PrivaTalk - September 2001
Volume 1
Issue 8
Privacy Diagnostic Tool Assesses Privacy Readiness
The Ontario Information and Privacy Commissioner (IPC) has introduced the Privacy Diagnostic Tool (PDT), which will allow companies to assess their business privacy policies and information practices. This free self-assessment guide, which the IPC developed with the assistance of security and privacy experts at Guardent and PricewaterhouseCoopers, compares an organization's business information processes against international privacy principles. The PDT is designed for organizations that wish to assess their information management policies, and for consumers who want to evaluate the privacy practices of the companies with which they do business.
The PDT is based on a series of questions in 10 issue areas that are consistent with internationally recognized fair information principles for the management of personal information, including accountability, consent, accuracy, safeguards and openness. These principles form the basis of privacy laws around the world, including Canada’s new Personal Information Protection and Electronic Documents Act. Businesses are informed about the objectives of each principle and are alerted to the risks if they fail to comply. The self-assessment requires organizations and consumers to answer "Yes" or "No" to the questions based on their current business practices, and provides a quick initial measure of a company's privacy readiness.
The Privacy Diagnostic Tool, which is available as software or in hard copy, can be downloaded from the IPC's Web site. The PDT is not designed to give a detailed privacy assessment and is intended to be complementary to other measures that may be taken to protect privacy or comply with privacy legislation or industry privacy codes. The PDT may highlight for an organization that more rigorous work is needed to effectively manage personal information in a privacy protective manner. If one is familiar with the general privacy principles, for example those in the CSA Model Code for the Protection of Personal Information, most of which are quite readable, the PDT may be overrated. A general, high level test does not help a company determine how to change their practices. The solution must be effectively customized based on the type of organization and the type of personal information being handled.
This is the first time that an independent privacy commissioner and private sector consulting firms have collaborated to produce a privacy assessment tool. The PDT will be launched onto the world stage by the IPC at the annual International Data Commissioners’ conference in Paris this month. Given that privacy issues have come to the forefront at a global level, we are likely to see a number of interesting public/private sector initiatives in this area in the near future.
Is Publicly Available Information too Public on the Internet?
According to Canada’s new privacy law, the Personal Information Protection and Electronic Documents Act, if information is “publicly available” and is specified in the Regulations, it can be collected, used or disclosed without the knowledge and consent of the individual. Industry Canada released regulations specifying publicly available information that came into force on January 1, 2001. The following are considered publicly available information:
a) Personal information (names, addresses and phone numbers) appearing in the telephone directory;
b) Personal information including names, titles, addresses and phone numbers appearing in professional or business directories that are available to the public;
c) Personal information that appears in a registry collected under a statutory authority, and to which a right of public access is authorized by law;
d) Personal information that appears in a record or document of a judicial or quasi-judicial body, that is available to the public;
e) Personal information that appears in a publication, in print or electronic form, that is available to the public.
The information in b), c) and d) is only publicly available information if the collection, use and disclosure relates directly to the purpose for which the information appears in the directory, registry, record or document. This limitation with respect to the purposes attempts to address the growing use that commercial organizations make of publicly available information which has nothing to do with the primary purpose for which the information was made public (e.g. using public information to contact individuals and offer them products or services). To require an organization to obtain consent to use publicly available information for its primary purpose would not contribute to the protection of the individual’s privacy, and would add to the organization’s costs unnecessarily. However, it is reasonable to insist that any purpose other than the primary one should be subject to the consent requirement.
The fundamental tenet of privacy is that individuals should be able to decide who they will share their personal information with and under what circumstances. However, some public information enters the public domain without the knowledge or consent of the individual. This information is made public for a specific and primary purpose. One example given in Industry Canada’s Regulatory Impact Analysis Statement is that public access is permitted to some court records to facilitate transparency in the justice system.
The purpose of many professional and business directories is not explicitly stated. Industry Canada indicated that when no purpose is stated, the organization should make reasonable assumptions about the purpose. Similarly, for any court record, it is possible to ascertain the purpose for making the record publicly available from statements by the courts about public access to records, such as promoting transparency and the perception of fairness in the justice system. These are broad purposes that could capture a variety of uses; however, Industry Canada pointed out that the Regulation on publicly available information may encourage the courts or other authorities to take into consideration privacy concerns in making decisions about the extent of public access to particular court records. It seems that placing court files on-line is consistent with the purpose for making these documents public – promoting transparency – unless a judge says that a record is not to be made available to the public, for example, if there are other interests at stake, like the privacy and safety of a victim or witness.
In the States, there has been a growing concern about the privacy and security of providing electronic public access to court case files. These files could contain sensitive medical or financial data. Many courts have placed court records on the Web for anyone to access. Once, the only way to get such information was to go to the courthouse and request it. Some feel that if it’s public at the courthouse, it should be public on the Internet, while others would say public court records that go on-line are too public! Although judgements appear on-line in Canada (e.g. the Supreme Court of Canada’s website), full case files rarely do. There is no simple way to find out, for example, whether someone has ever appeared before a judge on criminal charges, or whether defendants cooperated with authorities. In the U.S., the PACER system (Public Access to Court Electronic Records) is the government’s plan to link court files from all federal courts under a single Web-based system.
A committee of U.S. federal judges recently recommended that courts limit the case information they place on the Internet. The recommendation was that documents in civil and bankruptcy cases be made available electronically to the same extent that they are now in courthouses. However, Social Security cases should be excluded from electronic access. In addition, personal identifiers, such as Social Security and financial account numbers, should be removed from civil case and bankruptcy files. Public remote access to documents in criminal cases should not be available. Judges will be voting on the recommendations at a judicial conference this month.
The assumption is that most court records should be open to public scrutiny for the good of the courts, democracy and society. However, judges must weigh the commitment of the court to openness against privacy concerns of those whose personal information is found in court records.
Delicate Health Privacy Issues Spur Controversy in Ontario
Over the past year, in response to public demand, the provinces have been quick to introduce laws that protect personal health information (in Alberta, the Health Information Act; in Manitoba, the Personal Health Information Act; and in Saskatchewan, the Health Information Protection Act which is not yet in force). Personal health information is information that identifies an individual and includes the physical or mental health of an individual, or any health service provided to an individual.
The federal privacy legislation will apply to the trans-border flow of health information for commercial purposes as of January 1, 2002. The same rules apply with respect to the protection of health information as those for the protection of any other personal information, such as contact details, buying preferences or financial information. Although health information is recognized as sensitive information, thus requiring express consent before being shared, no consideration has been given to the unique needs of the health sector in handling health information, for example in the context of vital health research. As of 2004, provincial health privacy legislation will ensure the federal legislation does not apply within the province, as long as the federal government determines the provincial legislation to be substantially similar to the federal legislation. The provinces are in fact not just looking to be similar, but to have enhanced protections and provisions that are more workable in the context of health care (for example, situations where health information must be shared between health care practitioners).
Ontario introduced Bill 159, the Ontario Personal Health Information Privacy Act, in December of 2000. The bill was intensely criticized and died on the order paper. The most controversial provision was the power given to the Minister of Health to direct any health care practitioner or facility to disclose personal health information for the purpose of planning and management of the health care system. The Federal Privacy Commissioner noted in Committee hearings that Bill 159, as worded, would not be held to be substantially similar. Although Ontario does not have health privacy legislation at the moment, the Ontario government is planning to introduce general privacy legislation that will cover the private and health sectors before the end of the year. With Bill 159 being folded into this new general privacy legislation, the health sector’s needs will likely be addressed more effectively than they are in the federal legislation.
There have recently been a number of Ontario health privacy issues in the media. For example, the Ministry of Health and Long-Term Care is working on a project called “Smart Systems for Health”. Personal health information about all Ontarians will be stored in databases and exchanged among thousands of providers on a health information network being set up by the province. It is designed to reduce costs and increase the efficiency of the public health system by allowing health care providers to send, receive and access patient files (for example, between doctors and blood testing labs). Privacy concerns stem from the wide access to this sensitive information. Although the system will be extremely secure and the information will be encrypted such that it cannot be retrieved without a key, up to 150,000 authorized users in the province could ultimately get those keys.
Recently the media reported concerns about the disclosure of patients’ medical records to hospital foundations (entities separate from the actual hospitals) for fundraising purposes, even if the only information shared is the mere fact of being in a hospital. Many have experienced coming home from the hospital to find letters from the hospital’s foundation requesting funds. The concern is not that hospital foundations have access to patients as a source of funds, but the fact that in many cases, the patient’s consent to the access is not sought.
Conservative MPP Garfield Dunlop is engaging in consultations across the province with respect to whether emergency workers, victims of crime and Good Samaritans should be able to access the health records of individuals they have come in contact with, and who may have an infectious disease such as AIDS. All too often, police officers, ambulance workers and correctional officers are bitten or stabbed by syringes while on the job. Whether access to medical records is really needed is what Dunlop needs to figure out, particularly because experts say that the “AIDS cocktail”, which if administered within hours of initial contact can stop the virus, should be taken regardless. Although the cocktail has horrible side effects, the medical records being accessed could be incomplete, or the virus may not have been detected yet. If an emergency worker must assume that everyone they come into contact with is potentially carrying the disease, the violation of privacy may not be justified. If it is justified, Dunlop plans to introduce legislation in the fall of next year.
Just as in every other context today, information is power. More and more health privacy issues will come to the forefront as the boundaries of access to health records are tested. In the health context in particular, legislators must proceed cautiously and openly when expanding those boundaries and balancing other interests against health privacy.
Australian Businesses Push Government to Delay Privacy Law
Australia’s Prime Minister, John Howard, has been inundated with criticisms from the Australian Retailers Association (ARA) on the timelines for implementation of the new Australian privacy law. Businesses are expected to comply by December 21st of this year; however, the retailers want to delay the legislation by at least one year.
The Prime Minister has made commitments to consider the retailers’ concerns and discuss the matter with the Attorney-General. The main concern is the late release of the Guidelines on the National Privacy Principles (NPPs). The draft guidelines were released in early May, and the Australian Privacy Commissioner received comments on the draft guidelines, as part of a consultation process, till early July. The much revamped final guidelines are expected to be released in early October. The retailers’ main concern was that businesses will not have enough time to properly absorb the guidelines, and ensure their practices and operations comply, between the release of the guidelines and the coming into effect of the legislation two months later.
Under the new law, consumers will have access to their personal information held by businesses, the right to correct errors in their information, and the right to insist on removal from direct mailing lists. The NPPs provide a default framework for the protection of personal information – private sector organizations will be bound by them, unless they have developed their own privacy code that has been approved by the Privacy Commissioner. The NPPs provide guidance in the following areas:
Collection of personal information - NPP 1
Use and disclosure of personal information - NPP 2
Quality of personal information - NPP 3
Security of personal information - NPP 4
Openness - NPP 5
Access of individuals to personal information - NPP 6
Identifiers - NPP 7
Anonymity - NPP 8
Transborder data flows - NPP 9
Collection of sensitive information - NPP 10
Powerful business groups flooded the Commissioner’s office with submissions on the draft guidelines, pointing out the cost of gaining consumer consent to collect and use data. Businesses have been criticizing the new legislation for some time for being too prescriptive and heavy-handed. Many businesses are not prepared and are just beginning to understand that they will have to make drastic changes to their practices. Research by the Privacy Commissioner’s office found that half the organizations selected for a survey had little knowledge of the new laws, and 75% had not begun to prepare for the legislation.
In my opinion, delaying the legislation because of business pressure is not appropriate. There will always be a great deal of resistance to compliance with privacy legislation, particularly from retailers who engage in intense marketing campaigns. The basic obligations on businesses, as laid out in the NPPs and in general international privacy principles are fairly clear, with or without the guidelines. The approach taken by the Canadian Privacy Commissioner when the federal private sector privacy legislation came into force on January 1st of this year, sooner than businesses would have liked, was that businesses should be working towards compliance. The Privacy Commissioner made it clear that he was there to assist and guide Canadian businesses, and was not expecting strict compliance by the January 1st deadline.
The amendments to the Australian privacy legislation to include the private sector suffer from many lax exemptions, such as the full exemption from the legislation for small businesses with a total income of $3,000,000 or less. Such exemptions drove the EU to find that Australia’s privacy protection was inadequate, such that Australia could not be the destination for the transfer of data on EU citizens without other data protection measures in place, such as contractual terms. The Australian government could use some time to improve the legislation; however, using a delay to amend the legislation is unlikely given that the legislation would have to be repealed and re-introduced – a process that could easily take over a year.
As more and more companies are becoming aware of the new obligations, a delay does not seem justified. The Internet Industry Association (IIA) yesterday released its draft privacy code for the Internet industry. After a seven-week consultation period, the code will be formally submitted for registration by the Privacy Commissioner. A recent survey showed that 66% of Australia’s top websites have privacy policies, a 15% increase in six months.
Canadians More Comfortable with On-line Banking than Americans
An Ipsos-Reid poll recently revealed that 61% of active Canadian Web surfers have done some on-line banking, compared with just 29% of their American counterparts. As well, about 15% of Canada’s active surfers have invested on-line, compared with just 10% of those in the United States.
Researchers at Ipsos-Reid attributed the difference to the Canadian banking industry, which has been extremely aggressive in promoting on-line banking and investing, and has made measurable progress towards convincing Canadians that the Internet is a viable and secure option.
In fact, Ipsos-Reid found 69% of those surveyed were confident that Canadian banks can ensure the on-line security and privacy of both their financial transactions and their account information. The comparable number for our neighbours to the south was 49%. As well, the poll showed that 48% of Canadian Internet users who have been on-line for less than a year have already banked on the Net, while just 13% of U.S. newcomers to the Internet have done so.
There may be other factors that contribute to the higher comfort level among Canadians with respect to banking on-line, such as the fact that Canada's banking system is national, while in the U.S., the banking system is much more regional and diffuse. Thus, the commitment to privacy and security would be less consistent between U.S. banks.
The Canadian Bank Act (S.C. 1991, c. 46) has regulated financial institutions for some time, and deals with privacy concerns. The law requires a bank to establish procedures to restrict the use of confidential information, to provide for the disclosure of information to customers, and to deal with complaints. American banks do not face the same level of regulation for the entire banking industry. Thus, legislation may also be an underlying factor in customer confidence. If a customer knows that a bank is held to a high standard and faces legal consequences if that standard is not met, this likely has an impact on their willingness to bank on-line. In Canada, banks are also now governed by the Personal Information Protection and Electronic Documents Act, which requires each bank to implement the ten privacy principles of the CSA Model Code for the Protection of Personal Information.
In the U.S., new privacy rules (the Gramm-Leach-Bliley Act) for the financial sector came into effect on July 1st of this year. The Center for Democracy and Technology (CDT), an Internet privacy advocacy group, surveyed the Web sites of 100 U.S. banks, brokers and mortgage companies offering financial services. The new financial privacy rules require financial firms to tell customers how their personal information is collected and used and to allow them to block some of it – such as account balances, account numbers or spending records – from being sold to outside companies such as telemarketers. The study found that only 22 of the firms surveyed offered convenient ways – such as secure, on-line forms linked to their privacy policies or e-mail response systems – for Internet customers to exercise that "opt-out" right. Thirty-four of the companies surveyed had few or no online options for customers to exercise privacy choices, instead requiring physical mailings or calls to toll-free numbers.
The CDT report, “On-line Banking Privacy: A Slow, Confusing Start to Giving Customers Control Over Their Information”, is meant to signal American legislators and federal regulators that they need to monitor banks’ practices more closely. It is also intended to encourage on-line banks to comply with privacy provisions. Given that the law has only been in effect for two months, it is unclear whether the poor score many banks received with respect to providing on-line choices will improve, and whether better compliance with the Gramm-Leach-Bliley Act will affect Americans’ comfort levels with banking on-line.
Despite their relative comfort with on-line banking, Canadian Web surfers still remain far behind their U.S. neighbours when it comes to on-line shopping. The Ipsos-Reid survey found that over the past year, Americans have made an average of 14.5 purchases each, compared with only 6.5 average purchases by Canadians. Ipsos-Reid attributed the Canada-U.S. on-line shopping gap to the lack of Canadian on-line options, currency exchange rates and delivery costs.
Given the Canadian government’s push to be leaders in e-commerce, the Ipsos-Reid on-line banking polls are encouraging. This is also a big boost for the Canadian banking industry, which can politically take credit for Canadians beating the Americans for a change.
Privacy and Security Concerns about Microsoft’s New Operating System
Microsoft’s upcoming Windows XP operating system (scheduled to be released on October 25th), has been severely criticized by users, politicians and privacy groups. Nearly 15 privacy and consumer groups recently filed a complaint with the Federal Trade Commission, claiming that Microsoft, by offering Passport and associated services, is engaging in unfair and deceptive trade practices.
Passport is Microsoft's on-line authentication system, which gives users the ability to use a single sign-in to access multiple Web services. The idea behind Passport is simple: one secure ID and password rather than the many needed to access the wide range of Web sites and services consumers use every day. Passwords do not have to be re-entered because the Passport system is essentially a portal into a host of Web services that Microsoft will offer itself or through industry partners. Microsoft uses Passport authentication for its MSN Messenger and Hotmail e-mail services and Microsoft Developer Network on-line access, among other product and service offerings.
Analysts say that Passport's greatest security weakness may be the single sign-on process. Since the ID is always an e-mail address, someone looking to break into an account might easily obtain half the information needed to do so. With respect to privacy, privacy groups find that Passport seems to collect too much personal information. Some industry experts question the validity of this claim given that when Windows XP is installed, Microsoft notifies the user of the information they're going to collect.
The difficulty is that by being the keeper of password information and a wide range of other personal information, Microsoft’s repository of data could be vulnerable to hack attacks. Also, Microsoft may in the future be tempted to sell or otherwise use the data inappropriately. Although users maintain control over what information they include, many will not understand the risks of sharing credit card and banking information and will focus on the fact that including this information gives them expanded services.
Public pressure has already caused Microsoft to pull Smart Tags from the new browser, Internet Explorer 6.0, to be distributed with Windows XP. Smart Tags are highlighted words and phrases that allow users to jump immediately to related Web information. Content providers argued that the automatic links could be used by Microsoft to divert users away from their Web pages and towards Microsoft’s alliances or partners.
Another issue is product activation. Windows XP will quit working if it is not activated via the Internet or telephone. This anti-piracy measure keeps track of a computer's hardware. If you make substantial changes in hardware or attempt to install the same copy of XP on a different computer, another activation code will be required. Some contend the feature is intrusive and impinges on their right to install an operating system on any machine they want at any time. In fact, Microsoft is within its rights to restrict unauthorized installations. Whether consumers are sympathetic to Microsoft's piracy concerns is another question. Privacy experts rightfully worry that registration information (name, address, phone and e-mail) could be matched with activation codes to create a database for tracking Web movement.
Explorer 6.0 will allow users to bar access to Web sites whose privacy policies aren’t strong enough. These “personal privacy preferences” or P3P settings, allow users to set the level of privacy protection they’ll accept from a Web site. When a user tries to access a Web site, the browser will look for a computer code version of the privacy statement to make sure it matches up to the preferences specified by the user. For more information about P3P, visit the Technology section of the XXX issue of PrivaTalk. It is important to recognize that just because a company says their policy is not to sell your information, there is no guarantee that a company actually follows its policy.
Microsoft has attempted to ensure that a great deal of control is given to the users of Windows XP. The difficulty is that no matter what protections are put in place, there is always a risk that a company that collects a great deal of personal information could violate privacy by using the information in ways unknown to the user. In its attempts to create an operating system that touts security and privacy (with authentication features and user control), a host of public concerns about these very issues seem to be preventing Windows XP from getting off to a strong start.
