The computers, all slated for recycling or reuse, were mistakenly allowed to be picked up by a computer refurbishing company prior to the destruction of the hard drives.

To date, 32 hard drives have been recovered. A forensic analysis is now underway to ensure no personal or health information was stored on the drives.  An initial examination of some of the drives has found that no information contained on the drives has been accessed since the computers were picked up by the refurbishing company.

Both the province’s Privacy Commissioner and the Ministry of Health were immediately notified of the mistake.

Under existing procedures, hard drives are suppose to be removed and destroyed before any equipment is released to an outside organization. eHealth says it will use the results of the security review to strengthen safeguards and ensure appropriate checks and balances are in place.

Many of the changes from the original draft regulations are a direct result of the comments received from associations and organizations.  Thus, CASL moves ever closer to proclamation into force – all that remains is finalization of the Industry Canada Regulations, a revised version of which is expected shortly, and the selection of a vendor to run the Spam Reporting Centre contemplated by the Act.

Many complained that the original regulations demanded too much contact information to be included in an e-mail message. As a result, the CRTC is reducing the amount of contact information that must be supplied. The CRTC is also easing up on consent rules for commercial e-mails. The law’s major impact for businesses is that they must now have prior consent from a person before sending them an e-mail, but the CRTC is relaxing the rule by allowing verbal consent to suffice. Also, it is no longer a requirement to provide an ability to unsubscribe from receiving messages in just two clicks of a mouse, as this is too technology specific. Instead, the final regulations state that “any unsubscribe mechanism should be accessed without difficulty or delay, and should be simple, quick, and easy for the consumer to use.”

Labour laws as well as privacy laws in Canada are much more stringent, so Canadians have less to worry about. Asking for a Facebook password could find the hiring employer in violation of the Personal Information Protection and Electronic Documents Act (PIPEDA) or its provincial equivalents in B.C., Alberta and Quebec, as well as the Ontario Human Rights Code.

With respect to the privacy laws, obtaining a Facebook password may violate the law by collecting more information than is necessary for the employment undertaking.
Once an employer logs into a candidate’s Facebook page, they could have direct access to information such as race, religion, or sexual orientation; information which the human rights laws in Canada make illegal to collect during the hiring process.

Another concern with this practice is that you are not just opening your Facebook profile, but those of your friends. This means your boss-to-be would have access to information from other people’s profiles that you didn’t have permission to hand over.

In Ontario there is now a tort of ‘intrusion upon seclusion’ that says that if you invade someone’s privacy without lawful justification, then the employer would be committing a tort. The applicant could seek damages in an Ontario court if they felt that their privacy was invaded without just cause. The court defines ‘intrusion upon seclusion’ as the defendant acting in an intentional or reckless way, invading the plaintiff’s private affairs without justification, resulting in offence or humiliation.

Facebook is now threatening legal action against any employer who asks for an applicant’s login information, as it is a direct violation of the user’s agreement with Facebook.

The main concern being raised by most critics, including the Federal Privacy Commissioner, is how Google will now start saving user information collected from all its services in one place. For example, users who log into several different services – such as Google.ca, Gmail and YouTube – will have data about all their searches and clicks stored together.

“Our new privacy policy makes clear that, if you’re signed in, we may combine information you’ve provided from one service with information from other services. In short, we’ll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience,” wrote Alma Whitten, Google’s director of privacy, product and engineering, in a blog post to users.

Users can stop this data consolidation from happening by staying logged out when using the search engine or YouTube, or by having separate logins for each different site. In a letter to Google, Privacy Commissioner Jennifer Stoddart said the search giant’s efforts to created a more user-friendly privacy policy was “a step in the right direction.” But she raised several concerns. For one, she said users aren’t being told enough about how to effectively opt out of Google’s new plan. “We would strongly encourage you to make it clearer to users that if they are uncomfortable with these new uses of information, they can create separate accounts. This is not clearly stated in your new policy,” she wrote. The Commissioner also stated in her letter: “As we understand it, the policy changes do not mean that Google is collecting more information about its users than it currently does. They do, however, mean that you are going to be using the information in new ways – ways that may make some users uncomfortable.”

Google is also facing heat in Europe over the new privacy policy, which France’s privacy regulator said is a violation of the European Union’s data protection rules. “Our preliminary analysis shows that Google’s new policy does not meet the requirements of the European Directive on Data Protection,” reads a letter to Google from the Commission nationale de l’informatique et des libertes (CNIL).

Canada’s privacy Commissioner has received a response from Google that is being reviewed by her office.

Edmonton-based Nexopia, claims to be “the place for teens looking to express themselves to the world” and has more than 1.6 million registered users. The privacy  investigation found that Nexopia has “inappropriate default privacy settings; provided inadequate information about a number of privacy practices; and keeps personal information indefinitely – even after people select a ‘Delete Account’ option,” said Commissioner Stoddart.

The investigation was prompted by a complaint from the Ottawa-based Public Interest Advocacy Center last year. The company complied with 20 out of 24 recommendations made by Ms. Stoddart to bring the site in line with the law, though four issues related to the retention of personal information remain unresolved.

“We are disappointed with Nexopia’s position with respect to these outstanding issues,” said Commissioner Stoddart. “We are addressing these unresolved issues in accordance with my authorities under PIPEDA, which include the option of going to Federal Court to seek to have the recommendations enforced.”

Her office has urged Nexopia to develop a policy which allows users to access a “true delete option,” though the company has argued the costs of implementing such a system are “prohibitively high.” The company has also argued that archiving personal information indefinitely is helpful in the event law enforcement requests data.  In response, Commissioner Stoddart stated in a news release, “Our position is that, while such requests or warrants may justify a longer retention period in specific cases, they do not justify wholesale and indefinite retention of all records just in case there may be a request at some point in time.”

Noting more than a third of Nexopia’s active users are between the ages of
13 and 18, Ms. Stoddart said her investigation “strongly influenced her approach” to youth-oriented online services at large. “Other websites targeted at younger people also need to take note of this investigation and ensure they’ve adequately considered the privacy considerations particular to a youth context,” she said.

Her office recently published a tip sheet designed to help parents talk to their kids about online privacy.

The Saskatoon police tracked activity associated with certain keywords on peer-to-peer file-sharing networks. A user’s IP address is revealed while files are being shared and it is also possible to browse a user’s shared files. Through their keyword monitoring, the police found child pornography in the shared folder of user 207.47.225.82 and determined that SaskTel was the user’s ISP. SaskTel identified the user as Brian Trapp, and also provided his address and telephone number. Trapp challenged the disclosure of that information as an unreasonable search under s. 8 of the Charter in his appeal from conviction on charges of possessing and distributing child pornography.

Cameron JA (Jackson JA concurring) accepted that Trapp enjoyed a reasonable expectation of privacy in the IP address assigned to him by SaskTel, even though it revealed only his name and location; ‘information of this nature is potentially capable of revealing much about the individual, and the online activity of the individual inside the home’. Obtaining the information from SaskTel was a search under s. 8, but a reasonable one in that the police had asked the ISP to provide the information voluntarily and had no reason to think the ISP was not prohibited from complying with that request.

Ottenbreit JA reached the same result but through a different route: Trapp had no reasonable expectation of privacy in simple biographical information, there was no s. 8 search and no Charter violation.

See also R v Spencer, 2011 SKCA 144, where the majority (Ottenbreit JA again
dissenting) agreed with the majority in Trapp.

The 110-page bill is intended to give police and national security agencies the powers they need to combat on-line, organized crime. According to its legislative summary, the bill “requires telecommunications service providers to put in place and maintain certain capabilities that facilitate the lawful interception of information transmitted by telecommunications and to provide basic information about their subscribers to the Royal Canadian Mounted Police, the Canadian Security Intelligence Service, the Commissioner of Competition and any police service constituted under the laws of a  province.”

That means that telecommunications companies must change their networks and install the technology to comply with this bill, including being able to intercept multiple communications simultaneously and isolate it in real time. Bill C-30 will allow the minister to order telecom companies to go beyond the requirements of the bill and will compensate them for doing so.

The bill will also create new categories of warrants that police can use to compel telecommunications service providers to produce information. This will force companies to provide “subscriber information” such as “name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the internet protocol address and local service provider identifier that are associated with the subscriber’s service and equipment” if needed in an investigation.

Previously this information was obtained on a voluntary basis if no warrant was issued, but under Bill C-30, it will make it compulsory, and police will be able to access this information without a judicial warrant.

A “transmission warrant”  will also be created, meaning information “related to the transmission of information such as routing or addressing, along with all the additional header-type information created by messages” will be available to police.

In addition, the bill outlines “preservation orders”  which allows police or national security agencies to require telecommunications companies to keep data about their customers for 90 days, without a warrant. The police cannot access this information, however, unless a warrant or a “production order” is granted by a judge within 21 days in domestic investigations and 90 days in international investigations.

A “production order” forcing companies to produce the information-can contain information such as financial data, specified communications, and disclosure of transmission data.

In terms of transmission data, the government says Bill C-30 will allow police to use devices to record data about how a communication was transmitted, but not the contents of the communication, without a warrant.

Although the bill requires the Public Safety minister to report on the interceptions of private communications obtained without authorization, there is a “gag order” in the bill, which prevents telecom companies from telling Canadians if and how their personal information is used unless it is approved by the police or national security agencies that originally asked for the information.

According to the bill’s legislative summary, Bill C-30 will “permit a peace officer or a public officer, in certain circumstances, to install and make use of a number recorder without a warrant” and “extends to one-year the maximum period of validity of a warrant for a tracking device and a number recorder if the warrant is issued in respect of a terrorism offence or an offence relating to a criminal organization.”

Privately, political insiders say the bill could simply sit on the Order Paper without being moved because the government is worried not only about its base, but also because it is unsure how to proceed with the bill given the public outcry. Publicly, the government has said it will send the bill to committee, although it won’t say when.

Bill C-30 been a bill almost 10 years in the making. The former Liberal government introduced a similar bill in 2005, and the Conservatives have introduced four bills in two Parliamentary sessions on the same issues, but all these bills died on the Order Paper. Only time will tell if the same will be true now, given the intense opposition within the Conservative caucus to the bill.

The tools include a video, tip sheet or parents and a youth presentation package – they can be found at http://www.youthprivacy.ca/en/index.html.

Commissioner Stoddart explained in a news release: “Canadian kids use the Internet and online tools effortlessly, at a very young age, and many kids are way ahead of adults in adapting to new technology. Unfortunately, while they are incredibly adept when it comes to surfing, texting, posting, and chatting online, they don’t always take time to consider the privacy pitfalls these new technologies pose.”

The thief took off with a small safe, cash, cheques and electronic information. The most critical piece of information was the media storage device containing the names, social insurance numbers and personal banking information of employees who worked at University of Victoria since January 2010.

The individuals affected were notified that their personal information was stolen and told to contact their bank or credit union to advise them of the situation.  Recommendations included closing an account and opening another.

David Turpin, president of the University, said the thieves stole the back up information stored “in a locked box, in a locked safe, which was bolted to the floor, in a locked room in a locked building…” Though it may seem as though the University took the appropriate measures to protect this highly sensitive personal information, they certainly could have done better.

The information stolen was neither password protected nor encrypted, contrary to University of Victoria’s Information Security Policy. The use of data encryption has become widespread and easy to implement, to the extent that employees now question how such an incident could have ever occurred.

The University has hired security experts from Deloitte & Touche LLP to review and provide advice on the above events in order to determine and the B.C Information and Privacy Commissioner is investigating the matter – taking seriously the fact that the information was unencrypted.

Unfortunately, the unencrypted nature of the information has made it easier for fraudsters to access the stolen information.  Police have confirmed reported incidents of defrauding since the information was stolen.  One incident occurred just a day after the discovery of the break-in. An employee realized that thousands of dollars had mysteriously disappeared from her bank account.

Fears of fraudulent activity were once again heightened as the thieves decided on January 18th to return most of the stolen items – save for the media storage device containing 99% of the concerning data.

The returned data was “thoroughly and professionally destroyed”, says police, which has made it difficult to know for certain whether the devices are the same as those stolen.  University employees recognized most of the returned items as being University property, however, they were confident that the media drive returned was not the same one that had been stolen.  The drive was replaced with a new drive, resembling the old one, missing one important feature – the personal information.

The returned items contained a note stating that “the information on [the] drives was not copied, distributed or exploited.”  It went on to say that the thieves “want no part of everyday people living in fear that their personal information is being used against them to take they’re (sic) hard earned money.”  Despite these ‘assurances’ the police believe that the “situation is now more grave as far as the potential for fraud.”

The importance of encryption in the education sector can also be seen in a recent investigation into Edmonton Public Schools.  Last year a USB stick, containing the personal information of more than 7, 500 employees, was lost in the Centre for Education.  The information included employment applications, resumes, transcripts, direct-deposit forms, cheques, payroll and benefits correspondence, driver’s licences, passport information and birth certificates.

The school was found a few weeks ago to be in violation of its own policies as they did not password protect or encrypt the personal information contained on the portable device.  In their investigation into the matter, the Information and Privacy Commissioner reported that “the sensitivity of the personal information on the USB stick is high due to the types and volume of personal information involved.”  Thus, the information “required a proportionately high obligation on the part of the school district to protect it.”

Privacy watchdogs throughout Canada continue to focus on the need for encryption, and clearly the concern affects not just the health and education sectors, but spans to any industry or organization that entrusts personal information to a mobile device. Tools for encrypting devices are readily available in the market at a very reasonable cost, so there is really no excuse for exposing sensitive information that could result of identity theft, one of Canada’s fastest growing crimes.

The new tort of “intrusion upon seclusion” was held by Justice Sharpe in his judgment to be an “incremental step…consistent with the role of [the] court to develop the common law in a manner consistent with the changing needs of society.” The Court acknowledges that with modern technology in constant development, it has become essential for the law to stay current.

In this case both Jones and Tsige worked at separate branches at the Bank of Montreal. It was discovered that Tsige had been accessing Jones’ banking records through a work computer without authorization. Tsige was involved in a common-law relationship with Jones’ former husband and had accessed Jones’ records to view the amount of child support her common law spouse was paying. Tsige viewed Jones’ banking records at least 174 times over 4 years.

Tsige admitted that she had viewed the records and was reprimanded by the Bank with a suspension and denial of her bonus. It was not Jones’ intention to sue the Bank (her employer) by commencing a complaint under the federal Personal Information Protection and Electronic Documents Act (PIPEDA). She had not been wronged by the bank who had effectively communicated to all employees that financial information was only be accessed by bank employees for work-related purposes on a “need-to-know” basis. Rather, she decided to sue Tsige directly for the invasion of her privacy.

The motions judge dismissed Jones’ motion for summary judgment holding that there was no legitimate cause of action. The Court was of the view that privacy legislation was already in place to protect privacy rights and any further development should be dealt through legislation, not the common law.

The Court of Appeal reversed this decision in part and confirmed the existence of the common law tort of invasion of privacy – a tort recognized in other provinces, but never before in Ontario. Jones was subsequently awarded $10,000 in damages.

The Court recognized that the legislation as it currently stands would not allow for an individual to sue another individual based on an independent claim of invasion of privacy.  All privacy claims needed to be combined with another claim.  Justice Sharpe addressed this gap in the law by stating that in certain circumstances a common law remedy must be provided to the affected individual.

When looking at the facts of this case he stated, “while Tsige is apologetic and contrite, her actions were deliberate, prolonged and shocking. Any person in Jones’ position would be profoundly disturbed by the significant intrusion into her highly personal information…the law of this province would be sadly deficient if we were required to send Jones away without a legal remedy.”

The elements of the new tort of “intrusion upon seclusion” as introduced by the Court include:

(1)    intentional or reckless conduct on the part of the defendant;
(2)    an invasion of the plaintiff’s private affairs without lawful justification; and
(3)    an invasion that a reasonable person would regard as highly offensive and one that causes the plaintiff distress, humiliation or anguish.

In an attempt to limit the application of the tort, the Court provided examples of “highly offensive” as including intrusions into one’s financial or health records, sexual practices and orientation, employment, or diary or private correspondence. Any claims by individuals who are sensitive, referred to by the Court as “thin-skinned” plaintiffs, or unusually concerned about their privacy are not included within the confines of this tort.

No financial loss needs to be established in order to proceed with this cause of action.  As a result, damages “should be modest but sufficient to mark the wrong that has been done.”  The Court has fixed the range for damages at up to $20,000.

Jones v. Tsige is a milestone case in the development of privacy law. The creation of the tort of “intrusion upon seclusion” by Ontario’s highest court has given a direct route for individuals to sue for an invasion of their privacy without having to go through the Privacy Commissioner. The courts can now be the first point of contact.

Previously, any privacy complaint in the private sector would need to go through the PIPEDA complaint process, which does not grant an automatic right to sue for the invasion of privacy. A complaint is taken to the Privacy Commissioner of Canada who produces a non-binding report of findings and recommendations based on an investigation of the complaint at hand.  The Commissioner does not have the power to award damages.  Only if a complaint is appealed to the Federal Court may damages be granted.

The new tort essentially allows for one to pierce the corporate veil and to sue individuals themselves for an invasion of privacy rather than the organization, opening up a potential floodgates of new litigation in Ontario. There is also nothing that prevents individuals from suing a corporation or their employer directly under this tort. In reality, we are likely to see an increase in the number of settlements if the tort of “intrusion upon seclusion” is used against organizations, as defendants attempt to avoid a breach of privacy and the negative publicity associated with such a claim from being part of the public court record.

Jones v. Tsige has proven that the law can progress with changing technology by accepting that new mediums for accessing information can pose a potential risk of privacy invasion.  Certainly the use of computer databases to snoop through a colleague’s financial information is a violation of privacy rights, a violation which now gives rise to a cause of action in Ontario.  Greater clarity would help in understanding the full impact of this tort and its limitations – for example, the parameters for what constitutes “intentional” and how sensitivity will be objectively determined leave room for varied legal opinions, until we see this common law tort of “intrusion upon seclusion” evolve and interpreted by the courts over time.