
PrivaTips

Late June 2010 (CASE LAW AND INVESTIGATIONS)

Federal Privacy Commissioner Says Mortgage Brokers Need to Better Protect Information

Several mortgage brokerages improved some privacy and security measures following a string of major data breaches, but failed to implement controls to raise the alarm about any future suspicious activity, a privacy audit has found.

The audit by the Office of the Privacy Commissioner of Canada (OPCC) was launched after the brokerages self-reported 14 data breaches in the space of a few months in mid-2008. In each case, someone impersonating an experienced mortgage agent downloaded credit reports for people who hadn't even applied for a mortgage. As a result, the personal information of thousands of people across Canada was compromised.

"The breaches prompted the brokerages to take some positive steps to better protect personal information," Ms. Stoddart said in her report. "However, our audit found that those changes did not go far enough."

The audit is described in the Commissioner's 2009 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA), which was tabled in Parliament in early June.

As the report's summary of the latest OPCC private-sector audit describes, mortgage brokers represent a large and growing segment of the mortgage industry in Canada, accounting for one-quarter of all mortgage transactions. They need to obtain credit reports from credit reporting agencies in order to assess an individual's eligibility for a mortgage. Credit reports contain extensive personal information that can be used by criminals to commit identity fraud.

Following the breaches, the five audited brokerages significantly tightened their practices for hiring agents. However, the audit found there was a lack of adequate controls to restrict agents' access to credit reports. Specifically, the web-based tool used to obtain credit reports doesn't allow brokers to limit the number of credit reports an agent can download. In addition, there are no technological controls to monitor for, and raise the alarm about, suspicious activity.

Among the other risks to personal information highlighted in the audit:

*    Some brokers stacked files containing personal information on the floor or on desks within accessible offices. One had overflow storage in an unsecured parking arcade.

*    Brokers lacked shredders capable of securely destroying documents. One broker was re-using the reverse side of old, filled-out mortgage applications in order to print out new applications.

*    Credit reports were sometimes obtained before a client's consent was recorded, and there was no ability for clients to opt out of secondary uses of their personal information, such as marketing.

*    There was a lack of training about privacy responsibilities, and many agents did not know to whom they should turn with a privacy-related question. In one case, a broker franchisee stated that his organization's chief privacy officer was located at the brokerage's head office when, in fact, he was the chief privacy officer.

One of the five audited brokerages is no longer in the mortgage broker business. The four others still operating stated they would implement all of the recommendations in the OPCC's audit report.

Google Street View - WiFi Sniffing Software Discovered

In a puzzling turn of events, Google has been caught using its controversial camera-laden Street View vehicles to do more than just snap pictures. It seems those same vehicles were using Wi-Fi sniffing software called Kismet to allow Google to automatically collect information about wireless networks, including whether they are encrypted. To make matters worse, some extra software was added by a Google programmer, making it capable of grabbing packets of information sent over several of the networks it was scanning. How much data did the company get? According to the company's latest admission, around 600 gigabytes.

While the cataloguing of personal network identification information was intentional, Google says capturing data on those networks was not. According to a spokeswoman from Google, the company was collecting the data to improve Google's "geolocation services," the company's alternative to the Global Positioning System (GPS).

Google also said it was not targeting any particular information. The company said it was unaware of what this software running in tandem with Kismet was doing. The software found its way onto almost every Street View vehicle in more than 30 countries. The oversight raises the question: if this piece of software got through the cracks, what else is going on that Google doesn't know about? Evidently Jennifer Stoddart, the Privacy Commissioner of Canada, had similar concerns and quickly issued a statement after Google's Wi-Fi goof was recently revealed.

"We have a number of questions about how this collection could have happened and about the impact on people's privacy," said Stoddart, in a release on June 1st. "We are very concerned about the privacy implications stemming from Google's confirmation that it had been capturing Wi-Fi data in neighbourhoods across Canada."

Supreme Court Rules on Grow-Ops, Privacy and Power Companies

Government lawyers are asking Canada's top court to rule on whether police need a warrant to look at power consumption graphs of suspected marijuana grow operations. Daniel James Gomboc was convicted of running a Calgary grow-op, but had the conviction overturned with the argument police had breached his right to privacy by asking the power company to measure his consumption.

The case was argued at the Supreme Court in May. The Crown said the power company was fully within its rights to measure Gomboc's energy use by installing a device on its own power line off Gomboc's property. The Crown also argued the power company was a victim of theft because Gomboc tried to hide the high consumption (which frequently tips off police and power companies to grow-ops), so police had the right to investigate.

The court has previously ruled utility companies can provide police with the amount of power consumed. But technology has changed since then and they can now graph how much power is used at what time of day. Gomboc's lawyer says the data give a precise picture of activity inside the home, including the signature power cycling needed to grow pot.

"All we want (the police) to do is get prior judicial approval." Justice Ian Binnie asked whether the court would be eroding privacy rights if anyone who delivered services to a home, including cable companies, postal workers and repair services, could collect evidence for police. "(The right to privacy) can disappear into a thousand cuts," Binnie said. "Where do you draw the circle around the household?"

The court will reserve its judgment and rule at a later date.

Ontario Court Sets Standard for Disclosing Anonymous Posters

The Ontario Superior Court of Justice has issued its appellate decision on whether the owners of the Free Dominion website can be ordered to disclose the identities of several anonymous posters accused of defamation. The case can be found at http://www.freedominion.com.pa/images/appeal_ruling.pdf

The original order covered e-mail and IP addresses. On appeal, the Canadian Civil Liberties Association and CIPPIC intervened to argue that the court should take free speech and privacy rights into consideration. The court established the following criteria in defamation cases involving requests for disclosure of information on anonymous posters:

1. Whether the unknown alleged wrongdoer could have a reasonable expectation of anonymity in the particular circumstances.

2. Whether the respondent has established a prima facie case against the unknown alleged wrongdoer and is acting in good faith.

3. Whether the respondent has taken reasonable steps to identify the anonymous party and has been unable to do so; and

4. Whether the public interest favouring disclosure outweighs the legitimate interests of freedom of expression and the right to privacy of the persons sought to be identified if the disclosure is ordered.

It is good to see that the appellate court has restored the balance in defamation cases in order to better take privacy into account.

_____________________________________________

June 2010 (LEGISLATIVE UPDATE)

Federal Government Tables Amendments to PIPEDA and Reintroduces Anti-Spam Law

On May 25, 2010, two key bills, C-28 and C-29, were tabled in the House of Commons. This article summarizes the significant amendments to PIPEDA and the key provisions of the anti-spam bill, as adapted from backgrounders on these two important introductions.

Bill C-29 requires organizations to report material data breaches of personal information to the Privacy Commissioner of Canada, and to notify affected individuals when the organization deems the breach to pose a real risk of significant harm, such as identity theft or fraud. Bill C-29 also proposes PIPEDA amendments related to protecting the privacy of minors and other vulnerable individuals online. Other amendments are designed to clarify and streamline rules for business and support effective investigations by law enforcement and security agencies.

Business Contact Information:

The first significant change is the exclusion of "Business Contact Information" from the purview of the statute. "Business Contact Information" refers to an individual's name, position name or title, work contact details (including e-mail address) and any similar information about the individual. Under the new Section 4.01, business contact information is excluded from the provisions of PIPEDA if it is collected, used or disclosed solely for the purpose of communicating with the individual in relation to their work.

Valid Consent:

Bill C-29 raises the bar on, or at least clarifies, what is necessary to get consent from an individual. Section 6.1, entitled "Valid Consent", clarifies that the consent required under Principle 3 of the CSA Model Code is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting. This likely raises the bar on what is valid consent.

Witness Statements and Work Product:

In Section 7, which allows the collection, use or disclosure of personal information without consent, a number of changes have been added to permit the collection, use and disclosure of information in witness statements where it is necessary to assess, process or settle an insurance claim. In addition, information produced by individuals in the course of their employment is exempt from the consent requirements, provided that the collection, use and disclosure are consistent with the purposes for which the information was produced. This particular exemption codifies what is often referred to as the "work product" exception to consent.

Lawful Authority:

Also in Section 7, the government has attempted to clarify what has been a very confusing provision regarding disclosures to law enforcement. Section 7(3)(c.1) permits disclosure to government institutions and law enforcement where the government body has identified its "lawful authority" to obtain the information. The meaning of "lawful authority" has been very problematic since the first version of PIPEDA, with interpretations ranging from legal authority to compel, to merely being part of a lawful process. Though I have strong opinions on what it should mean, I was looking for clarification on what Parliament thinks it means. I was disappointed. Lawful authority is "defined" in the new Section 7(3)(c.1):

(3.1) For greater certainty, for the purpose of paragraph (3)(c.1)
(a) lawful authority refers to lawful authority other than
(i) a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or
(ii) rules of court relating to the production of records; and
(b) the organization that discloses the personal information is not required to verify the validity of the lawful authority identified by the government institution or the part of a government institution.

Also in Section 7(3)(c.1), the government has added to the circumstances where information could be disclosed without consent (provided there is lawful authority, of course) for the purpose of performing policing services that are not otherwise referred to in Section 7(3)(c.1). Subparagraph (iv) permits a disclosure for the purpose of notifying next of kin of an injured, ill or deceased individual.

Gag Order:

A notable addition to PIPEDA is a "gag order" that prohibits an organization from notifying an individual that information has been requested or obtained by a government institution, or part of a government institution, under a range of provisions contained in Section 7(3). Before it notifies the individual, the organization has to notify the government institution and get its approval. If the government institution vetoes the disclosure, the organization is not allowed to notify the individual but is required to notify the Privacy Commissioner.

The above provision supplements what had previously been the case where an individual had made a request for access to their own personal information, or an account of its collection, use or disclosure, where that personal information had been the subject of a government request.

Removing Investigative Bodies:

Notably, these amendments have completely done away with investigative bodies. It used to be that under Section 7(3), an organization could disclose personal information to designated investigative bodies for the purposes of investigations. Investigative bodies included the Insurance Fraud Bureau of Canada, most Barristers' Societies and other professional regulators. Instead, the new Section 7(3)(d.1) permits disclosures to another organization where that disclosure is necessary to investigate a breach of an agreement or a violation of the laws of Canada or a province, or is necessary to prevent, detect or suppress fraud, where it would be reasonable to expect that disclosure with the knowledge or consent of the individual would undermine the ability to prevent, detect or suppress the fraud. Subsection (d.2) allows disclosures to government institutions or next of kin related to "financial abuse". Finally, Subsection (d.3) further permits disclosures for notifying the next of kin of injured, ill or deceased individuals.

Business Transactions:

The new Section 7.1 permits disclosures and uses of information in connection with a "prospective business transaction". This term is defined to include a range of transactions, including the purchase or sale of a business, mergers and amalgamations, financings, leasings, and joint ventures. Under Section 7.1, parties to a prospective business transaction can use and disclose personal information without the knowledge or consent of the individual if they have entered into an agreement that requires the recipient to use and disclose the information solely for purposes related to the transaction, to protect that information with appropriate safeguards and, if the transaction does not proceed, to return or destroy the information within a reasonable period of time. It is also a condition that the personal information be necessary to determine whether to proceed with the transaction and necessary to complete the transaction.

Once the transaction is completed, Subsection (2) permits the parties to the transaction to use and disclose the personal information without consent, provided they have entered into an agreement that requires them to use the information only for the purposes for which it was originally collected, to protect that information, and to give effect to any withdrawal of consent as is already provided for under Principle 3 of the CSA Model Code. It is an overriding condition that the personal information be necessary for carrying on the business or activity that was the object of the transaction, and that the individuals are notified, within a reasonable time after the transaction has completed, of the transaction and that their personal information has been disclosed.

This provision that permits the use and disclosure of personal information for business transactions does not apply to business transactions where the primary purpose or result is the purchase, sale or other acquisition of personal information.

Employee Personal Information:

The new Section 7.2 will mark a significant change in how PIPEDA applies to employees of federal works, undertakings and businesses. No longer is consent of the individual required to collect, use and disclose employee personal information if that collection, use or disclosure is necessary to establish, manage or terminate the employment relationship, provided that the employer has notified the individual that the personal information will be or may be collected, used or disclosed for these purposes.

Breach Notification - Notification of the Commissioner:

Perhaps the most notable addition to PIPEDA in Bill C-29 is the addition of Division 1.1, which deals with breaches of security safeguards. The new Section 10.1 requires an organization to report to the Privacy Commissioner any "material breach" of security safeguards. Whether the breach is material depends upon the sensitivity of the information, the number of individuals whose personal information was compromised, and an assessment by the organization of whether the cause of the breach or a pattern of breaches indicates a systematic problem. The form of the notice will be set out in the regulations. The Commissioner has no power to require the organization to notify individuals, nor does she have any power to seek a remedy on behalf of affected individuals unless they themselves complain.

Breach Notification - Notification of the Individual:

The new Section 10.2 deals with notification to the individual, which is mandatory if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. Section 10.2(2) defines significant harm to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property. Subsection (3) then goes on to provide guidance on whether there is a "real risk", which is based on the sensitivity of the information and the probability that the personal information has been, is being or will be misused. The notification has to contain enough information to allow the individual to understand the significance of the breach to them and to take steps to mitigate that harm. Notice has to be given as soon as feasible after the organization confirms the occurrence of the breach and concludes that it is required to give notice under Section 10.2(1). The form and manner of notice may be prescribed in regulations, which I anticipate will allow for notice to large groups of people through the mass media where it is not feasible to give individual notice.

The new Section 10.3 allows organizations to give breach notification to other organizations that will help to reduce the risk of harm that could result from the breach, or to mitigate that harm.

********

Bill C-28, entitled the Fighting Internet and Wireless Spam Act (FISA), targets the sending of what we would typically call spam, or unwanted commercial e-mail, as well as more deceptive forms of bulk mail such as phishing and spyware. The proposed FISA provides a comprehensive regulatory regime that uses economic disincentives to protect electronic commerce and is modeled on international best practices. To enforce the legislation, the bill would use the expertise, and expand the mandates, of three enforcement agencies: the Canadian Radio-television and Telecommunications Commission (CRTC), Competition Bureau Canada and the Office of the Privacy Commissioner of Canada.

Since the bill was originally introduced in April 2009, amendments have been made to address legitimate concerns brought forward through witness testimony during the review of the FISA by the House of Commons Standing Committee on Industry, Science and Technology (INDU) during the last session of Parliament. The FISA reflects the bill passed by the House of Commons on November 30, 2009, but contains some additional technical and coordinating amendments.

The bill establishes a multi-faceted approach to enforcement that protects consumers and businesses alike with a clear regulatory enforcement regime consistent with international best practices. This legislation will make Canada a world leader in anti-spam measures. An important component of the proposed FISA is the enforcement regime whereby the CRTC, Competition Bureau Canada and the Office of the Privacy Commissioner would be given the authority to share information and evidence with their counterparts that enforce similar laws internationally in order to pursue violators beyond our borders.

The proposed FISA would enable the CRTC to impose administrative monetary penalties (AMPs) of up to $1 million per violation for individuals and $10 million for businesses. Competition Bureau Canada, through application to the Competition Tribunal, may seek AMPs under the current AMPs regime in the Competition Act. That regime allows for penalties of up to $750,000 for individuals and $1 million per subsequent violation, and up to $10 million for businesses and $15 million per subsequent violation. The Office of the Privacy Commissioner would use its existing tools and enforcement framework to enforce the provisions of this legislation. The bill also proposes that the Privacy Commissioner's powers to cooperate and exchange information with her international counterparts be expanded under the Personal Information Protection and Electronic Documents Act (PIPEDA).

This bill proposes a private right of action, modelled on U.S. legislation, which would allow consumers and businesses to take civil action against anyone who violates the FISA. The proposed technology-neutral approach allows all forms of commercial electronic messages to be treated the same way. This means that the proposed bill would also address unsolicited text messages, or "cellphone spam," as a form of "unsolicited commercial electronic message."

During the last session of Parliament, the bill received unanimous support in the House of Commons at third reading, and INDU heard from diverse witnesses representing enforcement agencies, industry associations, Internet service providers, consumer groups, marketers and the financial sector.

Moving forward, Industry Canada will act as a "national coordinating body" in order to expand awareness of the law and educate consumers, network operators and small businesses, coordinate work with the private sector and conduct research.

The government also intends to create a spam reporting centre that will work with the three enforcement agencies (the CRTC, Competition Bureau Canada and the Office of the Privacy Commissioner), engage in public awareness, and identify and analyze trends in online threats.

Businesses will benefit from improved protection against threats to the network and from consumers' strengthened confidence in the online marketplace.

Alberta PIPA Amendments - Transparency when using Service Providers Outside of Canada

Last month's PrivaTips reported on the new breach notification requirement in Alberta. There are other significant amendments to Alberta's Personal Information Protection Act. The law now imposes additional obligations on organizations that use service providers outside of Canada to collect, use, disclose or store personal information. Organizations are now required to:

1. Include in their policies and practices information regarding:

   - the countries outside Canada in which the collection, use, disclosure or storage is occurring or may occur; and

   - the purposes for which the service provider outside Canada has been authorized to collect, use or disclose personal information for or on behalf of the organization;

2. Notify individuals at or before the collection or transfer, in writing or orally:

   - how individuals may obtain access to written information about the organization's policies and practices with respect to service providers outside Canada; and

   - the name or position name or title of a person who is able to answer the individual's questions.

Manitoba's Health Privacy Law Changes are in Effect

Amendments to Manitoba's patient privacy law are now in effect. The controversial changes to the Personal Health Information Act went largely unnoticed in the province, but will have big implications for Manitobans.

Effective May 1, hospitals, personal care homes and other designated health-care facilities can now legally disclose the names and mailing addresses of patients to affiliated charitable fundraising foundations without having to first obtain the express opt-in consent of patients.

Instead, patients must either be notified in writing that their personal information might be disclosed, or be able to read notices to that effect posted where they are likely to come to patients' attention. Such notices must be written in a manner that patients can actually understand, so they cannot be buried in the fine print of lengthy documents. In essence, it is a negative option, or opt-out, regime.

Patients who are unhappy about the disclosure of their personal information to foundations will have no recourse to complain. Manitoba's ombudsman does not typically have the jurisdiction to investigate privacy complaints regarding foundations, nor does the Privacy Commissioner of Canada.

Patients with privacy concerns must simply let the hospital, personal care home or other designated health care facility know that they do not want their personal information disclosed to a foundation. The foundations will have to be mindful of the privacy sensitivities of patients. Like all other organizations, they have a vested interest in meeting the privacy expectations of stakeholders.


********************

May 2010

Mandatory Breach Notification in Alberta

On May 1, 2010, amendments to Alberta's privacy legislation come into effect. The Personal Information Protection Amendment Act will include Canada's first mandatory breach notification requirements for the broader private sector. Effective May 1, organizations covered by PIPA, the Personal Information Protection Act, may be required to notify the Privacy Commissioner of a loss, theft or unauthorized disclosure of personal information, including personal employee information. Businesses that are not government bodies or public bodies will be subject to the new breach notification requirements.

The new legislation requires organizations to report a breach where "a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure." Where this "real risk" threshold is met, the organization must notify the Privacy Commissioner of the breach. The Commissioner may then require the organization to notify individuals, such as employees or clients, to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure.


Federal Privacy Commissioner Leads t