PrivaTalk - September 2004
Volume 4, Issue 5
Personal Data on Old Computers Poses Significant Security Risks
Every year millions of computers sign off permanently. Just how many millions is unknown. The U.S. Environmental Protection Agency predicts that within the next five years 250 million PCs will become obsolete in the U.S. alone, ripe for replacement.
Whatever the exact number, it’s staggering. Even more staggering is that less than one fifth of those machines are reused or recycled. The rest end up in landfills or in storage, often at the cost of hundreds of dollars each per year. Now a number of computer manufacturers, including IBM, are recycling – even buying and reselling older computers. Using such asset recovery programs, however, requires addressing certain security issues.
Many companies and people give little thought to the data that lingers on old PCs, even after deleting files or reformatting the drive. But privacy laws and regulations are putting new focus on old data. Most often, such sensitive data pertains to patient information, financial and personnel data, proprietary documents and government data.
IBM experts say there are only two ways to "sanitize" a drive adequately. One is to degauss the entire drive, which erases it magnetically and renders it both unreadable and unusable. The other is a process called data overwrite, which, as its name implies, replaces the existing data with new, meaningless content and leaves the drive usable. IBM Asset Recovery Solutions has dedicated facilities for overwriting large quantities of disk drives; doing it inside a company is typically too time consuming for IT staff. IBM overwrites using a standard established by the U.S. Department of Defense.
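As an added illustration of the overwrite-and-verify step (this is not IBM's process and not code from the original article), the following POSIX shell script plants a constructed "patient record" in a disk image file that stands in for a drive, overwrites the image in three passes, and then reads it back to confirm the record is gone. The pass sequence (zeros, ones, random) is an assumption modelled on the old DoD 5220.22-M clearing pattern; on a real drive you would set the device path to the unmounted block device and run as root.

```shell
#!/bin/sh
# Added example: overwrite a disk image and verify that a planted record
# no longer survives. A regular file stands in for the drive; point the
# functions at an unmounted /dev/sdX (as root) to sanitize a real disk.
set -eu

MARKER='HEALTH-NO'   # constructed marker that the verification looks for

# Build a 4 MiB image of zeros and plant one constructed "sensitive" record
# 1 MiB in, the way a deleted-but-not-erased file lingers on a drive.
make_image() {
    img="$1"
    dd if=/dev/zero of="$img" bs=1048576 count=4 2>/dev/null
    printf 'PATIENT: John Doe, %s 1234-567-890\n' "$MARKER" \
        | dd of="$img" bs=1 seek=1048576 conv=notrunc 2>/dev/null
}

# Verification: count lines still containing the marker (0 once sanitized).
# grep -c exits 1 when nothing matches, so || true keeps set -e quiet.
marker_hits() {
    LC_ALL=C grep -a -c "$MARKER" "$1" || true
}

# Three-pass overwrite of every byte of the device: 0x00, 0xFF, then random.
# conv=notrunc keeps the file size; on a block device it is a no-op.
overwrite() {
    dev="$1"
    bytes=$(wc -c < "$dev")
    blocks=$((bytes / 1048576))
    # pass 1: zeros
    dd if=/dev/zero of="$dev" bs=1048576 count="$blocks" conv=notrunc 2>/dev/null
    # pass 2: ones, produced by translating a bounded stream of zeros to 0xFF
    head -c "$bytes" /dev/zero | tr '\000' '\377' \
        | dd of="$dev" bs=1048576 conv=notrunc 2>/dev/null
    # pass 3: random data
    dd if=/dev/urandom of="$dev" bs=1048576 count="$blocks" conv=notrunc 2>/dev/null
    sync
}

# Run the whole cycle on a temporary image and print "hits before" and
# "hits after" so the verification step is visible.
demo() {
    img=$(mktemp)
    make_image "$img"
    before=$(marker_hits "$img")
    overwrite "$img"
    after=$(marker_hits "$img")
    rm -f "$img"
    echo "marker hits before overwrite: $before, after: $after"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it with `sh sanitize.sh demo`. The read-back check is the part that matters in an asset-recovery process: a drive is only sanitized when the verification pass finds none of the original content. Two caveats a practitioner should keep in mind: an in-place overwrite reaches only sectors the drive still exposes, not sectors it has silently remapped, and a drive that no longer spins up cannot be overwritten at all, which is when degaussing or physical destruction is the only option.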
Resellers of old computer equipment say they will no longer accept used equipment unless they are paid to erase the hard drives, so that they are not held liable for exposing sensitive data. It seems logical that liability for any data exposed through the resale of technology equipment rests squarely on the company that created the data.
Examples of the necessity of data protection abound. For instance, in January 2003 a disk drive with 176,000 insurance policies was stolen from Guelph, Ontario-based Co-operators Life Insurance Co.
In response to such events, California adopted a new law, SB 1386, which took effect on July 1, 2003. It requires any person or business that conducts business in California and holds computerized personal information about California residents to notify the affected residents of any breach of the security of that data in the most expedient time possible and without unreasonable delay.
Complying with Ontario's New Personal Health Information Protection Act
The Personal Health Information Protection Act, 2004 (“PHIPA”) was recently passed by the Ontario government and will come into force on November 1, 2004. The primary aim of PHIPA is to regulate the collection, use and disclosure of personal health information by health information custodians.
In particular, PHIPA prohibits a health information custodian (HIC) from collecting, using or disclosing personal health information unless:
(a) the HIC has the individual’s consent under PHIPA and the collection, use or disclosure, to the best of the HIC’s knowledge, is necessary for a lawful purpose; or
(b) such collection, use or disclosure is permitted or required by PHIPA.
This article provides general guidance on complying with the PHIPA and highlights the major elements of this new health privacy law.
Step 1: Determine if PHIPA applies to you
PHIPA applies to:
- HICs that collect, use and disclose personal health information (PHI). A HIC is defined as one of a number of persons or organizations outlined in PHIPA, and includes health care practitioners; long-term care providers; hospitals (public and private); and pharmacies. PHI includes identifying information about an individual relating to the physical or mental health of the individual, the provision of health care to the individual, payments or eligibility for health care, and the individual’s health number.
- Non-health information custodians that receive PHI from a HIC.
Step 2: If PHIPA applies, complete a privacy audit or assessment.
- Form a privacy team or task force.
- The team or task force should review existing policies, procedures, and practices on information management.
- Appoint a contact person (to ensure compliance with PHIPA, and respond to inquiries, access requests and complaints from the public).
Step 3: Based on the results of Step 2, put in place information practices that comply with PHIPA.
The following summary highlights the key obligations of PHIPA:
Consent:
- Where consent is required, it must be the direct consent of the individual; be knowledgeable (i.e. it is reasonable in the circumstances to believe that the individual knows the purposes of the collection/use/disclosure and the individual may give or withhold consent); relate to the information; and not be obtained through deception or coercion.
- While consent may be express or implied, express consent is required for a HIC to disclose PHI outside the “circle of care” (i.e. disclose to a non-HIC or to another HIC for a purpose other than health care). Implied consent is generally acceptable where a HIC discloses PHI to another HIC for the purpose of health care.
Withdrawal of Consent:
An individual may withdraw consent (express or implied) by providing notice to the HIC, although such withdrawal cannot have a retroactive effect. Accordingly, implement processes for capturing the withdrawal of consent (and the dates of withdrawal) by individuals.
Lockbox Principle:
An individual can give an express instruction to a HIC not to use or disclose certain PHI, even if such use or disclosure is necessary. However, this provision does not apply to hospitals until November 1, 2005.
Fundraising & Marketing:
- Where information consists of only the individual’s name and the prescribed types of contact information, HICs can rely on implied consent for the collection, use or disclosure of this information for fundraising purposes. Otherwise, express consent is required.
- HICs must obtain express consent from individuals to collect, use or disclose PHI for marketing or market research purposes.
Other Obligations:
- HICs must take reasonable steps to ensure the accuracy of PHI.
- HICs must maintain the security of PHI in its custody or control.
- HICs must make available to the public a written statement on information practices and contact information.
- Where an individual’s PHI is stolen, lost or accessed by unauthorized persons, HICs must notify the affected individual.
- HICs must grant individuals general access rights to their personal health information, except under certain enumerated circumstances.
A complete copy of PHIPA can be obtained from the government of Ontario website [http://www.elaws.gov.on.ca/DBLaws/Statutes/English/04p03_e.htm]. Ontario's Ministry of Health has also published a guide to PHIPA, designed for health information custodians. The 38-page guide is quite a comprehensive overview of the Act's requirements as they apply to HICs.
Source: ON - Ministry of Health, "Personal Health Information Protection Act, 2004: An Overview for Health Information Custodians," August 18, 2004. The guide can be found online at: (http://www.health.gov.on.ca/english/providers/project/priv_legislation/info_custodians.pdf)
Police want Greater Access to Individuals’ E-mail
Canadian police chiefs want the federal government to change the Criminal Code to give police greater access to e-mail and the Internet.
Police argue the wiretap provisions written in 1974, when rotary-dial telephones were still in use, need to be amended so that police can monitor (through lawful access with warrants) e-mail, Internet use, instant messaging, cell phones and other communication mediums using advanced technology.
According to Edgar MacLeod, president of the Canadian Association of Chiefs of Police, police are especially concerned about crimes such as child pornography, exploitation of children, and organized crime, which are increasingly carried out using technology that police are currently unable to lawfully access or intercept. Since 1974 the technology has advanced, while the police's ability to intercept it has not kept pace. The outdated wiretap provisions thus pose a significant threat to public safety.
Police want a new law that would require Internet and cell phone companies to save data, build systems that are intercept-capable, and provide free access to police when a search warrant is granted.
Currently, for more serious investigations such as child pornography, police can obtain permission from a judge and get information from Internet companies. However, not every Internet company has technology that is intercept-capable. Moreover, Internet companies are concerned over the costs of providing such access to the police.
The federal government, which is considering major changes to its Lawful Access laws, seems to be giving increasing support to the changes proposed by police. Public Safety Minister Anne McLellan, in a speech to the Canadian Association of Police Boards last week, said the issue is "something my department is actively working on".
While police assure the new law is about changing procedures to give police “lawful access”, not more powers, privacy groups disagree. Many privacy groups feel the new law would give police increased powers and would unnecessarily undermine privacy of Canadians.
John Gratle of the B.C. Civil Liberties Association feels police already have adequate investigative powers and any changes to the law are unnecessary. Given the huge databases of personal information stored in electronic mediums such as e-mail accounts, he feels the changes to the law severely threaten the privacy of Canadians.
Impact of the USA Patriot Act on Canadian Privacy
The U.S. Patriot Act was passed by the United States Congress, shortly after the 9/11 terrorist attacks, to give expanded investigative powers to U.S. law enforcement officials.
In particular, section 215 of the Patriot Act allows the FBI to secretly request and obtain from a special court an order requiring the production of any tangible things from individuals and organizations. In addition, any individual or organization served with such an order is prohibited from disclosing the existence of or compliance with the order.
The Patriot Act clearly applies to companies operating in the U.S. that hold (in the U.S.) personal information about Canadians. Companies operating only in Canada that hold (in Canada) personal information about Canadians would be subject to PIPEDA or equivalent provincial laws, and would not be subject to the Patriot Act.
Of particular interest and difficulty is the application and impact of the Patriot Act on personal information of Canadians held in Canada by subsidiaries of U.S. parent companies and by Canadian parent companies with subsidiaries in the United States.
In May 2004, B.C.'s Information and Privacy Commissioner David Loukidelis called for public consultation on whether or not the Patriot Act permits U.S. authorities to access personal information of Canadians in the custody or under the control of a Canadian subsidiary or a Canadian parent company.
To date, over 500 submissions have been made in response to the B.C. Commissioner's call for public consultation.
Notably, the Canadian Privacy Commissioner Jennifer Stoddart has responded by arguing that “if [an] organization in [a] foreign country has a related organization in Canada that holds personal information about Canadians in Canada, an order by a foreign court cannot compel the disclosure of the information that is held in Canada” and “the organization in Canada will [only] be subject to PIPEDA and/or its provincial equivalent”.
However, Professor Michael Geist, the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, disagrees. According to the submission made by Professor Geist and his associate, the Patriot Act applies to both U.S. companies with Canadian subsidiaries and Canadian companies with U.S. subsidiaries. From his research and analysis of U.S. cases, Professor Geist found that U.S. courts have repeatedly ruled that records of a foreign parent corporation may be reached by an order against a U.S. subsidiary, even if the records are held by a foreign company in a country where such disclosure is illegal. Similarly, U.S. courts have obtained records in the possession of subsidiaries abroad by compelling disclosure from U.S. parent companies. It seems that U.S. courts will compel disclosure of documents held in foreign countries if they find they have personal jurisdiction over the company in control (or possession) of the documents. Accordingly, as long as personal information is controlled by a company with sufficient U.S. ties, U.S. courts are likely to apply the Patriot Act and compel the disclosure of personal information of Canadians held in Canada.
Professor Geist also argues that compelled disclosure under the Patriot Act may not even be a violation of PIPEDA. PIPEDA includes several exceptions for disclosure of personal information without knowledge or consent.

Section 7(3)(c) enables an organization to disclose personal information where it is required "to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information". The statute does not address whether foreign orders, such as those made by a U.S. court or a grand jury, can be considered as made by "a court, person or body with jurisdiction to compel" so as to fall within this exception. Because the statute is silent on the jurisdictional distinction, it is possible that U.S. orders validly made under U.S. personal jurisdiction fall within the exception. None of the previous PIPEDA findings that address section 7(3)(c) shed light on the question of foreign orders. In Finding #96, the Commissioner considered whether a subpoena by a lawyer in Quebec (allowed under Quebec civil law) constitutes a proper subpoena under 7(3)(c). The Commissioner found that the subpoena was not proper because the powers granted to lawyers under Quebec civil law do not include compelling disclosure of records.

Section 7(3)(c.1) permits disclosure without consent where the disclosure is made to a government institution and (ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law, or gathering intelligence for the purpose of enforcing any such law. The inclusion of foreign laws within this exception indicates that disclosure for U.S. counter-terrorism investigations might qualify under the PIPEDA exceptions.
The issue once again is whether "government institution" is limited to a Canadian government institution or whether a foreign government institution could suffice. If the exception is limited to Canadian government institutions, U.S. authorities would likely need to tender their requests for disclosure through the Canadian Security Intelligence Service (CSIS) or the Canadian Department of Justice to qualify. None of the Commissioner's findings focusing on section 7(3)(c.1) address foreign requests. The language found in at least one decision indicates, however, that the exception may not preclude foreign government requests. The Commissioner opined in Finding #62 that it is "incumbent" on businesses "not to take the submissions of any government organization at face value".
The submissions made to the B.C. Commissioner are currently available on [http://www.oipc.bc.ca/sector_public/usa_patriot_act/submissions.htm]. In addition, the B.C. Commissioner’s report on the impact of the Patriot Act on Canadian privacy is expected to be released in mid-September of 2004 and will be available on the B.C. Office of the Information and Privacy Commissioner website [http://www.oipcbc.org].
In my opinion, Canadian subsidiary and parent companies with their counterparts in the U.S. will likely be compelled to disclose information when faced with a court order under the Patriot Act, and doing so would not be in violation of PIPEDA.
Study shows Consumers are More Privacy Aware and Companies’ Internet Privacy Policies are Lagging Behind
Consumers taking privacy-assertive actions are up almost 30% since 1999, according to the latest Consumer Privacy Activism Survey commissioned by Privacy & American Business (P&AB) and fielded by Harris Interactive. These survey findings link the privacy concerns consumers are expressing with real consumer actions. Companies should be aware that:
* 87% of respondents say they have asked a company to remove their name and address from marketing lists compared to 58% in 1999 (up 29 percentage points).
* 83% of respondents say they have refused to give information to a company because they felt it was not really needed or was too personal, compared to 78% in 1999 (up 5 percentage points).
* 81% of respondents say they have asked a company not to sell or give their name and address to another company, compared to 53% in 1999 (up 28 percentage points).
* 60% of respondents say they have decided not to use a company because they weren't sure how their personal information would be used, compared to 54% in 1999 (up 6 percentage points).
The 2004 survey also asked respondents who identified themselves as online users if they have ever decided not to register at a Web site because they found the privacy policy presented there to be too complicated or unclear. 65% said yes, representing over 94 million U.S. adult online users.
These findings demonstrate that instead of having been dampened by the enactment and enforcement of new privacy laws in the States, American consumers, much like Canadians, are taking privacy protection into their own hands.
The survey’s results show that companies must not only continue to improve their online privacy protections for consumers, but make it clear to consumers that they’re doing so.
Meanwhile, a review of the Internet privacy policies for the 100 biggest U.S. companies found that more than half share their users’ data with affiliates, subsidiaries or business partners without explicit permission.
The report, released this week by the Customer Respect Group, a Bellevue, Washington-based research firm, found that 93 of the Fortune 100 companies posted privacy policies on their site, up from 90 last year. Of those 93 companies, 30 percent said they use customer data only for the purpose for which it was provided or for internal marketing efforts. But 58 percent of the companies with privacy policies are not so guarded. Thirty-five percent share information with affiliates or subsidiaries; 23 percent give data to business partners.
The Customer Respect Group said 12 percent of the companies’ privacy policies are unclear on the subject of data sharing.
The privacy rankings were part of a broader study by the Customer Respect Group to analyze the customer-friendliness of corporate Web sites, incorporating such criteria as simplicity, responsiveness, attitude, transparency and other similar principles.
The Internet Facilitates ID Theft
"Identity theft is one of the fastest growing crimes in North America" and "criminals are increasingly using technology to steal identities as well as illicitly obtain funds", a recently released report by Criminal Intelligence Service Canada says.
"Technology facilitates criminals in targeting thousands of victims in multiple jurisdictions ... before a victim or law enforcement is aware the crimes have taken place." Consequently, the scope and potential impact of such crimes are greatly increased.
Indeed, figures released by PhoneBusters show losses from identity theft in Canada almost doubled, from $11 million in 2002 to $21 million in 2003. Ontario alone suffered losses of $12 million in 2003.
The Internet has not only made it easier for criminals to obtain personal information, it has also enabled criminals to devise new and elaborate schemes for identity theft.
A popular and highly successful scam used by criminals is "phishing" (also known as "spoofing"). Phishing is when criminals send emails that appear to come from legitimate businesses (e.g. financial institutions) and solicit personal information from consumers. Often the email directs the consumer to a counterfeit website that likewise imitates the legitimate business, where the information is captured.
Another common scam is known as “skimming”. Skimming is when criminals “skim” (or "swipe") credit cards, using an electronic device, to record personal information from the magnetic stripes on the cards. The data is used to produce fraudulent credit cards.
Here are just a few examples of how you can minimize the risk of identity theft:
- Carefully check your monthly credit card statements.
- Shred any documents containing personal information that you no longer need.
- Do not give personal information over the phone, email, or the Internet, unless you initiated the communication or know the person/organization you are dealing with, and know the communication channel is secure.
- Order a copy of your credit report from major credit reporting agencies at least annually.
- Be especially careful about your SIN.
- Before giving your credit card number or other personal information online, ensure the website uses an encrypted (HTTPS) connection and that you have confirmed the site really belongs to the business you intend to deal with, rather than following a link from an email.
- Be wary of Internet promotions that ask for personal information and computer start-up software that asks for registration information.
The best advice to give to someone who has become a victim of identity theft is that they should immediately contact their credit card issuer or bank and report the incident to local police. In addition, it is important to report the incident to PhoneBusters [www.phonebusters.com] and to the credit reporting agencies, Equifax and TransUnion.