The tools include a video, tip sheet or parents and a youth presentation package – they can be found at http://www.youthprivacy.ca/en/index.html.

Commissioner Stoddart explained in a news release: “Canadian kids use the Internet and online tools effortlessly, at a very young age, and many kids are way ahead of adults in adapting to new technology. Unfortunately, while they are incredibly adept when it comes to surfing, texting, posting, and chatting online, they don’t always take time to consider the privacy pitfalls these new technologies pose.”

The thief took off with a small safe, cash, cheques and electronic information. The most critical piece of information was the media storage device containing the names, social insurance numbers and personal banking information of employees who worked at University of Victoria since January 2010.

The individuals affected were notified that their personal information was stolen and told to contact their bank or credit union to advise them of the situation.  Recommendations included closing an account and opening another.

David Turpin, president of the University, said the thieves stole the back up information stored “in a locked box, in a locked safe, which was bolted to the floor, in a locked room in a locked building…” Though it may seem as though the University took the appropriate measures to protect this highly sensitive personal information, they certainly could have done better.

The information stolen was neither password protected nor encrypted, contrary to University of Victoria’s Information Security Policy. The use of data encryption has become widespread and easy to implement, to the extent that employees now question how such an incident could have ever occurred.

The University has hired security experts from Deloitte & Touche LLP to review and provide advice on the above events in order to determine and the B.C Information and Privacy Commissioner is investigating the matter – taking seriously the fact that the information was unencrypted.

Unfortunately, the unencrypted nature of the information has made it easier for fraudsters to access the stolen information.  Police have confirmed reported incidents of defrauding since the information was stolen.  One incident occurred just a day after the discovery of the break-in. An employee realized that thousands of dollars had mysteriously disappeared from her bank account.

Fears of fraudulent activity were once again heightened as the thieves decided on January 18th to return most of the stolen items – save for the media storage device containing 99% of the concerning data.

The returned data was “thoroughly and professionally destroyed”, says police, which has made it difficult to know for certain whether the devices are the same as those stolen.  University employees recognized most of the returned items as being University property, however, they were confident that the media drive returned was not the same one that had been stolen.  The drive was replaced with a new drive, resembling the old one, missing one important feature – the personal information.

The returned items contained a note stating that “the information on [the] drives was not copied, distributed or exploited.”  It went on to say that the thieves “want no part of everyday people living in fear that their personal information is being used against them to take they’re (sic) hard earned money.”  Despite these ‘assurances’ the police believe that the “situation is now more grave as far as the potential for fraud.”

The importance of encryption in the education sector can also be seen in a recent investigation into Edmonton Public Schools.  Last year a USB stick, containing the personal information of more than 7, 500 employees, was lost in the Centre for Education.  The information included employment applications, resumes, transcripts, direct-deposit forms, cheques, payroll and benefits correspondence, driver’s licences, passport information and birth certificates.

The school was found a few weeks ago to be in violation of its own policies as they did not password protect or encrypt the personal information contained on the portable device.  In their investigation into the matter, the Information and Privacy Commissioner reported that “the sensitivity of the personal information on the USB stick is high due to the types and volume of personal information involved.”  Thus, the information “required a proportionately high obligation on the part of the school district to protect it.”

Privacy watchdogs throughout Canada continue to focus on the need for encryption, and clearly the concern affects not just the health and education sectors, but spans to any industry or organization that entrusts personal information to a mobile device. Tools for encrypting devices are readily available in the market at a very reasonable cost, so there is really no excuse for exposing sensitive information that could result of identity theft, one of Canada’s fastest growing crimes.

The new tort of “intrusion upon seclusion” was held by Justice Sharpe in his judgment to be an “incremental step…consistent with the role of [the] court to develop the common law in a manner consistent with the changing needs of society.” The Court acknowledges that with modern technology in constant development, it has become essential for the law to stay current.

In this case both Jones and Tsige worked at separate branches at the Bank of Montreal. It was discovered that Tsige had been accessing Jones’ banking records through a work computer without authorization. Tsige was involved in a common-law relationship with Jones’ former husband and had accessed Jones’ records to view the amount of child support her common law spouse was paying. Tsige viewed Jones’ banking records at least 174 times over 4 years.

Tsige admitted that she had viewed the records and was reprimanded by the Bank with a suspension and denial of her bonus. It was not Jones’ intention to sue the Bank (her employer) by commencing a complaint under the federal Personal Information Protection and Electronic Documents Act (PIPEDA). She had not been wronged by the bank who had effectively communicated to all employees that financial information was only be accessed by bank employees for work-related purposes on a “need-to-know” basis. Rather, she decided to sue Tsige directly for the invasion of her privacy.

The motions judge dismissed Jones’ motion for summary judgment holding that there was no legitimate cause of action. The Court was of the view that privacy legislation was already in place to protect privacy rights and any further development should be dealt through legislation, not the common law.

The Court of Appeal reversed this decision in part and confirmed the existence of the common law tort of invasion of privacy – a tort recognized in other provinces, but never before in Ontario. Jones was subsequently awarded $10,000 in damages.

The Court recognized that the legislation as it currently stands would not allow for an individual to sue another individual based on an independent claim of invasion of privacy.  All privacy claims needed to be combined with another claim.  Justice Sharpe addressed this gap in the law by stating that in certain circumstances a common law remedy must be provided to the affected individual.

When looking at the facts of this case he stated, “while Tsige is apologetic and contrite, her actions were deliberate, prolonged and shocking. Any person in Jones’ position would be profoundly disturbed by the significant intrusion into her highly personal information…the law of this province would be sadly deficient if we were required to send Jones away without a legal remedy.”

The elements of the new tort of “intrusion upon seclusion” as introduced by the Court include:

(1)    intentional or reckless conduct on the part of the defendant;
(2)    an invasion of the plaintiff’s private affairs without lawful justification; and
(3)    an invasion that a reasonable person would regard as highly offensive and one that causes the plaintiff distress, humiliation or anguish.

In an attempt to limit the application of the tort, the Court provided examples of “highly offensive” as including intrusions into one’s financial or health records, sexual practices and orientation, employment, or diary or private correspondence. Any claims by individuals who are sensitive, referred to by the Court as “thin-skinned” plaintiffs, or unusually concerned about their privacy are not included within the confines of this tort.

No financial loss needs to be established in order to proceed with this cause of action.  As a result, damages “should be modest but sufficient to mark the wrong that has been done.”  The Court has fixed the range for damages at up to $20,000.

Jones v. Tsige is a milestone case in the development of privacy law. The creation of the tort of “intrusion upon seclusion” by Ontario’s highest court has given a direct route for individuals to sue for an invasion of their privacy without having to go through the Privacy Commissioner. The courts can now be the first point of contact.

Previously, any privacy complaint in the private sector would need to go through the PIPEDA complaint process, which does not grant an automatic right to sue for the invasion of privacy. A complaint is taken to the Privacy Commissioner of Canada who produces a non-binding report of findings and recommendations based on an investigation of the complaint at hand.  The Commissioner does not have the power to award damages.  Only if a complaint is appealed to the Federal Court may damages be granted.

The new tort essentially allows for one to pierce the corporate veil and to sue individuals themselves for an invasion of privacy rather than the organization, opening up a potential floodgates of new litigation in Ontario. There is also nothing that prevents individuals from suing a corporation or their employer directly under this tort. In reality, we are likely to see an increase in the number of settlements if the tort of “intrusion upon seclusion” is used against organizations, as defendants attempt to avoid a breach of privacy and the negative publicity associated with such a claim from being part of the public court record.

Jones v. Tsige has proven that the law can progress with changing technology by accepting that new mediums for accessing information can pose a potential risk of privacy invasion.  Certainly the use of computer databases to snoop through a colleague’s financial information is a violation of privacy rights, a violation which now gives rise to a cause of action in Ontario.  Greater clarity would help in understanding the full impact of this tort and its limitations – for example, the parameters for what constitutes “intentional” and how sensitivity will be objectively determined leave room for varied legal opinions, until we see this common law tort of “intrusion upon seclusion” evolve and interpreted by the courts over time.

The Canadian Patient Privacy Survey results reveal that the impact of patient privacy is far greater than just a legal and ethical responsibility to protect patients. In fact, concerns over patient privacy affect the flow of information to providers to use in the diagnosis and care of their patients, as evidenced by some statistics found in the survey:

*    43.2% of Canadian patients stated they have withheld or would withhold information from their care provider based on privacy concerns.

*    31.3% stated they have or would postpone seeking care for a sensitive medical condition due to privacy concerns

*    More than 2 out of 5 Canadian patients, 42.9% indicated they would seek care outside of their community due to privacy concerns, with 33.7% indicating they would travel substantial distances, 50 kilometers or more, to avoid being treated at a hospital they did not trust, in order to keep sensitive information confidential, and

*    61.9% of Canadian patients reported that if there were serious or repeated breaches of patients’ personal information at a hospital where they received treatment, it would reduce their confidence in the quality of healthcare offered by the hospital.

By withholding medical information, Canadian patients are impacting the care received and hence the outcome. Accurate information is the bedrock upon which physicians assess medical conditions, and hence determines the treatment patients receive. When this information is withheld or even falsified, fundamental treatment assumptions are impacted.

The survey as a whole reveals that care providers have an opportunity to change the course of patient care by utilizing best practices for protecting patient privacy and initiating a dialog with patients regarding how they proactively protect patient privacy.

“This survey reveals that there is more work to be done to enable the free flow of pertinent medical information, and thus the best patient care outcomes,” says Kurt Long, Founder and CEO of FairWarning. Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario, stated, “The survey conducted by FairWarning confirms that Canadians take privacy into consideration when making decisions about their own healthcare – they believe there should be serious consequences for those who are responsible for privacy breaches.”

Clearly patient treatment in modern healthcare is entirely information-based. Any friction in the free flow of information between care providers and patients, such as that caused by privacy concerns, prevents the patient from receiving the best possible care. This indicates an urgent need for data custodians to establish processes to collect, use and disclose health information in a manner that preserves privacy.

For a full copy of the survey results and methodology, visit http://www.fairwarning.com/documents/Canada/2011-CanadaSurvey.pdf

Privacy complaints were initially made to the IPC by individuals who believed the
Alberta Teachers’ Association (ATA) was in contravention of PIPA.  At the time of the complaint section 50(5) of PIPA required that the inquiry be completed within 90 days of the complaint being made to the Commissioner unless the Commissioner notified the parties that he was extending the time period and he provided an anticipated date for completing the inquiry.   That time period is now one year. The Commissioner did not issue an order within the 90-day period but instead delayed 22 months before extending the estimated completion date.

Seven months later the IPC issued an order finding that the Alberta Teachers’ Association violated PIPA.  The ATA judicially reviewed the above finding by the Commissioner on the basis that he had lost jurisdiction by not extending the time period within 90-days of receiving the complaint.  The Court accepted this argument and quashed the IPC’s order.  Upon appeal, the Court of Appeal upheld the decision made by the chambers judge.

An appeal was made to the Supreme Court of Canada where three main questions were put to the Court.   First, whether the Court should have considered the issue of timelines since it was not raised before the Commissioner? Second, what would be the appropriate standard of review? And third, does the Commissioner’s continuation and conclusion of the inquiry, despite the Commissioner having provided an extension after 90-days, survive judicial review?

The Court held that the Commissioner’s order should be reinstated and the matter should be remitted to the chambers judge to consider issues not dealt with on judicial review.  The three questions were addressed as follows:

The timelines issue was subject to judicial review.  Despite the fact that the issue was not raised before the Commissioner, the Commissioner was deemed to have implicitly decided the issue based on his previous opinions in several other orders.
This form of specialized expertise of the Commissioner proved to be particularly beneficial to the Court.

The Court applied the reasonableness standard of review as the Commissioner was interpreting his own statute and was acting within his area of expertise.   As a result, deference was given to the Commissioner’s decision.

As PIPA is silent on when the extension of time must be granted, it cannot be presumed that the extension must be granted before the 90-day time limit has expired.  Therefore, the Court held that it was reasonable for the Commissioner to extend the 90-day period after the 90 days.  This decision did not terminate the inquiry.

The significance of this decision should not be understated.  The Alberta IPC has been given substantial order making powers and administrative control over the decision making process.  Based on the expertise of the Commissioner, PrivaTech believes the court justifiably welcomed his decision.

Click here for the full Supreme Court of Canada decision.

With easy access to information the risk of violating privacy laws has become heightened. In response to growing privacy concerns and inquires, Alberta’s Office of the Information and Privacy Commissioner (OIPC) has released Guidelines for Social Media Background Checks.

As stated in the Commissioner’s December, 15^th 2011 news release, the purpose of these guidelines is to “ensure that organizations are aware of their responsibilities under the Personal Information Protection Act (PIPA) when collecting personal information via social media.”

Key features of the guidelines include:

• Requirement to meet the reasonable purpose test

This test is used to determine whether obtaining personal information via social media networks could be considered “reasonable for the purposes of collection.”

• Relevancy of the personal information collected

The broad nature of social media and the various types of information posted on such networks results in employers collecting irrelevant personal information that is beyond the limited purpose for which the information was sought.

• Collection of third party personal information

The unintended collection of third party information poses a concern as it has the potential to lead to unforeseen PIPA violations.

• Obtaining consent

Employers may rely on consent to collect personal information via social media networks.  However, the potential employee/volunteer may withdraw their consent and the personal information collected cannot be used if the individual has opted out.

• Accuracy of the information

Due to outdated and incorrect information, as well as mislabeled photographs, the personal information posted on social networks cannot be considered entirely reliable or accurate.  PIPA requires employers to “make a reasonable effort to ensure that any personal information collected, used or disclosed…is accurate and complete.”

• Protection of the employee/volunteer’s rights

A right to complain to the OIPC is given to any individual who believes his or her personal information has been improperly collected.

Diane McLeod-McKay, Director of PIPA at the OIPC, notes that these guidelines do not prohibited the use of social media.  However, if a company chooses to use this method of screening they must comply with privacy laws – something Ms. McLeod-McKay believes will be very challenging.

Clearly if one does not ensure that their privacy settings are restricted, the visible information should be considered public.  However, even if one fits such information into the definition of “publicly available information” as outlined in s. 7 of the PIPA Regulation, thus claiming it to be exempt from the rule of consent, it is still a good idea to provide notice that social media sources are being used to make hiring decisions.

The OIPC guidelines clearly support the protection of personal information and individual privacy, and can even be considered revolutionary to the development of on-line privacy.  However, practically speaking, the use of social media has made it increasingly important for individuals to make conscious choices about what information they publish about themselves on-line.  It remains up to the social media user to ensure their on-line behavior doesn’t come back to haunt them.

On December 6, 2011 the Canada’s Privacy Commissioner released new Guidelines for online behavioural advertising. This form of advertising involves gathers information from internet users over time by tracking their online activities, in order to deliver advertising directed at the users’ interests.   Behavioural advertisers often build detailed personal profiles of users in order to assign them to various interest categories.

The purpose of these Guidelines is to encourage companies engaging in behavioural advertising to comply with privacy laws.  A strong focus is placed on ensuring that their information gathering methods are both fair and transparent.

The Privacy Commissioner is of the view that the information collected from behavioural advertising is “personal information,” as defined by Personal Information Protection and Electronic Documents Act (PIPEDA).  This legislation states that personal information is “information about an identifiable individual”.  The Commissioner believes that the information collected and the advertising process carries with it the “serious possibility that the information could be linked to an individual.”  In turn, this could expose your personal information to advertisers unknown to you.

With the application of PIPEDA, a company must obtain consent before personal information is collected.   The Commissioner has indicated that the type of consent need not be the same in every case.

Consent to tracking involves express (opt- in) consent when sensitive information is involved or implied (opt-out) consent when less sensitive information is involved.   If a company does not provide an option to opt-out, then no tracking technology should be engaged by the company.   In addition, the Guidelines suggest that companies should be cautious as to not track children or sensitive personal health information.

David Elder, Lawyer for the Canadian Marketing Association, critiques these Guidelines, stating that the information collected in certain cases should not be defined as “personal information.”  He sees most of the information as anonymous – information that cannot be connected to an identifiable individual.   Patricia Kosseim, General Counsel for the Federal Privacy Commissioner, responded that although Elder claims the information is anonymous; in reality it is not.  With the advancement of tracking technology and the linking of IP addresses to specific users, there remains the serious possibility of identifying an individual.

The Guidelines provide for the protection of individual privacy, as well as corporate accountability and transparency.   The Commissioner believes that “some people like to receive ads targeted to their specific interest.  Others are extremely uncomfortable with the notion of their online activities being tracked.  People’s choices must be respected.” PrivaTech supports the position that Internet users should be informed when their keystrokes are being tracked for advertising.

In a News Release, Commissioner Work is quoted as saying that the decision puts Alberta’s Personal Information Protection Act “at odds with laws in other jurisdictions such as British Columbia and Canada.  It means that we are off side with the rest of Canada on the meaning of personal information, and that puts the people of Alberta at a disadvantage.”

The Alberta Court of Appeal of Alberta overturned the decision of the Alberta Privacy Commissioner to restrict the collection of driver’s licence and licence plate numbers in the retail context.

With respect to the definition of personal information, the Court of Appeal adopted a narrow interpretation of personal information, finding that a driver’s licence number “uniquely related to an individual”, and is thus “personal information” under PIPA. However, in assessing the reasonableness of the collection of licence plate numbers, the majority found that licence plate numbers do not constitute “personal information … about an individual” under the Act. The court stated that a vehicle licence is “linked to a vehicle, not a person” and “[i]t makes no sense to effectively order, as did the adjudicator, that everyone in the world can write down the customer’s licence plate number, except the appellant.”

In assessing the reasonableness of the Privacy Commissioner’s decision, the court found that the Privacy Commissioner erred by concluding that an organization must implement the least intrusive policies. Rather, the court found that an organization must implement a reasonable approach towards the collection of personal information. The court stated:

“…the reasonableness of the adjudicator’s decision is undermined by her failure to recognize that the appellant needed to show only that its policies were ‘reasonable,’ not that they were the ‘best’ or ‘least intrusive’ approaches. Sections 3 and 11 do not create any test of ‘paramountcy’; the test is whether the use being made of the information is ‘reasonably necessary.’ That standard does not require the organization to defer in all instances to the interests of individual privacy. The respondent [Alberta Privacy Commissioner] is not empowered to direct an organization to change the way it does business, just because the respondent thinks he has identified a better way. So long as the business is being conducted reasonably, it does not matter that there might also be other reasonable ways of conducting the business.”

Finally, the court concluded that the Privacy Commissioner’s conclusion that Leon’s policy on the delivery of goods to third parties “was unreasonable is itself unreasonable”:

“The adjudicator’s [Privacy Commissioner] approach was influenced by the view that privacy rights prevail in all circumstances over the legitimate need to use information. It was also unreasonable for the adjudicator to conclude that the appellant’s policy was unreasonable, because the adjudicator thought that there were other reasonable ways that the business could be operated.”

This decision is obviously a very important win for businesses, in particular retail businesses, in Alberta. It is also important in British Columbia, which has privacy legislation similar to Alberta’s. It may have limited relevance outside Alberta and B.C., because the majority’s decision turned on a provision of the Alberta statute which is worded differently from the federal privacy legislation (PIPEDA). The reasoning is certainly contrary to the decisions of the Federal Privacy Commissioner that espouse the “least intrusive” approach.

Work stated in response to the decision: “Businesses get to do what is reasonable. If there’s a disagreement over what is reasonable between an employee (or) a customer and a business, then the commissioner will decide what is reasonable. The court has basically taken the commissioner out of that equation. We think that’s just wrong.”

Work has said he’ll write a letter to Service Alberta Minister Manmeet Bhullar, asking for “additional wording” in the act pertaining to the commissioner’s role. “The government needs to look at amending the law in order to restore it to what I think it was intended to be. That’s the immediate solution,” said Work.

Bhullar said although he hasn’t received Work’s letter, he will launch a review to determine what needs to be done. “The commissioner is an expert in this field of privacy (and) I take any concerns he has very seriously,” he remarked.

At issue in the two rulings was information Saskatoon police got from SaskTel and Shaw Communications to identify the users assigned to specific Internet addresses. After getting the name and home address of those users, police used the information for searches in two separate child pornography cases.

Because both cases touched on the same issue, the rulings were released concurrently.

One ruling stems from the case of Brian Arnold Trapp, who was convicted in
2009 of accessing child pornography, being in possession of it and making the material available to others through the Internet. After learning someone with a certain IP was sharing child pornography on the Net, an officer wrote to SaskTel to seek the identity of the person. SaskTel provided Trapp’s name, home address, phone number and email address. The Saskatoon man was sentenced to 13 months in jail, but was on bail pending the outcome of the appeal.

In the ruling on Trapp, Justice Stuart Cameron stated, “The accused enjoyed a reasonable expectation of privacy in relation to this information, because the information was private and confidential, and because information of this nature is potentially capable of revealing much about the individual, and the online activity of the individual inside the home.” However, the Charter of Rights protects people from unreasonable search and seizure, and Cameron found the search was reasonable. Police had reasonable and probable grounds to believe an offence had been committed, he found.

In January, the court heard a nearly identical appeal when Matthew David Spencer tried to overturn his 2010 conviction for possessing child pornography. The appeal court not only upheld the conviction but ordered he be retried on a charge of making child pornography available after allowing a Crown appeal of a lower court ruling that acquitted Spencer on the second charge.

Likewise, in Spencer’s case, Shaw Communications provided information about an IP registered user, which was Spencer’s sister. Using that information, police searched a residence, leading to charges against Spencer.

Justice Neal Caldwell authored the majority ruling in Spencer’s case. Unlike Cameron, he found there was no reasonable expectation of privacy from the Internet provider. However, he similarly concluded the information was properly disclosed, and so there was no Charter violation.

Interestingly, these cases come at a time when the federal government is planning for “lawful access” legislation – Bill C-50 and Bill C-51 – which many privacy advocates believe will have a profoundly negative impact on privacy rights. The legislation would make it legal for police forces to snoop on Internet users without requiring a warrant from a judge.The legislation is being proposed to make it easier for police to track and catch terrorists, counterfeiters and pedophiles.

The Commissioner, Jennifer Stoddart, also release audit reports involving the RCMP and CATSA, finding both of these public bodies have some cleaning up to do on the privacy front.

The RCMP was found to be breaching privacy law by holding onto the personal information of Canadians who have been convicted of a crime even after they have been pardoned. The issue of questionable RCMP record-keeping was discovered during a review of the Police Reporting and Occurrence System (PROS), the RCMP’s primary database. It contains records of individuals who have had run-ins with police, including suspects, victims, witnesses and offenders – from the moment an incident is reported to its resolution. About 1.6 million files are processed in the system each year.

Under privacy law, details of an individual mentioned in PROS are supposed to be scrubbed clean once they have been pardoned or wrongfully convicted. “This hasn’t been happening,” the report says.

Access to the database was also found to be poorly controlled. The RCMP’s policy requires that PROS users be blocked from the database after 14 months of inactivity. “We found there were over 1,000 users with active accounts who had not accessed PROS for a period of 14 months or longer,” wrote Ms. Stoddart.

She noted the danger of PROS security breaches because it “contains extensive sensitive personal information that, if improperly used or disclosed, could have a significant impact on the rights and freedoms of individuals as well their reputations, employability and safety.”

In a separate audit report, Stoddart found that by trying to solve crimes rather than keep airplanes safe, Canada’s airport security agents are similarly encroaching on privacy law. The Canadian Air Transport Security Authority (CATSA) “is not a police organization,” reads the 38-page report.

Of the 10,400 incidents in CATSA’s files at the time of the audit, more than half had nothing to do with aviation security. For instance, auditors found that agents would routinely call the police when they spotted passengers travelling domestically with large sums of money. “It is not an offence to travel domestically with a large sum of currency,” notes the report.

Auditors also found that personal information was poorly secured. “Documents containing sensitive personal information were left on open shelves and in plain view in a room where passengers may be taken for security checks,” the report reveals.

In one case, auditors visited the rooms where CATSA officials screen full-body scans and discovered a cellphone and a closed-circuit TV camera – even though these devices are forbidden under the agency’s operating procedures. By being loose on security procedures, “images – and potentially the identity of the passenger,” were at risk of exposure, the report says.

Both CATSA and the RCMP told the Privacy Commissioner they would take “immediate steps” to meet the recommendations in Stoddart’s audit reports.