Home / Privacy Resources / Article Search / PrivaTalk - January 2002

PrivaTalk - January 2002

PrivaTalk

January 2002
Volume 2
Issue 1

The Sharing of Personal Information by the Canadian Government

In a unanimous decision, the Supreme Court of Canada recently ruled that government auditors did nothing wrong when they obtained information about Employment Insurance claimants from Customs and Revenue Canada officials. The ruling came in one of two test cases involving the government departments sharing information with one another.

The Supreme Court said that the appellant, Deborah Smith, in one case could not have had a “reasonable expectation of privacy” in relation to information customs officials assembled involving her travel arrangements. The information given to Employment Insurance Commission auditors disclosed that Ms. Smith had continued to receive EI payments despite going abroad for a two-week vacation. Her conduct in doing so amounted to a violation of EI regulations.

The second ruling was, in effect, a reference case launched by the Privacy Commissioner of Canada. It focused on whether the sort of data-matching being conducted by the EI
Commission amounted to unreasonable search and seizure. This appeal, too, was dismissed by the court.

Both rulings were extremely brief and deferred to the lower court judges, offering little guidance to assess what ramifications they might have on other information sources.

Another issue that recently arose involved the government’s sharing of information with foreign governments. The newest anti-terrorism bill has been tailored to meet security concerns involving Canadian commercial flights bound for the U.S. It was split from a larger omnibus bill introduced earlier and requires officials to release any passenger information requested to foreign authorities.

The U.S. government has set January 18th as the deadline for inbound foreign airlines to provide information on passengers such as name, birth date, gender and passport number. The policy stems from U.S. legislation passed in response to the September 11th terrorist attacks. The Canadian law, Bill C-44, will require information be provided about passengers on an aircraft departing from Canada, or on a Canadian aircraft leaving any place outside Canada, to authorities of a foreign state.

In response to one of the Federal Privacy Commissioner’s primary concerns, the law was amended such that federal departments will not be allowed to go to foreign governments seeking personal information on travellers provided by Canadian airlines. The Commissioner had pushed for the amendment, saying the government of Canada “should not end up with a backdoor access to information that it might not otherwise have to Canadians.” The amendment does allow the Canadian government to obtain the information for the purpose of protecting national security or public safety.

The Privacy Commissioner still has other concerns with the bill: He wants assurances from the United States and any other foreign governments that have access to passenger lists that they use it for security purposes and do not pass it on to third parties. He also wants finer definitions of what kinds of information can be provided. As it currently stands, a foreign government could request such things as frequent-flyer information (which could include information about travel the individual has taken in the past year); lifestyle information (such as dietary preferences that could reveal a person's religion); or the manner in which a ticket is paid for.

The privacy concerns expressed by the Commissioner when the government shares information are sound and as to be expected, particularly because information sharing is a slippery slope – what is tolerated becomes accepted as the norm. However, other competing interests such as the prevention of fraud and national security are being balanced against privacy rights and in today’s environment seem to be tipping the scale in favour of information sharing.

Privacy Commissioner of Canada Publishes Decisions on Web Site

A new section of the Privacy Commissioner’s Web site where decisions are posted, called “Commissioner’s Findings”, recently appeared after a great deal of public pressure on the Commissioner to publish his findings from investigations conducted under the federal private sector privacy law. Many rightfully argued that it is critical to have access to the Commissioner’s interpretation of various provisions of the privacy law in order to engage in effective compliance initiatives. The Commissioner has finally paid heed to these requests, and as hoped, without revealing the identity of the complainant or the organization (other than the industry) that is the subject of the complaint.

The following is a sample of the findings of the Commissioner in November based on complaints received (the full decisions and other findings can be found at http://www.privcom.gc.ca ):

1. A telecommunications company asking new subscribers for two pieces of identification explained that this was necessary simply to confirm identity. However, the actual purpose of the collection was to run a credit check on the applicant, in accordance with CRTC regulations, since the provision of telephone services constitutes an extension of credit. The Commissioner concluded that collecting personal information to confirm the credit worthiness of a potential customer was reasonable, however, the company must explicitly state this purpose for its collection in order to be in compliance with the law.

2. A complainant found that every time he tried to log onto a broadcaster’s Web site, his firewall detected an attempt by the broadcaster’s advertising server to gain access to the NETBIOS information on his computer. The broadcaster discovered that the network administrator, on installing Microsoft Windows NT had neglected to deactivate certain features that come automatically with that program. These features enable a server to collect the NETBIOS information of Web site users. A NETBIOS is a computer’s common name related to its Internet protocol (IP) address. An IP address can be traced to find out which Web sites are visited by the computer’s user or what recent passwords were used in obtaining access to secure accounts. The Commissioner found that a NETBIOS might be used to obtain information traceable to an identifiable individual. The broadcaster was found to be in violation of the Act since it failed to obtain consent to collecting this information.

3. Upon making a request for access to information held by her employer, the complainant received a letter of response saying that the organization was refusing her request. The letter indicated that copies were being sent to two union representatives, although the complainant had not sent copies of her access request to her union. The Commissioner found that there would have been implied consent for the employer to send the response letter to the union only if the complainant had indicated that she had sent copies of the access request to the union. The complainant had the right to seek formal recourse without union intervention, and it was not necessary for the employer to inform the union of its response. The Commissioner further found that a reasonable person would have considered the disclosure to the union representative to be unacceptable.

4. An employee of a telecommunications company complained that her employer used her personal information without her consent by printing her bank account and transit number on her pay statements, and did not adequately safeguard employees’ pay statements. Printing of such numbers on pay statements where the employer pays by direct deposit into the employee’s account has become standard practice in both the public and private sectors. Only a person familiar with the bank’s information codes would know what the numbers on the statement represent. The Commissioner found that employees who provide their bank account and bank transit numbers for direct deposit purposes could reasonably expect those numbers to appear on transaction records for the consistent purpose of verifying proper allocation of funds. He was satisfied that the complainant had thus implicitly given consent. However, the Commissioner determined that the company's operational controls were not consistent with the sensitivity of the personal information contained in the pay statements. The sealed envelopes containing employees' pay statements were left on a manager's desk, where they often remain unsecured and largely unattended for periods as long as 24 hours. Thus, the company failed to meet its obligations to keep personal information secure.

Access to the Commissioner’s findings is a major step forward in giving organizations the tools necessary to assess their own compliance initiatives.

Concerns over the Privacy of Medical Records in Ontario

The Ontario Ministry of Health and Long-Term Care recently began setting up primary health networks where doctors can share information about patients over the Internet to improve efficiency and provide better service. Health Minister Tony Clement has said he plans to have 80 per cent of family doctors working in teams, or primary-care networks, by 2004. However, questions about whether the government has failed to carefully protect the new on-line medical records have recently arisen.

The Globe and Mail reported that Ontarians’ health records are now vulnerable to hackers and the prying eyes of government-hired technicians. Ontario's Privacy Commissioner is investigating the system and looking into a wide range of allegations. The project received approval from the Privacy Commissioner one day before the first team of four doctors, in the Chatham, Ontario area, started using the system on November 1st. The project has since expanded to include nine Chatham-area doctors with 1,500 to 2,000 patients each. But the Privacy Commissioner wasn't told several details about how the information is handled. Government contracts, meeting minutes and internal correspondence about the Chatham project reveal a long list of issues now under investigation by the Commissioner's office, including:

· Evidence exists that vulnerability tests showed that the system can be hacked into too easily by a skilled hacker.

· Patients were not fully informed about what happens to their data. Although they were told that other doctors could see their files, most patients don't know that their information is stored on a server in a Ministry of Health building in Toronto.

· A computer technician took unencrypted backup tapes, containing thousands of medical records, to his home for several nights. Allegations that some of the tapes were lost are being denied by the Health Ministry.

· Three private companies have been granted access to patient information. Two of the companies, software developers that helped build the system, can look at raw data files including patients' names and medical histories. The Health Ministry denies this.

The Health Ministry assures that the government is absolutely committed to ensuring privacy and confidentiality of patient records. It is not clear at this point whether privacy and security measures taken by the government were adequate. It is possible that some allegations are not well-founded. For example, when the system is being built by third parties, it is often necessary to test the system using real data. Appropriate precautions and clear contracts setting out responsibilities are critical under such circumstances, but the sharing of information may be unavoidable.

What is clear is that if the Health Ministry is found to have mismanaged sensitive health information, this could undermine patients’ trust in the Ontario health system, which could in turn lead to patients withholding information and negatively affecting their treatment.

Malaysia’s New Personal Data Protection Law

The final draft of Malaysia’s new personal data protection law is scheduled to be completed by March of next year. The Energy, Communications and Multimedia Minister, Datuk Amar Leo Moggie, promises that the new legislation will enhance privacy rights, but maintain a balance with other competing public and private rights and interests such as the protection of national and public security, by providing necessary exemptions.

The law will be based on internationally accepted privacy principles and will include punishment for non-compliance such as fines and prison terms. The legislation is expected to propose the establishment of a Commission as a regulatory body that would probably report directly to the Government. The Commissioner would promote the observance of data protection principles and would have investigative powers and the ability to search and seize.

Malaysia’s Personal Data Protection Act is intended to be a leading-edge cyberlaw in Asia that will encourage the uptake of and confidence in electronic transactions. The law is intended to protect the privacy of electronic personal data residing on computer systems and being transmitted over networks and the Internet. The government has framed the new law as being the latest in a series of cyberlaws to be introduced in tandem with the ongoing development of the Multimedia Super Corridor (MSC). Cyberlaws that have been enacted so far are the Digital Signature Act 1997, Copyright Act (Amendment) 1997, Computer Crimes Act 1997, Telemedicine Act 1997, and the Communications and Multimedia Act 1998.

Malaysia has been one of the more prolific countries in introducing cyberlaws, but the speed at which such legislation has been drafted and passed has, at times, left the enforcement aspect trailing. However, Moggie claims that local law enforcement authorities have been steadily building up expertise in these areas, such as the capacity to deal with computer crimes, over the last few years.

The drafting of the new law has involved gathering comments and inputs from various parties in the private and public sector, including representatives from industries and consumer associations, NGOs (non-government organisations), civil servants and others.

Although the emphasis has been placed on privacy protections for the on-line world, the bill will also apply to off-line transactions and activities. As is being discovered all over the world, the implications of privacy legislation on paper-based functions are just as great, if not more so, particularly if paper records have been widely disbursed or mismanaged.

Survey of Privacy Officers shows Privacy is being Institutionalized

An American survey of privacy officers across consumer-services industries in the States shows companies that have Privacy Officers are institutionalizing comprehensive privacy policies and practices in their organizations' operations. According to the survey, which was sponsored by Privacy & American Business (P&AB) and the Association of Corporate Privacy Officers (ACPO), 82% of privacy officers are reporting directly to senior officials, demonstrating that privacy is supported at the highest levels in leading companies. Many of these privacy officers have a long corporate experience, privacy-relevant professional backgrounds, and substantial salaries.

The survey is of tremendous value to hundreds of companies in the U.S. that are considering appointing CPOs and deciding who they should report to and what their salary, background, experience, roles, and responsibilities should be. 76% of the respondents reported that their companies are directly covered by sector-specific privacy legislation. In Canada, where all federally regulated companies are governed by the federal Personal Information Protection and Electronic Documents Act, and where all private sector organizations will be governed by privacy legislation, at the latest by 2004, it would seem that there is even a greater need in this country for senior executives to take on privacy roles within organizations.

The survey shows what privacy officers are doing to bring privacy protection to the forefront of their companies’ commitments. 80% have on-line privacy notices and policies for all the company’s on-line or Internet operations. 70% are conducting privacy risk assessments of all personal information their company collects, how it is used and what kinds of privacy issues are involved. 69% have a permanent privacy team of representatives from various business units or departments within their organization.

78% have backgrounds well-suited to deal with privacy-related issues, such as legal, public or government affairs, marketing, information technology or management, with a third having previously had privacy responsibilities in those positions. 67% of privacy officials participating in the survey have worked in the business world for 11 years or more, with 20% having over 20 years of business experience.

While 50% of privacy officers work in large firms within their industry, 20% of privacy officers have been appointed in medium size companies and 23% in small companies.

Overall, almost half of the companies (47%) said they recognize privacy as a competitive edge issue since respecting privacy proactively helps them play a leadership role with consumers. This compares with 5-10% of companies in consumer-service industries that held a proactive philosophy in the mid to late 90s.

The survey was conducted by compiling a list of 311 publicly designated privacy officials in U.S. companies that collect and use personal information, which represents approximately 75% of privacy officials across all such American firms. A representative sample of 102 privacy officers were surveyed, with 44% in the financial services or health industries.

A full report and analysis of the survey will be available at P&AB's Eighth Annual Conference, held in Washington, DC in March 2002.

P&AB (http://www.pandab.org ) pioneered and continues to run the first and only comprehensive program to inform and train CPOs. ACPO is an outgrowth of P&AB’s CPO program and the Privacy Officers Association. A number of privacy officers in Canada have met to explore the creation of an association of Canadian CPOs or some other forum through which privacy professionals can share experiences and enhance skills. Although a much smaller group than in the U.S., there are a growing number of CPOs in Canada.

The Use of Biometrics in the Financial Services Sector

New research from TowerGroup's Retail Brokerage and Investing Service in the States finds that counter to popular wisdom, concerns over privacy and fears that biometric technologies are too intrusive will not keep consumers from adapting to biometric screening. Instead, convenience will be the key to the acceptance of biometric technology use in retail financial services. Despite the benefits biometrics could bring to financial institutions and consumers alike, the high cost of implementing these technologies combined with a lack of industry consensus could delay its widespread use for at least a decade. Ultimately, an institution would have to retool every customer touch-point with new biometric hardware, in addition to costs for training personnel, educating consumers and integrating biometric technologies with existing IT systems.

Biometric technologies analyze the unique biological traits that differentiate one human being from another, such as fingerprints, the retina or iris of the eye, or the patterns of an individual's voice. Data gathered by some of these technologies, particularly iris patterns and fingerprints, are unique enough to distinguish a single individual from the entire population of the world. Highlights of TowerGroup's findings include:

· Biometric authentication has clear potential benefits for the financial services industry. By accurately validating clients’ identities through their physical or behavioral characteristics, financial institutions will be able to drastically reduce costs related to identity theft, while simultaneously assuring consumers that their financial assets are well-protected.

· For biometric authentication to be used at a retail level, technologies must be first and foremost, convenient (quick and reliable), but also robust (able to stand up to heavy use), accurate (providing top-quality security) and cost-effective. Few of the technologies currently available offer all of these features.

· While certain technologies work better in certain environments, every financial services delivery channel has a possible application for biometrics. In call centers, voice biometrics will prevail, as they can best leverage existing infrastructure. At physical locations (branch and ATM), fingerprint, iris, hand or face recognition systems could all be used. For online access, keystroke biometrics provides an interesting alternative that doesn't require additional hardware investments by financial institutions.

Ultimately, TowerGroup believes that the government will need to play a key role in any broad roll-out of biometrics technology. Since the September 11th events, there has been increased interest in, and debates over, the appropriate application of biometrics. Concerns over national security now stand side-by-side with more business-driven authentication issues, such as fraud prevention. If implementation is left to the private sector alone, the national security and business benefits of biometric identification may take much longer to reach.