PrivaTips
September 2010
Facebook Privacy is being Evaluated by the Federal Privacy Commissioner
Officials at the Office of the Privacy Commissioner of Canada have taken a keen interest in Facebook's privacy practices. In response to complaints, the office conducted two investigations of the social-networking giant.
Officials gave Facebook a deadline of September 1 of this year to make its privacy settings less complicated and easier for users to understand. Time has run out and the Commissioner's assessment of whether Facebook has lived up to its list of undertakings to bring the company on side with PIPEDA will soon be released. If the review is negative, Stoddart can open a fresh investigation or move to seek a binding order from the Federal Court.
In May, a "disappointed" Stoddart said Facebook had been moving in the opposite direction in the key area of privacy settings. Since then, the commissioner has remained quiet about progress with the social media giant on the question of privacy settings or Facebook's new permissions model for application developers' access to user information.
Facebook said the "enhancements and changes" made in the past year, specifically addressing the commissioner's concerns, bring Facebook in line with Canadian privacy law. The Canadian Internet Policy and Public Interest Clinic (CIPPIC), which launched the initial privacy complaint against Facebook, disagrees, even though the company has increased transparency in some key areas. Facebook's revamped privacy settings are actually broader now than a year ago because the site's new favoured "Everyone" default category trumps the previous default of approved friends. And, as pointed out by CIPPIC, the new permissions model does not apply to "Everyone" information; the commissioner's key recommendation about user information and third-party developers (that they only get access to the basic user information required to run a specific service) has been ignored.
Facebook clearly either hasn't learned its lesson in terms of what the Privacy Commissioner's Office was ultimately trying to get across or, if it understands that lesson, has decided in spite of it that it will proceed differently. Defaults that say share with everybody and disclose to everybody certainly do not accord with the spirit of Canada's privacy law. A spokeswoman for Stoddart wouldn't say which side she will come down on, but said the Commissioner will soon be in a position to speak publicly about the Facebook case.
Federal Privacy Commissioner Challenges Fingerprinting of Med School Applicants
The Federal Privacy Commissioner has launched legal action in Federal Court against the American Association of Medical Colleges, accusing it of violating PIPEDA. She would like the court to order that the collection and storage of fingerprints from students who apply to medical schools be stopped. The association administers the Medical College Admission Test on behalf of schools in the U.S. and Canada. It uses "biometric identity verification" to stop cheating on the tests. Students who take the MCAT are digitally photographed and fingerprinted to confirm their identity when they enter the testing rooms. The association's website says it retains the electronic data for 10 years. This helps ensure that the person who shows up to attend medical school was the same person who took the test.
But it also means the fingerprints and photographs of Canadian students who write the MCAT in Canada - even if they plan to attend medical school in Canada - could later be accessed by U.S. authorities under the Patriot Act. The anti-terrorism act gives law enforcement officials broad powers to access electronic records stored in the U.S.
According to documents filed in Federal Court, the Privacy Commissioner found that the practice of collecting and retaining the fingerprints for the MCAT violated the Personal Information Protection and Electronic Documents Act (PIPEDA). The AAMC agreed to make changes but has not stopped collecting fingerprints, the court application says. Stoddart is asking the court to order AAMC to develop an alternative procedure for verifying the identity of people registering for the MCAT in Canada that does not involve collecting fingerprints.
Two years ago, Stoddart's office launched an investigation into similar issues involving the administration of the Law School Admissions Test (LSAT) after receiving a complaint that thumbprints were collected before the test. The Law School Admission Council (LSAC) administers the test for admission to 200 law schools, including 15 in Canada. It said it collected the thumbprints in case a question about the identity of the test-taker arose later. Because the records are retained in a warehouse in the U.S., the anti-terrorism law could allow American authorities access to fingerprints - even if the students were from Canada and had applied only to Canadian schools. LSAC decided to replace the thumbprints with photographs that would be retained if a question about the identity of a test-taker arose. Stoddart ruled that there was less of an expectation of privacy with photographs. She called the change an appropriate balance but recommended the pictures be stored for only five years.
__________________________
August 2010
Federal Court Releases Decision on "Commercial Activities" under PIPEDA
Last month the Federal Court of Canada released an important decision, State Farm vs. Privacy Commissioner, 2010, FC 736. The Court concluded that when collecting evidence, an insurer acting for one of its insured in the defence of a personal injury claim, is not engaged in a "commercial activity", so PIPEDA doesn't apply.
Part 1 of PIPEDA applies to every organization in respect of personal information that the organization collects, uses or discloses in the course of "commercial activities". The expression "commercial activity" is defined in subsection 2(1) of PIPEDA as an act or transaction or course of action that is of a "commercial character." State Farm submitted that a defendant in a civil action, and a defendant's agents, are not engaged in "commercial activity" with respect to the plaintiff in that action, in view of the ordinary meaning of those words. According to State Farm, the plaintiff was attempting to use PIPEDA in order to obtain information beyond what he is entitled to under the rules of tort litigation in New Brunswick and without having any commercial relationship with the defendant or State Farm.
The Federal Privacy Commissioner stated that section 12 of PIPEDA is clear and unambiguous: the Privacy Commissioner is required to conduct an investigation whenever she is in receipt of a complaint. It is also clear that, pursuant to paragraph 12(1)(c) of PIPEDA, the Privacy Commissioner may seek evidence in order to carry out such an investigation. The Privacy Commissioner therefore took jurisdiction to conduct an investigation as she was required to under section 12 of PIPEDA, but this did not constitute a decision as to whether the conduct complained of occurred in the course of "commercial activity". It was submitted by the Privacy Commissioner that her interpretation and application of these provisions of PIPEDA were reasonable and should not be interfered with. In any event, in the alternative, the Privacy Commissioner submitted that the collection of the surveillance information in question constituted "commercial activity". State Farm collected the information because of its insurance contract.
The Commissioner argued that the relationship between State Farm and its client (the defendant) is entirely commercial in nature and the surveillance of the plaintiff pertained to this relationship: State Farm had an obvious interest in minimizing what amounts it must pay out under that insurance contract. Thus the defence of a third party tort action is "commercial activity" within the meaning of PIPEDA. The Privacy Commissioner further submitted that since the defendant has paid an insurer to defend her against such a claim, such collection of evidence has now assumed a "commercial character" and is thus now prohibited under subsection 7(1) of PIPEDA unless the plaintiff consents thereto.
The Federal Court concluded that collection of evidence on a plaintiff by an individual who is a defendant in a tort action brought by that plaintiff would clearly not constitute a "particular transaction, act or conduct that is of a commercial character" as set out in the definition of "commercial activity" found in subsection 2(1) of PIPEDA. The Federal Court judge stated, “In interpreting this legislation, the Court must strike a balance between two competing interests. Furthermore, because of its non-legal drafting, Schedule 1 does not lend itself to typical rigorous construction. In these circumstances, flexibility, common sense and pragmatism will best guide the Court.” The Court thus concluded that the investigation reports and related documents and videos concerning the plaintiff and prepared by or for State Farm or its defence lawyers in the civil tort action taken against the plaintiff by the defendant are not subject to PIPEDA.
Employers Beware: Protecting Privacy when Employees Depart
Employers often brief employees (or send a memo) when an employee leaves the organization.
Employers often wish to communicate in some way with remaining employees in these situations in order to ease concerns they may have about another employee's departure (voluntary or otherwise).
The Alberta Privacy Commissioner issued an Order on June 14th, 2010 which makes it clear that employers must be very careful about their choice of words in these situations, and that if too much is said, the employer may face civil liability.
The recent Alberta case involved an employee ("X") who left Insight Psychological Inc. in difficult circumstances. Insight's management sent a memo around to all employees advising of X's departure and identifying the person who would be replacing her. The memo went on in the second and third paragraphs to state that X had found employment elsewhere and that all employees were reminded of various key values held by the company.
X found out about this memo and made a complaint to the Alberta Information and Privacy Commissioner's office ("OIPC").
The OIPC Order finds that the second and third paragraphs of the memo breached the Alberta Personal Information Protection Act ("PIPA") because they went beyond what was necessary to advise employees of X's departure. The OIPC found that the statement about "key values" was, in essence, an indication that X had not acted consistently with the organization's key values. This was personal information about her and it was not necessary for this to be disclosed to the remaining employees.
This OIPC order means that X now has a cause of action against the employer for any loss or injury she may have suffered as a result of the employer's breach of PIPA (e.g. damage to her reputation, impact on future employment, etc.).
______________________________________
Late June 2010 (CASE LAW AND INVESTIGATIONS)
Federal Privacy Commissioner Says Mortgage Brokers Need to Better Protect Information
Several mortgage brokerages improved some privacy and security measures following a string of major data breaches, but failed to implement controls to raise the alarm about any future suspicious activity, a privacy audit has found.
The audit by the Office of the Privacy Commissioner of Canada (OPCC) was launched after the brokerages self-reported 14 data breaches in the space of a few months in mid-2008. In each case, someone impersonating an experienced mortgage agent downloaded credit reports for people who hadn't even applied for a mortgage. As a result, the personal information of thousands of people across Canada was compromised.
"The breaches prompted the brokerages to take some positive steps to better protect personal information," Ms. Stoddart said in her report. "However, our audit found that those changes did not go far enough."
The audit is described in the Commissioner's 2009 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA), which was tabled in Parliament in early June.
As the report's summary of the latest OPCC private-sector audit describes, mortgage brokers represent a large and growing segment of the mortgage industry in Canada - accounting for one-quarter of all mortgage transactions. They need to obtain credit reports from credit reporting agencies in order to assess an individual's eligibility for a mortgage. Credit reports contain extensive personal information that can be used by criminals to commit identity fraud.
Following the breaches, the five audited brokerages significantly tightened their practices for hiring agents. However, the audit found there was a lack of adequate controls to restrict agents' access to credit reports. Specifically, the web-based tool used to obtain credit reports doesn't allow brokers to limit the number of credit reports an agent can download. In addition, there are no technological controls to monitor for, and raise the alarm about, suspicious activity.
Among the other risks to personal information highlighted in the audit:
* Some brokers stacked files containing personal information on the floor or on desks within accessible offices. One had overflow storage in an unsecured parking arcade.
* Brokers lacked shredders capable of securely destroying documents. One broker was re-using the reverse side of old, filled-out mortgage applications in order to print out new applications.
* Credit reports were sometimes obtained prior to consent from a client being recorded and there was no ability for clients to opt out of secondary uses of their personal information, such as marketing.
* There was a lack of training about privacy responsibilities and many agents did not know to whom they should turn with a privacy-related question. In one case, a broker franchisee stated that his organization's chief privacy officer was located at the brokerage's head office when, in fact, he was the chief privacy officer.
One of the five audited brokerages is no longer in the mortgage broker business. The four others still operating stated they would implement all of the recommendations in the OPCC's audit report.
Google Street View - WiFi Sniffing Software Discovered
In a puzzling turn of events, Google has been caught using its controversial camera-laden Street View vehicles to do more than just snap pictures. It seems those same vehicles were using Wi-Fi sniffing software called Kismet to allow Google to automatically collect information about wireless networks, including whether they are encrypted. To make matters worse, some extra software was added by a Google programmer, making it capable of grabbing packets of information sent over several of the networks it was scanning. How much data did the company get? According to the company's latest admission, around 600 gigabytes.
While the cataloguing of personal network identification information was intentional, Google says capturing data on those networks was not. According to a spokeswoman from Google, the company was collecting the data to improve Google's "geolocation services," the company's alternative to Global Position Services (GPS).
Google also said it was not targeting any particular information. The company said it was unaware of what this software running in tandem with Kismet was doing. The software found its way onto almost every Street View vehicle in more than 30 countries. The oversight begs the question, if this piece of software got through the cracks, what else is going on that Google doesn't know about? Evidently Jennifer Stoddart, the Privacy Commissioner of Canada, had similar concerns and quickly issued a statement after Google's Wi-Fi goof was recently revealed.
"We have a number of questions about how this collection could have happened and about the impact on people's privacy," said Stoddart, in a release on June 1st. "We are very concerned about the privacy implications stemming from Google's confirmation that it had been capturing Wi-Fi data in neighbourhoods across Canada."
Supreme Court Rules on Grow-Ops, Privacy and Power Companies
Government lawyers are asking Canada's top court to rule on whether police need a warrant to look at power consumption graphs of suspected marijuana grow operations. Daniel James Gomboc was convicted of running a Calgary grow-op, but had the conviction overturned with the argument police had breached his right to privacy by asking the power company to measure his consumption.
The case was argued at the Supreme Court in May. The Crown said the power company was fully within its rights to measure Gomboc's energy use by installing a device on its own power line off Gomboc's property. The Crown also argued the power company was a victim of theft because Gomboc tried to hide the high consumption - which frequently tips off police and power companies to grow-ops - so police had the right to investigate.
The court has previously ruled utility companies can provide police with the amount of power consumed. But technology has changed since then and they can now graph how much power is used at what time of day. Gomboc's lawyer says the data give a precise picture of activity inside the home, including the signature power cycling needed to grow pot.
"All we want (the police) to do is get prior judicial approval." Justice Ian Binnie asked whether the court would be eroding privacy rights if anyone who delivered services to a home, including cable companies, postal workers and repair services, could collect evidence for police. "(The right to privacy) can disappear into a thousand cuts," Binnie said. "Where do you draw the circle around the household?"
The court will reserve its judgment and rule at a later date.
Ontario Court Sets Standard for Disclosing Anonymous Posters
The Ontario Superior Court of Justice has issued its appellate decision on whether the owners of the Free Dominion website can be ordered to disclose the identities of several anonymous posters accused of defamation. The case can be found at http://www.freedominion.com.pa/images/appeal_ruling.pdf
The original order covered e-mail and IP addresses. On appeal, the Canadian Civil Liberties Association and CIPPIC intervened to argue that the court should take free speech and privacy rights into consideration. The court established the following criteria in defamation cases involving requests for disclosure of information on anonymous posters:
1. Whether the unknown alleged wrongdoer could have a reasonable expectation of anonymity in the particular circumstances.
2. Whether the respondent has established a prima facie case against the unknown alleged wrongdoer and is acting in good faith.
3. Whether the respondent has taken reasonable steps to identify the anonymous party and has been unable to do so; and
4. Whether the public interest favouring disclosure outweighs the legitimate interests of freedom of expression and right to privacy of the persons sought to be identified if the disclosure is ordered.
It is good to see that the appellate court has restored the balance in defamation cases in order to better take privacy into account.
_____________________________________________
June 2010 (LEGISLATIVE UPDATE)
Federal Government Tables Amendments to PIPEDA and Reintroduces Anti-Spam Law
On May 25, 2010, two key bills, C-28 and C-29, were tabled in the House of Commons. This article summarizes the significant amendments to PIPEDA and the key provisions of the anti-spam bill, as adopted from backgrounders on these two important introductions.
Bill C-29 requires organizations to report material data breaches of personal information to the Privacy Commissioner of Canada, and to notify affected individuals when the organization deems the breach to pose a real risk of significant harm, such as identity theft or fraud. Bill C-29 also proposes PIPEDA amendments related to protecting the privacy of minors and other vulnerable individuals on-line. Other amendments are designed to clarify and streamline rules for business and support effective investigations by law enforcement and security agencies.
Business Contact Information:
The first significant change is the exclusion of “Business Contact Information” from the purview of the statute. "Business Contact Information" refers to an individual’s name, position name or title, work contact details (including e-mail address) and any similar information of the individual. Under the new Section 4.01, business contact information is excluded from the provisions of PIPEDA if it is collected, used or disclosed solely for the purpose of communicating with the individual in relation to their work.
Valid Consent:
Bill C-29 raises the bar on, or at least clarifies, what is necessary to get consent from an individual. Section 6.1, entitled “Valid Consent”, clarifies that the consent that is required under Principle 3 of the CSA Model Code is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting. This likely raises the bar on what is valid consent.
Witness Statements and Work Product:
In Section 7, which allows the collection, use or disclosure of personal information without consent, a number of changes have been added to permit the collection, use and disclosure of information in witness statements where it is necessary to assess, process or settle an insurance claim. In addition, information produced by individuals in the course of their employment is exempt from the consent requirements provided that the collection, use and disclosure are consistent with the purposes for which the information was produced. This particular exemption codifies what is often referred to as the “work product” exception to consent.
Lawful Authority:
Also in Section 7, the government has attempted to clarify what has been a very confusing provision regarding disclosures to law enforcement. Section 7(3)(c.1) permits the disclosure to government institutions and law enforcement where the government body has identified its “lawful authority” to obtain the information. The meaning of "lawful authority" has been very problematic since the first version of PIPEDA, with interpretations ranging from legal authority to compel or just part of a lawful process. Though I have strong opinions on what it should mean, I was looking for clarification on what Parliament thinks it means. I was disappointed. Lawful authority is "defined" in the new Section 7(3)(c.1):
(3.1) For greater certainty, for the purpose of paragraph (3)(c.1)
(a) lawful authority refers to lawful authority other than
(i) a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or
(ii) rules of court relating to the production of records; and
(b) the organization that discloses the personal information is not required to verify the validity of the lawful authority identified by the government institution or the part of a government institution.
Also in Section 7(3)(c.1), the government has added to the circumstances where information could be disclosed without consent, provided there is lawful authority of course, for the purpose of performing policing services that are not otherwise referred to in Section 7(3)(c.1). Subparagraph (iv) permits a disclosure for the purpose of notifying next of kin of an injured, ill or deceased individual.
Gag Order:
A notable addition to PIPEDA is a “gag order” that prohibits an organization from notifying an individual that information has been requested or obtained by a government institution or part of a government institution under a range of provisions contained in Section 7(3). Before it notifies the individual, it has to notify the government institution and get their OK. If the government institution vetoes the disclosure, the organization is not allowed to notify the individual but is required to notify the Privacy Commissioner.
The above provision supplements what had previously been the case where an individual had made a request for access to their own personal information or an account of its collection, use or disclosure where that personal information had been the subject of a government request.
Removing Investigative Bodies:
Notably, these amendments have completely done away with investigative bodies. It used to be that under Section 7(3), an organization could disclose personal information to designated investigative bodies for the purposes of investigations. Investigative bodies included the Insurance Fraud Bureau of Canada, most Barristers’ Societies and other professional regulators. Instead, the new Section 7(3)(d.1) permits disclosures to another organization where that disclosure is necessary to investigate a breach of an agreement or a violation of the laws of Canada or a province, or is necessary to prevent, detect or suppress fraud where it would be reasonable to expect the disclosure with the knowledge or consent of the individual would undermine the ability to prevent, detect or suppress the fraud. Subsection (d.2) allows disclosures to government institutions or next of kin related to “financial abuse”. Finally, Subsection (d.3) further permits disclosures for notifying the next of kin of injured, ill or deceased individuals.
Business Transactions:
The new Section 7.1 permits disclosures and uses of information in connection with a “prospective business transaction”. This term is defined to include a range of transactions, including purchase or sale of a business, mergers and amalgamations, financings, leasings, and joint ventures. Under Section 7.1, parties to a prospective business transaction can use and disclose personal information without the knowledge or consent of the individual if they have entered into an agreement that requires the recipient to use the information and disclose it solely for the purposes related to the transaction, to protect that information with appropriate safeguards and, if the transaction does not proceed, to return or destroy the information within a reasonable period of time. It is also a condition that the personal information be necessary to determine whether to proceed with the transaction and be necessary to complete the transaction. Once the transaction is completed, Subsection (2) permits the parties to the transaction to use and disclose the personal information without consent, provided they have entered into an agreement that requires them to only use the information for the purposes for which it was originally collected, to protect that information and to give effect to any withdrawal of consent as is already provided for under Principle 3 of the CSA Model Code. It is an overriding condition that the personal information be necessary for carrying on the business or the activity that was the object of the transaction and that the individuals are notified, within a reasonable time after the transaction has completed, of the transaction and that their personal information has been disclosed.
This provision that permits the use and disclosure of personal information for business transactions does not apply to business transactions where the primary purpose or result is the purchase, sale or other acquisition of personal information.
Employee Personal Information:
The new Section 7.2 will mark a significant change in how PIPEDA applies to employees of federal works, undertakings and businesses. No longer is consent of the individual required to collect, use and disclose employee personal information if that collection, use or disclosure is necessary to establish, manage, or terminate the employment relationship, provided that the employer has notified the individual that the personal information will be or may be collected, used or disclosed for these purposes.
Breach Notification - Notification of the Commissioner:
Perhaps the most notable addition to PIPEDA in Bill C-29 is the addition of Division 1.1, which deals with breaches of security safeguards. The new section 10.1 requires an organization to report to the Privacy Commissioner any “material breach” of security safeguards. Whether the breach is material depends upon the sensitivity of the information, the number of individuals whose personal information was compromised and an assessment by the organization whether the cause of the breach or a pattern of breaches indicates a systematic problem. The form of the notice will be set out in the regulations. The Commissioner has no power to require the organization to notify individuals, nor does she have any power to seek a remedy on behalf of affected individuals unless they themselves complain.
Breach Notification - Notification of the Individual:
The new Section 10.2 deals with notification to the individual, which is mandatory if it is reasonable in the circumstances to believe that the breach creates a real risk of significant h
