The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Tuesday, November 17, 2009

Commissioner tables annual Privacy Act Report for 2008-2009 

The Privacy Commissioner of Canada has tabled her annual report on the public sector privacy law, the Privacy Act: Annual Report to Parliament 2008-2009 - Report on the Privacy Act.

At the same time, she has also tabled additional privacy audits, related to FINTRAC and the Canadian no-fly list:

Here's the media release that accompanied the tabling of the reports:

Audits of major national security programs raise concerns for privacy

Excessive reporting of personal information to FINTRAC and potential information technology risks with Canada’s “no-fly list” are among concerns identified in audits highlighted in the Privacy Commissioner’s annual report on public sector issues.

OTTAWA, November 17, 2009 — The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has more personal information in its database than it needs, uses or has the legislative authority to receive.

This was one of the key findings of the Privacy Commissioner of Canada’s in-depth audit of the independent agency mandated to analyze financial transactions and identify suspected money laundering and terrorist financing in Canada.

A separate audit, also published today, examined the Passenger Protect Program – better-known to Canadians as the no-fly list. It identified several concerns, such as the fact that the Deputy Minister ultimately in charge of who is on the list was not provided with complete information to allow for informed decision-making.

“Since the terrorist attacks of 9/11, we’ve seen a proliferation of new national security programs. We fully appreciate the underlying aim of many security programs – protecting Canadians. However, it is critical – a point reinforced by our new audits – for government officials to integrate privacy protections into all of these programs at the outset,” says Privacy Commissioner Jennifer Stoddart.

The findings of the two audits are highlighted in the Commissioner’s 2008-2009 report to Parliament on Canada’s federal public-sector privacy legislation, the Privacy Act.

FINTRAC Audit

Legislative changes passed in 2006 expanded the types of transactions that must be reported to FINTRAC, as well as the number of professionals and organizations that are required to collect information about clients and to report it to FINTRAC. Examples of entities required to report to FINTRAC include financial institutions, life insurance companies, accountants and casinos.

The audit found that FINTRAC needs to do more to ensure that the amount of personal information it acquires is kept to an absolute minimum. A random sample of files examined in the audit turned up several reports that did not clearly demonstrate reasonable grounds to suspect money laundering or terrorist financing. For example:

  • A reporting entity filed several reports stating it was “taking a conservative approach in reporting this … because there are no grounds for suspecting that this transaction is related to the commission of a money laundering offence, but there is a lack of evidence to prove that the transaction is legitimate.”
  • An individual deposited a government cheque for an amount less than $300 and then withdrew the entire amount. The financial institution filed a suspicious-transaction report, but did not indicate why the transaction was deemed suspicious.
  • A financial institution filed a report about an individual who had deposited a cheque from a law firm. The institution was satisfied that the individual had provided legitimate reasons for the source of funds, but decided to notify FINTRAC anyway because of the individual’s ethnic origin and the fact that this person had visited a particular country.

“It is clear that such reports, containing not a shred of evidence of money laundering and terrorist financing, should not be making their way into the FINTRAC database,” says Commissioner Stoddart.

“It is a bedrock privacy principle that you collect only the personal information you need for a specific purpose,” she says. “The federal government needs to have a justifiable need to collect someone’s personal information. Clearly, FINTRAC needs to do more work with organizations to ensure it does not acquire personal information that it has no legislative authority to receive – and that it does not need or use.”

The audit recommended enhanced front-end screening of reports; stronger ongoing monitoring and review to ensure that information holdings are relevant and not excessive, and the permanent deletion of information that FINTRAC did not have the statutory authority to receive.

Under amendments passed in 2006, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act requires the Privacy Commissioner to review FINTRAC every two years and report the results to Parliament.

Passenger Protect Program Audit

The “no-fly list” is a passenger screening tool introduced in 2007 to prevent people named on a “specified persons list” from boarding domestic and international flights from or to Canadian airports.

The program has sparked privacy concerns, in part because it is secretive in that it uses personal information without the knowledge of the individuals concerned. Moreover, the repercussions for a person named on the list being denied boarding on an aircraft can be profound in terms of privacy and other human rights, such as freedom of association and expression and the right to mobility.

The focus of the audit, however, was to determine whether the program has adequate controls and safeguards in place to protect personal information.

“We were concerned to learn that officials did not always provide the Deputy Minister – who is ultimately responsible for adding to or removing people’s names from the ‘specified persons’ list – all the information needed to make these sorts of decisions,” says Assistant Privacy Commissioner Chantal Bernier.

Other concerns identified during the audit included:

  • Transport Canada has not verified that airlines are complying with federal regulations related to the handling and safeguarding of the “specified persons list.” The risk of this information being inappropriately disclosed is particularly high for the small number of air carriers that rely on paper copies of the list.
  • There were no requirements that air carriers report to Transport Canada security breaches involving personal information related to the no-fly list.
  • Transport Canada did not demonstrate that the application used to transmit information to air carriers met government security standards.

The Passenger Protect Program and the FINTRAC audits, as well as the latest Privacy Act annual report, are available at http://www.priv.gc.ca/.

The annual report also includes details of privacy-related complaints against federal departments and agencies investigated during the 2008-2009 fiscal year. The Office received 748 formal complaints in 2008-2009, down slightly from the previous year. The most common complaints related to access to personal information and to the length of time government departments and agencies were taking to respond to access requests.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.


Friday, June 12, 2009

Privacy Act report released by parliamentary committee 

The Parliamentary Standing Committee on Access to Information, Privacy and Ethics has released its long-awaited report on proposed reforms to the Privacy Act. I appeared before the committee on behalf of the Canadian Bar Association and was pleased to see that many of our recommendations to the Committee are also recommendations made by the Committee to the government.

The report is available here.


Wednesday, September 10, 2008

Nova Scotia introduces and then drops intrusive licence renewal form 

Earlier today, the Nova Scotia government came under fire for introducing a new form for driver's licence renewals that asked applicants to say whether they had any kind of mental illness. (Critics: Don’t tie driver’s licence renewal to psychiatric history) Too much information, I say. So says the FOIPOP Review Officer, Dulcie McCallum.

Apparently anyone who checks off affirmatively will be required to provide a medical report detailing their mental illnesses, which may be referred to a medical panel to determine fitness to drive.

The question is so broad that it would capture loads of irrelevant information, including a bout of post-partum depression twenty years previously. Of course, many people will lie to keep their licences.

The form was introduced to replace a form that many called confusing.

What's most interesting is that the government promptly pulled the form and went back to the old one.

Backlash forces N.S. to drop new driver's licence form

“They should not be collecting personal information on this basis,” Dulcie McCallum, the province’s Freedom of Information and Protection of Privacy review officer, said.

“It’s completely unnecessary.”

That kind of information has historically been used against people, she said.

“It goes kind of to the heart of things that are most intimate and that people want most protected,” Ms. McCallum said. “You can’t make any assumptions about people. You can’t have a policy that automatically creates a different standard for people.

“There’s no evidence to support that somehow psychiatric challenges make you more or less of a bad driver.”

It would be more appropriate to ask if people were taking any prescription medication that could affect their driving, she said.

“That doesn’t connect it to any particular illness or disability or historically disadvantaged group and it may be a bona fide question,” she said.

David Fraser, a Halifax lawyer who specializes in privacy law, said the province deserves credit for acting quickly to fix its error but questioned whether reverting to the old form would solve the problem.

“It sounds to me like an interesting response,” he said. “I’m not sure if it’s to everybody’s benefit if they’re going back to a form that had previously been confusing.”


Wednesday, August 06, 2008

Who do our privacy laws protect? 

I was interviewed by a New Brunswick journalist last week who was writing an article on how privacy laws can be used in a knee-jerk way to limit access to government information. The article, I expect, is a reaction to a number of stories out of NB where reporters were given the excuse of privacy laws to limit their access to information about potential high-risk offenders, the investigation of a motor vehicle accident that claimed a number of lives and public sector salaries.

Here is the bit that I contributed:

nbbusinessjournal.com - Who do our privacy laws protect?

Governments must protect citizens' public information [note: I'm sure I said "private information"] while still being accountable and transparent to the public, said David Fraser, a privacy lawyer with the Atlantic Canadian law firm McInnes-Cooper.

For example, the expenses for a cabinet minister's trip to Europe would likely be made public. However, a doctor's billing records, which would essentially reveal their salary, are only made available in some provinces, he said.

And although some form of privacy legislation has existed federally for quite some time, that doesn't mean the laws regulate every activity on the internet.

"It regulates commercial activities. So it says what information your bank can ask about you and what it can do with it, or your local video store," said Fraser. "But if an individual takes a picture of another person on their camera phone in embarrassing circumstances and then they post it on the Internet that's a personal use, not a commercial use, so that's not caught by that law."

There are some circumstances where personal information can be released. For example, if an individual gives consent.

As well, personal information can be disclosed if it's deemed to be for the greater good of the public.

"I think people, just as a knee-jerk reaction, they say no - it's personal information," said Fraser.


Tuesday, April 29, 2008

If you handle personal information, you'd better know the exceptions in privacy laws 

If you handle personal information and only read one privacy law article, this one should be it:

Far too often, bureaucrats, cops and others use poorly understood privacy laws as a justification for inaction. Maybe it's just that they don't fully understand the myriad rules and the multiplicity of exceptions.

Privacy laws are complicated and are not well understood, even by people whose day-to-day operations are affected by them. But they are generally sensible and coherent. And -- believe it or not -- they are laced with common sense.

I've had the opportunity to look at every privacy law in Canada and I don't think I've seen one that does not have a public interest override. A public body, in the public sector context, can disclose personal information without consent if it is in the public interest to do so. There are often other exceptions from the general rule that requires consent.

Some may recall the aftermath of the south Asian tsunami where the federal government said they couldn't name victims or survivors because of the Privacy Act. The Privacy Commissioner and others were pretty quick to point out s. 8 of the Privacy Act, which allows the government to disclose personal information where it is in the public interest:

8(2) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed
...

(m) for any purpose where, in the opinion of the head of the institution,

(i) the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or

(ii) disclosure would clearly benefit the individual to whom the information relates.

(I wrote about it on this blog at the time: Editorial urges that naming Canadian tsunami victims is in the public interest & Fallout from naming/not naming Canadian victims)

I was recently reminded of this in a discussion about the failure of the police in Merritt BC to identify a suspect on the lam after a family was found murdered. Police blamed privacy laws. (RCMP grilled for delay in alerting town over suspect) The National Post Editorial Board called them out on the misstep:

The Post editorial board on the Allan Schoenborn case: The RCMP's high-profile failure - Full Comment

...Two days later, Ms. Clarke returned from errands to find her children murdered, and their father vanished along with his dog. The RCMP, confronted with a gruesome spectacle that may have resulted from their failed efforts to get Schoenborn under lock and key, took nearly a full day to announce to the public in Merritt that he was the prime suspect in the killings. Their excuse? "Due to privacy concerns," said RCMP Staff Sergeant Scott Tod, "we had to make sure that we had information that this was the suspect before we released his name."

"Privacy" is a popular item these days in the lexicon of justice, as it is used by the Mounties. No act of ineptitude in communicating with the public can possibly escape its reassuring cover, even though every privacy law or code written down anywhere in the last 50 years contains public-interest exemptions.

Most recently, a university in Ontario has been called to account for not notifying the parents of a mentally ill student who subsequently committed suicide. Privacy laws were pointed to as preventing such action. Ann Cavoukian and her counterparts have reminded universities that these laws are easy scapegoats, but without exception contain provisions that allow privacy rights to be overridden in certain circumstances.

Universities grapple with providing health services, protecting privacy

...University officials say they followed procedures and couldn't tell Kajouji's parents about her mental health because of the province's privacy law. They also indicated universities that don't respect the privacy of their students' health information risk driving students away from the very services designed to help them.

Ontario's privacy commissioner, Ann Cavoukian, and several of her counterparts in other provinces, say universities need to have a clearer understanding of what privacy laws allow and they cautioned that too often privacy laws are the automatic target of blame when controversy arises.

Cavoukian's office provided a fact sheet several years ago to universities explaining the law allows them to disclose personal health information in "compelling circumstances" and if they believe on reasonable grounds it would eliminate or reduce the risk of bodily harm.

Determining whether a situation warrants disclosure is a judgment call, Cavoukian said in an interview, though the law affords protection to the decision-maker as long as he or she acted in good faith.

"If you are a health-care practitioner or a university professional and you have information relating to a student that is considering suicide and you fear for that person and want to reduce the risk of suicide, absolutely you are allowed to release that information," she said. "It's not an easy decision but it is one that is permitted under our privacy laws and I'm sick and tired of people saying that it's the privacy laws that prevented the counsellors from contacting the girl's parents. That's incorrect," she said.

... Suzanne Blanchard, vice-president for student support services, said in an e-mail message the university has specific procedures to deal with students who are in "imminent danger of doing harm to themselves or others."

"Carleton University has reviewed its actions in the aftermath of Nadia's tragic death. We believe that we followed all proper procedures and provided all the support services we could for Nadia," she said. "Carleton University is always diligent in its compliance with Ontario's privacy laws and we believe that we acted, and continue to act, in accordance with those laws."

Cavoukian said some universities take their obligations under the privacy law seriously, but there is still a lot of confusion. She plans to convene a meeting with the Council of Ontario Universities in an attempt to clarify any lingering questions.

Saskatchewan's privacy commissioner agreed there is a "significant need for more education" about the flexibility that is built into privacy laws.

"Sometimes you have people who don't want to do the wrong thing and so therefore you get a kind of paralysis and they don't share information even when the law allows them to and it's appropriate to do so," said Gary Dickson.

Dickson said Kajouji's death, while tragic, provides incentive for universities to ensure they are prepared to deal with students' mental health issues and with situations where informing the parents is up for debate. "Decisions will have to be made and then there have to be people with the appropriate training and judgment who can then make that discretionary decision," he said.

Frank Work, Alberta's privacy commissioner, said it has to be kept in mind Kajouji was an adult and the university may have felt her situation was under control. All the law asks is that a standard of reasonableness be applied, said Work.

"I think it's true in just about every privacy law, the standard is always reasonableness, not perfection," he said.

People will disagree on whether Carleton made the right decision, but one thing the privacy commissioners all agree on is the decision needs to be given due consideration.

"The worst case scenario is if it's just neglect. They saw the bus coming and they didn't yell: 'Get out of the way.' We don't know here. Hopefully in this case they made a judgment call," said Work.

Ontario's commissioner similarly said university officials have to take the time to make the difficult determination and should not rely on privacy laws as the default reason for not disclosing personal information.

"I would urge people to resist the knee-jerk reaction of automatically blaming privacy laws," Cavoukian said.

Here is the moral of this story: Whenever common sense or humanity seem to bump up against privacy laws, take a close look at the law and its exceptions. You will probably find that the drafters have designed the laws to accommodate common sense and humanity.


Monday, March 03, 2008

Ontario Commissioner releases detailed report on TTC surveillance cameras 

The Information and Privacy Commissioner of Ontario has released an extensive report on the use of video surveillance by the Toronto Transit Commission. The report can be found here: Privacy and Video Surveillance in Mass Transit Systems: A Special Investigation Report - Privacy Investigation Report MC07-68.

From the media release:

TTC’s surveillance cameras comply with privacy Act, but additional steps needed to enhance privacy protection, says Privacy Commissioner Ann Cavoukian

TORONTO – Ontario Information and Privacy Commissioner Ann Cavoukian ruled today that the Toronto Transit System’s expansion of its video surveillance system, for the purposes of public safety and security, is in compliance with Ontario’s Municipal Freedom of Information and Protection of Privacy Act – but she is calling on the TTC to undertake a number of specific steps to enhance privacy protection.

The Commissioner’s office conducted a four-month special investigation that went beyond the scope of the usual privacy investigation conducted in that it included:

  • A detailed review of the literature and analysis from various parts of the world on the effectiveness of video surveillance;
  • An examination of the role that privacy-enhancing technologies can play in mitigating the privacy-invasive nature of video surveillance cameras; and
  • A detailed investigation into a privacy complaint by U.K.-based Privacy International about the expansion of the TTC’s video surveillance system.

“Video surveillance presents a difficult subject matter for privacy officials to grapple with impartially because, on its face, it is inherently privacy-invasive due to the potential for data capture – despite that fact, there are legitimate uses for video surveillance … that render it in compliance with our privacy laws,” said the Commissioner. “Mass transit systems like the TTC, that are required to move large volumes of people, in confined spaces, on a daily basis, give rise to unique safety and security issues for the general public and operators of the system.”

“The challenge we thus face is to rein in, as tightly as possible, any potential for the unauthorized deployment of the system. We have attempted to do this by ensuring that strong controls are in place with respect to its governance (policy/procedures), oversight (independent audit, reportable to my office) and, the most promising long-term measure, the introduction of innovative privacy-enhancing technologies to effectively eliminate unauthorized access or use of any personal information obtained.”

While the expectation of privacy in public places is not the same as in private places, it does not disappear. People have the right, the Commissioner stresses in her report, to expect the following when it comes to video surveillance:

  • That their personal information will only be collected for legitimate, limited and specific purposes;
  • That the collection will be limited to the minimum necessary for the specified purposes; and
  • That their personal information will only be used and disclosed for the specified purposes.

“These general principles,” said Commissioner Cavoukian, “should apply to all video surveillance systems. Where developments such as video surveillance in mass transit systems, like the TTC, can be shown to be needed for public safety, you must also ensure that threats to privacy are kept to an absolute minimum.”

Among the 13 recommendations the Commissioner is making to the TTC are the following:

  • That the TTC reduce its retention period for video surveillance images from a maximum of seven days to a maximum of 72 hours (the same standard as the Toronto Police), unless required for an investigation;
  • That the TTC’s video surveillance policy should specifically state that the annual audit must be thorough, comprehensive, and must test all program areas of the TTC employing video surveillance to ensure compliance with the policy and the written procedures. The initial audit should be conducted by an independent third party using Generally Accepted Privacy Principles, and should include an assessment of the extent to which the TTC has complied with the recommendations made in this special report;
  • That the TTC should select a location to evaluate the privacy-enhancing video surveillance technology developed by University of Toronto researchers, K. Martin and K. Plataniotis; and
  • That, prior to providing the police with direct remote access to the video surveillance images, the TTC should amend the draft memorandum of understanding (MOU) with the Toronto Police to require that the logs of disclosures be subjected to regular audits, conducted on behalf of the TTC. A copy of the revised draft MOU should be provided to the Commissioner prior to signing.

EMERGING PRIVACY-ENHANCING TECHNOLOGY

The Commissioner devotes part of her 50-page special report, and a specific recommendation, to the area of emerging privacy-enhancing video surveillance technology.

“In light of the growth of surveillance technologies, not to mention the proliferation of biometrics and sensoring devices, the future of privacy may well lie in ensuring that the necessary protections are built right into their design,” said the Commissioner. “Privacy by design may be our ultimate protection in the future, promising a positive sum paradigm instead of the unlikely obliteration of a given technology.”

As an example of the research being conducted into privacy-enhancing technologies, the Commissioner cites the work of researchers Karl Martin and Kostas Plataniotis at the University of Toronto, who used cryptographic techniques to develop a secure object-based coding approach. While the background image captured by a surveillance camera can be viewed, the sections where individuals are caught in the image would automatically be encrypted by the software. Designated staff could monitor the footage for unauthorized activity, but would not be able to identify anyone. Only a limited number of designated officials with the correct encryption key could view the full image.

The Commissioner is recommending that the TTC select a location to evaluate the video surveillance technology developed by Martin and Plataniotis.

A copy of the special report is available on the IPC’s website, www.ipc.on.ca.


Wednesday, September 12, 2007

Ontario Commissioner issues unprecedented order against used goods vendors databases 

In an apparently unprecedented move, the Information and Privacy Commissioner for Ontario, Ann Cavoukian, has issued a cease and desist order and an order to destroy personal information related to the collection of personal information from people who sell second hand goods to resellers. This follows a battle in the Ontario courts, where the Commissioner's position was ultimately upheld by the Court of Appeal (See: Canadian Privacy Law Blog: Oshawa second-hand store bylaw invades privacy). For more info from the Commissioner's office, see: Privacy Commissioner Ann Cavoukian issues seminal Order to cease collecting detailed personal information from individuals selling used goods, and to destroy all existing records.

I think this is a very important move on the part of the Commissioner.

We are seeing a growing trend in Canada that forces some serious thought about privacy. Private businesses are increasingly being conscripted to collect information on behalf of law enforcement or for law enforcement purposes. For example, money laundering legislation, no-fly lists operated by airlines, "lawful access" and databases of used goods sellers. Meanwhile, the Privacy Commissioners and privacy advocates are taking a stronger stand against this. We've seen various statements and submissions to legislative committees, unanimous declarations against the no-fly list and now the exercise of dramatic coercive powers. It will be very interesting to see how this all plays out.


Monday, September 03, 2007

BC Commissioner: Student records can be shared to protect public safety 

Probably not a surprise for those who regularly work with the provincial public sector privacy laws in Canada, which usually contain a public interest and "health and safety" override:

Records of troubled B.C. students can be shared: privacy commissioner

Universities in British Columbia can share confidential medical records about troubled students if there's a perceived threat to public safety, the province's privacy commissioner says.

Responding to a U.S. government report issued June 13 on the April 16 massacre at Virginia Tech that left 33 people dead — including the student who fired the gun — David Loukidelis said a university student's confidential medical records can be shared — regardless of the student's age.

"The laws in B.C. fully enable university and college officials to take steps to protect individual and indeed public safety," Loukidelis told CBC News on Monday.

The U.S. report says schools, doctors and police often do not share information about potentially dangerous students because they can't figure out complicated and overlapping privacy laws.

Loukidelis said there's a long list of exemptions in B.C.'s privacy laws that allow a student's private information to be shared for the good of public safety.

Tim Rahilly, senior director of student and community life at Simon Fraser University in Vancouver, said he often noticed the beginning of problems with students and wondered whether that information could be shared.

He said the university would ask the student whether it can talk to the student's parents about the concerns.

"The student can say no and if they are above the age of majority we are a little bit hamstrung," Rahilly said.

Loukidelis said if a student denies a request to share personal information with their parents or school officials, an assessment can be made.



Saturday, July 07, 2007

Oshawa second-hand store bylaw invades privacy 

Earlier this week, the Ontario Court of Appeal, in Cash Converters Canada Inc. v. Oshawa (City) (July 4, 2007) (an appeal from Cash Converters Canada Inc. v. Oshawa (City), 2006 CanLII 3469 (ON S.C.)), overturned a City of Oshawa Bylaw that required sellers of second hand goods to collect detailed personal information about those who sell second hand goods to the stores. The bylaw was inconsistent with the Municipal Freedom of Information and Protection of Privacy Act.

Here's what the Toronto Star had to say about it:

TheStar.com - News - Oshawa second-hand store bylaw invades privacy: Court

Tracey Tyler

LEGAL AFFAIRS REPORTER

The Ontario Court of Appeal has struck down sections of a controversial Oshawa bylaw that require second-hand dealers to collect detailed personal information from people who sell them goods and transmit the data to police.

The bylaw conflicts with provincial privacy legislation, which requires the collection and retention of personal information to be strictly controlled, the court ruled Wednesday. The 3-0 decision could influence challenges to similar bylaws in other parts of the country, including Alberta and British Columbia.

“This decision comes at a time when cities are gaining broader law-making powers,” said David Sterns, a lawyer representing the Oshawa franchise of Cash Converters Canada Inc., a second-hand store that challenged the bylaw.

“The court has sent a strong signal that all forms of information gathering and surveillance by municipalities are subject to the public’s overriding right to privacy.”

Under the Oshawa bylaw, passed by the city in 2004 as part of a new licensing system for second-hand dealers, stores were required to record the name, address, sex, date of birth, phone number and height of their vendors, who also had to produce three pieces of identification, such as a driver’s licence, birth certificate or passport.

“This information is then transmitted and stored in a police data base and available for use and transmissions by the police without any restriction and without any judicial oversight,” said Justice Kathryn Feldman, writing on behalf of Associate Chief Justice Dennis O’Connor and Justice Paul Rouleau.

Store owners were required to send reports to police at least daily, in some cases at the time of purchase. The city argued the bylaw was meant to protect consumers from purchasing stolen goods.

But the municipality offered no evidence of a growing problem involving the sale of stolen goods to second-hand dealers, said Feldman.

Nor is there evidence that unscrupulous people are more likely to be deterred by the electronic collection and transmission of personal information, she said.

In 2003, Cash Converters purchased more than 28,000 used items from people. About 30 of those were seized by police in connection with criminal investigations.

It’s unknown whether any were confirmed as stolen, the court said.

The bylaw did not apply to pawn shops, which are provincially regulated.

See, also, James Daw's column: TheStar.com - columnists - New ruling stands up for privacy.


Friday, June 22, 2007

Names of defaulted student loan debtors sent in mass e-mail 

I got a call yesterday from Lindsay Jones of the Halifax Daily News (Canada's top journalist) to discuss an interesting situation that has popped up here in Nova Scotia. It appears that an e-mail was sent out to hundreds of defaulted student loan recipients to advise that their case officer was changing. Whoever hit the send button didn't notice that everyone was on the "TO:" line, so each recipient also got a list of all the other defaulted debtors. Not good form.

Of course, the e-mail was forwarded to the Halifax Daily News and the rest is history... (I understand that a journalist from another publication was on the list.)

I've been saying for years that security and safeguards are probably the most important principles in any privacy plan. You won't be on the front page of the newspaper for having a confusing privacy policy or for using opt-out consent instead of opt-in. But if you have a security breach like this, the odds are that you're in for a rough ride.

(Also interesting: part of the response is a hotline for personal apologies.)

Here's Lindsay's article:

Halifax, The Daily News: News Names of student-loan defaulters sent in mass e-mail

Last updated at 7:32 AM on 22/06/07

LINDSAY JONES

The Daily News

An embarrassing breach of personal privacy has led to policy changes at the provincial government department that deals with student loans.

Full names, and in many cases workplaces, were inadvertently disclosed in a mass e-mail sent by a Service Nova Scotia and Municipal Relations collection officer.

The subject line of the June 8 e-mail said "Defaulted Nova Scotia government guaranteed student loans - new contact name."

The e-mail was to inform the employee's clients that she had been reassigned.

Ian Daye, whose name appeared on the list, is annoyed at the lack of discretion.

"It's just: 'You have student loan problems. And here's a list so you can see who else has student loan problems.' This really isn't right, as far as I'm concerned," said the 33-year-old, who works for Research In Motion.

"It's something that should've been done in confidence," Daye added. "It's not really very professional of her to put everyone's addresses out there."

Some of the e-mail addresses on the list belonged to people who work in government offices, banks and local businesses.

Canada's top privacy lawyer said the e-mail is a "highly embarrassing" violation of the freedom of information and protection of privacy (FOIPOP) act.

"People's financial information is some of the most sensitive information out there," David Fraser of Halifax said.

"It really needs to be protected with measured safeguards that are appropriate to the sensitivity of the information."

Fraser said people have the right to complain to the provincial FOIPOP office, though there's no legislation for redress.

"The bigger thing is likely the embarrassment for those individuals whose information was released into the wild," he said.

While accidental privacy breaches do sometimes occur, Fraser said it's also embarrassing for the government that an employee allowed this to happen.

A spokeswoman for Service Nova Scotia and Municipal Relations said steps were taken the day after the email went out to ensure no mass communication of this nature would happen again.

"Every employee that deals with clients has received education about the ongoing importance of protecting personal information," Donna Chislett said.

The computer system for student loans is being revamped to prohibit staff from sending such mass e-mails, she added.

About one third of the e-mails were returned as undeliverable mail.

"It was certainly done inadvertently and it was an oversight. We do apologize for that," Chislett said.

Staff are providing personal apologies and explanations of the privacy breach to anyone with concerns; call 494-4961 for details.

ljones@hfxnews.ca


Wednesday, January 17, 2007

Taxman moves to protect privacy 

I was interviewed today for Global National's most recent report on privacy problems at the Canada Revenue Agency (our IRS, for my American readers). Since earlier reports on misdirected tax information, many more people have come out to report they have also been the unwitting recipients of information about other taxpayers. See: Taxman moves to protect privacy and also note the many comments in which others relate receiving others' personal information.

I think you can get the video of the feature here: http://video.canada.com/VideoContent.aspx?13750&vc=1&popup=1, but it seems hit and miss to me.


Friday, January 12, 2007

Nova Scotia's new FOIPOP review officer 

As of February 5, 2007, Nova Scotia will have a new review officer under the Freedom of Information and Protection of Privacy Act:

News Release: Department of Justice

New FOIPOP Review Officer Appointed

Department of Justice

January 11, 2007 8:20


Dulcie McCallum, former Ombudsman for the Province of British Columbia, is Nova Scotia's new Freedom of Information and Protection of Privacy Review Officer.

Ms. McCallum will oversee how provincial and municipal governments protect the privacy of Nova Scotians and respond to requests for access to information.

"I'm pleased that Ms. McCallum has agreed to take on this important role," said Justice Minister Murray Scott. "The courts have recognized our legislation as being among the most open, progressive information and privacy laws in the country. Ms. McCallum brings tremendous expertise and knowledge to this office, particularly in the areas of the rights of persons with disabilities and children, constitutional matters and justice issues."

Ms. McCallum received her law degree from the University of Victoria and has expertise in administrative and human rights law. Over the past 30 years, Ms. McCallum has held positions in private practice and in the public sector. She was Ombudsman for the Province of British Columbia for seven years, until 1999. Since then, Ms. McCallum has worked for government and a number of organizations, including representative on the Canadian Delegation to the United Nations, to draft the new UN Convention on the Rights of Persons with Disabilities.

"I am thrilled to be named the new FOIPOP Review Officer and am ready to serve Nova Scotians in this important office," said Ms. McCallum. "I moved to rural Nova Scotia just over a year and a half ago from Victoria, British Columbia.

"Living in Sherbrooke has been one of the most rewarding times of my life. This new opportunity, which will enable me to work throughout the province to ensure citizens' rights of access and privacy are respected, is both a great honour and privilege."

The review officer is an independent ombudsman appointed by the Governor in Council for a term of five to seven years. The review officer will accept appeals from people and organizations who are not satisfied with the response they received from government departments or other public bodies such as hospitals, universities and school boards.

The review officer may make recommendations to the public body. The public body must respond in writing to the report. If the applicant, or a third party, is not satisfied with the outcome of a review, an appeal may be made to the Supreme Court of Nova Scotia.

The selection process for a new review officer was led by the Public Service Commission. An independent selection advisory committee, chaired by Auditor General Jacques Lapointe, recruited candidates for the position. The committee reviewed 70 applications and interviewed six candidates.

Ms. McCallum will assume office on Feb. 5.


Monday, January 08, 2007

More on privacy and the Canada Revenue Agency 

The Canada Revenue Agency continues to be in the news as of late.

The Canadian Press has found that the CRA official leading the investigation into the disclosure of information about high profile taxpayers, including MP and former hockey star Ken Dryden, once faced the wrath of George Radwanski:

CRA commissioner probing Dryden tax leak once dismissed privacy breach finding

Gregory Bonnell

Canadian Press

Monday, January 08, 2007

TORONTO (CP) - The senior public servant leading a probe into the leak of Ken Dryden's confidential tax information once dismissed a scathing ruling by the federal privacy commission that found Canada Revenue Agency employees had violated the Privacy Act.

Larry Hillier, the agency's assistant commissioner for the Ontario region, launched an "immediate investigation" last month after a published report that employees had violated the Income Tax Act, the Privacy Act and possibly criminal law by leaking Dryden's information.

In an internal e-mail sent to CRA employees, Hillier also warned of possible disciplinary action, including dismissal.

"When one employee breaches confidentiality, as is currently alleged, each and every one of us is impacted," he wrote.

Hillier, however, had a decidedly different response in 2003, when the federal privacy commissioner found CRA employees committed a "serious violation" of the Privacy Act by accessing and disclosing the tax information of former employee Lillian Shneidman while investigating allegations that she had violated a taxpayer's privacy rights.

In an October 2003 letter obtained by The Canadian Press, Hillier defended the actions of his employees, despite the privacy commissioner's findings.

"I offer the following regarding the above-referenced report, which concludes that we inappropriately accessed Ms. Shneidman's tax information," Hillier writes in a letter to then-CRA human resources branch assistant commissioner Dan Tucker.

"It is felt that this particular investigation warranted the accessing of Ms. Shneidman's tax information, as a taxpayer raised serious allegations."

CRA employees who are found guilty of disclosing confidential tax information - a violation of the Income Tax Act - face fines of up to $5,000 or jail time of up to 12 months. Under the Criminal Code of Canada, breach of trust by a public officer is punishable by a maximum prison sentence of five years.

Shneidman, who was fired from the CRA in 2001, had been assured in a July 2003 letter from Tucker that the agency viewed "any breach in privacy as a very serious matter."

The CRA "will ensure that appropriate corrective action will be taken," Tucker wrote.

At least one of the employees involved in the incident has been promoted, said Shneidman - who continues to fight her termination, with cases pending before the Public Service Labour Relations Board and the Federal Court of Appeal.

Former privacy commissioner George Radwanski was unequivocal in his condemnation of the CRA's treatment of Shneidman.

"Accessing that information . . . for the sole purpose of confirming your status as a (CRA) employee was, in my view, totally unnecessary and a gross misuse of taxpayer information," wrote Radwanski, who faces charges of fraud and breach of trust after resigning that same year amid an expense-abuse scandal.

"I consider the use of your (tax) information in this instance to constitute a serious violation of the confidentiality rights afforded you under . . . the Privacy Act."

...


Thursday, January 04, 2007

Incident: CRA misdirects taxpayer information 

A Halifax resident was more than slightly surprised when he went to the Canada Revenue Agency to pick up his requested notice of assessment. While the notice was conspicuously absent from the envelope, he did find a raft of information about ten complete strangers. Apparently, the CRA stuffed the wrong envelopes and handed over confidential and sensitive information to the wrong person.

When the individual who received the information was not satisfied with the CRA's reaction, he called the other taxpayers and went to the media. The story is on the front page of the Halifax Chronicle Herald.

To make matters worse, the notice of assessment was mailed but nobody knows who to.

CTV is doing a piece for the supper hour news here in Halifax, for which I was interviewed earlier today. They are hoping to get some comment from the unshuffled Minister responsible for CRA.

From today's paper:

More than he wanted to know

Government mistakenly mails other people’s tax papers to Whites Lake man

By JOHN GILLIS Staff Reporter

Andrew Doiron of Whites Lake just wanted to find out his RRSP contribution limit for the year. But what he got was a raft of personal information about 10 strangers from as far away as British Columbia.

The Canada Revenue Agency is now investigating how the confidential tax documents landed in Mr. Doiron’s mailbox and where the information he requested ended up.

"It looks like somebody just picked a handful of paper off a printer and just slipped it in an envelope with my (address) page on top," Mr. Doiron said Wednesday. "But of course they didn’t put my papers in there."

The confusion began Dec. 20 when Mr. Doiron went to the Canada Revenue Agency’s Halifax office in person to ask for a copy of his notice of assessment. He was told he had to call a toll-free number to ask for the document. Staff let him use a phone in the building.

Mr. Doiron was surprised Tuesday when he found an envelope from the agency in his mailbox, and it contained about 35 pages. The documents bore the names, addresses, social insurance numbers, income, marital status and other personal information for 10 other people. His own notice of assessment was not included.

He immediately called a toll-free Canada Revenue Agency number again but said it was tough to persuade the person who answered to let him speak to a supervisor. When he finally did, he said he was asked to mail the documents back to the agency and advised he could claim the price of the postage stamp on his tax return next year.

Mr. Doiron also called as many of the people whose tax information he’d been sent as possible.

One, Sandra Ambersley of Brampton, Ont., told CTV she was very concerned about what might have happened if someone had wanted to use that information.

"I was totally shocked yesterday when I received a call from Halifax, this man saying that he’d received all my personal information," she said Wednesday.

Mr. Doiron noted that on the same online telephone directory he used to find people’s telephone numbers, there was an ad pointing to a Capital One credit card application that required only an address and a social insurance number.

He personally returned all the strangers’ documents to the Halifax office Wednesday.

Mr. Doiron said he felt he did not get a serious response from the agency until after he began contacting the media.

Jack Lee, acting director of the Nova Scotia office, called to apologize and had a copy of the notice of assessment Mr. Doiron requested sent to him. It arrived safely.

The notice had been mailed previously, but not to him.

"Mine’s out there somewhere, floating around," Mr. Doiron said. "I hope somebody threw it away."

Canada Revenue Agency spokesman Roy Jamieson said security is the No. 1 priority for the service, but mistakes happen.

"We’re certainly scrambling to try and piece together what took place," he said. "There’s quite an active and quite an intense investigation going on right now."

He said a call to a toll-free number could be answered at any one of a number of call centres across the country, depending in part on the nature of the request. A requested document could be printed at the appropriate location and mailed from there.

The agency sends about 90 million pieces of mail per year and it’s rare that something gets mixed up, he said.

"To be misdirected in the magnitude of this case, it’s certainly unusual," Mr. Jamieson said.

He said the agency will contact all of the people whose documents were involved and will keep Mr. Doiron abreast of its investigation into the mix-up.

"There’s no question that any kind of breach of security and compromising of an individual’s privacy and confidentiality is our most significant issue in this agency," Mr. Jamieson said.

Mr. Doiron has little confidence that anything will change.

"My gut feeling is, this is government, nothing’s going to happen," he said.

Update: From CTV:

Canada Revenue investigates botched mailout

The Canada Revenue Agency is scrambling to restore public trust and has launched an internal investigation after confidential information on several Canadians was sent to a Halifax-area man.

Documents that Andy Doiron of White's Lake, N.S., was mistakenly sent include social insurance numbers, income, addresses and the marital status of 10 Canadians, including some from as far west as Edmonton.

Doiron said he called most of the people to tell them what happened, and returned the documents to Revenue Canada.

With the trust of Canadians potentially on the line and tax time just around the corner, the agency is promising tough action if necessary.

Revenue Canada spokesperson Roy Jamieson called the incident a rare case of misdirected mail, but admitted somebody in the department made a mistake.

"Certainly if we identify breaches of policy process and procedure, there are disciplinary measures that can be taken and I expect they will be looked at quite seriously," he told CTV Atlantic.

Federal Minister of National Revenue Carol Skelton said she was "disturbed" by the security breach.

"The instant that I found out about it we had launched an investigation," she told CTV News in Saskatoon. "I really can't say much more about it than that. The incident is being looked into."

The agency is still trying to determine which one of five locations was responsible for the botched mail out.

David Fraser, a legal expert in security matters, told CTV Halifax that if such information were to fall in the wrong hands, it could easily be used to commit fraud.

"There really does need to be something done in order to make sure the trust is always there. Accidents happen but so often trust is won or lost in the aftermath of how they decide to deal with it," he said.

Sandra Ambersley of Brampton, Ont. was one of the people Doiron called.

"I was totally shocked when I received the call (on Tuesday) from Halifax," Ambersley told CTV Toronto.

"This man (was) telling me that he received all my personal information. As a joke he did say 'I could duplicate you right now.'"

The confusion began when Doiron called the revenue agency on Dec. 20 requesting a copy of his notice of assessment.

On Tuesday, an envelope from the agency arrived in his mailbox, containing over 30 pages of documents with all the information. His own assessment wasn't included.

Doiron said he immediately called the toll-free Canada Revenue Agency number again and he was asked to mail the documents immediately.

With a report from CTV Atlantic reporter Marc Patrone.


Wednesday, December 20, 2006

Canada Revenue Agency investigates leaks of info on high profile taxpayers 

The Canada Revenue Agency generally takes taxpayer privacy very seriously. It's rare to hear about any leak or misuse of personal information from the federal tax department. Lately, however, the CRA, or at least some of its employees, have come under suspicion as confidential records of high-profile taxpayers have appeared online.

The Canadian Press reports on a leak of information about MP and former hockey star Ken Dryden:

Tax office staff warned of disciplinary action as CRA probes Dryden tax leak

GREGORY BONNELL

TORONTO (CP) - Canada Revenue Agency workers are being warned of disciplinary action, including dismissal, following a published report that federal employees had leaked the confidential tax information of Liberal MP Ken Dryden.

"It is unsettling to consider that not all employees may be working with the degree of professionalism and integrity that the CRA expects," writes Larry Hillier, assistant commissioner for the Ontario region, in an internal e-mail to CRA employees obtained by The Canadian Press.

"As with all allegations of wrongdoing, an immediate investigation is being launched to determine if a breach of our standards has occurred," the memo reads. "If warranted, disciplinary action will be taken, up to and including termination of employment."

The tax information of Dryden and several other sports personalities, including former Toronto Maple Leaf Borje Salming, is available on the Internet courtesy of debt collectors who have been illegally leaking the information.

National Revenue Minister Carol Skelton has asked the CRA to launch an immediate investigation in the wake of the original CP report, which was published Saturday.

CRA workers are violating the Income Tax Act, the Privacy Act, and possibly criminal law by feeding information to former employee Alan Baggett, who in turn posts the disclosures to an Internet chat group.

The Dryden story, posted in May 2005, says the former Montreal Canadiens goalie and Leafs general manager once had a "small personal tax debt, which he no doubt paid." A former employee who worked on Dryden's file confirmed the debt to CP.

Neither Dryden nor Salming replied to requests for comment on the postings. The postings did not indicate Dryden's current tax situation.

CRA employees who are found guilty of disclosing tax information, a violation of the Income Tax Act, face fines of up to $5,000 or jail time of up to 12 months - a fact Hillier points out in his memo.

"When one employee breaches confidentiality, as is currently alleged, each and every one of us is impacted," Hillier writes, noting his "high level of confidence in the employees of the Ontario Region."

"You can be assured that all necessary steps are being taken to thoroughly investigate this matter."

Depending on the circumstances, the disclosure of confidential information could also constitute a criminal offence. Under the Criminal Code of Canada, breach of trust by a public officer is punishable by a maximum prison sentence of five years.


Tuesday, December 19, 2006

Notification coming to Ontario public sector privacy laws? 

Thanks to John Gregory for passing this along ...

Bill 152 has now passed in the Ontario Legislature and is heading for royal assent. This Bill contains a number of amendments to a range of statutes, but most interestingly provides for the creation of regulations for notifications if information is disclosed contrary to the Freedom of Information and Protection of Privacy Act (and its equivalent that applies to municipalities):

9. Subsection 60 (1) of the Act is amended by adding the following clauses:
(b.1) requiring the head of an institution to assist persons with disabilities in making requests for access under subsection 24 (1) or 48 (1);

. . . . .

(d.1) providing for procedures to be followed by an institution if personal information is disclosed in contravention of this Act;

. . . . .

(f.1) respecting the disposal of personal information under subsection 40 (4), including providing for different procedures for the disposal of personal information based on the sensitivity of the personal information;

It'll be interesting to see what the regs look like.


Monday, December 18, 2006

New money laundering law requires Privacy Commissioner to review FINTRAC's compliance 

Bill C-25, An Act to amend the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and the Income Tax Act and to make a consequential amendment to another Act, is now in force. For the purposes of attacking money laundering and the financing of terrorism, the statute expands the amount of personal financial information collected and the sources of that information. But this amendment also gives the Privacy Commissioner of Canada a unique role. Under the statute, the Commissioner is to audit the personal information handling practices of FINTRAC every two years. We'll see how the first such audit goes ....

From the Commissioner's office:

New money laundering law requires Privacy Commissioner to review FINTRAC's compliance with Privacy Act

Ottawa, December 18, 2006 – The Privacy Commissioner of Canada, Jennifer Stoddart, has new oversight responsibilities under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (Bill C-25), which just received Royal Assent. Under this new legislation, the Commissioner's Office is now required to regularly review the Financial Transactions and Reports Analysis Centre (FINTRAC's) compliance with the Privacy Act, the federal public sector privacy law.

Under the Privacy Act, the Privacy Commissioner already has the power to audit the personal information-handling practices of federal departments and agencies. However, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act specifically mandates the Office to review and report to Parliament on FINTRAC's activities every two years. The Commissioner's Office had already planned to conduct an audit of FINTRAC in 2007-08, pursuant to its authority under the Privacy Act.

"We understand the need to address suspected money laundering and terrorist financing activities, but we do have concerns about the potential impact on privacy rights resulting from an increase in the amount of personal information collected and disclosed by FINTRAC," said Ms. Stoddart. "In light of this, I am pleased to see that we will have increased oversight over these activities."

In the recent report of the Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar, Justice O'Connor also generally highlighted the need for increased oversight and review of activities that touch on national security. In Justice O'Connor's report, he recognized that the sharing and disclosure of personal information by government to foreign entities raises concerns.

Providing the Privacy Commissioner with mandated review of FINTRAC's activities is an important step because, as a result of the passage of Bill C-25, the number of organizations required to monitor and to collect information about their clients and customers will increase, the amount of personal information being collected will expand and more transactions will be subject to scrutiny and reporting. FINTRAC will be able to share more information with more organizations. FINTRAC is Canada's financial intelligence unit, a specialized agency created in July 2000 to collect, analyze and disclose financial information and intelligence on suspected money laundering and terrorist activities financing.

Last week, Ms. Stoddart appeared before the Standing Senate Committee on Banking, Trade and Commerce to discuss Bill C-25. Her statement and submission are available on the Office's Web site.

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights of Canada.


Thursday, December 07, 2006

Right to Know Coalition of Nova Scotia 

The new access to information advocacy organization for Nova Scotia, the Right to Know Coalition of Nova Scotia, has a new blog: Right to Know Coalition of Nova Scotia.


Thursday, November 16, 2006

Saskatchewan Commissioner calls for overhaul of privacy law 

The Information and Privacy Commissioner of Saskatchewan, Gary Dickson, has released his annual report for 2005-2006, calling for a significant overhaul of the province's public sector legislation. See: Saskatchewan told to update privacy laws that expose residents to risk - Yahoo! Canada News.

From the Commissioner's media release:

Saskatchewan

Information and Privacy Commissioner

NEWS RELEASE – November 16, 2006

Saskatchewan Information and Privacy Commissioner tables 2005-2006 Annual Report.

Saskatchewan’s Information and Privacy Commissioner, Mr. Gary Dickson, has submitted his Annual Report for 2005-2006 to the Legislative Assembly. The document is available at the website: www.oipc.sk.ca.

Dickson recommends action by the Saskatchewan Government to make Deputy Ministers and CEOs of Crown corporations and local authorities explicitly accountable for access and privacy compliance in their organizations.

The Commissioner also highlights unfinished business from his last Annual Report. Of six major recommendations in his 2005 Privacy and Access: A Saskatchewan ‘Roadmap’ for Action, there has been no action taken on four recommendations, namely:

  • Extend privacy protection to private sector employees in Saskatchewan;
  • Conduct a public review of our 14 year old law, The Freedom of Information and Protection of Privacy Act, and then make the necessary changes to modernize that first-generation law;
  • Integrate two separate access and privacy laws into a single law to make it more understandable and easier to comply;
  • Ensure that public registries address the new challenges to the privacy of citizens.

The Commissioner also highlighted two emerging issues that warrant attention:

  • Development of an electronic health record for every man, woman and child in Saskatchewan poses major challenges to the protection of privacy. “It will be important to get the ‘privacy piece’ of the EHR right so that citizens will continue to be frank and candid when they deal with their family physician and other primary providers.”
  • There is a popular trend to promote ‘shared services’, whether SchoolPlus for children at risk, or multi-department delivery of services for adults. This trend requires a careful rethinking of the way access to information and privacy will be managed.


Wednesday, November 15, 2006

Patriot Act blocking statute now the law in Nova Scotia 

The Governor-in-Council for Nova Scotia today proclaimed into force the new Personal Information International Disclosure Protection Act.

For more background, see

Here's the official release from the government of Nova Scotia:

News Release: Department of Justice

November 15, 2006 13:07


Legislation to ensure that Nova Scotians' personal information is not disclosed under the U.S. Patriot Act was proclaimed today, Nov. 15.

The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure.

"This legislation will help ensure that Nova Scotians' personal information will be protected," said Justice Minister Murray Scott. "The act outlines the responsibilities of public bodies, municipalities and service providers and the consequences if these responsibilities are not fulfilled."

The act provides protection regarding storage, disclosure and access to personal information outside of Canada or in the custody or under the control of a public body or municipality.

The legislation comes into effect for government, school boards, universities, district health authorities and other public bodies today and on Nov. 15, 2007 for municipalities.

Under the act, the minister of Justice must be notified if there is a foreign demand for disclosure of any personal information of Nova Scotians. It also requires that service providers storing information only collect and use personal information necessary for their work for a public body or municipality.

The act also addresses whistleblower protection for employees of external service providers to ensure they are protected if they report an offense under the act. Whistleblower protection for Nova Scotia government staff already exists under the Civil Service Act.

Penalties under the act include up to $2,000 per government employee for malicious disclosure by employees of public bodies and municipalities. The act also creates offences for service providers, with penalties of up to $2,000 for employees and $500,000 for companies.

Offences relate to the improper storage, collection, use, or disclosure, failure to notify the minister of Justice of foreign disclosure demands, and improper discipline or termination of employees.

Information sessions have been held in Truro and Halifax over the past month to educate partners and stakeholders about the provisions of the act.


FOR BROADCAST USE:

New provincial legislation which will ensure that Nova Scotians' personal information is not at risk from activities under the U-S Patriot Act has been proclaimed today (November 15th).

The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure.

The act provides protection regarding storage, disclosure and access to personal information in the custody or under the control of a public body.


Wednesday, August 30, 2006

Right to Know Forum in Nova Scotia 

Darce Fardy, former Freedom of Information and Protection of Privacy Review Officer for Nova Scotia, has passed this announcement on to me:

RIGHT TO KNOW FORUM

University of Kings College (Alumni Hall)

September 27, 2006 6:30 - 9 pm

The Right to Know Coalition of Nova Scotia, with the support of the FOIPOP Review Office, is observing National Right to Know Week with a forum where issues related to the principles of openness and accountability in government and other public bodies will be discussed and debated.

Keynote speaker: Wayne MacKay, former Nova Scotia Human Rights Commissioner and President of Mount Allison University, now Professor of Law with Dalhousie Law School. Inducted into the Order of Canada in 2005.

Panel #1: A political look at the issues of openness and accountability and the Freedom of Information and Protection of Privacy Act. The four political parties: Michel Samson, interim leader of the Liberal party; Nick Wright, leader of the Green Party; Paul Black, Senior Researcher with the NDP Caucus; and an as yet unnamed MLA from the Progressive Conservative Party. Moderated by Darce Fardy of the RTK Coalition and former Review Officer for FOIPOP.

Panel #2: Neal Livingston, a documentary producer from Cape Breton and veteran user of the FOIPOP Act; Doug Keefe, Deputy Minister of Justice; Charles Cirtwill, Vice-President and Director of Operations of the Atlantic Institute for Market Studies; and Richard Cotter, Warden of Richmond County and President of the Union of Nova Scotia Municipalities will provide their views on transparency in public bodies. Moderator: Dean Jobb, of the Faculty of Journalism at Kings, former newspaper journalist and recognized expert in access to information legislation.

The audience will be encouraged to get involved with questions or comments. All are welcome. September 27, Kings' Alumni Hall, 6:30 to 9 pm


Tuesday, August 29, 2006

Australian tax office fires employees over inappropriate snooping into confidential records 

Once again, Australia is in the privacy news. This time, it is the Australian Tax Office, which has recently disciplined two dozen employees over inappropriate perusal of tax records.

Australian IT - Tax office sacks 'spies' (Ben Woodhead, AUGUST 29, 2006):

A SECOND government agency has been forced to sack staff for spying on client records, with the Australian Taxation Office taking action against 27 workers for breaches of privacy.

The tax office took action against 24 employees over inappropriate access to taxpayer files last financial year, with another three cases detected this year.

ATO first assistant commissioner for people and place, Anne Ellison, said 12 of the staff caught spying last year resigned on the spot. Four were sacked, two were fined and six had their salaries reduced or were demoted.

Two were ultimately prosecuted for breaches of the Tax Administration Act, with one sentenced to community service and the other fined.

The revelations come a week after multi-millionaire former actor and producer John Cornell - who is facing allegations that he and Paul Hogan held $40 million in Swiss-administered trusts and offshore companies without declaring it to the ATO - accused the tax office of a campaign of media leaks....

Thanks to Open and Shut for the link: Open and Shut: This time it's the Tax Office named in privacy breach.


Saturday, July 15, 2006

Nova Scotia passes USA Patriot Act blocking statute 

In one of the shortest sittings that I can recall, the Legislature of Nova Scotia has passed the Personal Information International Disclosure Protection Act, also known as Bill 19.

Nova Scotia Legislature - House Business - Status of Bills

Bill No. 19 An Act to Protect the Personal Information of Nova Scotians from Disclosure Outside Canada

Hon. Murray K. Scott Minister of Justice

First Reading June 30, 2006

Second Reading (Second Reading Debates) July 6, 2006

Law Amendments Committee July 10, 2006; July 11, 2006

Committee of the Whole House July 13, 2006

Third Reading July 14, 2006

Royal Assent July 14, 2006

I do not believe it has been proclaimed into force, so stay tuned for that part. (See update below.)

The Personal Information International Disclosure Protection Act is a response to the USA Patriot Act, specifically designed to prevent the export of personal information in the custody or control of public bodies in Nova Scotia to any other country. Though the prohibition is generic, it is clearly meant to prevent personal information from being the subject of a demand under the USA Patriot Act. It is also subject to the individual's consent, meaning that the prohibition does not apply if the individual data subject has identified the information and has specifically consented to the export of his or her information.

The Act is binding on all public bodies, their employees and specifically their service providers.

The Act requires that all public bodies ensure that all personal information in their custody or control is kept in Canada and is accessed only in Canada, unless the head of that public body has determined that storage or access outside of Canada is necessary for the public body's operations. If the head so determines, he or she has to notify the Minister of Justice for the province within ninety days of the end of the year.

The Act also contains a requirement that the Minister of Justice be notified forthwith of any "foreign demand for disclosure" or of any request that may be such a demand. The notice has to include the following:

as known or suspected,
(a) the nature of the foreign demand for disclosure;

(b) who made the foreign demand for disclosure;

(c) when the foreign demand for disclosure was received; and

(d) what information was sought by or disclosed in response to the foreign demand for disclosure.

It is an offence to disclose any personal information except in compliance with the Act and it contains specific penalties for public bodies, employees and service providers. Public sector employees may be subject to a fine of up to $2000 and imprisonment for six months. Corporate service providers may be subject to a fine of up to $500,000.

Interestingly, the Act grandfathers in contracts already entered into with service providers, but public bodies are expected to use all reasonable efforts to come into compliance with the new disclosure rules as soon as reasonably possible.

Nova Scotia is now the third Canadian province to enact such legislation, after British Columbia and Alberta.

Probably the most unmanageable portion of the Act deals with temporary exports. These are permitted (for example, in an employee's BlackBerry or on their laptop), but only with the permission of the head of the public body. This will be very difficult to administer because virtually every public sector employee's cell phone, laptop or briefcase contains information that is considered to be "personal information" under the statute. Every public sector employee who goes to a conference with her laptop will need the permission of the minister or university president or crown corporation president. However, given the rash of laptop thefts of late, it may be a good thing to make public bodies think much more carefully about how information is carried around.

Interestingly, the Act is not an amendment to the Freedom of Information and Protection of Privacy Act which generally governs the collection, use and disclosure of personal information by public bodies. It is a stand-alone statute, unlike the way this was done in Alberta and BC.

For some background, see:

Update (20060717): The Bill has received Royal Assent, but it has not yet been proclaimed into force. (I've added the bold bit in the table above.)


Tuesday, July 11, 2006

Nova Scotia USA Patriot Act response is back on! 

After a brief recess for an election, the Nova Scotia House of Assembly is back with a new session but a boatload of bills that fell off the order paper. Among them is (newly renumbered) Bill 19, the Personal Information International Disclosure Protection Act, which I blogged about earlier.

The Bill was reintroduced on June 30 and received second reading on July 6, 2006. It is now headed to committee for consideration, with what appears to be the approval of all three parties.

Here is the Minister of Justice making the motion for second reading and the response from the opposition parties:

Hansard - July 6, 2006, p. 314

MR. SPEAKER: The honourable Minister of Justice.

HON. MURRAY SCOTT: Mr. Speaker, this legislation will strengthen protections against the disclosure of Nova Scotians' personal information, under the U.S. Patriot Act. The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure. We know that the U.S. security legislation has caused concerns about the American Government's ability to access personal information of Nova Scotians, held outside of Canada. This legislation clearly outlines responsibilities of public bodies, municipalities and technology service providers and the consequences if these responsibilities are not fulfilled.

Under the bill, the Minister of Justice must be notified if there is a foreign demand for disclosure of any personal information of Nova Scotians. The bill also requires that service providers storing information only collect and use personal information for the purposes of their work, for a public body or a municipality. In order for these measures to be successful, staff must be sure they will be protected if they come forward to report wrongdoing, under this bill. To that end, the bill will also provide whistle-blower protection for employees of external service providers to ensure they are protected if they report an offence under the bill. Whistle-blower protection for Nova Scotia Government staff already exists under the Civil Service Act.

Mr. Speaker, penalties under the Act include a fine of up to $2,000, or six months of imprisonment for malicious disclosure by employees of public bodies and municipalities. The Act also creates offences for service providers with penalties of up to $2,000 for employees and $500,000 for companies. Under this bill, these penalties will become part of any new contract. At the same time, we are working to strengthen our existing contracts with current service providers.

Mr. Speaker, this is a serious issue and this bill will help ensure that the privacy of Nova Scotians' information continues to be protected. With those few comments, I move second reading of Bill No. 19. Thank you.

MR. SPEAKER: The honourable member for Cole Harbour-Eastern Passage.

MR. KEVIN DEVEAUX: Mr. Speaker, Bill No. 19 is a bill that the NDP has been pressuring the government to pass for, I guess, two years. This is a bill that two years ago when the NDP discovered, I think it happened in British Columbia originally where the Privacy Commissioner - where they actually have a Privacy Commissioner, I may note, for the record - noticed that under the Patriot Act in the United States, an American investigating body, FBI, CIA, National Security Agency, what have you, under the Patriot Act, if there are records held

[Page 315]

by an American corporation or its subsidiary, in another country, that those organizations can go in and access those records; it may even be without a subpoena, but there's probably very little judicial review, but under the Patriot Act they have access to that information.

So, for example, in Nova Scotia, if our government contracts out the maintenance of the data for people who are on social assistance, or motor vehicle records, that information is handed over to an American corporation to manage that data, that maybe even a subsidiary of that company in this province or in Canada, the American authorities would have access to that. That is a concern, one that British Columbia addressed a while back and it's one that I know that this province, for two years we've asked this government to do this, it's one that we have introduced legislation on and it's one that we're now glad to see the government also understands, finally, that what the NDP was asking for is something we need to do.

It is abhorrent that even for two years we allowed this province to farm out information that could easily be accessed under the Patriot Act. Now even more, we've heard recently how the American authorities have been poring over telephone records, have been monitoring telephone calls. In this age in which - if you want to call it Neo-McCarthyism, in many ways - it's very important that we have an opportunity to ensure that the information in the private information and data of Nova Scotians is protected.

Now, someone raised this with me when the bill was first introduced back in the Spring, before the election, Mr. Speaker. At that time, we had an opportunity - it was asked, well, what's a $2,000 fine going to do? They're probably right. To be frank, the fines in this legislation are not punitive, are not a form that is going to look at these findings and say to themselves wow, do we pay a $2,000 fine and give them information to the FBI or do we say under this act we can't?

The real punitive measure in this is that the contract can be cancelled immediately if there's a violation, that is important. I suspect if we're talking about a long-term contract of maintaining data, I would suggest to you that it would result in that company having to think long and hard about having that contract ripped up and voided. That's the kind of punitive measure we can put in. I would also suggest to the government, for the record, that if they want to avoid this from happening it can easily be done by ensuring that the maintenance of that information remains in house within the government and isn't contracted out. When you contract it out then the opportunity arises.

Mr. Speaker, these are things that can be done, I'm glad to see this legislation coming forward, I'm glad to see the Tory government finally agreeing with us. I will note for the record that the minister's comments that there is a whistle-blower protection in the Civil Service Act is not correct. I would suggest to you that the regulations that were passed about a year ago, a year and a half ago in regard to whistle-blower, do not provide any protection for civil servants. Frankly, they only require them to basically have to report their problems higher up and God knows what will happen after that happens. I would suggest to you that this legislation is the

[Page 316]

first step, it's a good step, the NDP has asked for this for two years, we're glad to see this legislation coming forward, we're glad to see it go to the Law Amendments Committee and we're hopeful we can get it passed in this session. Thank you.

MR. SPEAKER: The honourable member for Cape Breton South.

MR. MANNING MACDONALD: Mr. Speaker, on behalf of our Leader and our Justice Critic, I stand in my place this evening and say that we too will be supporting Bill No. 19 as it moves through the House. I want to commend the minister for bringing this bill forward this evening. I believe that it's an important protection for Nova Scotians and I think all Parties in this House realize that this is a bill, as the NDP House Leader states, that may be able to be improved on over time. Certainly it's a first step to have it here and hopefully it will meet with a smooth passage throughout the Law Amendments Committee and on to third reading. Thank you.

MR. SPEAKER: If I recognize the honourable minister it will be to close the debate.

The honourable Minister of Justice.

HON. MURRAY SCOTT: Mr. Speaker, I'd like to thank the Leader of the Opposition and also the House Leader for the Liberal Party for their support of this government bill. We can stand in the House and we can all take credit for good things that have happened here. This is an initiative of government and over the next coming weeks there's going to be a pattern formed here that this government is intent on increasing the penalties and supporting the laws in this province, bringing new legislation such as this, that will make our province as safe as we possibly can, and that's what Nova Scotians want.

Mr. Speaker, this is a good bill that goes a long way to doing that and with that I move to close debate on second reading of Bill No. 19.

MR. SPEAKER: The motion is for second reading of Bill No. 19. Would all those in favour of the motion please say Aye. Contrary minded, Nay.

The motion is carried.

Ordered that this bill be referred to the Committee on Law Amendments.

(See: Nova Scotia introduces amendments to thwart USA Patriot Act, Bill 16: The Personal Information International Disclosure Protection Act (Nova Scotia), Nova Scotia's Personal Information International Disclosure Protection Act to die on the order paper.)


Radio interview on workplace privacy 

I blogged yesterday about a new report related to workplace privacy (Canadian Privacy Law Blog: Employers spying on Canadian workers, study suggests). For those who may be interested, I'm doing a series of radio interviews today for the CBC morning programs in Corner Brook, Charlottetown, Ottawa, Gander, Moncton, St. John's, Ontario AM, Regina, Edmonton, Calgary and Victoria. If you aren't there, you can listen online.


Monday, July 10, 2006

Employers spying on Canadian workers, study suggests 

According to the CBC, a researcher from Ryerson University will be releasing a study today on surveillance in the workplace. When I get a copy of the report, I'll post a link if I can. In the meantime, here's what the CBC has to say:

CBC News: Employers spying on Canadian workers, study suggests:

Last Updated Mon, 10 Jul 2006 09:32:45 EDT

CBC News

Canadian employers in a wide range of industries conduct surveillance of employees at work, suggests a report to be released on Monday.

Produced by Toronto's Ryerson University, the study called 'Under the Radar' asked Canadian businesses about surveillance of their employees.

Employers view closed-circuit television cameras, listen to recorded phone calls, monitor e-mails and scan magnetic information from security passes, said lead author Avner Levin.

Levin, a law professor at the university, said he isn't surprised at the methods, but was taken aback by employers' attitudes toward employee privacy.

'Nobody said this is a problem, or even something they have to deal with in a proactive way. It's just simply under the radar,' said Levin.

Human resources executives responsible for workplace privacy often have little knowledge of the potential intrusiveness of technologies at work in their own companies, he said.

They rarely know what information is being collected by colleagues running company computer systems, he said.

'The executives that are responsible for privacy in the workplace are not fully aware of the extent of ... the surveillance activity that is conducted,' he said.

Managers often work without guidelines about how to respond if surveillance reveals an employee behaving suspiciously, said Levin.

E-mails monitored: U.K., U.S. study

The Ryerson study follows a large workplace survey in the United States and Britain, which suggested 40 per cent of employers regularly read employees' e-mails.

University of Ottawa privacy expert Michael Geist says Canadian firms are likely close behind.

"I don’t have any doubt that we're going to find more and more companies doing it," he said. "To move directly to full-on monitoring of e-mail use is as invasive as it comes."

The founder of Ottawa e-mail security firm Roaring Penguin warns companies must carefully consider their policies on e-mail.

"If you just put the technology in place and add a whole bunch of rules without thinking about what you're trying to do, you're probably blocking a lot of mail that shouldn't be blocked, letting stuff out that should be blocked and most importantly, irritating employees," said David Skoll.

Spell out policies: privacy laws

Canada has two federal privacy laws: the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).

The Privacy Act limits the personal information federal government departments and agencies can collect from Canadians.

Employees in federally regulated industries and the private sector are protected by PIPEDA, which says employers must let employees know what personal information is being collected and for what purpose. Employees must be able to see that information.

"At a minimum, employers should tell their employees what personal information will be collected, used, and disclosed," says the website of Canada's Privacy Commissioner.

"They should inform employees of their policies on web, e-mail, and telephone use, for example. If employees are subject to random or continuous surveillance, they need to be told so."

I have to correct one statement that appears in the article: "Employees in federally regulated industries and the private sector are protected by PIPEDA". PIPEDA only applies to employees of federal works, undertakings and businesses. It does not (NOT!) apply to private sector employees nationally. Employees in the rest of the private sector only have statutory privacy protections if they are in Quebec, British Columbia and Alberta, since PIPEDA does not apply outside of federally regulated workplaces and those provinces have set up provincial privacy laws.


Saturday, July 08, 2006

Supreme Court of Canada sides with solicitor client privilege in freedom of information case 

In a freedom of information decision released yesterday, the Supreme Court of Canada came down strongly (and unanimously) in support of solicitor client privilege as an almost absolute bar to disclosure under Ontario's freedom of information law:

Goodis v. Ontario (Ministry of Correctional Services), 2006 SCC 31 (CanLII)

Rothstein J. (McLachlin C.J. and Bastarache, Binnie, LeBel, Deschamps, Fish, Abella and Charron JJ. concurring)

Access to information — Access to records — Exemption — Solicitor‑client privilege — Access to records for determination of whether they should be disclosed under Freedom of Information and Protection of Privacy Act — Whether records may be disclosed to requester’s counsel notwithstanding claim of solicitor‑client privilege — Whether Divisional Court bound by Act’s provisions prohibiting Commissioner from disclosing any records until final decision made — Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31, s. 19.

A judge of the Divisional Court, who was reviewing a decision of the Ontario Information and Privacy Commissioner, granted the requester’s counsel access to records notwithstanding a claim of solicitor‑client privilege by the Ministry of Correctional Services. The judge treated the motion for access as one by the requester’s counsel, and not as one by the requester, in order to enable counsel to argue whether those records should be disclosed under the Freedom of Information and Protection of Privacy Act. The order for disclosure was made subject to a confidentiality undertaking. Panels of the Divisional Court and of the Ontario Court of Appeal upheld that decision and found that the judge had discretion to order disclosure.

Held: The appeal should be allowed.

Records subject to a claim of solicitor‑client privilege may be ordered disclosed only where absolutely necessary — a test just short of absolute prohibition. A different test is not justified for access to information cases. Here, the evidence revealed no such absolute necessity, and any records claimed to be subject to solicitor‑client privilege should not be disclosed. It is difficult to envisage circumstances where this test could be met if the sole purpose of disclosure is to facilitate argument by requester’s counsel on the question of whether privilege is properly claimed. While the principle of hearing from both sides of an issue is to be departed from only in exceptional cases, judges are well acquainted with privilege and well equipped to determine if a record is subject to it. [20‑25]

The procedural provisions of the Freedom of Information and Protection of Privacy Act apply to the Commissioner, not the courts which are bound rather by the legislation governing their procedures on judicial review. Since the provisions of the Act prohibiting the Commissioner from disclosing any records until a final decision is made are procedural, the matter of disclosure is accordingly left to the court’s discretion, subject to statutory or common law rules. Where no common law rule prescribes the manner in which to deal with records, the court must adopt a procedure which will protect the confidentiality of records until a substantive decision is made. [30‑32]

In this case, the judge of the Divisional Court considered the appropriateness of the confidentiality undertaking and that the integrity of counsel providing the undertaking had not been attacked. His approach was correct to the extent the records were not privileged and confidentiality had been claimed on some other basis. However, in the case of documents subject to solicitor‑client privilege, this approach was inappropriate unless the “absolute necessity” test was met. [33]


The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.