completed her MBA specializing in marketing and international strategy and that she earned an ARCT (Associate of Royal Conservatory Teachers) designation. By letter dated March 30, 2007, the defendants requested production from the plaintiff of certain documents and information arising out of the information on the MySpace web page. Having received no response to that letter, Mr. Dycha wrote again to Mr. Leschied by letter dated May 2, 2007 and in that letter, Mr. Dycha added to his request for production additional documents and information.

Should leave be granted pursuant to Rule 48.04(1)?

6 The defendants seek leave to bring this motion for production pursuant to Rule 48.04(1) which provides that the consequence of a party setting an action down for trial or a party consenting to an action being placed on a trial list (as is the case here), is that the party shall not initiate or continue any motion or form of discovery without leave of the court. (emphasis added).

7 As this case is subject to the civil case management rules of Rule 77, it was placed on the trial list at the settlement conference held on December 1, 2006. There is no evidence that either party did not consent to the action being placed on the trial list. In my view, the consequences of placing a case managed action on a trial list are more serious than with a non-case managed case. This is evidenced by comparing the provisions of Rule 48.07 with subrules 77.14(2) and (4). The latter rules require a certification by the plaintiff that all examinations, production of documents and motions arising out of examinations and production of documents have been completed before the settlement conference date. Essentially, the parties who consent to an action being placed on the trial list declare that they are ready for trial. Subrules 77.14(2) and (4) support the purpose of the civil case management rules of reducing unnecessary cost and delay, facilitating early and fair settlements and bringing proceedings expeditiously to a just determination while allowing sufficient time for the conduct of the proceeding. In this case, the parties consented to the case being placed on the trial list with two exceptions as requested by the defendants and as ordered by Justice Nolan; firstly that the plaintiff deliver her x-rays by December 15, 2006, and secondly that the case be assigned an alternate trial date in the event the defendants did not have their expert reports by the June 18, 2007 trial list. The x-rays were delivered by the date ordered.

8 In order for the plaintiff to succeed in obtaining the right to further production of information and documents after a case has been placed on a trial list, they must first meet the requirements of Rule 48.04(1). The test for granting leave was aptly described by E.M. Macdonald J. in Hill v. Ortho Pharmaceutical (Canada) Ltd., [1992] 11 C.P.C. (3d) 236 (Ont. Gen. Div.) at 239, as follows:

The authorities make it clear that setting a matter down for trial is not a mere technicality of procedure. Before it can be vacated to permit any further discovery or other interlocutory proceedings, there must be a substantial or unexpected change in circumstances such that a refusal to make an order under s. 48.04(1) would be manifestly unjust.(emphasis added)

9 Plaintiff's counsel argues that the defendants were aware at the time of the mediation on July 26, 2006 and at settlement conference on December 1, 2006, that the plaintiff had graduated and therefore they should have brought this motion before agreeing to place the matter on the trial list. They further argue that given that the defendants consented to placing this matter on the trial list with the knowledge of the plaintiff's graduation, they should not be granted leave.

10 Firstly, there is no evidence before me of the above-noted allegations of the plaintiff. Secondly, it appears that Mr. Leschied provided Mr. Dycha with a copy of the plaintiff's transcript by letter dated December 20, 2006, several weeks following the settlement conference, (when the matter was placed on the trial list.) Moreover, the only evidence before me is that the defendants learned that the plaintiff had graduated on or about December 20, 2006, and that she had obtained a job and moved to Toronto when they discovered her MySpace web page. Therefore, it is my view that not only has the plaintiff had a substantial change in circumstances since this mater was placed on the trial list relating to her educational status, there has been a substantial change relating to her career, employment status and her place of residence. Albeit not all of these changes could be considered unexpected given her educational status at the time of her examinations for discovery, the test for leave does not require that the change in circumstances be substantial and unexpected. Therefore, I find that because there has been a substantial change in circumstances of the plaintiff since placing this matter on the trial list, it would be manifestly unjust in these circumstances not to grant leave for the defendants to bring this motion.

Rule 48.04(2)(b)(i) exception

11 The defendants submit that this motion falls within the exception set out in subrules 48.04(2)(b)(i). That rule provides that notwithstanding this matter being placed on the trial list, the plaintiff has a continuing obligation, pursuant to Rule 30.07, to disclose further relevant documents that come into her possession after serving an affidavit of documents or discovers that the affidavit is inaccurate or incomplete. If the plaintiff fails to make production of relevant documents she will be subject to the consequences set out in Rule 30.08. Rule 1.03 provides that a "document" includes data and information in electronic form.

12 The exception allowed in Rule 48.04(2)(b)(i) relates to subsequently discovered documents. The reason for this exception was explained by Master Dash in White v. Winfair Management Ltd., (2006) 16 C.P.C. (6th) (S.C.J.) at 48 as follows:

If a document is discovered and produced by the defendant after the plaintiff has completed his oral and documentary discovery and set the action down, it would constitute an unexpected change in circumstance that could mandate leave for further discovery thereon.

13 The defendants have requested the following documents:

1. a copy of the plaintiff's file from any employment placement agencies;

2. a copy of the plaintiff's current employment file and contact information relative to her immediate supervisor and individual in charge of Human Resources;

3. all photographs and video recordings from trips.

14 The defendants clarified that they were only seeking these documents for the last year and a half.

15 The first two documents set out above were not in the plaintiff's possession at the time of her examination for discovery on October 13, 2005 because they would have been created as a result of her graduating in the summer of 2006 and her subsequent job search. I am inclined to order production of these documents given the change in circumstances in the plaintiff's employment status and the fact that her income and job responsibilities are relevant to the threshold issue and the assessment of damages. Furthermore, there is no evidence before me that the defendants were aware that the plaintiff had graduated and/or had obtained a job at the time of the settlement conference on December 1, 2006. In fact, the plaintiff's evidence is that she did not provide the defendants with a copy of her transcript until December 20, 2006, following the settlement conference, as evidenced by Mr. Lescheid's letter of that date.

16 Regarding the third request above, clearly the photographs and video recordings requested were not in the plaintiff's possession at her examination for discovery such that the defendants could have requested them. The defendants urge me to grant the order based on the reasoning of the Master in the British Columbia case of Watt v. Meier , 2005 CarswellBC 3302 (S.C.) wherein it was the Master's opinion that in the hypothetical case where the main issue were a broken leg, where the plaintiff was claiming a significant disability and the defendant wanting to challenge the extent of the disability, then it would seem inherently possible that photographs from a vacation, where you may find somebody swimming or playing beach volleyball or all sorts of activities traditional on holidays, might be highly relevant to the question of the degree of a broken leg disability. I agree with the Master's reasoning; however, based on the reasons for my decision which follow, I have distinguished the Master's hypothetical case.

17 The defendants also rely on another case from the British Columbia Supreme Court of Tupper (Guardian ad litem of) v. Holding, [2003] B.C.J. No. 216wherein the plaintiff was ordered to produce vacation photographs. In that case the plaintiff sought damages for loss of her ability to enjoy life. The court stated that the documents sought include photographs of the plaintiff on vacation, posing or sitting with friends on the beach, and in front of various tourist sites; that is, they show her enjoying life. The court held that it was reasonable to conclude that the vacation photographs may assist the defendant in its defence of the plaintiff's claim. In both this case, as well as the Watt case, the motions were brought before the actions were set down for trial; therefore, the test for leave was not an issue before those courts.

18 I decline to order production of the photographs and video recordings for several reasons. Firstly, the parties consented to this action being placed on the trial list; therefore, they were deemed to admit that they were ready for trial. Secondly and more importantly, the defendants did not request production of the plaintiff's photographs and video recordings of her trip to Vancouver which she took the year before the examination. I fail to understand how the defendants would be entitled to photographs and video recordings of trips the plaintiff took after her examination for discovery when they did not see the relevancy in seeking production of photographs and video recordings of her pre-examination trips. The change in circumstances of the plaintiff relate to her career and employment status and has no relationship to her ability to travel which she testified to the fact that her injuries do not impact on her ability to travel. Lastly, the defendants have several images of the plaintiff from her MySpace web page with which they can cross examine the plaintiff at trial. This appears to be a form of further discovery to which the defendant is not entitled.

Rule 48.04(2)(b)(iv) exception

19 The defendants submit that this motion falls within the exception set out in subrule 48.04(2)(b)(iv). That rule provides that subrule (1) does not relieve a party from any obligation imposed by Rule 31.09 to correct answers given at an examination for discovery notwithstanding that the case was placed on the trial list. They further submit that in addition to the threshold issue at trial, another issue will be to what extent, if any, the plaintiff's avocational pursuits have been affected by her alleged injuries.

20 The information sought by the defendants is as follows:

1. a list of places the plaintiff sought employment;

2. details of the plaintiff's piano performances and piano lessons including sufficient details to identify and locate the persons for whom the plaintiff performed, along with the amounts received in compensation for services;

3. details of the plaintiff's travels for recreation or otherwise including particulars engaged in during her travels.

21 The defendants clarified that they were only seeking the above information for the last year and a half.

22 The questions and answers at issue are as follows:

Re: Career goals

154. Q. What's your ultimate ambition in terms of a career?

A. I'd like to get into international marketing, work for an international firm.

155. Q. Well, what do you mean by "international marketing"?

A. Global brand strategy.

156. Q. Okay. I'm going to guess that in order to do that you're going to have to potentially move from the city?

A. Yes.

157. Q. And do you have any objection to doing that?

A. No.

Re: Travel since the accident

377. Q. And have you had to travel anywhere since the accident for recreation or otherwise?

A. yes. I've travelled --

378. Q. (Interposing) Where have you been?

A. -- last September. I went to Vancouver last September.

Re: Piano

45. Q. Right, and the material that we've been given indicates that you also like to play piano. You teach piano --

A. (Interposing) I teach piano part-time.

387. Q. And you've got, you're still teaching the kids, right?

A. Correct.

388. Q. And how many hours?

A. Between 12 and 15. It's three, three evenings a week.

23 There is no evidence before me to suggest that these answers were not correct or were incomplete when given and that any time thereafter they became incorrect. Certainly certain aspects of the plaintiff's life have changed since her examination but that alone does not mean that her answers were incorrect or incomplete when made on October 13, 2005.

24 In particular, regarding the request for a list of the places the plaintiff sought employment, it is my view that notwithstanding the fact that there has been a substantial change in circumstances, this information is not relevant to any of the issues in this action therefore it is not to be produced. Regarding the requests for production of information about the plaintiff's piano performances, piano lessons and trips, I refuse to grant these orders because it can hardly be said that the defendants are now entitled to this information when they failed to ask for the same information for the period of time prior to the examination for discovery. To order production of this information would constitute a further form of discovery to which the defendant is not entitled.

Costs

25 Both parties filed Cost Outlines, however neither of them were complete in failing to specify the partial indemnity rate and actual rate or any of the points listed which are to be made in support of the costs sought. Both counsel attached a billing statement; however, a billing statement is not a substitute for setting out the partial indemnity and actual rates. These rates are some of the considerations in determining the cost order and without them an appropriate amount for costs cannot be determined. The Court cannot be expected to extrapolate the hourly rates from the billing statement and then calculate the partial indemnity rates. As the Costs Outlines were essentially useless for the purpose intended by the Rules, and given that the defendants were successful, at least in part, with their motion, costs are fixed at $750.00 payable by the plaintiff and the defendants forthwith.

Order

26 There shall be an order as follows:

1. The plaintiff shall produce the following within 7 days;
a) a copy of the plaintiff's file from any employment placement agencies; and

b) a copy of the plaintiff's current employment file and contact information relative to her immediate supervisor and individual in charge of Human Resources;

2. Costs to the defendants fixed in the amount of $750.00 payable forthwith.

END OF DOCUMENT

Labels: , , , ,

Tuesday, June 12, 2007

Google's uphill privacy battle 

I spoke with Briony Smith of IT Business about the recent Privacy International report that put Google at the bottom of their study on the privacy practices of online businesses. She also spoke with Phillipa Lawson and Richard Rosenberg.

Here's a bit:

IT Business: The public life of Google's private data

David T.S. Fraser, a privacy lawyer with the Halifax-based McInnes-Cooper, is unsurprised that Google is coming under fire. Said Fraser: “This is probably inevitable because of their size and the diversity of their business interests: e-mail, social networking, search, classified ads, Google Documents.”

There are also no overarching privacy laws, comparable to PIPEDA, in the United States, according to the Vancouver-based Richard Rosenberg, president of the British Columbia Freedom of Information and Privacy Association.

Lawford said that Google’s business seems to be set up to cull the maximum amount of information about its users, and that he wouldn’t be at all surprised to find that Google was farming out profiled information to outside parties. Proving this can be difficult, according to Lawford. “Following the information through the chain can be hard,” he said.

Fraser suggests that Google’s privacy policies be made much more transparent, and that it tells its users as well just how long their information will be retained for (which, in North America, is indefinitely, according to Rosenberg).

One minor correction: Google has recently announced their retention schedule for their log information, but it still is likely beyond what's reasonably necessary (Canadian Privacy Law Blog: Why does Google remember information about searches?).

Labels: , , , , ,

Saturday, June 02, 2007

B.C. privacy commissioner probes tenant database firm 

Today's Globe & Mail is reporting that the British Columbia Information and Privacy Commissioner has started an investigation into TVS Tenant Verification Services, a company that provides reports on prospective tenants. See: globeandmail.com: B.C. privacy commissioner probes tenant database firm.

Labels: , ,

Thursday, May 03, 2007

Parliamentary review of PIPEDA: Report 

The Parliamentary Committee on Access to Information, Privacy and Ethics has just released its report following the five year PIEDA review:

ETHI (39-1) — Fourth Report: STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) — Standing Committee on ACCESS TO INFORMATION, PRIVACY AND ETHICS - Committees of the House of Commons

The Standing Committee onACCESS TO INFORMATION, PRIVACY AND ETHICS

has the honour to present its

Fourth Report

Pursuant to its mandate under Standing Order 108(2), the Committee has studied a Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA) and agreed to the following report:

The HTML version of this report will be available soon. In the meantime, the Committee is pleased to make available the report entitled STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) (.PDF, 262 KB) in printable format.

Here are the recommendations:

47

Recommendation 1

The Committee recommends that a definition of “business contact information” be added to PIPEDA, and that the definition and relevant restrictive provision found in the Alberta Personal Information Protection Act be considered for this purpose.

Recommendation 2

The Committee recommends that PIPEDA be amended to include a definition of “work product” that is explicitly recognized as not constituting personal information for the purposes of the Act. In formulating this definition, reference should be added to the definition of “work product information” in the British Columbia Personal Information Protection Act, the definition proposed to this Committee by IMS Canada, and the approach taken to professional information in Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector.

Recommendation 3

The Committee recommends that a definition of “destruction” that would provide guidance to organizations on how to properly destroy both paper records and electronic media be added to PIPEDA.

Recommendation 4

The Committee recommends that PIPEDA be amended to clarify the form and adequacy of consent required by it, distinguishing between express, implied and deemed/opt-out consent. Reference should be made in this regard to the Alberta and British Columbia Personal Information Protection Acts.

Recommendation 5

The Committee recommends that the Quebec, Alberta and British Columbia private sector data protection legislation be considered for the purposes of developing and incorporating into PIPEDA an amendment to address the unique context experienced by federally regulated employers and employees.

Recommendation 6

The Committee recommends that PIPEDA be amended to replace the “investigative bodies” designation process with a definition of “investigation” similar to that found in the Alberta and British Columbia Personal Information Protection Acts thereby allowing for the collection, use and disclosure of personal information without consent for that purpose .

Recommendation 7

The Committee recommends that PIPEDA be amended to include a provision permitting organizations to collect, use and disclose personal information without consent, for the purposes of a business transaction. This amendment should be modeled on the Alberta Personal Information Protection Act in conjunction with enhancements recommended by the Privacy Commissioner of Canada.

Recommendation 8

The Committee recommends that an amendment to PIPEDA be considered to address the issue of principal-agent relationships. Reference to section 12(2) of the British Columbia Personal Information Protection Act should be made with respect to such an amendment.

Recommendation 9

The Committee recommends that PIPEDA be amended to create an exception to the consent requirement for information legally available to a party to a legal proceeding, in a manner similar to the provisions of the Alberta and British Columbia Personal Information Protection Acts.

Recommendation 10

The Committee recommends that the government consult with the Privacy Commissioner of Canada with respect to determining whether there is a need for further amendments to PIPEDA to address the issue of witness statements and the rights of persons whose personal information is contained therein.

Recommendation 11

The Committee recommends that PIPEDA be amended to add other individual, family or public interest exemptions in order to harmonize its approach with that taken by the Quebec, Alberta and British Columbia private sector data protection Acts.

Recommendation 12

The Committee recommends that consideration be given to clarifying what is meant by “lawful authority” in section 7(3)(c.1) of PIPEDA and that the opening paragraph of section 7(3) be amended to read as follows: “For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization shall disclose personal information without the knowledge or consent of the individual but only if the disclosure is […]”

Recommendation 13

The Committee recommends that the term “government institution” in sections 7(3)(c.1) and (d) be clarified in PIPEDA to specify whether it is intended to encompass municipal, provincial, territorial, federal and non-Canadian entities.

Recommendation 14

The Committee recommends the removal of section 7(1)(e) from PIPEDA.

Recommendation 15

The Committee recommends that the government examine the issue of consent by minors with respect to the collection, use and disclosure of their personal information in a commercial context with a view to amendments to PIPEDA in this regard.

Recommendation 16

The Committee recommends that no amendments be made to PIPEDA with respect to transborder flows of personal information.

Recommendation 17

The Committee recommends that the government consult with members of the health care sector, as well as the Privacy Commissioner of Canada, to determine the extent to which elements contained in the PIPEDA Awareness Raising Tools document may be set out in legislative form.

Recommendation 18

The Committee recommends that the Federal Privacy Commissioner not be granted order-making powers at this time.

Recommendation 19

The Committee recommends that no amendment be made to section 20(2) of PIPEDA with respect to the Privacy Commissioner’s discretionary power to publicly name organizations in the public interest.

Recommendation 20

The Committee recommends that the Federal Privacy Commissioner be granted the authority under PIPEDA to share personal information and cooperate in investigations of mutual interest with provincial counterparts that do not have substantially similar private sector legislation, as well as international data protection authorities.

Recommendation 21

The Committee recommends that any extra-jurisdictional information sharing, particularly to the United States, be adequately protected from disclosure to a foreign court or other government authority for purposes other than those for which it was shared.

Recommendation 22

The Committee recommends that PIPEDA be amended to permit the Privacy Commissioner to apply to the Federal Court for an expedited review of a claim of solicitor-client privilege in respect of the denial of access to personal information (section 9(3)(a)) where the Commissioner has sought, and been denied, production of the information in the course of an investigation.

Recommendation 23

The Committee recommends that PIPEDA be amended to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the Privacy Commissioner.

Recommendation 24

The Committee recommends that upon being notified of a breach of an organization’s personal information holdings, the Privacy Commissioner shall make a determination as to whether or not affected individuals and others should be notified and if so, in what manner.

Recommendation 25

The Committee recommends that in determining the specifics of an appropriate notification model for PIPEDA, consideration should be given to questions of timing, manner of notification, penalties for failure to notify, and the need for a “without consent” power to notify credit bureaus in order to help protect consumers from identity theft and fraud.

Labels: , , , , , , , , ,

Friday, January 12, 2007

Nova Scotia's new FOIPOP review officer 

As of February 5, 2007, Nova Scotia will have a new review officer under the Freedom of Information and Protection of Privacy Act:

News Release: Department of Justice

New FOIPOP Review Officer Appointed

Department of Justice

January 11, 2007 8:20


Dulcie McCallum, former Ombudsman for the Province of British Columbia, is Nova Scotia's new Freedom of Information and Protection of Privacy Review Officer.

Ms. McCallum will oversee how provincial and municipal governments protect the privacy of Nova Scotians and respond to requests for access to information.

"I'm pleased that Ms. McCallum has agreed to take on this important role," said Justice Minister Murray Scott. "The courts have recognized our legislation as being among the most open, progressive information and privacy laws in the country. Ms. McCallum brings tremendous expertise and knowledge to this office, particularly in the areas of the rights of persons with disabilities and children, constitutional matters and justice issues."

Ms. McCallum received her law degree from the University of Victoria and has expertise in administrative and human rights law. Over the past 30 years, Ms. McCallum has held positions in private practice and in the public sector. She was Ombudsman for the Province of British Columbia for seven years, until 1999. Since then, Ms. McCallum has worked for government and a number of organizations, including representative on the Canadian Delegation to the United Nations, to draft the new UN Convention on the Rights of Persons with Disabilities.

"I am thrilled to be named the new FOIPOP Review Officer and am ready to serve Nova Scotians in this important office," said Ms. McCallum. "I moved to rural Nova Scotia just over a year and a half ago from Victoria, British Columbia.

"Living in Sherbrooke has been one of the most rewarding times of my life. This new opportunity, which will enable me to work throughout the province to ensure citizens' rights of access and privacy are respected, is both a great honour and privilege."

The review officer is an independent ombudsman appointed by the Governor in Council for a term of five to seven years. The review officer will accept appeals from people and organizations who are not satisfied with the response they received from government departments or other public bodies such as hospitals, universities and school boards.

The review officer may make recommendations to the public body. The public body must respond in writing to the report. If the applicant, or a third party, is not satisfied with the outcome of a review, an appeal may be made to the Supreme Court of Nova Scotia.

The selection process for a new review officer was led by the Public Service Commission. An independent selection advisory committee, chaired by Auditor General Jacques Lapointe, recruited candidates for the position. The committee reviewed 70 applications and interviewed six candidates.

Ms. McCallum will assume office on Feb. 5.

Labels: , , , ,

Thursday, January 04, 2007

Incident: CRA misdirects taxpayer information 

A Halifax resident was more than slightly surprised when he went to the Canada Revenue Agency to pick up his requested notice of assessment. While the notice was conspicuously absent from the envelope, he did find a raft of information about ten complete strangers. Apparently, the CRA stuffed the wrong envelopes and handed over confidential and sensitive information to the wrong person.

When the individual who received the information was not satisfied with the CRA's reaction, he called the other taxpayers and went to the media. The story is on the front page of the Halifax Chronicle Herald.

To make matters worse, the notice of assessment was mailed but nobody knows who to.

CTV is doing a piece for the supper hour news here in Halifax, for which I was interviewed earlier today. They are hoping to get some comment from the unshuffled Minister responsible for CRA.

From today's paper:

More than he wanted to know

Government mistakenly mails other people’s tax papers to Whites Lake man

By JOHN GILLIS Staff Reporter

Andrew Doiron of Whites Lake just wanted to find out his RRSP contribution limit for the year. But what he got was a raft of personal information about 10 strangers from as far away as British Columbia.

The Canada Revenue Agency is now investigating how the confidential tax documents landed in Mr. Doiron’s mailbox and where the information he requested ended up.

"It looks like somebody just picked a handful of paper off a printer and just slipped it in an envelope with my (address) page on top," Mr. Doiron said Wednesday. "But of course they didn’t put my papers in there."

The confusion began Dec. 20 when Mr. Doiron went to the Canada Revenue Agency’s Halifax office in person to ask for a copy of his notice of assessment. He was told he had to call a toll-free number to ask for the document. Staff let him use a phone in the building.

Mr. Doiron was surprised Tuesday when he found an envelope from the agency in his mailbox, and it contained about 35 pages. The documents bore the names, addresses, social insurance numbers, income, marital status and other personal information for 10 other people. His own notice of assessment was not included.

He immediately called a toll-free Canada Revenue Agency number again but said it was tough to persuade the person who answered to let him speak to a supervisor. When he finally did, he said he was asked to mail the documents back to the agency and advised he could claim the price of the postage stamp on his tax return next year.

Mr. Doiron also called as many of the people whose tax information he’d been sent as possible.

One, Sandra Ambersley of Brampton, Ont., told CTV she was very concerned about what might have happened if someone had wanted to use that information.

"I was totally shocked yesterday when I received a call from Halifax, this man saying that he’d received all my personal information," she said Wednesday.

Mr. Doiron noted that on the same online telephone directory he used to find people’s telephone numbers, there was an ad pointing to a Capital One credit card application that required only an address and a social insurance number.

He personally returned all the strangers’ documents to the Halifax office Wednesday.

Mr. Doiron said he felt he did not get a serious response from the agency until after he began contacting the media.

Jack Lee, acting director of the Nova Scotia office, called to apologize and had a copy of the notice of assessment Mr. Doiron requested sent to him. It arrived safely.

The notice had been mailed previously, but not to him.

"Mine’s out there somewhere, floating around," Mr. Doiron said. "I hope somebody threw it away."

Canada Revenue Agency spokesman Roy Jamieson said security is the No. 1 priority for the service, but mistakes happen.

"We’re certainly scrambling to try and piece together what took place," he said. "There’s quite an active and quite an intense investigation going on right now."

He said a call to a toll-free number could be answered at any one of a number of call centres across the country, depending in part on the nature of the request. A requested document could be printed at the appropriate location and mailed from there.

The agency sends about 90 million pieces of mail per year and it’s rare that something gets mixed up, he said.

"To be misdirected in the magnitude of this case, it’s certainly unusual," Mr. Jamieson said.

He said the agency will contact all of the people whose documents were involved and will keep Mr. Doiron abreast of its investigation into the mix-up.

"There’s no question that any kind of breach of security and compromising of an individual’s privacy and confidentiality is our most significant issue in this agency," Mr. Jamieson said.

Mr. Doiron has little confidence that anything will change.

"My gut feeling is, this is government, nothing’s going to happen," he said.

Update: From CTV:

Canada Revenue investigates botched mailout

The Canada Revenue Agency is scrambling to restore public trust and has launched an internal investigation after confidential information on several Canadians was sent to a Halifax-area man.

Documents that Andy Doiron of White's Lake, N.S., were mistakenly sent include social insurance numbers, income, addresses and the marital status of 10 Canadians, including some from as far west as Edmonton.

Doiron said he called most of the people to tell them what happened, and returned the documents to Revenue Canada.

With the trust of Canadians potentially on the line and tax time just around the corner, the agency is promising tough action if necessary.

Revenue Canada spokesperson Roy Jamieson called the incident a rare case of misdirected mail, but admitted somebody in the department made a mistake.

"Certainly if we identify breaches of policy process and procedure, there are disciplinary measures that can be taken and I expect they will be looked at quite seriously," he told CTV Atlantic.

Federal Minister of National Revenue Carol Skelton said she was "disturbed" by the security breach.

"The instant that I found out about it we had launched an investigation," she told CTV News in Saskatoon. "I really can't say much more about it than that. The incident is being looked into."

The agency is still trying to determine which one of five locations was responsible for the botched mail out.

David Fraser, a legal expert in security matters, told CTV Halifax that if such information were to fall in the wrong hands, it could easily be used to commit fraud.

"There really does need to be something done in order to make sure the trust is always there. Accidents happen but so often trust is won or lost in the aftermath of how they decide to deal with it," he said.

Sandra Ambersley of Brampton, Ont. was one of the people Dorion called.

"I was totally shocked when I received the call (on Tuesday) from Halifax," Ambersley told CTV Toronto.

"This man (was) telling me that he received all my personal information. As a joke he did say 'I could duplicate you right now.'"

The confusion began when Doiron called the revenue agency on Dec. 20 requesting a copy of his notice of assessment.

On Tuesday, an envelope from the agency arrived in his mailbox, containing over 30 pages of documents with all the information. His own assessment wasn't included.

Doiron said he immediately called the toll-free Canada Revenue Agency number again and he was asked to mail the documents immediately.

With a report from CTV Atlantic reporter Marc Patrone.

Labels: , , , , , ,

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs