Home / Privacy Resources / Article Search / PrivaTalk - June 2002

PrivaTalk - June 2002

PrivaTalk

June 2002
Volume 2
Issue 6

Test Case in the United States on DNA-based Job Discrimination

Burlington Northern Santa Fe Corporation in the United States recently agreed to pay $2.2 million to settle charges of illegally testing workers for genetic defects in the U.S. government’s first case against workplace DNA discrimination.

While the company, one of the country’s biggest railroads, denies it violated the law, the case was a milestone in the brave new world of medical privacy battles involving employees. Burlington Northern, which has 39,000 employees, had said it started the genetic testing in March 2000 when it gave medical examinations to workers who filed claims of work-related carpal tunnel syndrome.

The U.S. Equal Employment Opportunity Commission charged Burlington Northern with genetically testing or seeking to test 36 employees, mostly track workers who said they had job-related carpal tunnel syndrome, without their knowledge as part of a comprehensive diagnostic exam. The Commission found that employees who refused to take the test faced possible discipline. The Commission concluded that the tests violated the 1990 Americans with Disabilities Act (ADA) by subjecting the unknowing employees to DNA analyzes of whether they were genetically predisposed to carpal tunnel syndrome, a painful hand and wrist condition often caused by repetitive motion.

While the Commission did not find that Burlington Northern had used genetic tests to screen out employees, employers should be aware of the Commission’s position that the mere gathering of an employee’s DNA may constitute a violation of the ADA. The ADA essentially bars employers from requiring medical exams unless they are needed to determine whether a worker can perform a particular job or poses a threat to anyone. No such legal rules exist in Canada, other than the fact that discriminating employees based on their genetic makeup may be a violation of the Human Rights Code.

The company, one of the few U.S. employers to admit to using genetic tests, voluntarily suspended its program in February 2001, a few days after the Commission sought a court order against the company. In an interim settlement with the Commission last April, the company agreed not to resume the testing. Both sides said they were satisfied with the settlement, which is subject to court approval. The $2.2 million will be split among the 36 workers according to how much of the testing process they endured.

The current patchwork or state laws concerning genetic information is confusing. President Bush has declare his support for legislation forbidding employers and insurance companies from denying jobs or health coverage to people based on their genetic makeup. However, although bills to ban DNA discrimination on the job and in health insurance are pending in Congress, there has been little or no movement on them in the
past year.

Although there is no equivalent to the ADA in Canada, under the Personal Information Protection and Electronic Documents Act, an employee’s personal information must only be collected for reasonable purposes and such collections must be limited. The Federal Privacy Commissioner would likely find that the kind of testing engaged in by Burlington Northern would, in Canada, violate the Act because the reasonable person would not consider the testing to be appropriate. Provinces that enact their own private sector privacy legislation would also require that the collection of personal information be limited to appropriate purposes, in order to be considered substantially similar, and thus avoid having PIPEDA apply within that province as of January 1, 2004. Provincial privacy commissioners are also likely to find genetic testing of employees inappropriate in most cases.

Inappropriate Disclosure of Social Insurance Numbers by the Federal Government

The Privacy Commission of Canada has found a Toronto man’s rights were “egregiously violated” after a government officer supplied his social insurance number to a private investigator who was investigating an insurance claim.

The RCMP has opened a criminal investigation into the matter and Human Resources Development Canada has taken disciplinary action against an employee in its Oshawa office. In his report dated May 10, 2002, Commissioner George Radwanski criticized HRDC for not actively pursuing the matter for almost 10 months, even after confirming there was a breach and pinpointing the employee who provided the number to the private investigator.

The complainant discovered that a robbery had occurred at his apartment and filed a claim for an $87,000 claim with Chubb Insurance Company of Canada. He was told his claim was under investigation, but eventually the complainant filed a civil lawsuit for damages.

Before the court, Chubb's lawyers submitted a file from a private investigator with Signum Corporate Services. The file included the complainant’s SIN number, which the investigator stated was retrieved from the Employment Insurance Commission, a department within the HRDC.

A SIN number is a confidential number issued to Canadian residents for income-related purposes. A person’s SIN can be used to steal his or her identity, something that has occurred much more frequently in the United States with stolen Social Security Numbers, the equivalent of the SIN in Canada. Along with other personal information, someone may be able to use your SIN to apply for a credit card or open a bank account, rent vehicles, equipment or accommodation in your name, leaving you responsible for the bills, charges, bad cheques and taxes.

The complainant was issued a new SIN by HRDC but was told that the case would not be further pursued. The complainant reached a settlement with Chubb Insurance but filed a complaint with the Privacy Commissioner against HRDC. HRDC has agreed to implement new measures to protect the SIN number, in accordance with the Privacy Commissioner’s report of findings, including:

· A quarterly list of employees with designated access to the social insurance registry.

· Monthly checks by managers of their employees’ actions on the databank and a new process for immediately reporting security breaches.

· A warning to employees detailing the consequences of compromising registry information.

The Commissioner has also made it clear in a finding against a telecommunications company in the Fall of 2001 that using the SIN for any purposes other than taxation, such as using the SIN as an employee or customer identifier, is simply not appropriate and would not be acceptable to the reasonable person. Hence, use of the SIN for such purposes would be in violation of the Canadian private sector privacy law that has been in force since January of 2001.

Inappropriate uses or disclosures of the SIN are serious privacy breaches and can clearly lead to grave consequences for individuals in Canada. We are sure to see further private and public sector decisions coming from the Commissioner’s office that make it clear that a high level of protection must be afforded to the SIN.

Privacy Abuses in Saskatchewan Reduce Confidence in the Government

A number of Saskatoon and Regina city police, provincial RCMP officers, Crown corporation employees and provincial government employees have recently been found to be improperly disclosing personal information to unauthorized third parties.

The Saskatchewan government is now conducting a full review of its agencies’ policies and procedures to ensure that systems are in place to protect the confidentiality of personal information in government employees’ hands, and that will leave a record of those who get access to private information

It is unclear how widespread the problem of improper disclosure of information really is. When asked to investigate the privacy scandal by the official Opposition of the Saskatchewan government, Saskatchewan’s Privacy Commissioner, Gerald Gerrand stated that he can not independently investigate the issue because the Commissioner lacks the power under the Freedom of Information and Protection of Privacy Act (FOIPPA) to compel individuals to speak to him when conducting an investigation, thus constraining his ability to gather information. Any information obtained from individuals by the Commissioner would have to be given voluntarily.

Saskatchewan's Justice Minister Chris Axworthy said the province would consider amending the Act if Gerrand thinks it is necessary. The Ontario Information and Privacy Commissioner, Ann Cavoukian has also complained about her lack of subpoena powers under Ontario’s FOIPPA. She wants to see the Ontario government amend its draft private sector privacy legislation to give her a clear right to compel individuals to speak to her in the context of an investigation.

The concern lies not only with those disclosing personal information inappropriately, but those collecting it. With a little bit of probing, it quickly became clear to the Saskatchewan government that police officers often disclose highly sensitive personal information, such as criminal records, to private investigators, who in many cases are former police officers seeking information from their colleagues.

What the province needs are laws that require private investigators to protect privacy, since private investigators are not covered by public sector legislation. In Ontario, under the draft Privacy of Personal Information Act, exemptions to the requirement of obtaining consent for the collection, use and disclosure of personal information, as currently worded, would exempt much of the activities of private investigators. Although we may see some changes to the Ontario draft, with the efforts to ensure that a balance between privacy and security are achieved, and to ensure that the privacy rules do not limit the need to obtain information in the context of law enforcement or national security, this exemption is likely to remain quite broad.

Governments and law enforcement authorities hold a great deal of sensitive personal information, abuses of which may occur now and then, but which can be minimized by implementing strong privacy policies and security procedures.

New Privacy Laws for Internet Companies in the United States and the European Union

A European Union Internet privacy bill, that will revise the 1997 Directive on privacy, would require opt-in consent for commercial e-mail and cookies. The bill passed in the Parliament’s 626-member assembly on May 30, 2002. Though it might be difficult for the EU to enforce the bill outside its borders, it still has serious implications for all marketers.

The most controversial provision of the bill would require Internet service providers (ISPs) and telecommunications companies to retain detailed records of consumers’ Web surfing, e-mail, telephone, fax and pager communications for law enforcement and national security purposes. ISPs would also be required to provide law enforcement agencies (police, customs, immigration and internal security agencies) with access to this data when requested. Under the 1997 Directive, data can only be retained for a short period for “billing” purposes (ie: to help the customer confirm usage details) and then it must be deleted. With the new bill, governments can find out exactly what Web sites an individual visits, which seems contradictory to the rest of the bill.

Civil liberties groups and some Parliament members strongly opposed the data retention rules, but the bill passed regardless. EU companies are still required to eliminate data after a billing cycle ends until the bill receives approval from each of the 15 EU governments, making it law. It is unclear when those voting procedures will take place.

Meanwhile, in the United States, an online privacy bill, S. 2201, has advanced in the Senate with supporters maintaining it will bolster consumer spending and critics claiming it will weaken corporate security and burden IT departments and budgets.

The Online Personal Privacy Act, sponsored by the Chairman of the Senate Commerce Committee, Ernest Hollings, has received approval from the Senate Commerce Committee by a vote of 15 to 8. The bill now is headed to the full Senate for the final vote.

Internet companies that want to trade customers’ sensitive personal information, such as their debts, income, assets, and medical records, will need to get the customers’ consent. The bill will set a national standard for all online transactions. It's a move Hollings says will promote consumer confidence in buying online, bolster spending and give some much-needed support to the lagging high-tech industry.

But some in the e-commerce arena worry that the passage of the bill would mean expensive overhauls of e-commerce systems and databases, and create security nightmares by letting customers into the system to check, and change, their personal information.

The bill, which also opens the door to ‘private rights of action’, or individual and class action lawsuits, over privacy breaches, means that one technical glitch that fouls up personal data collection could be financially catastrophic.

Online companies haven't clearly explained how giving consumers access to their information will weaken security. The information is already there and if companies don’t enhance security to protect it, hackers can already get to it. Increased security is something all online companies should be working towards, regardless of whether they need to give customers access to their information.

In summary, the bill calls for:

· Rules governing consumers’ ability to opt-in to the collection of sensitive personal data, such as race, income level and sexual preference;

· Rules giving consumers the ability to opt-out of the collection of ‘non-sensitive’ information, such as name, address and purchase history;

· A national standard, preempting state laws or the ability of states to pass their own online privacy rules;

· The right of individuals to sue over privacy breaches, opening the door to class-action lawsuits;

· ‘Reasonable access’ or the right for consumers to view and change personal data, and

· Enforcement by the Federal Trade Commission (FTC) and state Attorneys General.

Naturally, there will be costs to comply with the new U.S. privacy rules. By investing and dealing with it now, online companies will have made a long-term investment in security and customer trust for the future.

American Survey Shows Need for Increased Security for Drivers’ Licenses

A recent U.S. national poll reveals the American public overwhelmingly favours cooperative state and federal efforts to close one of the biggest loopholes in the United States’ national security system by strengthening motor vehicle agency (DMV) licensing practices. These efforts include hardening security measures by closing licensing loopholes at DMVs, making drivers’ licenses more resistant to counterfeiting and increasing penalties and fines for fraudulently presenting a fake driver’s license.

A Public Opinion Strategies study commissioned by the American Association of Motor Vehicle Administrators (AAMVA), shows 77 percent of Americans favour modifying the current system of issuing drivers’ licenses and ID cards. The poll results suggest the American public believes driver’s license and ID security is paramount. Sixty-five percent of Americans believe it is too easy for a person to obtain a false identification card, such as a fake driver’s license.

These findings further support specific security enhancements AAMVA recommended in January of this year. For example, 80 percent favor closing existing licensing loopholes, while 87 percent favor making drivers’ licenses more resistant to tampering and counterfeiting by using biometrics such as fingerprints and holograms. Also, 87 percent favor increasing penalties for those who make, sell or help others obtain fake drivers’ licenses or ID cards. An overwhelming 88 percent favour allowing states to search other states drivers' records to verify an applicant's identity and driver history.

It’s clear that the American public wants a more secure driver’s license. With 87 percent of adult drivers using their driver’s license for purposes other than driving, DMVs throughout the U.S. have a responsibility and obligation to deliver a more secure license and ID credential.

The Association warns that unless DMVs receive federal assistance to repair the patchwork licensing practices used nationwide, unscrupulous individuals, identity thieves and terrorists will continue to undermine and exploit the process by shopping around for licenses in states with the weakest motor vehicle laws.

In Canada, the Ontario Information and Privacy Commissioner recently spoke about the inappropriate use of drivers’ licenses by nightclubs in Toronto. Some clubs are not just swiping the driver’s license to ensure its authenticity, but also to generate targeted marketing databases that give the clubs the ability to market their events. Using drivers’ licenses for marketing may not seem as controversial as using a driver’s license to assume another’s identity, but clearly, if Ontario’s draft Privacy of Personal Information Act becomes law, clubs that use licenses for marketing would be in violation of the law if they do not inform and obtain their patrons’ consent to this use of their personal information. The storage of drivers’ licenses in databases could also lead to future abuses – many nightclubs have already been offered large sums of money in hopes of luring the clubs into selling their lists.

Drivers’ licenses in the U.S. and Canada need to be offered a high level of protection because their misuse could lead to serious cases of identity theft.

IBM Introduces New Data Scrambling Software that Promises to Protect Privacy

IBM has developed new software that takes personal information and scrambles it before forwarding it to merchants. On the merchant end, the software can unscramble the data enough for a company to mine for a marketing campaign, without revealing any personal information.

Researcher at IBM’s Privacy Research Institute say that the new software could benefit both merchants and consumers because consumers could get marketing messages targeted to them without worrying about sacrificing their private information, and merchants and marketers could get useful data without worrying about whether consumers were giving false information. Called “privacy-preserving data mining”, the technology would allow retailers to generate accurate data models to deliver customized services without ever seeing personal information.

Many top companies online and off have been investing in customer relationship management (CRM) software to try to market their goods and services more effectively. Such software can find the customers most likely to buy a particular book or to want to consolidate their debt on a single credit card. But such software is only as good as the data it works with, and many companies are plagued with “dirty data”. Some of the faulty data are the result of hardware failures or mistakes in data entry. Other false data are the result of consumers entering the wrong data in the first place.

Online merchants have long been struggling with how to balance their desire for more information from consumers with people’s privacy concerns. Many have posted privacy statements saying they won't share customers' personal data, and some have allowed consumers to opt in or out of having their information shared.

IBM’s software might scramble the amount of salary a person makes by adding $15,000 to it, for instance, or scramble a person’s age by subtracting five years, before sending it to the merchant. On the merchant side, the software aggregates all the data, coming up with a distribution of values. By knowing the range of values with which each entry has been randomized, the program can take the raw, scrambled data distribution and come up with a more accurate distribution of aggregate values. Merchants can then mine that data to find target customer groups.

The software could be used not only by online merchants, but also by medical researchers dealing with sensitive health information.

It is important to note that although publicized as such, the software will not directly address the issue of consumers entering false data. IBM is assuming that if customers have confidence that their private information will be protected, they will be more likely to enter their real data.

IBM launched its Privacy Research Institute earlier this year. The data-scrambling software is the first project to be announced by the Institute.