CAPAPA supports Canadian’s Right to Know “Privacy IS Your Business”
(Calgary, Alberta) August 26, 2007 – CAPAPA (Canadian Association of Professional Access and Privacy Administrators) is pleased to support international Privacy Awareness Week, August 26th to September 1st, 2007. Privacy Awareness Week, a campaign first initiated by Privacy Victoria (Australia) in 2001, has for the first time gone international.
As Canada’s leading association serving privacy and access professionals, CAPAPA is spearheading the campaign to promote privacy awareness in Canada. “Identity theft and information security breaches are happening more often than ever,” says CAPAPA National Chair Sharon Polsky. “To reverse that trend, Canadians must recognize the importance of protecting their personal information — at home, in the workplace, and in the consumer marketplace.”
Privacy Awareness Week provides an opportunity for individuals to raise questions about privacy legislation and its impact on how individuals conduct their business and personal lives. Privacy Awareness Week spotlights the need for Canadians to recognize their rights and obligations to maintain the privacy of their personal information. The theme for Privacy Awareness Week 2007 is ‘Privacy is your business’.
Know your Rights and Obligations
Canadian organizations, governments, and government agencies are bound by a variety of wide-reaching privacy laws. Ms. Polsky notes that, “As consumers, each of us is responsible to understand what our rights and responsibilities are under those laws.”
CAPAPA is a key source for helping Canadians recognize their privacy rights and responsibilities, and is the privacy advocate’s source for issues such as the passenger name record exchange, emerging RFID CHIP technology, and CAPAPA's Submission to the Senate on proposed changes to Canada’s Election Act.
More information on these and other Canadian privacy issues is at http://www.capapa.org./ For more information on how you can promote Privacy Awareness Week 2007, visit http://www.capapa.org/ or contact CAPAPA at: info@capapa.org.
Privacy Commissioner launches e-learning tool for retailers
This should have been done a few years ago ...
Yesterday, the Privacy Commissioner of Canada launched an online training tool for retailers to understand their obligations under PIPEDA. I haven't taken the course yet, but anything like this should be a good thing.
News Release: Privacy Commissioner launches e-learning tool for retailers (August 20, 2007) - Privacy Commissioner of Canada
Ottawa, August 20, 2007 – Retailers now have a free, do-it-yourself interactive tool to help them bring their privacy practices and policies in line with the law, the Privacy Commissioner of Canada, Jennifer Stoddart, announced today.
“Small businesses often don’t have the money to hire privacy specialists or lawyers to help them figure out how to comply with Canada’s privacy legislation,” says Commissioner Stoddart. “Nor is it always necessary. Good privacy compliance doesn’t have to be expensive or time-consuming”.
The new e-learning tool created by the Office of the Privacy Commissioner of Canada (OPC) provides retailers with the information they need to set up their business to meet their obligations under Canada’s privacy laws and provide customers with the privacy protection they’re guaranteed under the Personal Information Protection and Electronic Documents Act (PIPEDA).
“Protecting customers’ information is an increasingly important part of running a business today and the online training is a valuable tool to help our members build solid privacy practices into their operations,” says Catherine Swift, President and CEO of the Canadian Federation of Independent Business (CFIB).
Derek Nighbor, Vice-President, National Affairs with the Retail Council of Canada (RCC) agrees. “With the proliferation of identity thieves and online fraudsters, members of the RCC who do not always have the time or the resources to learn about PIPEDA requirements will be pleased with the user-friendliness of this e-learning tool. Ultimately, their customers will find this a rewarding tool in the protection of their personal information” says Mr. Nighbor.
The OPC, in a joint initiative with the RCC, recently mailed privacy information kits to some 3,000 retailers in provinces where businesses are governed by PIPEDA. The kit includes a guide entitled Your Privacy Responsibilities: A Guide for Businesses and Organizations. (The kits will not go out to Retail Council members in the three provinces which have adopted their own private-sector privacy laws, B.C., Alberta and Quebec.)
“Some small businesses have been very proactive in developing good privacy practices, while many others still have a ways to go,” Ms. Stoddart says.
“Protecting customers’ personal information is the law, and it’s also good for a company’s reputation and bottom line,” the Commissioner adds, noting that research has shown it costs far less to adequately protect personal information in the first place than to clean up after a data breach.
The online retailer training session takes only about 30 minutes to complete. At the end, retailers will have: an information audit of their business; consent provisions required specifically for their business; a security plan; a sample privacy brochure for customers; and a training needs assessment. The interactive training is available online at http://www.privcom.gc.ca/privacy_comm/0001_home_e.asp.
New information for other types of small businesses is also available on the OPC’s web site.
Companies – large and small – in all but three provinces are subject to PIPEDA. The law imposes obligations on how those businesses must handle personal information such as names and addresses.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.
Why businesses need to ask themselves "What's the worst that can happen?"
Many businesses deal with personal information that they would not consider "sensitive" personal information. Names, addresses, delivery instructions, maybe payment information. Other than credit card data (which isn't retained, right?), most is seen to be routine, mundane transactional data.
But businesses need to constantly ask themselves: what is the worst that can happen if personal information is disclosed? Could any of their usual practices somehow cause their customers harm of any kind? Privacy goes well beyond preventing fraud and identity theft. Personal information is powerful, and what might be perfectly mundane to most may cause particular individuals real problems.
There's a story out of Texas that provides a great illustration of what can go wrong and how businesses should be thinking about their practices. A Texas resident is suing 1-800-FLOWERS for a million bucks because they sent him a card thanking him for his patronage. Nothing offensive there, right? But the thank you card was read by his soon-to-be ex-wife and it showed that the plaintiff had sent a dozen long-stemmed roses to someone else. What had been an amicable separation went sideways and she has significantly upped her demands. (See: Married Man Sues Florist for Revealing Affair: Man Sues for $1 Million After Wife Discovers He Bought Flowers for His Girlfriend.)
You may think he is a cheating weasel who deserves everything he gets. But, assuming the article is correct, was it really his florist's job to drop a dime on him? Simply put, no it isn't.
Some time ago, a cellular phone carrier in Ontario provided a customer's billing records to his wife because she said she was doing the monthly bills and couldn't understand some of the charges. He was having an affair and the bills told the tale. (National Post, 27 September 2003.)
I've heard of a clinic in Nova Scotia that called to ask a question about scheduling a patient's vasectomy and, when the patient wasn't home, asked his wife. No harm done in that case, but what if the spouse didn't know about the man's plans? What if it wasn't his wife who answered, but a friend, housekeeper, etc.?
A while ago, the Alberta Privacy Commissioner "named and shamed" a pharmacist for disclosing a patient's prescriptions to the patient's spouse. The question related to tax records, but it did disclose psychiatric prescriptions.
What does all of this mean? Many of these disclosures are made in good faith with no intention to harm anyone. On the contrary, most are made to be helpful. But for some customers/patients, these disclosures can have disastrous consequences. Every business that collects, uses or discloses personal information has to be mindful of this.
The Federal Privacy Commissioner has just released privacy breach guidelines, which are similar to guidelines produced by the Ontario and British Columbia commissioners. Here is the press release, with links to the guidelines:
News Release: Privacy Commissioner releases privacy breach guidelines (August 1, 2007) - Privacy Commissioner of Canada
Ottawa, August 1, 2007 – New guidelines will help organizations take the right steps after a privacy breach, including notifying people at risk of harm after their information has been stolen, lost or mistakenly disclosed, says the Privacy Commissioner of Canada, Jennifer Stoddart.
The guidelines outline some of the key steps in responding to a breach, such as containing the breach, evaluating the risks associated with it, notifying the people affected and preventing future breaches.
“It’s clear that most businesses take seriously their responsibilities under Canada’s private-sector privacy law. I want to thank the industry groups, civil societies groups and privacy commissioners' offices that helped my office in developing these,” Commissioner Stoddart says.
The Office of the Privacy Commissioner (OPC) has become increasingly concerned about privacy breaches and breach notification following some major data breaches in recent months. Earlier this year, Commissioner Stoddart urged the federal government to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) to make it mandatory for businesses to notify people when their personal information has been breached.
“Our new voluntary guidelines do not take away from the need for breach notification legislation,” the Commissioner says. “I would once again urge the Minister of Industry and his cabinet colleagues to help better protect Canadians by making breach notification a legal requirement for businesses.” The guidelines call on businesses to notify people that their personal information has been compromised in cases where the breach raises a risk of harm. For example, there may be a risk of identity theft or fraud in cases where sensitive personal information has been lost or stolen.
Organizations are also encouraged to inform the appropriate privacy commissioner(s) of a privacy breach. (In British Columbia, Alberta and Quebec, provincially regulated businesses should speak to their provincial privacy commissioners. In Ontario, breaches involving personal health information must be reported to the provincial commissioner.)
The OPC is currently investigating two high-profile privacy breach cases involving large amounts of personal information.
In one case, the Canadian Imperial Bank of Commerce reported to the OPC the disappearance of a hard drive containing the personal information and financial data of close to half a million clients of its subsidiary, Talvest Mutual Funds.
The other investigation, being conducted jointly with the Information and Privacy Commissioner of Alberta, is looking at a breach at TJX Companies Inc., which affected thousands of Canadians who shopped at TJX’s Winners and HomeSense stores.
The new guidelines as well as a privacy breach checklist and a list of organizations which participated in the consultation process to develop the guidelines are available on the OPC website, http://www.privcom.gc.ca/.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
Oshawa second-hand store bylaw invades privacy
Earlier this week, the Ontario Court of Appeal, in Cash Converters Canada Inc. v. Oshawa (City) (July 4, 2007) (an appeal from Cash Converters Canada Inc. v. Oshawa (City), 2006 CanLII 3469 (ON S.C.)), overturned a City of Oshawa Bylaw that required sellers of second hand goods to collect detailed personal information about those who sell second hand goods to the stores. The bylaw was inconsistent with the Municipal Freedom of Information and Protection of Privacy Act.
Here's what the Toronto Star had to say about it:
TheStar.com - News - Oshawa second-hand store bylaw invades privacy: Court
Tracey Tyler
LEGAL AFFAIRS REPORTER
The Ontario Court of Appeal has struck down sections of a controversial Oshawa bylaw that require second-hand dealers to collect detailed personal information from people who sell them goods and transmit the data to police.
The bylaw conflicts with provincial privacy legislation, which requires the collection and retention of personal information to be strictly controlled, the court ruled Wednesday. The 3-0 decision could influence challenges to similar bylaws in other parts of the country, including Alberta and British Columbia.
“This decision comes at a time when cities are gaining broader law-making powers,” said David Sterns, a lawyer representing the Oshawa franchise of Cash Converters Canada Inc., a second-hand store that challenged the bylaw.
“The court has sent a strong signal that all forms of information gathering and surveillance by municipalities are subject to the public’s overriding right to privacy.”
Under the Oshawa bylaw, passed by the city in 2004 as part of a new licensing system for second-hand dealers, stores were required to record the name, address, sex, date of birth, phone number and height of their vendors, who also had to produce three pieces of identification, such as a driver’s licence, birth certificate or passport.
“This information is then transmitted and stored in a police data base and available for use and transmissions by the police without any restriction and without any judicial oversight,” Justice Kathryn Feldman said, writing on behalf of Associate Chief Justice Dennis O’Connor and Justice Paul Rouleau.
Store owners were required to send reports to police at least daily, in some cases at the time of purchase. The city argued the bylaw was meant to protect consumers from purchasing stolen goods.
But the municipality offered no evidence of a growing problem involving the sale of stolen goods to second-hand dealers, said Feldman.
Nor is there evidence that unscrupulous people are more likely to be deterred by the electronic collection and transmission of personal information, she said.
In 2003, Cash Converters purchased more than 28,000 used items from people. About 30 of those were seized by police in connection with criminal investigations.
It’s unknown whether any were confirmed as stolen, the court said.
The bylaw did not apply to pawn shops, which are provincially regulated.
See, also, James Daw's column: TheStar.com - columnists - New ruling stands up for privacy.
From the OIPC website:
OIPC: "On Friday, June 22, 2007, the Standing Committee on Legislative Offices voted to recommend to the Legislative Assembly that Frank Work will be reappointed as Information and Privacy Commissioner for a term of 4 years."
Town gossip over sex assaults hits Facebook
In an unsolicited media blitz, I had three reporters call me yesterday about three different stories. The second was about a Facebook group that popped up in the wake of a series of unsolved sexual assaults in Carman, Alberta. The group, called "Kiss my ass, Carman rapist", included speculation on who might be a suspect. I understand that the group has since been removed, but it raises the usual internet defamation issues:
Town gossip over sex assaults hits Facebook
... David Fraser, a Halifax lawyer who specializes in privacy and Internet law, said a host of legal issues arise when water-cooler chats move to the Net.
"What was a small conversation in the drug store or at the post office is now being broadcast globally," he said.
Fraser said anyone naming "suspects" or calling someone a rapist online is opening themselves to a potential lawsuit.
"The rules of defamation that apply in the real world also apply online," he said.
"The anonymity of the Internet ... actually makes it easier to say things that perhaps they wouldn't say in front of a crowded auditorium full of people, although there's probably more people seeing it online."
Alberta Commissioner confirms right to have personal health information masked
The Alberta Information and Privacy Commissioner's office, in Investigation Report H2008-IR-001, has confirmed that individuals have the right to have their personal health information masked and its distribution restricted on Alberta Netcare:
Investigation confirms Albertans' right to ask custodians to limit disclosure of health information through Alberta Netcare
May 15, 2008
Information and Privacy Commissioner, Frank Work, has confirmed that individuals can ask that disclosure of their health information through Alberta Netcare, Alberta’s electronic health record, be limited. On conclusion of a recent investigation, it was recommended that Alberta Health and Wellness take steps to fully implement the technology that will allow custodians to limit the disclosure of health information through Alberta Netcare and communicate the availability of this option to Netcare users and Albertans.
The case involves a woman who asked her pharmacist to limit the disclosure of her health information through Alberta Netcare, but was told the pharmacist could not refuse to disclose information to AHW. The woman then contacted AHW to request that her information be “masked” in Alberta Netcare, but was directed to make her request to other custodians.
The Health Information Act (HIA) section 58(2) requires custodians to consider the expressed wishes of individuals when deciding how much health information to disclose. AHW has decided to manage expressed wishes in Alberta Netcare by masking information. Masked information is hidden until an authorized user who is providing care to a patient decides to unmask the information.
The investigation found that AHW built masking capabilities into Alberta Netcare as early as 2006, but did not formalize the processes required to allow Netcare users to apply masking until April 2008. The investigation also found that AHW had not adequately communicated the availability of masking as a means to manage an individual’s expressed wishes to health care providers nor had they developed the administrative tools required to fully support implementation of masking.
Mr. Work says “While I commend Health and Wellness for building important privacy features like masking into the system, it is not very useful to develop a masking system and not support its implementation or advise end users that it is available to them. In principle, AHW’s approach to masking information in Alberta Netcare is sound but implementation has been weak. The Department acknowledges this gap and has committed to developing an enhanced masking implementation plan for my review and comment before the end of the month. We will continue to work with AHW on this issue.”
Other recommendations that have been accepted by AHW include the recommendation to respond to the complainant’s request that her information be masked and expand Alberta Netcare communications materials to inform and educate patients about how a masking request can be made. The Department has taken immediate steps to implement these recommendations.
The investigation report and its recommendations can be found at http://www.oipc.ab.ca/.
The Parliamentary Committee on Access to Information, Privacy and Ethics has just released its report following the five-year PIPEDA review:
ETHI (39-1) — Fourth Report: STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) — Standing Committee on ACCESS TO INFORMATION, PRIVACY AND ETHICS - Committees of the House of Commons
The Standing Committee on ACCESS TO INFORMATION, PRIVACY AND ETHICS has the honour to present its Fourth Report
Pursuant to its mandate under Standing Order 108(2), the Committee has studied a Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA) and agreed to the following report:
The HTML version of this report will be available soon. In the meantime, the Committee is pleased to make available the report entitled STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) (.PDF, 262 KB) in printable format.
Here are the recommendations:
Recommendation 1
The Committee recommends that a definition of “business contact information” be added to PIPEDA, and that the definition and relevant restrictive provision found in the Alberta Personal Information Protection Act be considered for this purpose.
Recommendation 2
The Committee recommends that PIPEDA be amended to include a definition of “work product” that is explicitly recognized as not constituting personal information for the purposes of the Act. In formulating this definition, reference should be added to the definition of “work product information” in the British Columbia Personal Information Protection Act, the definition proposed to this Committee by IMS Canada, and the approach taken to professional information in Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector.
Recommendation 3
The Committee recommends that a definition of “destruction” that would provide guidance to organizations on how to properly destroy both paper records and electronic media be added to PIPEDA.
Recommendation 4
The Committee recommends that PIPEDA be amended to clarify the form and adequacy of consent required by it, distinguishing between express, implied and deemed/opt-out consent. Reference should be made in this regard to the Alberta and British Columbia Personal Information Protection Acts.
Recommendation 5
The Committee recommends that the Quebec, Alberta and British Columbia private sector data protection legislation be considered for the purposes of developing and incorporating into PIPEDA an amendment to address the unique context experienced by federally regulated employers and employees.
Recommendation 6
The Committee recommends that PIPEDA be amended to replace the “investigative bodies” designation process with a definition of “investigation” similar to that found in the Alberta and British Columbia Personal Information Protection Acts thereby allowing for the collection, use and disclosure of personal information without consent for that purpose.
Recommendation 7
The Committee recommends that PIPEDA be amended to include a provision permitting organizations to collect, use and disclose personal information without consent, for the purposes of a business transaction. This amendment should be modeled on the Alberta Personal Information Protection Act in conjunction with enhancements recommended by the Privacy Commissioner of Canada.
Recommendation 8
The Committee recommends that an amendment to PIPEDA be considered to address the issue of principal-agent relationships. Reference to section 12(2) of the British Columbia Personal Information Protection Act should be made with respect to such an amendment.
Recommendation 9
The Committee recommends that PIPEDA be amended to create an exception to the consent requirement for information legally available to a party to a legal proceeding, in a manner similar to the provisions of the Alberta and British Columbia Personal Information Protection Acts.
Recommendation 10
The Committee recommends that the government consult with the Privacy Commissioner of Canada with respect to determining whether there is a need for further amendments to PIPEDA to address the issue of witness statements and the rights of persons whose personal information is contained therein.
Recommendation 11
The Committee recommends that PIPEDA be amended to add other individual, family or public interest exemptions in order to harmonize its approach with that taken by the Quebec, Alberta and British Columbia private sector data protection Acts.
Recommendation 12
The Committee recommends that consideration be given to clarifying what is meant by “lawful authority” in section 7(3)(c.1) of PIPEDA and that the opening paragraph of section 7(3) be amended to read as follows: “For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization shall disclose personal information without the knowledge or consent of the individual but only if the disclosure is […]”
Recommendation 13
The Committee recommends that the term “government institution” in sections 7(3)(c.1) and (d) be clarified in PIPEDA to specify whether it is intended to encompass municipal, provincial, territorial, federal and non-Canadian entities.
Recommendation 14
The Committee recommends the removal of section 7(1)(e) from PIPEDA.
Recommendation 15
The Committee recommends that the government examine the issue of consent by minors with respect to the collection, use and disclosure of their personal information in a commercial context with a view to amendments to PIPEDA in this regard.
Recommendation 16
The Committee recommends that no amendments be made to PIPEDA with respect to transborder flows of personal information.
Recommendation 17
The Committee recommends that the government consult with members of the health care sector, as well as the Privacy Commissioner of Canada, to determine the extent to which elements contained in the PIPEDA Awareness Raising Tools document may be set out in legislative form.
Recommendation 18
The Committee recommends that the Federal Privacy Commissioner not be granted order-making powers at this time.
Recommendation 19
The Committee recommends that no amendment be made to section 20(2) of PIPEDA with respect to the Privacy Commissioner’s discretionary power to publicly name organizations in the public interest.
Recommendation 20
The Committee recommends that the Federal Privacy Commissioner be granted the authority under PIPEDA to share personal information and cooperate in investigations of mutual interest with provincial counterparts that do not have substantially similar private sector legislation, as well as international data protection authorities.
Recommendation 21
The Committee recommends that any extra-jurisdictional information sharing, particularly to the United States, be adequately protected from disclosure to a foreign court or other government authority for purposes other than those for which it was shared.
Recommendation 22
The Committee recommends that PIPEDA be amended to permit the Privacy Commissioner to apply to the Federal Court for an expedited review of a claim of solicitor-client privilege in respect of the denial of access to personal information (section 9(3)(a)) where the Commissioner has sought, and been denied, production of the information in the course of an investigation.
Recommendation 23
The Committee recommends that PIPEDA be amended to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the Privacy Commissioner.
Recommendation 24
The Committee recommends that upon being notified of a breach of an organization’s personal information holdings, the Privacy Commissioner shall make a determination as to whether or not affected individuals and others should be notified and if so, in what manner.
Recommendation 25
The Committee recommends that in determining the specifics of an appropriate notification model for PIPEDA, consideration should be given to questions of timing, manner of notification, penalties for failure to notify, and the need for a “without consent” power to notify credit bureaus in order to help protect consumers from identity theft and fraud.
Alberta order on consent and withdrawal thereof
Order P2007-003
Two Complainants brought complaints under the Personal Information Protection Act with respect to the collection, use and disclosure of their personal information by International Stereo Ltd., (now operating as Urban Audio Video Inc.) (the “Retailer”). The information had been collected by the Retailer and then conveyed to Wells Fargo Financial Corporation of Canada, so as to permit the latter organization to conduct credit checks for determining whether it would grant credit for buying the Retailer’s merchandise. Although the Complainants signed applications containing clauses consenting to use of personal information for credit checks, they said they had been assured their personal information would not be used in this way. They also said they had been led to believe the cards for which they applied would allow them to get 10% discounts on purchases. As well, one of them complained that his request to withdraw his application had been refused.
The Adjudicator found that the Retailer collected, used and disclosed the Complainants’ personal information in violation of section 7 of the Act (collection, use and disclosure without consent), that it failed to provide adequate notification of the purpose for collection in contravention of section 13, and that it failed to cease collecting, using or disclosing the personal information after consent had been withdrawn, in violation of section 9(4).
Clerk fined for inappropriate access to personal health information
Earlier this month, a medical clerk was fined $10,000 for unlawfully accessing the personal health information of her lover's wife. To my knowledge, this is the first charge and conviction of its kind in Canada. The charges were laid under Alberta's Health Information Act. Most other provinces would have no penalty for such conduct.
Medical office clerk fined $10,000 for accessing records of lover's wife
CALGARY (CP) - A medical office clerk has been fined $10,000 for illegally obtaining health records of her lover's wife.
Stephanie MacDonald, who was charged under the Alberta Health Information Act, gained access to test results, biopsy findings and X-rays belonging to Marlene Stallard 17 times between August 2005 and May 2006.
Stallard, who is fighting ovarian cancer, told court in her victim impact statement the records were used in an attempt to convince her husband she was gravely ill.
It was part of MacDonald's strategy to make her adulterous relationship with James Stallard more permanent, she alleged.
''A violation of your privacy to that degree, when you're going through cancer, is a pretty terrible thing,'' Marlene Stallard said Friday, after the sentencing.
MacDonald, who could access information through her capacity as a clerk at the Dr. McPhalen Professional Corporation, maintained she was working under her lover's direction when she accessed the records. MacDonald and James Stallard are no longer lovers.
But James Stallard testified he only asked MacDonald to get information about his wife's condition twice, and denied he'd asked for information the other 15 times.
MacDonald also said she wasn't aware what she was doing was illegal, noting she'd never been briefed on such practices and her office didn't have a privacy policy.
Provincial court Judge Manfred Delong said he didn't believe a 12-year medical clerk didn't know what she was doing was wrong.
Alberta faults Ticketmaster for requiring consent to secondary purposes
Labels: alberta, pipa, privacy
The Alberta Information and Privacy Commissioner has found that Ticketmaster violated that province's privacy law by requiring that purchasers consent to use of their information by concert promoters. From the Commissioner:
OIPC
Office of the Information and Privacy Commissioner of Alberta
December 19, 2007
Ticketmaster investigated under Personal Information Protection Act
The Office of the Information and Privacy Commissioner has found that Ticketmaster Canada Ltd (Ticketmaster) contravened the Personal Information Protection Act (PIPA) by requiring on-line customers to consent to the use of personal information for the event provider’s marketing purposes, as a condition of a ticket sales transaction.
The investigation also determined Ticketmaster’s on-line opt-out process did not allow customers to make an informed decision about consent nor did it offer customers a reasonable opportunity to decline or object to the use of their personal information for event providers’ marketing purposes. Ticketmaster’s on-line privacy policy was also found to be complex and ambiguous.
The Complainant went on Ticketmaster’s website, www.ticketmaster.ca to purchase tickets for an event. During the on-line transaction, the Complainant was unable to proceed with his on-line ticket purchase unless he consented to Ticketmaster’s “Use of Personal Information” privacy statement. The Complainant was particularly concerned with the contents of this privacy statement, which authorized Ticketmaster to share his email address with event providers for the event providers’ marketing purposes.
Ticketmaster agreed to implement the Investigator’s recommendations, which included launching, across Canada, a new on-line and telephone opt-in mechanism for event providers’ marketing communications. This mechanism offers on-line and telephone customers the opportunity to opt-in to receiving marketing materials from event providers by checking a box during the on-line ticket purchase process. In conjunction with the new on-line opt-in mechanism, Ticketmaster posted its revised on-line privacy policy with an easily navigable table of contents linking to appropriate section of the policy.
To obtain a copy of Investigation Report P2007-IR-007, please visit our website at:
www.oipc.ab.ca
CBC has some coverage of the story here: CBC.ca Arts - Ticketmaster's online sales violated Alberta privacy law.
Privacy Commissioner Concerned With Ticketmaster's Privacy Practices
Labels: alberta, breach notification, pipeda findings, privacy
Privacy Commissioner Concerned With Ticketmaster's Privacy Practices, Encourages Companies to Adopt High Privacy Standards Across Operations
OTTAWA, April 18, 2008 – Privacy Commissioner of Canada Jennifer Stoddart expressed concern with the information collection and privacy practices of a major online ticket vendor. However, following an investigation by her office and that of Alberta Commissioner Frank Work, the privacy practices of Ticketmaster Canada Limited have been brought up to standard.
However, she encourages companies to adopt the highest standard of privacy practices possible, regardless of where they do business.
“Online commerce continues to grow and customers worldwide expect companies to safeguard their personal information in the course of their business,” says Jennifer Stoddart. “It simply makes good business sense for companies to implement excellent privacy practices across their operations. It is also the law in Canada.”
The Commissioner launched an investigation into the information collection practices of Ticketmaster Canada Limited after a private citizen filed a complaint alleging that the company’s policies and practices on the collection, disclosure and use of customers’ personal information did not comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).
The Information and Privacy Commissioner of Alberta, Frank Work, investigated a similar complaint into how Ticketmaster obtained consent to collect its customers’ personal information and released an investigation report late in 2007.
The investigation conducted by the Office of the Privacy Commissioner of Canada examined the issue of consent, but also investigated whether Ticketmaster followed the principles of access, openness and accountability found in PIPEDA.
“I am now satisfied with the measures Ticketmaster undertook to resolve the complaints that were brought to our attention,” says Jennifer Stoddart. “But I am very concerned that, seven years after PIPEDA was enacted, a major online company operating throughout Canada was found to be in violation of the legislation.”
The investigation of Ticketmaster Canada’s privacy practices was led by Assistant Commissioner Elizabeth Denham. It found that although the company had a privacy policy in place, this policy was long, complex and difficult for consumers to read.
The Assistant Commissioner also found that Ticketmaster’s online customers were required to consent to their personal information being used for marketing purposes as a condition of purchasing a ticket – a clear violation of PIPEDA.
Following the two investigations, Ticketmaster has revised its privacy practices to explicitly communicate what personal information is collected, with whom it is shared, and how it is used. The company has also adapted its online notification and call-centre telephone scripts so that customers are provided with a choice of whether to opt in to receive marketing material from Ticketmaster and event providers.
Furthermore, Ticketmaster in the United States has amended its privacy policy to make it more understandable and user-friendly for its customers. However, it did not implement any mechanism to provide customers the choice of opting in to receive marketing material, as it has done for its operations in Canada and the United Kingdom.
The Commissioner will bring this distinction to the attention of her colleagues at the US Federal Trade Commission. As well, she will continue to encourage companies with operations in Canada and elsewhere to adopt the highest standard of information protection practices possible to ensure compliance with Canadian privacy law.
To view the case summary and backgrounder:
Investigator: Employer did not violate PIPA by investigating whether staffer was looking for another job
Labels: alberta, employment, pipa, privacy
OIPC
April 10, 2007
EPCOR Utilities Inc. found in compliance with Personal Information Protection Act
The Office of the Information and Privacy Commissioner has found that EPCOR Utilities Inc. (EPCOR) complied with the Personal Information Protection Act (PIPA) when it collected, used and disclosed personal employee information without consent. EPCOR’s collection, use and disclosure of the employee’s personal information was also found to be reasonable for purposes of an investigation.
The complainant, an EPCOR employee at the time, took a leave of absence from EPCOR. Shortly thereafter, EPCOR received unsolicited information suggesting the complainant was about to begin work for another company. EPCOR contacted the other company to verify the complainant’s alleged employment there. The complainant complained that EPCOR collected, used and disclosed his personal information without consent.
The Investigator found that EPCOR had collected, used and disclosed the complainant’s personal information to investigate a possible contravention of the complainant’s employment agreement. As such, consent was not required.
Further, the Investigator found that the information qualified as personal employee information under PIPA: the information was reasonably required to manage the complainant’s employment relationship with EPCOR, and consisted only of information related to that employment relationship. The complainant was notified at the time of hire that his personal information could be collected, used or disclosed for investigation purposes. As such, EPCOR did not require consent to collect, use and disclose the complainant’s personal employee information in these circumstances.
For more information about investigation report P2007-IR-004, please visit our website at:
http://www.oipc.ab.ca/
Daniel J. Michaluk has a great comment on an Alberta case that's pending dealing with employee drug testing, which is a very common practice in that province's oil sands projects. Check it out: One to watch - Drug testing case at Alberta CA « All About Information.
There have been some interesting releases from the Information and Privacy Commissioner of Alberta's office:
Posted: Mar/19/2008
Adjudicator rules personal information released in contravention of Personal Information Protection Act
An Adjudicator with the Office of the Information and Privacy Commissioner has ruled that the Alberta Teachers’ Association contravened the Personal Information Protection Act (PIPA), when it published an article containing the personal information of former members.
The Complainants filed the complaint when the ATA published their names in a newsletter stating that they no longer were required to adhere to the ATA’s Code of Professional Conduct.
The ATA argued while it had published personal information, it had done so for “journalistic purposes” and that PIPA did not apply.
The Adjudicator determined that PIPA did apply and that the information was disclosed contrary to sections 7 and 19 of PIPA.
Posted: Mar/18/2008
Adjudicator finds Alberta Energy and Utilities Board did not disclose personal information in contravention of the FOIP Act
Posted: Mar/11/2008
Information and Privacy Commissioner, Frank Work, has ruled that the parents of a student had no legal standing in a complaint over the seizure of their son’s cell phone. The Commissioner says he was not presented with any evidence under section 84 of the Freedom of Information and Protection of Privacy Act (FOIP) that the parents were authorized to act on behalf of their son, nor is there any evidence that the son is even aware of a complaint being made on his behalf.
The parents complained to the Commissioner their son’s cell phone had been seized by school administrators who had accessed photographs contained on the phone.
During an inquiry into the matter, the Commissioner found the evidence did not establish that the parents had standing to make a complaint. The Commissioner also found there was little evidence that the son’s personal information had been collected or used by the school.
Investigation Report P2008-IR-002
Posted: Mar/06/2008
Commissioner releases investigation report on DeVry Institute of Technology, related to discovery of identity theft.
Posted: Mar/06/2008
Commissioner releases investigation report related to discovery of identity theft
News Release: New Video Surveillance Guidelines
Posted: Mar/06/2008
New guidelines set out how companies should evaluate the use of video surveillance that respects privacy rights and complies with the law.
Posted: Mar/06/2008
Adjudicator upholds decision not to release Crown Prosecutor records
Posted: Mar/06/2008
Adjudicator rules company tried to find applicant's personal information
Privacy commissioner raps home improvement retailer for collecting drivers licenses on product returns
Labels: alberta, pipa, privacy, retail
The Information and Privacy Commissioner of Alberta has ruled that Home Depot violated the Personal Information Protection Act (Alberta) when it collected and recorded a customer's driver's license information in connection with a product return. The company's policy was that returns for purchases made with a debit card, even with a receipt, were treated as a "no receipt" return and the information was collected. The Commissioner noted that the information would be placed in a database maintained by the American parent company in the United States, which is a disclosure of personal information.
The article on Canada.com quotes a Home Depot spokesperson who says this is no longer the policy as customers thought it to be an invasion of privacy. See: Privacy commissioner raps Home Depot.
Alberta Commissioner investigating Barlink on ID swiping
Labels: alberta, id swiping, privacy
I've blogged on this topic of bars swiping patrons' identification a number of times (see label "id swiping"), but it appears that we'll have a decision from the Alberta Commissioner on the topic in the next few months: edmontonsun.com - Edmonton News - Barlink probed by privacy watchdog.
Alberta Commissioner upholds cameras in locker rooms at health club
Labels: alberta, health information, pipa, privacy
This is likely to spur some interesting discussion:
OIPC
A complaint was made against the Organization which operates the “Talisman Centre for Sport and Wellness”. The Complainant stated that the Organization had placed overt security cameras in the Talisman Centre’s men’s locker rooms. The Complainant was concerned about a loss of privacy and that patrons of the Centre would be unable to change without being viewed by the cameras. The Organization stated that the security cameras were installed in 1997 in response to over 900 incidents of theft and property damage during the years 1994-97. The security cameras were installed after all other means to prevent criminal activity had failed. The cameras’ field of vision was restricted to the lockers and had no zoom, panoramic or audio capabilities. The cameras were not actively monitored and a protocol was in place which restricted the viewing of images to instances where there was an incident or reported criminal activity with a case number assigned by the Calgary Police Service. Viewing of the images occurs only in the presence of two senior staff members or by one such member and a police constable. If images are not reviewed they are automatically overwritten in approximately 21 days. After installation of the cameras there was a sharp reduction in criminal activity. As of the date of the Organization’s submission to the Commissioner only 19 images had ever been viewed. The Commissioner found that due to the history of theft, the attempt to use other measures prior to using security cameras as a last resort, and the fact that the images recorded were only accessed in the event of a criminal incident, that the Organization’s collection of personal information was for purposes that were reasonable, as required by section 11(1) of the Personal Information Protection Act (“PIPA”). However, the Organization’s signage was not in compliance with section 13(1) of PIPA. The Commissioner ordered the Organization to change the signage.
Click to view more information Order P2006-008
Alberta commissioner: "It's just nuts that we're not looking after this stuff better"
Labels: alberta, health information, laptop, privacy
After an investigation into a stolen laptop from Alberta Capital Health, Frank Work has expressed some exasperation about how personal information is being protected:
Safeguard cyber-privacy
The Edmonton Journal
Thursday, November 15, 2007
Crafting sophisticated privacy legislation has never been more important, as lawmakers struggle to keep up with technological advances. And yet all the statutes in the world are no excuse for common sense.
"It's just nuts that we're not looking after this stuff better," exclaimed an exasperated Frank Work on Tuesday. Work, Alberta's information and privacy commissioner, had just released a report investigating the May theft of four laptop computers at a Capital Health office.
The study concluded that Capital Health had contravened the Health Information Act by not taking adequate security precautions. This was in spite of two previous warnings about the need for encryption programs. Capital Health has promised that it will have encryption for laptops installed by January and will soon provide the commissioner with a detailed implementation plan for other changes. Let's hope so.
Not that Capital Health is alone. Work also announced another investigation into the theft of a memory stick storing personal details of 560 students attending Edmonton Catholic Schools. An employee of the board's school bus company kept the stick in her purse. The school board now insists bus carriers' memory sticks must be encrypted.
The hope is that other organizations are paying attention. Breaches in consumer information security have made all of us think twice when ordering online or even at the local cash register.
To be fair, a lot of bright people are working on this and lessons have been learned. Still, coming to terms with the storehouse of private information most of us carry around daily in various devices is everyone's business. As technology moves forward, we must remember that privacy is too precious to be taken lightly. That begins at home, at work and at school.