The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Friday, February 06, 2009
I had the pleasure of speaking this morning at the Canadian Institutes 4th Annual Payment Card Compliance In Canada. I was on a panel with Art Dunfee, Director General of Investigations and Inquiries at the Office of the Privacy Commissioner of Canada and Sandy Stephens, Senior Manager, Legal CounselCapital One Canada. Sandy covered the new Do Not Call List and Art covered PIPEDA compliance and the new breach notification guidelines. I then presented on a few additional topics: (i) the effect of US breach notification laws on Canadian companies and (ii) the effect of provincial anti-USA PATRIOT Act laws on Canadian banks.
Here's my presetation if you're interested:
And if Google Documents isn't showing you the love, here it is as a PDF: Payment%20Card%20Compliance.pdf
Labels: breach notification, patriot act, piidpa, privacy
Tuesday, July 15, 2008
I received the following question the other day:
In terms of personal data that was captured by a healthcare company while a patient in Canada, and relayed to another city in Canada for analysis, further use, etc., does that patient data have to remain in Canada ? or is it allowed to traverse the US border at any time during its journey across the continent ? My concern is that communication networks don't seem to be restricted to intra-Canada operation or due to congestion or failure, most have to use large data highways that may cross over into the United States.In Canada, there are no restrictions on the export of personal information except for personal information that is subject to the Freedom of Information and Protection of Privacy Acts of Alberta, British Columbia and Nova Scotia, and the equivalent in Quebec. Each of those provinces have enacted laws in response to the USA Patriot Act. The Patriot Act gives American law enforcement with much easier access to information, including personal information. The laws in these provinces don't deal with information in transit, but talk about the storage and access to that information. For example, from Nova Scotia's PIIDPA:Under PIPEDA, is patient or personal data limited to just traverse within Canada ?
5 (1) A public body shall ensure that personal information in its custody or under its control and a service provider or associate of a service provider shall ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless...While there is no caselaw on this issue, I doubt that any of the privacy regulators of those provinces or the courts would find a contravention of this law if data packets containing personal information were routed through the United States on their way between two points in Canada. The information may be intercepted while in transit, but there users have little control over how this data travels. For example, a traceroute function from my home computer to ubc.ca shows that most of the data travels through the US:
Tracing route to ubc.ca [64.40.111.228] over a maximum of 30 hops:1 2 ms 1 ms 1 ms [REDACTED]
2 20 ms 9 ms 9 ms [REDACTED]
3 17 ms 12 ms 10 ms [REDACTED]
4 11 ms 8 ms 8 ms hlfx-br1.eastlink.ca [24.222.79.205]
5 18 ms 28 ms 18 ms te-3-1.car2.Boston1.Level3.net [4.79.2.89]
6 22 ms 19 ms 18 ms ae-2-5.bar2.Boston1.Level3.net [4.69.132.250]
7 19 ms 19 ms 22 ms ae-0-11.bar1.Boston1.Level3.net [4.69.140.89]
8 46 ms 54 ms 49 ms ae-5-5.ebr1.Chicago1.Level3.net [4.69.140.94]
9 44 ms 52 ms 39 ms ae-68.ebr3.Chicago1.Level3.net [4.69.134.58]
10 73 ms 72 ms 70 ms ae-3.ebr2.Denver1.Level3.net [4.69.132.61]
11 99 ms 90 ms 90 ms ae-2.ebr2.Seattle1.Level3.net [4.69.132.53]
12 90 ms 89 ms 89 ms ae-22-52.car2.Seattle1.Level3.net [4.68.105.35]
13 90 ms 89 ms 88 ms unknown.Level3.net [64.154.178.134]
14 93 ms 91 ms 102 ms p2-1.pr0.yvrx.hgtn.net [66.113.197.5]
15 93 ms 93 ms 91 ms r1-hgtn.netnation.com [64.40.127.254]
16 102 ms 95 ms 93 ms itservices.ubc.ca [64.40.111.228]
Trace complete.
This leads to the question of whether your information is safe from interception during transit through the US. It's really not safe from interception at any point on the internet. At each point above, the signals can be intercepted. There was recent speculation that a collaboration between AT&T the National Security Agency allowed national security organs of the US to vacuum international internet and telco traffic from at least one AT&T facility. (See: EFF's class action against AT&T.) Do they have the tools to single out particular traffic? Probably.
So what to do? If sensitive information is being transferred between two points on the internet, it should be encrypted and sent through a secure "tunnel".
Update: Added reference to Quebec statute. Thanks, commenter.
Labels: AskThePrivacyLawyer, health information, patriot act, piidpa, privacy
Sunday, June 29, 2008
Earlier this week, I co-chaired Insight Information's conference on electronic health records here in Halifax. I was very pleased to see a lot of expertise in privacy developing in Atlantic Canada, which is necessary as Nova Scotia, New Brunswick and Newfoundland move towards developing and implementing health privacy laws and as electronic health record projects are driving forward.
I gave a presentation on the mess and uncertainty related to the cross-border movement of personal health information in Canada. The complicated overlap of laws that we see in provinces such as Nova Scotia is compounded when the information is disclosed out of the province.
If you're interested, the presentation is here and can be flipped through below:
Labels: health information, patriot act, piidpa, presentations, privacy
Saturday, May 17, 2008
Over the past weeks, I've done a lot of travelling. First to Geneva and then to the US. On both occasions, I had to be very mindful of what information I have on my laptop and my USB drives, since I am subject to the Personal Information International Disclosure Protection Act.
This new law prohibits the export of personal information by Nova Scotia public bodies and their service providers. As a lawyer to a number of public bodies and an instructor at Dalhousie Law School, my laptop an blackberry are subject to those laws. Since I didn't want to go to the bother of asking the chief executive of each public body I work for wheter I had one-off permission to take their data with me (and since I wouldn't need their data on the road), I had to delete all traces of such personal information from my portable electronics. While this is a concern for public bodies in Nova Scotia and their service providers, it's also a concern for anyone who is crossing the border into the United States as increasingly customs officers are scrutinizing laptops at the border.
Bruce Schneier, who always has interesting things to say, has an article in the Guardian on how to secure your laptops if you're taking them into the US. It's a good read and probably something to bookmark to read next time you're crossing the frontier: Read me first: Taking your laptop into the US? Be sure to hide all your data first Technology The Guardian.
Labels: laptop, patriot act, piidpa, privacy, schneier
Tuesday, January 23, 2007
Nova Scotia's Personal Information International Disclosure Protection Act has kept a pretty low profile as of late, but the Halifax Chronicle Herald has devoted a quarter page in its technology supplement to the legislation. It includes a fair amount of content provided by yours truly, but may have the effect of making Nova Scotians more aware of this important development.
Click on the image to download the article in PDF format.
Labels: media-mention, nova scotia, patriot act, piidpa, privacy, vanity
Wednesday, November 15, 2006
The Governor-in-Council for Nova Scotia today proclaimed into force the new Personal Information International Disclosure Protection Act.
For more background, see
Here's the official release from the government of Nova Scotia:
News Release: Department of JusticeNovember 15, 2006 13:07
Legislation to ensure that Nova Scotians' personal information is not disclosed under the U.S. Patriot Act was proclaimed today, Nov. 15.The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure.
"This legislation will help ensure that Nova Scotians' personal information will be protected," said Justice Minister Murray Scott. "The act outlines the responsibilities of public bodies, municipalities and service providers and the consequences if these responsibilities are not fulfilled."
The act provides protection regarding storage, disclosure and access to personal information outside of Canada or in the custody or under the control of a public body or municipality.
The legislation comes into effect for government, school boards, universities, district health authorities and other public bodies today and on Nov. 15, 2007 for municipalities.
Under the act, the minister of Justice must be notified if there is a foreign demand for disclosure of any personal information of Nova Scotians. It also requires that service providers storing information only collect and use personal information necessary for their work for a public body or municipality.
The act also address whistleblower protection for employees of external service providers to ensure they are protected if they report an offense under the act. Whistleblower protection for Nova Scotia government staff already exists under the Civil Service Act.
Penalties under the act include up to $2,000 per government employee for malicious disclosure by employees of public bodies and municipalities. The act also creates offences for service providers, with penalties of up to $2,000 for employees and $500,000 for companies.
Offences relate to the improper storage, collection, use, or disclosure, failure to notify the minister of Justice of foreign disclosure demands, and improper discipline or termination of employees.
Information sessions have been held in Truro and Halifax over the past month to educate partners and stakeholders about the provisions of the act.
FOR BROADCAST USE:
New provincial legislation which will ensure that Nova Scotians' personal information is not at risk from activities under the U-S Patriot Act has been proclaimed today (November 15th).
The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure.
The act provides protection regarding storage, disclosure and access to personal information in the custody or under the control of a public body.
Labels: health information, nova scotia, outsourcing, patriot act, piidpa, privacy, public sector
Saturday, July 15, 2006
In one of the shortest sittings that I can recall, the Legislature of Nova Scotia has passed the Personal Information International Disclosure Protection Act, also known as Bill 19.
Nova Scotia Legislature - House Business - Status of BillsBill No. 19 An Act to Protect the Personal Information of Nova Scotians from Disclosure Outside Canada
Hon. Murray K. Scott Minister of Justice
First Reading June 30, 2006
Second Reading (Second Reading Debates) July 6, 2006
Law Amendments Committee July 10, 2006; July 11, 2006
Committee of the Whole House July 13, 2006
Third Reading July 14, 2006
Royal Assent July 14, 2006
I do not believe it has been proclaimed into force, so stay tuned for that part. (See update below.)
The Personal Information International Disclosure Protection Act is a response to the USA Patriot Act, specifically designed to prevent the export of personal information in the custody or control of public bodies in Nova Scotia to any other country. Though the prohibition is generic, it is clearly meant to prevent personal information from being the subject of a demand under the USA Patriot Act. It is also subject to the individual's consent, meaning that the prohibition does not apply if the individual data subject has identified the information and has specifically consented to the export of his or her information.
The Act is binding on all public bodies, their employees and specifically their service providers.
The Act requires that all public bodies ensure that all personal information in its custody or control is kept in Canada and is accessed only in Canada, unless the head of that public body has determined that storage or access outside of Canada is necessary for the public body's operations. If the head so determines, he or she has to notify the Minister of Justice for the province within ninety days of the end of the year.
The Act also contains a requirement that the Minister of Justice be notified forthwith of any "foreign demand for disclosure" or of any request that may be such a demand. The notice has to include the following:
as known or suspected,(a) the nature of the foreign demand for disclosure;(b) who made the foreign demand for disclosure;
(c) when the foreign demand for disclosure was received; and
(d) what information was sought by or disclosed in response to the foreign demand for disclosure.
It is an offence to disclose any personal information except in compliance with the Act and it contains specific penalties for public bodies, employees and service providers. Public sector employees may be subject to a fine of up to $2000 and imprisonment for six months. Corporate service providers may be subject to a fine of up to $500,000.
Interestingly, the Act grandfathers in contracts already entered into with service providers, but public bodies are expected to use all reasonable efforts to come into compliance with the new disclosure rules as soon as reasonably possible.
Nova Scotia is now the third Canadian province to enact such legislation, after British Columbia and Alberta.
Probably the most unmanageable portion of the Act deals with temporary exports. These are permitted (for example, in an employee's blackberry or on their laptop), but only with the permission of the head of the public body. This will be very difficult to administer because virtually every public sector employee's cell phone, laptop or briefcase contains information that is considered to be "personal information" under the statute. Every public sector employee who goes to a conference with her laptop will need the permission of the minister or university president or crown corporation president. However, given the rash of laptop thefts as of late, it may be a good thing to make public bodies think much more carefully about how information is carried around.
Interestingly, the Act is not an amendment to the Freedom of Information and Protection of Privacy Act which generally governs the collection, use and disclosure of personal information by public bodies. It is a stand-alone statute, unlike the way this was done in Alberta and BC.
For some background, see:
Update (20060717): The Bill has received Royal Assent, but is has not yet been proclaimed into force. (I've added the bold bit in the table above.)
Labels: alberta, bc, laptop, nova scotia, outsourcing, patriot act, piidpa, privacy, public sector
Tuesday, July 11, 2006
After a brief recess for an election, the Nova Scotia House of Assembly is back with a new session but a boatload of bills that fell off the order paper. Among them is (newly renumbered) Bill 19, the Personal Information International Disclosure Protection Act, which I blogged about earlier.
The Bill was reintroduced on June 30 and received second reading on July 6, 2006. It is now headed to committe for consideration, with what appears to be the approval of all three parties.
Here is the Minister of Justice making the motion for second reading and the response from the opposition parties:
Handsard - July 6, 2006, p. 314MR. SPEAKER: The honourable Minister of Justice.
HON. MURRAY SCOTT: Mr. Speaker, this legislation will strengthen protections against the disclosure of Nova Scotians' personal information, under the U.S. Patriot Act. The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure. We know that the U.S. security legislation has caused concerns about the American Government's ability to access personal information of Nova Scotians, held outside of Canada. This legislation clearly outlines responsibilities of public bodies, municipalities and technology service providers and the consequences if these responsibilities are not fulfilled.
Under the bill, the Minister of Justice must be notified if there is a foreign demand for disclosure of any personal information of Nova Scotians. The bill also requires that service providers storing information only collect and use personal information for the purposes of their work, for a public body or a municipality. In order for these measures to be successful, staff must be sure they will be protected if they come forward to report wrongdoing, under this bill. To that end, the bill will also provide whistle-blower protection for employees of external service providers to ensure they are protected if they report an offence under the bill. Whistle-blower protection for Nova Scotia Government staff already exists under the Civil Service Act.
Mr. Speaker, penalties under the Act include a fine of up to $2,000, or six months of imprisonment for malicious disclosure by employees of public bodies and municipalities. The Act also creates offences for service providers with penalties of up to $2,000 for employees and $500,000 for companies. Under this bill, these penalties will become part of any new contract. At the same time, we are working to strengthen our existing contracts with current service providers.
Mr. Speaker, this is a serious issue and this bill will help ensure that the privacy of Nova Scotians' information continues to be protected. With those few comments, I move second reading of Bill No. 19. Thank you.
MR. SPEAKER: The honourable member for Cole Harbour-Eastern Passage.
MR. KEVIN DEVEAUX: Mr. Speaker, Bill No. 19 is a bill that the NDP has been pressuring the government to pass for, I guess, two years. This is a bill that two years ago when the NDP discovered, I think it happened in British Columbia originally where the Privacy Commissioner - where they actually have a Privacy Commissioner, I may note, for the record - noticed that under the Patriot Act in the United States, an American investigating body, FBI, CIA, National Security Agency, what have you, under the Patriot Act, if there are records held
[Page 315]
by an American corporation or its subsidiary, in another country, that those organizations can go in and access those records; it may even be without a subpoena, but there's probably very little judicial review, but under the Patriot Act they have access to that information.
So, for example, in Nova Scotia, if our government contracts out the maintenance of the data for people who are on social assistance, or motor vehicle records, that information is handed over to an American corporation to manage that data, that maybe even a subsidiary of that company in this province or in Canada, the American authorities would have access to that. That is a concern, one that British Columbia addressed a while back and it's one that I know that this province, for two years we've asked this government to do this, it's one that we have introduced legislation on and it's one that we're now glad to see the government also understands, finally, that what the NDP was asking for is something we need to do.
It is abhorrent that even for two years we allowed this province to farm out information that could easily be accessed under the Patriot Act. Now even more, we've heard recently how the American authorities have been poring over telephone records, have been monitoring telephone calls. In this age in which - if you want to call it Neo-McCarthyism, in many ways - it's very important that we have an opportunity to ensure that the information in the private information and data of Nova Scotians is protected.
Now, someone raised this with me when the bill was first introduced back in the Spring, before the election, Mr. Speaker. At that time, we had an opportunity - it was asked, well, what's a $2,000 fine going to do? They're probably right. To be frank, the fines in this legislation are not punitive, are not a form that is going to look at these findings and say to themselves wow, do we pay a $2,000 fine and give them information to the FBI or do we say under this act we can't?
The real punitive measure in this is that the contract can be cancelled immediately if there's a violation, that is important. I suspect if we're talking about a long-term contract of maintaining data, I would suggest to you that it would result in that company having to think long and hard about having that contract ripped up and voided. That's the kind of punitive measure we can put in. I would also suggest to the government, for the record, that if they want to avoid this from happening it can easily be done by ensuring that the maintenance of that information remains in house within the government and isn't contracted out. When you contract it out then the opportunity arises.
Mr. Speaker, these are things that can be done, I'm glad to see this legislation coming forward, I'm glad to see the Tory government finally agreeing with us. I will note for the record that the minister's comments that there is a whistle-blower protection in the Civil Service Act is not correct. I would suggest to you that the regulations that were passed about a year ago, a year and a half ago in regard to whistle-blower, do not provide any protection for civil servants. Frankly, they only require them to basically have to report their problems higher up and God knows what will happen after that happens. I would suggest to you that this legislation is the
[Page 316]
first step, it's a good step, the NDP has asked for this for two years, we're glad to see this legislation coming forward, we're glad to see it go to the Law Amendments Committee and we're hopeful we can get it passed in this session. Thank you.
MR. SPEAKER: The honourable member for Cape Breton South.
MR. MANNING MACDONALD: Mr. Speaker, on behalf of our Leader and our Justice Critic, I stand in my place this evening and say that we too will be supporting Bill No. 19 as it moves through the House. I want to commend the minister for bringing this bill forward this evening. I believe that it's an important protection for Nova Scotians and I think all Parties in this House realize that this is a bill, as the NDP House Leader states, that may be able to be improved on over time. Certainly it's a first step to have it here and hopefully it will meet with a smooth passage throughout the Law Amendments Committee and on to third reading. Thank you.
MR. SPEAKER: If I recognize the honourable minister it will be to close the debate.
The honourable Minister of Justice.
HON. MURRAY SCOTT: Mr. Speaker, I'd like to thank the Leader of the Opposition and also the House Leader for the Liberal Party for their support of this government bill. We can stand in the House and we can all take credit for good things that have happened here. This is an initiative of government and over the next coming weeks there's going to be a pattern formed here that this government is intent on increasing the penalties and supporting the laws in this province, bringing new legislation such as this, that will make our province as safe as we possible can, and that's what Nova Scotians want.
Mr. Speaker, this is a good bill that goes a long way to doing that and with that I move to close debate on second reading of Bill No. 19.
MR. SPEAKER: The motion is for second reading of Bill No. 19. Would all those in favour of the motion please say Aye. Contrary minded, Nay.
The motion is carried.
Ordered that this bill be referred to the Committee on Law Amendments.
(See: Nova Scotia introduces amendments to thwart USA Patriot Act, Bill 16: The Personal Information International Disclosure Protection Act (Nova Scotia), Nova Scotia's Personal Information International Disclosure Protection Act to die on the order paper.)
Labels: bc, law enforcement, nova scotia, outsourcing, patriot act, piidpa, privacy, public sector
Friday, May 12, 2006
Nova Scotia's proposed Personal Information International Disclosure Protection Act is set to die on the order paper as the new Premier is expected to ask the Lieutenant Governor of Nova Scotia to disband the legislature and call an election for June 13.
For coverage of the imminent election call, see: The ChronicleHerald.ca: Premier poised for June vote: Election announcement "matter of hours now,’ Tory source says
For more on Bill 16, see The Canadian Privacy Law Blog: Bill 16: The Personal Information International Disclosure Protection Act (Nova Scotia) and The Canadian Privacy Law Blog: Nova Scotia introduces amendments to thwart USA Patriot Act.
Labels: information breaches, nova scotia, outsourcing, patriot act, piidpa, public sector
Monday, May 08, 2006
Bill 16, the proposed Personal Information International Disclosure Protection Act (Nova Scotia) was introduced in the Nova Scotia legislature last week, but the full text hasn't appeared yet on the legislature's website. For those who are too impatient to wait, here is a pdf copy of Bill 16: http://www.privacylawyer.ca/Bill_16_PIIDPA.pdf. I tried to OCR it for posting the text, but the quality of the fax isn't that great.
Update (20060508): The text of the bill is now online at the official Nova Scotia government legislature site here.
Labels: information breaches, nova scotia, outsourcing, patriot act, piidpa, public sector
Saturday, May 06, 2006
Yesterday, in the second day of the spring sitting of the provincial legislature, Nova Scotia's Justice Minister, Murray Scott, tabled Bill No. 16 - Entitled an Act to Protect the Personal Information of Nova Scotians from Disclosure Outside Canada. (Hon. Murray Scott), (the full text is not yet available online). It will amend the Freedom of Information and Protection of Privacy Act to address the perceived threat to privacy posed by the USA Patriot Act if the processing or storage of personal information is outsourced by Nova Scotia public bodies to companies operating in the US (or US companies operating in Canada).
The appearance of the bill was foreshadowed by consultations among public bodies and IT service providers (see: The Canadian Privacy Law Blog: Nova Scotia consultations on Patriot Act amendments to FOIPOP).
Here's the press release from the Nova Scotia government:
News Release: Department of Justice:"New Legislation to Protect Privacy
Department of Justice
May 5, 2006 11:15
New provincial legislation will better ensure that Nova Scotians' personal information is not disclosed under the U.S. Patriot Act.
The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure.
"We know that American security legislation has led to concerns about the ability to access personal information of Nova Scotians held outside Canada," said Murray Scott, Minister of Justice. "This legislation clearly outlines the responsibilities of public bodies, municipalities and technology service providers, and the consequences if they are not fulfilled."
The act provides protection regarding storage, disclosure and access to personal information outside of Canada in the custody or under the control of a public body or municipality.
Under the act, the minister of Justice must be notified if there is a foreign demand for disclosure of any personal information of Nova Scotians. It also requires that service providers storing information only collect and use personal information necessary for their work for a public body or municipality.
The act also address "whistleblower" protection for employees of external service providers to ensure they are protected if they report an offense under the act. Whistleblower protection for Nova Scotia government staff already exists under the Civil Service Act.
"In order for these measures to be successful, staff must be sure they will be protected if they come forward to report wrongdoing under this act," said Mr. Scott.
Penalties under the act include up to $2,000 per government employee for malicious disclosure by employees of public bodies and municipalities. The act also creates offences for service providers, with penalties of up to $2,000 for employees and $500,000 for companies.
Offences relate to the improper storage, collection, use, or disclosure, failure to notify the minister of Justice of foreign disclosure demands, and improper discipline or termination of employees.
"We are putting in place serious and significant penalties to protect the privacy of Nova Scotians," said Mr. Scott.
The minister also announced that the Wills Act is being amended. Updates will bring it more in line with other Canadian jurisdictions. The amendments respond to recommendations of the Law Reform Commission and will make it easier for people to ensure their final wishes are fulfilled by clarifying the effect divorces have on wills and the distribution of property in Nova Scotia under wills made outside the province. It will also permit handwritten wills.
The province is also introducing a number of housekeeping amendments under the Justice Administration Act.
FOR BROADCAST USE:
Justice Minister Murray Scott has introduced new provincial legislation that will help ensure Nova Scotians' personal information is not at risk from activities under the U.S. Patriot Act.
The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure.
The act provides protection regarding storage, disclosure and access to personal information in the custody or under the control of a public body or municipality.
-30-
I'll definitely have more to say about this once I've had a chance to review Bill 16 in some detail.
Labels: information breaches, nova scotia, outsourcing, patriot act, piidpa, public sector
Tuesday, March 21, 2006
The Nova Scotia Department of Justice is hosting an information gathering and consulation session about potential amendments to the Nova Scotia Freedom of Information and Protection of Privacy Act to address concerns raised by the USA Patriot Act. The session is open to companies that operate in the ICT sector in Nova Scotia and provide services to public bodies.
Passed by the United States Congress in the wake of the terrorist attacks of September 11, 2001, the USA Patriot Act significantly expands law enforcement and intelligence access to personal information. The Act requires companies to provide certain information to law enforcement upon request – in some cases without a warrant or court order – and prohibits the company from telling anyone that the information was requested.
Though this is a US law, these powers would apply to information about Canadians that is being processed in the United States and likely applies to information about Canadians being processed by US companies in Canada.
The British Columbia government has amended its public sector privacy law and the government of Nova Scotia is contemplating doing the same. Amendments to Nova Scotia’s privacy law would affect companies that provide services to Nova Scotia public bodies, including the government, municipalities, hospitals, universities and colleges.
All affected companies are invited to an information session with the Nova Scotia Department of Justice on Friday, March 31, 2006 at 2:00 p.m. in the Commonwealth B Room at the Westin Hotel in Halifax. To expedite arrangements for seating and refreshments, please RSVP by e-mailing Ms. Dominika Thompson at thompsdd@gov.ns.ca, or by phoning 424-5585 before Tuesday, March 28, 2006.
Note: Updated 20060323 to clarify the intended audience and invitees of the session.
Labels: bc, british columbia, information breaches, nova scotia, outsourcing, patriot act, piidpa, public sector
Wednesday, January 11, 2006
The Nova Scotia Auditor General released his report for 2005 in December. The fourth chapter is entitled Electronic Information Security and Privacy Protection.
In his report, he reviews the privacy and information security practices of a number of departments, including Justice and Community Services. He also touches upon the USA Patriot Act and its possible impact on the personal information of Nova Scotians. Data processing and information storage services for the province are provided by wholly-owned subsidiaries of American companies, which are undoubtedly subject to American laws. The province has carried out a study of the situation, but refused to provide it to the Auditor General, citing solicitor-client and cabinet privilege. In an interview by the Canadian Press, the provincial Minister of Justice hinted that Nova Scotia will be introducing a law in the spring sitting of the Legislature to mirror that passed by British Columbia to better protect personal information from being disclosed to foreign law enforcement.
Read the CP article here: N.S. auditor concerned citizens information could be leaked to U.S. agencies - Yahoo! News.
Labels: bc, british columbia, information breaches, nova scotia, outsourcing, patriot act, piidpa, public sector
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.