
PrivaTalk - April 2003


April 2003
Volume 3
Issue 4

National ID Card Proposal Receives Severe Criticism from the Privacy Commissioner

A proposed national identification card with biometrics would “drastically infringe” on the right of Canadians to privacy and would cost billions of dollars to implement, federal Privacy Commissioner George Radwanski warned.  


Testifying before the parliamentary committee on citizenship and immigration, Radwanski said it would cost $3 billion to $5 billion to issue the card being proposed by Immigration Minister Denis Coderre and to set up the machines necessary to read it.  


Radwanski told the committee that any such proposed measure must meet a four-part test of necessity, effectiveness, proportionality and lack of any less privacy-invasive alternative.  In his view, a biometric national ID card “fails miserably” on every count.  


The Commissioner also stressed that Minister Coderre’s argument that Canada should come up with such a card before the Americans force Canada to do it is not an appropriate way of looking at basic rights. He stated, “A national identification card would radically change Canadian society by drastically infringing on the right to anonymity that is a key part of our fundamental right of privacy.”


The debate sparked by Coderre over whether Canada should introduce a national identification card with biometric identifiers has been going on for some time. Coderre argues a national card would provide a more secure way for Canadians to prove who they are and could combat identity theft. However, in a scathing critique, Radwanski urged the committee to immediately reject the proposal.  


Radwanski also warned:  


-  The card would make it easier to keep track of what Canadians are doing.  


-  It is unlikely to prevent another terrorist attack: many of the Sept. 11th  terrorists, Radwanski noted, were established in their communities and used their own names.  


-  It would not be foolproof because it could only be as reliable as the documents used to obtain it and even the most sophisticated technology can be compromised.  


Speaking after question period in the Commons, Coderre confirmed his department is preparing a pilot project to add biometrics to permanent resident cards, but participation would be voluntary. Nor will the government add biometrics to the permanent resident card until it examines whether to do it for all Canadians, he added.


The problem with national ID cards is that they would solely be in place for the purpose of allowing the government to compel people to produce them. The card could become the equivalent of a domestic passport that citizens are required to produce for the most routine daily tasks. If everyone is required to have one, then that means there will be a lot of bureaucrats responsible for collecting and filing our personal information. Beyond logistical questions about how that process will work and how much it will cost, it raises concerns about potential fraud and abuse. Canada and many other countries that have, for years, talked about implementing a national ID card may never get over the huge invasion-of-privacy hurdle.


Federal Privacy Commissioner addresses Private Investigators

At a General Meeting of the Private Investigators Association of British Columbia on March 20th, the Privacy Commissioner of Canada, George Radwanski, provided some direction as to how the federal private sector privacy law affects private investigators.  


Since collecting, using, and disclosing personal information is a big part of private investigation, this industry has very real concerns as to the impact of the legislation, which applies to them in January of 2004.  It is clear that when videotaping people claiming to have injuries, for example, or investigating suspected theft from an employer, private investigators are often collecting sensitive personal information. Locating a person to serve legal documents or to collect a debt, and collecting background information on prospective employees, business partners, or witnesses are also activities that will be governed by the law.  


The Commissioner emphasized that a central principle of the PIPED Act is consent.  He acknowledged that it is going to be rare that private investigators will have the consent of the people whose information they’re collecting, using or disclosing. Certainly, it won’t be direct consent, since investigators will almost never have a direct relationship with the person being investigated. However, in the Commissioner’s opinion this does not make the job of private investigators impossible.  


The Commissioner also stated that private investigators do not need to resort to the provisions in the Act that make special allowance for disclosures without consent to designated investigative bodies. In order to be granted the status of an investigative body, organizations should have to demonstrate that, without it, they would not be able to operate within the legislation. As stated by the Commissioner: “I can’t accept investigative body status being used as a means of side-stepping consent, just as a convenience.”  


Regardless, it is clear from reading the Act that being given the status of an investigative body does not give free rein to collect and use personal information and certainly does not exempt one from the Act. Having this status only allows disclosures to, and by, an investigative body in specific limited circumstances. It doesn’t, for example, allow an organization to collect information without consent. Currently, only the Insurance Crime Prevention Bureau and the Bank Crime Prevention and Investigation Office have been designated to be investigative bodies. The Commissioner, rightfully so, has reservations about giving the entire private investigator industry such status.


The Commissioner discussed what he called the “agency” concept, stating that this is the principal way that the Act applies to private investigators.  Although the Act is silent on the application of the Act to an agent (that is, the Act applies to an agent as to any other organization), the Act does allow an organization to transfer personal information to a third party, without consent, for processing purposes. The Commissioner gave the example of a bank that wants to have cheques printed for its customers. The Act allows the bank to transfer the personal information of its customers to a cheque printing company for this purpose. The bank is not “disclosing” the information. That’s because the Act distinguishes this kind of transfer for processing purposes from disclosures. Transfers are only allowed for limited purposes, and they’re subject to the processor using the information only for the specified purposes, and the processor protecting the information as required by the Act. Recognizing transfers for processing, as distinct from disclosures, is necessary to the reasonable functioning of standard business practice.  


The Commissioner stated that it makes sense that the Act would allow an organization to transfer information to a private investigator without consent, in the same way that an organization can transfer personal information to a third party for processing without consent. The private investigator would be acting as the organization’s agent. In effect, that means that it is just doing something that the organization itself would be entitled to do under the Act.  


The Commissioner felt that this “agency” concept can also be extended to allow an organization to retain an agent to collect personal information if the organization has the consent of the individual to collect the information.  The consent could essentially “flow through” to the private investigator. The investigator would then have consent to collect the information. For example, a business could hire an investigator to collect background information on a prospective employee, or a prospective business partner, who had consented to background checks. Or an insurance company could hire an investigator to investigate a claim by a policyholder who had consented to investigation of any claim when applying for the policy.  


There are also two relevant circumstances where the PIPED Act allows information to be collected without consent. One is where the knowledge or consent of the individual would compromise the availability or accuracy of the information, and where the collection is “reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province.” This is likely to be relevant to private investigators. For example, it could allow an organization to retain an investigator to collect personal information about an employee suspected of theft. Or it could allow an insurance company to retain an investigator when insurance fraud is suspected. Or it could allow an organization to hire an investigator to locate someone who’s breached an agreement with the organization.  


The Commissioner’s clarification that private investigators, as agents, will be legally able to do under the PIPED Act whatever the organization that hires them can do under the PIPED Act is helpful to the industry, particularly because the Act is rather unclear in this regard. However, the Commissioner should have also pointed out that this means there is a heavy responsibility on private investigators to ensure that the companies hiring them have obtained the appropriate consents that they intend to piggy-back on.


Alberta Pharmacists Ordered to Stop Selling Prescription Information

The Alberta Privacy Commissioner recently initiated an investigation under the Alberta Health Information Act (“HIA”) on the issue of whether the HIA permits Alberta pharmacists and pharmacies to disclose information about health services providers to IMS HEALTH Canada (“IMS”), a private company that sells the information to drug manufacturers. Upon conducting a public hearing, the Commissioner found that Alberta pharmacists and pharmacies were disclosing up to 37 data elements to IMS that pertained to prescribing activity. The patient’s identity is not revealed, only their gender and age. The Commissioner found that disclosure of the first and last name of the health services provider in the context of the 35 other data elements disclosed to IMS would reveal “other information” about the health services provider and is thus prohibited under the HIA, unless the consent of the health services provider is obtained prior to the disclosure. The other information revealed by each disclosure is information about how the prescriber, in his or her professional capacity, chose to diagnose and treat a patient of a particular age, with a particular condition, and specifically what medication was used, in what dosage, and for how long. The information revealed by the disclosure of the data permits IMS to compile a prescribing analysis. According to the Alberta Medical Association (“AMA”), the prescribing analysis released to drug companies by IMS allows the drug companies to figure out who isn’t using their products, and then pressure physicians to change what they prescribe. However, a lot goes into a physician’s choice of drug, including the patient’s reaction to certain medications.


The Federal Privacy Commissioner has heard two complaints related to IMS’s gathering of information about prescribing activity under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). These findings are posted on the Federal Privacy Commissioner’s website. One of the PIPEDA complainants applied in November of 2001 to the Federal Court for review of the Federal Privacy Commissioner’s determination that physicians’ names and prescribing patterns are business and not personal information (in the Commissioner’s words, “work product” information) that cannot be afforded privacy protection under PIPEDA. A final decision from the Federal Court has not been rendered in this case, entitled Maheu v. IMS Health Canada and the Privacy Commissioner of Canada.


According to the Alberta Commissioner, there is nothing in the HIA indicating that health services provider information must be of a personal or intimate nature. Likewise, there is nothing in the HIA that indicates that “work product” type of information is not information “about” the health services provider.  Thus, the Alberta Commissioner ordered Alberta pharmacists and pharmacies not to disclose to IMS a health services provider’s first and last name in the context of the 35 other data elements regarding a prescription, unless that health services provider’s consent has been obtained.   


The Commissioner has given Alberta pharmacists and pharmacies six months to fully comply with his Order, in order to make necessary changes to operational practices and information systems.  The Commissioner stated that thereafter, he intends to investigate complaints about non-compliance with the Act in this regard, and may conduct spot audits to ensure compliance.  Manitoba and B.C. already ban the selling of prescription information.  


The Commissioner’s full order, released March 19th, can be found at http://www.oipc.ab.ca/ims/client/upload/H2002-003.pdf.  The AMA is appealing the Commissioner’s order to the courts.


Data Retention and Access Consultations in the U.K.

The U.K. Home Office recently launched two consultation papers: one addressing data retention, and the other addressing who has access to communications data and how they can access it. The first of these, the consultation paper on a Code of Practice for Voluntary Retention of Communications Data (available at http://www.homeoffice.gov.uk/oicd/antiterrorism/consult.htm), is actually a requirement under the U.K. Terrorism Act and has been the subject of much controversy.


Among the paper’s concessions to concerns from industry and the public are reduced terms for how long ISPs and communications providers need to retain data: 12 months maximum for subscriber information and telephony data, compared to the seven years that the government originally called for. Subscriber information includes the telephone number of an individual, their e-mail address, log-in names for dial-up Internet accounts and other data that can be used to identify users. Telephony data typically covers numbers called, and location of mobile phones when those calls are placed.  


Under the draft code, user data, including details of where e-mails were sent to and received from, would be kept for six months, and details of websites visited would be kept for four months.  


The director of the U.K. Foundation for Information Policy Research has criticized the Home Office for not addressing in the consultation draft the concerns expressed by the Information Commissioner, the communications industry or by the parliamentary All-Party Internet Group (APIG), which published a critical report earlier this year. Industry had called for the code of practice to be made mandatory, so that ISPs would be protected from legal action under the Human Rights Act and the Data Protection Act when complying with the measures in the code of practice.  


Furthermore, the Home Office has not addressed the cost issues that have been raised – ISPs say that retaining all the required data will be extremely costly. Many feel the Home Office has generally failed to address the well-known substantive issues and is merely going through the motions so it can come back with a compulsory scheme.  


The consultation on access to communications data is a second attempt to regulate who should be able to access communications data: the first, last summer, drew widespread public concern when it became apparent just how many agencies would have access to communications data, and how easily they would have access.  


New proposals contained in the revised consultation paper introduce the idea of vetting by the Information Commission of each request to access communications data. Under this idea, access would be restricted by purpose and by type of data, and agencies would have to satisfy the Information Commission that their systems are suitable to securely store the data. What isn’t clear is whether the Information Commission has enough resources to deal with the expected flood of requests.  


Given the anti-terrorism laws in the U.K., it is clear that data retention and access to communications data are initiatives that will not be buried by public unrest or industry disapproval.  However, in order to ensure cooperation and smooth implementation, the U.K. government needs to take the feedback it receives from these consultations seriously.


Harris Poll Finds Most People are “Privacy Pragmatists”

A Harris Poll conducted by Harris Interactive in February surveyed over 1000 adults across the United States. The recently released results indicate that:   


*    69% of adults agree with the statement, “consumers have lost all control over how personal information is collected and used by companies.” This is a decline of eleven points from 80% who felt this way in 1999.  


*    54% of the public disagree that “most businesses handle the personal information they collect about consumers in a proper and confidential way.” This is an increase of nineteen points from only 35% who felt this way in 1999.  


*    53% of all adults disagree that “existing laws and organizational practices provide a reasonable level of protection for consumer privacy today.” This is an increase of fifteen points from 38% in 1999.  


Several dimensions of privacy have become slightly less important in recent years, even though most people still feel they are extremely important.  For example, the number of people  who feel that not having someone watch them or listen to them without their permission is extremely important has fallen from 79% in 1994 to a still high 73%.  


However, by far the largest decline in concern is found among those who feel that not being monitored at work is extremely important – this number has fallen from 65% in the 1994 Harris Poll to only 42% now. This may reflect the fact that monitoring of telephone call centre conversations is now so widespread and is, therefore, acceptable to many more people.  


One dimension of privacy has become much more important than it used to be. The number of those who think that not being disturbed at home is extremely important has increased from 49% in 1994 to 62% now, surely as a direct result of the growth of telemarketing calls.


After reviewing these results with Dr. Alan Westin, president of Privacy & American Business, and using his 3-pronged privacy characterization, Harris Interactive concluded that “privacy fundamentalists”, those who feel very strongly about privacy matters and are strongly resistant to any erosion of their privacy, currently represent about a quarter (26%) of all adults. At the other extreme there are people who have no real concerns about privacy and who have far less anxiety about how other people and organizations are using information about them. They are the “privacy unconcerned” and make up about ten percent of all adults.


The third, and by far the largest, group, now almost two-thirds of all adults (64%), are the “privacy pragmatists”, who have strong feelings about privacy and are very concerned to protect themselves from the abuse or misuse of their personal information by companies or government agencies. However, they are, to a far greater degree than the privacy fundamentalists, often willing to allow people to use their personal information where they understand the reasons for its use, where they see tangible benefits for so doing and when they believe care is taken to prevent the misuse of this information.


Since 1999 the numbers in each segment have varied somewhat. Compared to nine years ago, privacy pragmatists have increased from 54% to 64%, while the privacy unconcerned have declined from 22% to 10% of all adults.   The results of the Harris Poll can be found at http://www.harrisinteractive.com/.


Increasing Incidents of Hacker Attacks should put Companies on Alert

Recent widely publicized hacker attacks point to an alarming trend facing every organization - theft of vital personal information belonging to employees, customers, and potentially, everyone who does business with the organization. Hacking threats are increasing and putting at risk an organization’s daily operations as well as its credibility. It’s not just large organizations that need protection against security breaches – every organization needs a strategy for keeping hackers at bay.  


Hacker attacks in the United States were up 28 percent during the first half of 2002, and the Federal Trade Commission reports that as many as 700,000 consumers in the United States may be victims of identity theft this year. Even more troubling is the finding that most organizations aren't even aware that they have been hacked.  


There are steps every organization can take to prevent hacking.  A company cannot protect itself unless it has thought about what internal and external threats it faces and how serious they are. There is no one-size-fits-all list of risks. Every business has individual vulnerabilities and priorities.  


External threats become more important as your network extends to suppliers, customers and partners. This automatically means network security must be given high priority. External threats include unauthorized users such as hackers, as well as network users who leave their computer poorly protected, providing opportunities for unauthorized users.  


A major internal risk most companies are not aware of is mismanaged identities from employees who have left the organization, but who are still able to access the network. Typically, 20 percent of user accounts belong to employees who haven’t worked for the organization for five years or longer.  
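The account review this paragraph calls for can be automated by reconciling a directory export against the HR roster. The following is an added example, not part of the original newsletter; the CSV layouts, column names, sample rows and the 90-day idle threshold are all assumptions constructed for illustration.

```python
"""Flag enabled logins that belong to former staff, have no owner, or sit idle."""
import csv
import io
from datetime import date

# Constructed sample exports (not real data); column names are assumptions.
ACCOUNTS_CSV = """username,employee_id,enabled,last_login
asmith,1001,true,2003-03-28
bjones,1002,true,2001-11-02
cwu,1003,true,2003-04-01
dlee,1004,false,1999-06-15
svc_backup,,true,2003-04-02
eroy,1005,true,2002-09-30
"""
HR_CSV = """employee_id,status,end_date
1001,active,
1002,terminated,1998-01-15
1003,active,
1004,terminated,1999-06-30
1005,active,
"""


def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_risky_accounts(accounts, roster, today, stale_after_days=90):
    """Return (username, reason, days) for every enabled account needing review."""
    by_id = {row["employee_id"]: row for row in roster}
    findings = []
    for acct in accounts:
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled, so it cannot be used to log in
        owner = by_id.get(acct["employee_id"])
        if not acct["employee_id"] or owner is None:
            # Service or shared account with nobody accountable for it.
            findings.append((acct["username"], "no-owner", None))
        elif owner["status"] != "active":
            ended = date.fromisoformat(owner["end_date"])
            findings.append((acct["username"], "former-employee", (today - ended).days))
        else:
            idle = (today - date.fromisoformat(acct["last_login"])).days
            if idle > stale_after_days:
                findings.append((acct["username"], "stale", idle))
    return findings


def former_employee_share(accounts, roster):
    """Fraction of enabled accounts whose owner has left the organization."""
    left = {r["employee_id"] for r in roster if r["status"] != "active"}
    enabled = [a for a in accounts if a["enabled"].strip().lower() == "true"]
    if not enabled:
        return 0.0
    return sum(a["employee_id"] in left for a in enabled) / len(enabled)


if __name__ == "__main__":
    accounts, roster = load(ACCOUNTS_CSV), load(HR_CSV)
    for user, reason, days in find_risky_accounts(accounts, roster, date(2003, 4, 15)):
        print(f"{user:12} {reason:16} {days if days is not None else '-'}")
    print(f"former-employee share: {former_employee_share(accounts, roster):.0%}")
```

Run on a schedule, the output becomes a disable-or-justify list for account owners, and the share figure gives a single number to track over time.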


Every company needs a security policy based on the risks it faces. One way to identify risks is by having an independent third party conduct an audit of the company’s security systems to find vulnerabilities before purchasing protective hardware or software. Many security management products on the market offer a holistic, “dashboard-style” view of entire systems. The ability to view the entire system at once allows administrators to identify and correlate specific security vulnerabilities and then take proper action to resolve them.


Protecting against threats is not as simple as deploying a software package and forgetting all about it, though. A business’s best protection comes down to policy and procedure as much as technology. Employees must have rigorous instructions concerning receipt of suspicious emails and what to do in the event of a virus infection. Available tools can also help define and enforce security and privacy policies so organizations can ensure consistency across all aspects of their business.


The FBI lists the following as the most common mistakes companies and their employees make that leave their data vulnerable:


*    Default installation of operating systems and applications.  


*    Weak passwords.


*    Incomplete backup of data.  


*    Unneeded ports left open.  


*    Data packets not filtered for correct incoming and outgoing addresses.  


While a company cannot protect against everything, it can at least be prepared. Taking active security steps will help businesses to protect themselves in the event that hackers attempt to obtain access to, and possibly destroy, the company’s systems.