Oshawa second-hand store bylaw invades privacy

Earlier this week, the Ontario Court of Appeal, in Cash Converters Canada Inc. v. Oshawa (City) (July 4, 2007) (an appeal from Cash Converters Canada Inc. v. Oshawa (City), 2006 CanLII 3469 (ON S.C.)), overturned a City of Oshawa Bylaw that required sellers of second hand goods to collect detailed personal information about those who sell second hand goods to the stores. The bylaw was inconsistent with the Municipal Freedom of Information and Protection of Privacy Act.

Here's what the Toronto Star had to say about it:

TheStar.com - News - Oshawa second-hand store bylaw invades privacy: Court

Tracey Tyler

LEGAL AFFAIRS REPORTER

The Ontario Court of Appeal has struck down sections of a controversial Oshawa bylaw that require second-hand dealers to collect detailed personal information from people who sell them goods and transmit the data to police.

The bylaw conflicts with provincial privacy legislation, which requires the collection and retention of personal information to be strictly controlled, the court ruled Wedneday, The 3-0 decision could influence challenges to similar bylaws in other parts of the country, including Alberta and British Columbia.

“This decision comes at a time when cities are gaining broader law-making powers,” said David Sterns, a lawyer representing the Oshawa franchise of Cash Converters Canada Inc., a second-hand store that challenged the bylaw.

“The court has sent a strong signal that all forms of information gathering and surveillance by municipalities are subject to the public’s overriding right to privacy.”

Under the Oshawa bylaw, passed by the city in 2004 as part of a new licensing system for second-hand dealers, stores were required to record the name, address, sex, date of birth, phone number and height of their vendors, who also had to produce three pieces of identification, such as a driver’s licence, birth certificate or passport.

“This information is then transmitted and stored in a police data base and available for use and transmissions by the police without any restriction and without any judicial oversight,” said Justice Kathryn Feldman said, writing on behalf of Associate Chief Justice Dennis O’Connor and Justice Paul Rouleau.

Store owners were required to send reports to police at least daily, in some cases at the time of purchase. The city argued the bylaw was meant to protect consumers from purchasing stolen goods.

But the municipality offered no evidence of a growing problem involving the sale of stolen goods to second-hand dealers, said Feldman.

Nor is there evidence that unscrupulous people are more likely to be deterred by the electronic collection and transmission of personal information, she said.

In 2003, Cash Converters purchased more than 28,000 used items from people in 2003. About 30 of those were seized by police in connection with criminal investigations.

It’s unknown whether any were confirmed as stolen, the court said.

The bylaw did not apply to pawn shops, which are provincially regulated.

See, also, James Daw's column: TheStar.com - columnists - New ruling stands up for privacy.

Names of defaulted student loan debtors sent in mass e-mail

I got a call yesterday from Lindsay Jones of the Halifax Daily News (Canada's top journalist) to discuss an interesting sitution that has popped up here in Nova Scotia. It appears that an e-mail was sent out to hundreds of defaulted student loan recipients to advise that their case officer was changing. Whoever hit the send button didn't notice that everyone was on the "TO:" line, so each receipient also got a list of all the other defaulted debtors. Not good form.

Of course, the e-mail was forwarded to the Halifax Daily News and the rest is history... (I understand that a journalist from another publication was on the list.)

I've been saying for years that security and safeguards are probably the most important principles in any privacy plan. You won't be on the front page of the newspaper for having a confusing privacy policy or for using opt-out consent instead of opt-in. But if you have a security breach like this, the odds are that you're in for a rough ride.

(Also interesting: part of the response is a hotline for personal apologies.)

Here's Lindsay's article:

Halifax, The Daily News: News Names of student-loan defaulters sent in mass e-mail

Last updated at 7:32 AM on 22/06/07

LINDSAY JONES

The Daily News

An embarrassing breach of personal privacy has led to policy changes at the provincial government department that deals with student loans.

Full names, and in many cases workplaces, were inadvertently disclosed in a mass e-mail sent by a Service Nova Scotia and Municipal Relations collection officer.

The subject line of the June 8 e-mail said "Defaulted Nova Scotia government guaranteed student loans - new contact name."

The e-mail was to inform the employee's clients that she had been reassigned.

Ian Daye, whose name appeared on the list, is annoyed at the lack of discretion.

"It's just: 'You have student loan problems. And here's a list so you can see who else has student loan problems.' This really isn't right, as far as I'm concerned," said the 33-year-old, who works for Research In Motion.

"It's something that should've been done in confidence," Daye added. "It's not really very professional of her to put everyone's addresses out there."

Some of the e-mail addresses on the list belonged to people who work in government offices, banks and local businesses.

Canada's top privacy lawyer said the e-mail is a "highly embarrassing" violation of the freedom of information and protection of privacy (FOIPOP) act.

"People's financial information is some of the most sensitive information out there," David Fraser of Halifax said.

"It really needs to be protected with measured safeguards that are appropriate to the sensitivity of the information."

Fraser said people have the right to complain to the provincial FOIPOP office, though there's no legislation for redress.

"The bigger thing is likely the embarrassment for those individuals whose information was released into the wild," he said.

While accidental privacy breaches do sometimes occur, Fraser said it's also embarrassing for the government that an employee allowed this to happen.

A spokeswoman for Service Nova Scotia and Municipal Relations said steps were taken the day after the email went out to ensure no mass communication of this nature would happen again.

"Every employee that deals with clients has received education about the ongoing importance of protecting personal information," Donna Chislett said.

The computer system for student loans is being revamped to prohibit staff from sending such mass e-mails, she added.

About one third of the e-mails were returned as undeliverable mail.

"It was certainly done inadvertently and it was an oversight. We do apologize for that," Chislett said.

Staff are providing personal apologies and explanations of the privacy breach to anyone with concerns; call 494-4961 for details.

ljones@hfxnews.ca

If you handle personal information, you'd better know the exceptions in privacy laws

If you handle personal information and only read one privacy law article, this one should be it:

Far too often, bureaucrats, cops and others use poorly understood privacy laws as a justification for inaction. Maybe it's just that they don't fully understand the myriad rules and the multiplicity of exceptions.

Privacy laws are complicated and are not well understood, even by people whose day-to-day operations are affected by them. But they are generally sensible and coherent. And -- believe it or not -- they are laced with common sense.

I've had the opportunity to look at every privacy law in Canada and I don't think I've seen one that does not have a public interest override. A public body, in the public sector context, can disclose personal information without consent if it is in the public interest to do so. There are often other exceptions from the general rule that requires consent.

Some may recall the aftermath of the south Asian tsunami where the federal government said they couldn't name victims or survivors because of the Privacy Act. The Privacy Commissioner and others were pretty quick to point out s. 8 of the Privacy Act, which allows the government to disclose personal information where it is in the public interest:

8(2) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed

...

(m) for any purpose where, in the opinion of the head of the institution,

(i) the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or

(ii) disclosure would clearly benefit the individual to whom the information relates.

(I wrote about it on this blog at the time: Editorial urges that naming Canadian tsunami victims is in the public interest & Fallout from naming/not naming Canadian victims)

I was recently reminded of this in a discussion about the failure of the police in Merritt BC to identify a suspect on the lam after a family was found murdered. Police blamed privacy laws. (RCMP grilled for delay in alerting town over suspect) The National Post Editorial Board called them out on the misstep:

The Post editorial board on the Allan Schoenborn case: The RCMP's high-profile failure - Full Comment

...Two days later, Ms. Clarke returned from errands to find her children murdered, and their father vanished along with his dog. The RCMP, confronted with a gruesome spectacle that may have resulted from their failed efforts to get Schoenborn under lock and key, took nearly a full day to announce to the public in Merritt that he was the prime suspect in the killings. Their excuse? "Due to privacy concerns," said RCMP Staff Sergeant Scott Tod, "we had to make sure that we had information that this was the suspect before we released his name."

"Privacy" is a popular item these days in the lexicon of justice, as it is used by the Mounties. No act of ineptitude in communicating with the public can possibly escape its reassuring cover, even though every privacy law or code written down anywhere in the last 50 years contains public-interest exemptions.

Most recently, a University in Ontario has been called to account for not notifying the parents of a mentally ill student who subsequently committed suicide. Privacy laws were pointed to as preventing such action. Anne Cavoukian and her counterparts have reminded universities that these laws are easy scapegoats, but without exception contain provisions that allow privacy rights to be overridden in certain circumstances.

Universities grapple with providing health services, protecting privacy

...University officials say they followed procedures and couldn't tell Kajouji's parents about her mental health because of the province's privacy law. They also indicated universities that don't respect the privacy of their students' health information risk driving students away from the very services designed to help them.

Ontario's privacy commissioner, Ann Cavoukian, and several of her counterparts in other provinces, say universities need to have a clearer understanding of what privacy laws allow and they cautioned that too often privacy laws are the automatic target of blame when controversy arises.

Cavoukian's office provided a fact sheet several years ago to universities explaining the law allows them to disclose personal health information in "compelling circumstances" and if they believe on reasonable grounds it would eliminate or reduce the risk of bodily harm.

Determining whether a situation warrants disclosure is a judgment call, Cavoukian said in an interview, though the law affords protection to the decision-maker as long as he or she acted in good faith.

"If you are a health-care practitioner or a university professional and you have information relating to a student that is considering suicide and you fear for that person and want to reduce the risk of suicide, absolutely you are allowed to release that information," she said. "It's not an easy decision but it is one that is permitted under our privacy laws and I'm sick and tired of people saying that it's the privacy laws that prevented the counsellors from contacting the girl's parents. That's incorrect," she said.

... Suzanne Blanchard, vice-president for student support services, said in an e-mail message the university has specific procedures to deal with students who are in "imminent danger of doing harm to themselves or others."

"Carleton University has reviewed its actions in the aftermath of Nadia's tragic death. We believe that we followed all proper procedures and provided all the support services we could for Nadia," she said. "Carleton University is always diligent in its compliance with Ontario's privacy laws and we believe that we acted, and continue to act, in accordance with those laws."

Cavoukian said some universities take their obligations under the privacy law seriously, but there is still a lot of confusion. She plans to convene a meeting with the Council of Ontario Universities in an attempt to clarify any lingering questions.

Saskatchewan's privacy commissioner agreed there is a "significant need for more education" about the flexibility that is built into privacy laws.

"Sometimes you have people who don't want to do the wrong thing and so therefore you get a kind of paralysis and they don't share information even when the law allows them to and it's appropriate to do so," said Gary Dickson.

Dickson said Kajouji's death, while tragic, provides incentive for universities to ensure they are prepared to deal with students' mental health issues and with situations where informing the parents is up for debate. "Decisions will have to be made and then there have to be people with the appropriate training and judgment who can then make that discretionary decision," he said.

Frank Work, Alberta's privacy commissioner, said it has to be kept in mind Kajouji was an adult and the university may have felt her situation was under control. All the law asks is that a standard of reasonableness be applied, said Work.

"I think it's true in just about every privacy law, the standard is always reasonableness, not perfection," he said.

People will disagree on whether Carleton made the right decision, but one thing the privacy commissioners all agree on is the decision needs to be given due consideration.

"The worst case scenario is if it's just neglect. They saw the bus coming and they didn't yell: 'Get out of the way.' We don't know here. Hopefully in this case they made a judgment call," said Work.

Ontario's commissioner similarly said university officials have to take the time to make the difficult determination and should not rely on privacy laws as the default reason for not disclosing personal information.

"I would urge people to resist the knee-jerk reaction of automatically blaming privacy laws," Cavoukian said.

Here is the moral of this story: Whenever common sense or humanity seem to bump up against privacy laws, take a close look at the law and its exceptions. You will probably find that the drafters have designed the laws to accommodate common sense and humanity.

UK: governance in the public sector

One of the interesting developments in the past decade or two has been the way in which the 'corporate governance' label has been used to describe governance and accountability issues beyond the corporate sector. A good example was provided this week by the Audit Commission, which published a corporate governance inspection report for Doncaster Metropolitan Borough Council: see here (pdf). The report notes:

Good governance is about running things properly. It is the means by which a public authority shows it is taking decisions for the good of the people of the area, in a fair, equitable and open way. It also requires standards of behaviour that support good decision making – collective and individual integrity, openness and honesty. It is the foundation for the delivery of good quality services that meet all local people’s needs. It is fundamental to showing public money is well spent. Without good governance councils will struggle to improve services when they perform poorly".

See here for further information about the Audit Commission's corporate governance inspection work, this includes information about the Commission's key lines of enquiry and policy and methodology in respect of governance inspections.

Ontario Commissioner releases detailed report on TTC surveillance cameras

The Information and Privacy Commissioner of Ontario has released an extensive report on the use of video surveillance by the Toronto Transit Commission. The report can be found here: Privacy and Video Surveillance in Mass Transit Systems: A Special Investigation Report - Privacy Investigation Report MC07-68.

From the media release:

TTC’s surveillance cameras comply with privacy Act,
but additional steps needed to enhance privacy protection,
says Privacy Commissioner Ann Cavoukian

TORONTO – Ontario Information and Privacy Commissioner Ann Cavoukian ruled today that the Toronto Transit System’s expansion of its video surveillance system, for the purposes of public safety and security, is in compliance with Ontario’s Municipal Freedom of Information and Protection of Privacy Act – but she is calling on the TTC to undertake a number of specific steps to enhance privacy protection.

The Commissioner’s office conducted a four-month special investigation that went beyond the scope of the usual privacy investigation conducted in that it included:

• A detailed review of the literature and analysis from various parts of the world on the effectiveness of video surveillance;
  
• An examination of the role that privacy-enhancing technologies can play in mitigating the privacy-invasive nature of video surveillance cameras; and
  
• A detailed investigation into a privacy complaint by U.K-based Privacy International about the expansion of the TTC’s video surveillance system.

“Video surveillance presents a difficult subject matter for privacy officials to grapple with impartially because, on its face, it is inherently privacy-invasive due to the potential for data capture – despite that fact, there are legitimate uses for video surveillance … that render it in compliance with our privacy laws,” said the Commissioner. “Mass transit systems like the TTC, that are required to move large volumes of people, in confined spaces, on a daily basis, give rise to unique safety and security issues for the general public and operators of the system.”

“The challenge we thus face is to rein in, as tightly as possible, any potential for the unauthorized deployment of the system. We have attempted to do this by ensuring that strong controls are in place with respect to its governance (policy/procedures), oversight (independent audit, reportable to my office) and, the most promising long-term measure, the introduction of innovative privacy-enhancing technologies to effectively eliminate unauthorized access or use of any personal information obtained.”

While the expectation of privacy in public places is not the same as in private places, it does not disappear. People have the right, the Commissioner stresses in her report, to expect the following when it comes to video surveillance:

• That their personal information will only be collected for legitimate, limited and specific purposes;
  
• That the collection will be limited to the minimum necessary for the specified purposes; and
  
• That their personal information will only be used and disclosed for the specified purposes.

“These general principles,” said Commissioner Cavoukian, “should apply to all video surveillance systems. Where developments such as video surveillance in mass transit systems, like the TTC, can be shown to be needed for public safety, you must also ensure that threats to privacy are kept to an absolute minimum.”

Among the 13 recommendations the Commissioner is making to the TTC are the following:

• 
  That the TTC reduce its retention period for video surveillance images from a maximum of seven days to a maximum of 72 hours (the same standard as the Toronto Police), unless required for an investigation;
  
• 
  That the TTC’s video surveillance policy should specifically state that the annual audit must be thorough, comprehensive, and must test all program areas of the TTC employing video surveillance to ensure compliance with the policy and the written procedures. The initial audit should be conducted by an independent third party using Generally Accepted Privacy Principles, and should include an assessment of the extent to which the TTC has complied with the recommendations made in this special report;
  
• 
  That the TTC should select a location to evaluate the privacy-enhancing video surveillance technology developed by University of Toronto researchers, K. Martin and K. Plataniotis; and
  
• 
  That, prior to providing the police with direct remote access to the video surveillance images, the TTC should amend the draft memorandum of understanding (MOU) with the Toronto Police to require that the logs of disclosures be subjected to regular audits, conducted on behalf of the TTC. A copy of the revised draft MOU should be provided to the Commissioner prior to signing.

EMERGING PRIVACY-ENHANCING TECHNOLOGY

The Commissioner devotes part of her 50-page special report, and a specific recommendation, to the area of emerging privacy-enhancing video surveillance technology.

“In light of the growth of surveillance technologies, not to mention the proliferation of biometrics and sensoring devices, the future of privacy may well lie in ensuring that the necessary protections are built right into their design,” said the Commissioner. “Privacy by
design may be our ultimate protection in the future, promising a positive sum paradigm instead of the unlikely obliteration of a given technology.”

As an example of the research being conducted into privacy-enhancing technologies, the Commissioner cites the work of researchers Karl Martin and Kostas Plataniotis at the University of Toronto, who used cryptographic techniques to develop a secure object-based coding approach. While the background image captured by a surveillance camera can be viewed, the sections where individuals are caught in the image would automatically be encrypted by the software. Designated staff could monitor the footage for unauthorized activity, but would not be able to identify anyone. Only a limited number of designated officials with the correct encryption key could view the full image.

The Commissioner is recommending that the TTC select a location to evaluate the video surveillance technology developed by Martin and Plataniotis.

A copy of the special report is available on the IPC’s website, www.ipc.on.ca.

Taxman moves to protect privacy

I was interviewed today for Global National's most recent report on privacy problems at the Canada Revenue Agency (our IRS, for my American readers). Since earlier reports on misdirected tax information, many more people have come out to report they have also been the unwitting recipients of information about other taxpayers. See: Taxman moves to protect privacy and also note the many comments in which others relate receiving others' personal information.

I think you can get the video of the feature here: http://video.canada.com/VideoContent.aspx?13750&vc=1&popup=1, but it seems hit and miss to me.

Ontario Commissioner issues unprecedented order against used goods vendors databases

In an apparently unprecedented move, the Information and Privacy Commissioner for Ontario, Ann Cavoukian, has issued a cease and desist order and an order to destroy personal information related to the collection of personal information from people who sell second hand goods to resellers. This follows a battles in the Ontario courts, where the Commissioner's position was ultimately upheld by the Court of Appeal (See: Canadian Privacy Law Blog: Oshawa second-hand store bylaw invades privacy). For more info from the Commissioner's office, see: Privacy Commissioner Ann Cavoukian issues seminal Order to cease collecting detailed personal information from individuals selling used goods, and to destroy all existing records.

I think this is a very important move on the part of the Commissioner.

We are seeing a growing trend in Canada that forces some serious thought about privacy. Private businesses are increasingly being conscripted to collect information on behalf of law enforcement or for law enforcement purposes. For example, money laundering legislation, no-fly lists operated by airlines, "lawful access" and databases of used goods sellers. Meanwhile, the Privacy Commissioners and privacy advocates are taking a stronger stand against this. We've seen various statements and submissions to legislative committees, unanimous declarations against the no-fly list and now the exercise of dramatic coersive powers. It will be very interesting to see how this all plays out.

Nova Scotia's new FOIPOP review officer

As of February 5, 2007, Nova Scotia will have a new review officer under the Freedom of Information and Protection of Privacy Act:

News Release: Department of Justice

New FOIPOP Review Officer Appointed

Department of Justice

January 11, 2007 8:20

---

Dulcie McCallum, former Ombudsman for the Province of British Columbia, is Nova Scotia's new Freedom of Information and Protection of Privacy Review Officer.

Ms. McCallum will oversee how provincial and municipal governments protect the privacy of Nova Scotians and respond to requests for access to information.

"I'm pleased that Ms. McCallum has agreed to take on this important role," said Justice Minister Murray Scott. "The courts have recognized our legislation as being among the most open, progressive information and privacy laws in the country. Ms. McCallum brings tremendous expertise and knowledge to this office, particularly in the areas of the rights of persons with disabilities and children, constitutional matters and justice issues."

Ms. McCallum received her law degree from the University of Victoria and has expertise in administrative and human rights law. Over the past 30 years, Ms. McCallum has held positions in private practice and in the public sector. She was Ombudsman for the Province of British Columbia for seven years, until 1999. Since then, Ms. McCallum has worked for government and a number of organizations, including representative on the Canadian Delegation to the United Nations, to draft the new UN Convention on the Rights of Persons with Disabilities.

"I am thrilled to be named the new FOIPOP Review Officer and am ready to serve Nova Scotians in this important office," said Ms. McCallum. "I moved to rural Nova Scotia just over a year and a half ago from Victoria, British Columbia.

"Living in Sherbrooke has been one of the most rewarding times of my life. This new opportunity, which will enable me to work throughout the province to ensure citizens' rights of access and privacy are respected, is both a great honour and privilege."

The review officer is an independent ombudsman appointed by the Governor in Council for a term of five to seven years. The review officer will accept appeals from people and organizations who are not satisfied with the response they received from government departments or other public bodies such as hospitals, universities and school boards.

The review officer may make recommendations to the public body. The public body must respond in writing to the report. If the applicant, or a third party, is not satisfied with the outcome of a review, an appeal may be made to the Supreme Court of Nova Scotia.

The selection process for a new review officer was led by the Public Service Commission. An independent selection advisory committee, chaired by Auditor General Jacques Lapointe, recruited candidates for the position. The committee reviewed 70 applications and interviewed six candidates.

Ms. McCallum will assume office on Feb. 5.

More on privacy and the Canada Revenue Agency

The Canada Revenue Agency continues to be in the news as of late.

The Canadian Press has found that the CRA official leading the investigation into the disclosure of information about high profile taxpayers, including MP and former hockey star Ken Dryden, once faced the wrath of George Radwanski:

CRA commissioner probing Dryden tax leak once dismissed privacy breach finding

Gregory Bonnell

Canadian Press

Monday, January 08, 2007

TORONTO (CP) - The senior public servant leading a probe into the leak of Ken Dryden's confidential tax information once dismissed a scathing ruling by the federal privacy commission that found Canada Revenue Agency employees had violated the Privacy Act.

Larry Hillier, the agency's assistant commissioner for the Ontario region, launched an "immediate investigation" last month after a published report that employees had violated the Income Tax Act, the Privacy Act and possibly criminal law by leaking Dryden's information.

In an internal e-mail sent to CRA employees, Hillier also warned of possible disciplinary action, including dismissal.

"When one employee breaches confidentiality, as is currently alleged, each and every one of us is impacted," he wrote.

Hillier, however, had a decidedly different response in 2003, when the federal privacy commissioner found CRA employees committed a "serious violation" of the Privacy Act by accessing and disclosing the tax information of former employee Lillian Shneidman while investigating allegations that she had violated a taxpayer's privacy rights.

In an October 2003 letter obtained by The Canadian Press, Hillier defended the actions of his employees, despite the privacy commissioner's findings.

"I offer the following regarding the above-referenced report, which concludes that we inappropriately accessed Ms. Shneidman's tax information," Hillier writes in a letter to then-CRA human resources branch assistant commissioner Dan Tucker.

"It is felt that this particular investigation warranted the accessing of Ms. Shneidman's tax information, as a taxpayer raised serious allegations."

CRA employees who are found guilty of disclosing confidential tax information - a violation of the Income Tax Act - face fines of up to $5,000 or jail time of up to 12 months. Under the Criminal Code of Canada, breach of trust by a public officer is punishable by a maximum prison sentence of five years.

Shneidman, who was fired from the CRA in 2001, had been assured in a July 2003 letter from Tucker that the agency viewed "any breach in privacy as a very serious matter."

The CRA "will ensure that appropriate corrective action will be taken," Tucker wrote.

At least one of the employees involved in the incident has been promoted, said Shneidman - who continues to fight her termination, with cases pending before the Public Service Labour Relations Board and the Federal Court of Appeal.

Former privacy commissioner George Radwanski was unequivocal in his condemnation of the CRA's treatment of Shneidman.

"Accessing that information . . . for the sole purpose of confirming your status as a (CRA) employee was, in my view, totally unnecessary and a gross misuse of taxpayer information," wrote Radwanski, who faces charges of fraud and breach of trust after resigning that same year amid an expense-abuse scandal.

"I consider the use of your (tax) information in this instance to constitute a serious violation of the confidentiality rights afforded you under . . . the Privacy Act."

...

Incident: CRA misdirects taxpayer information

A Halifax resident was more than slightly surprised when he went to the Canada Revenue Agency to pick up his requested notice of assessment. While the notice was conspicuously absent from the envelope, he did find a raft of information about ten complete strangers. Apparently, the CRA stuffed the wrong envelopes and handed over confidential and sensitive information to the wrong person.

When the individual who received the information was not satisfied with the CRA's reaction, he called the other taxpayers and went to the media. The story is on the front page of the Halifax Chronicle Herald.

To make matters worse, the notice of assessment was mailed but nobody knows who to.

CTV is doing a piece for the supper hour news here in Halifax, for which I was interviewed earlier today. They are hoping to get some comment from the unshuffled Minister responsible for CRA.

From today's paper:

More than he wanted to know

Government mistakenly mails other people’s tax papers to Whites Lake man

By JOHN GILLIS Staff Reporter

Andrew Doiron of Whites Lake just wanted to find out his RRSP contribution limit for the year. But what he got was a raft of personal information about 10 strangers from as far away as British Columbia.

The Canada Revenue Agency is now investigating how the confidential tax documents landed in Mr. Doiron’s mailbox and where the information he requested ended up.

"It looks like somebody just picked a handful of paper off a printer and just slipped it in an envelope with my (address) page on top," Mr. Doiron said Wednesday. "But of course they didn’t put my papers in there."

The confusion began Dec. 20 when Mr. Doiron went to the Canada Revenue Agency’s Halifax office in person to ask for a copy of his notice of assessment. He was told he had to call a toll-free number to ask for the document. Staff let him use a phone in the building.

Mr. Doiron was surprised Tuesday when he found an envelope from the agency in his mailbox, and it contained about 35 pages. The documents bore the names, addresses, social insurance numbers, income, marital status and other personal information for 10 other people. His own notice of assessment was not included.

He immediately called a toll-free Canada Revenue Agency number again but said it was tough to persuade the person who answered to let him speak to a supervisor. When he finally did, he said he was asked to mail the documents back to the agency and advised he could claim the price of the postage stamp on his tax return next year.

Mr. Doiron also called as many of the people whose tax information he’d been sent as possible.

One, Sandra Ambersley of Brampton, Ont., told CTV she was very concerned about what might have happened if someone had wanted to use that information.

"I was totally shocked yesterday when I received a call from Halifax, this man saying that he’d received all my personal information," she said Wednesday.

Mr. Doiron noted that on the same online telephone directory he used to find people’s telephone numbers, there was an ad pointing to a Capital One credit card application that required only an address and a social insurance number.

He personally returned all the strangers’ documents to the Halifax office Wednesday.

Mr. Doiron said he felt he did not get a serious response from the agency until after he began contacting the media.

Jack Lee, acting director of the Nova Scotia office, called to apologize and had a copy of the notice of assessment Mr. Doiron requested sent to him. It arrived safely.

The notice had been mailed previously, but not to him.

"Mine’s out there somewhere, floating around," Mr. Doiron said. "I hope somebody threw it away."

Canada Revenue Agency spokesman Roy Jamieson said security is the No. 1 priority for the service, but mistakes happen.

"We’re certainly scrambling to try and piece together what took place," he said. "There’s quite an active and quite an intense investigation going on right now."

He said a call to a toll-free number could be answered at any one of a number of call centres across the country, depending in part on the nature of the request. A requested document could be printed at the appropriate location and mailed from there.

The agency sends about 90 million pieces of mail per year and it’s rare that something gets mixed up, he said.

"To be misdirected in the magnitude of this case, it’s certainly unusual," Mr. Jamieson said.

He said the agency will contact all of the people whose documents were involved and will keep Mr. Doiron abreast of its investigation into the mix-up.

"There’s no question that any kind of breach of security and compromising of an individual’s privacy and confidentiality is our most significant issue in this agency," Mr. Jamieson said.

Mr. Doiron has little confidence that anything will change.

"My gut feeling is, this is government, nothing’s going to happen," he said.

Update: From CTV:

Canada Revenue investigates botched mailout

The Canada Revenue Agency is scrambling to restore public trust and has launched an internal investigation after confidential information on several Canadians was sent to a Halifax-area man.

Documents that Andy Doiron of White's Lake, N.S., were mistakenly sent include social insurance numbers, income, addresses and the marital status of 10 Canadians, including some from as far west as Edmonton.

Doiron said he called most of the people to tell them what happened, and returned the documents to Revenue Canada.

With the trust of Canadians potentially on the line and tax time just around the corner, the agency is promising tough action if necessary.

Revenue Canada spokesperson Roy Jamieson called the incident a rare case of misdirected mail, but admitted somebody in the department made a mistake.

"Certainly if we identify breaches of policy process and procedure, there are disciplinary measures that can be taken and I expect they will be looked at quite seriously," he told CTV Atlantic.

Federal Minister of National Revenue Carol Skelton said she was "disturbed" by the security breach.

"The instant that I found out about it we had launched an investigation," she told CTV News in Saskatoon. "I really can't say much more about it than that. The incident is being looked into."

The agency is still trying to determine which one of five locations was responsible for the botched mail out.

David Fraser, a legal expert in security matters, told CTV Halifax that if such information were to fall in the wrong hands, it could easily be used to commit fraud.

"There really does need to be something done in order to make sure the trust is always there. Accidents happen but so often trust is won or lost in the aftermath of how they decide to deal with it," he said.

Sandra Ambersley of Brampton, Ont. was one of the people Dorion called.

"I was totally shocked when I received the call (on Tuesday) from Halifax," Ambersley told CTV Toronto.

"This man (was) telling me that he received all my personal information. As a joke he did say 'I could duplicate you right now.'"

The confusion began when Doiron called the revenue agency on Dec. 20 requesting a copy of his notice of assessment.

On Tuesday, an envelope from the agency arrived in his mailbox, containing over 30 pages of documents with all the information. His own assessment wasn't included.

Doiron said he immediately called the toll-free Canada Revenue Agency number again and he was asked to mail the documents immediately.

With a report from CTV Atlantic reporter Marc Patrone.

BC Commissioner: Student records can be shared to protect public safety

Proably not a surprise for those who regularly work with the provincial public sector privacy laws in Canada, which usually contain a public interest and "health and safety" override:

Records of troubled B.C. students can be shared: privacy commissioner

Universities in British Columbia can share confidential medical records about troubled students if there's a perceived a threat to public safety, the province's privacy commissioner says.

Responding to a U.S. government report issued June 13 on the April 16 massacre at Virginia Tech that left 33 people dead — including the student who fired the gun — David Loukidelis said a university student's confidential medical records can be shared — regardless of the student's age.

"The laws in B.C. fully enable university and college officials to take steps to protect individual and indeed public safety," Loukidelis told CBC News on Monday.

The U.S. report says schools, doctors and police often do not share information about potentially dangerous students because they can't figure out complicated and overlapping privacy laws.

Loukidelis said there's a long list of exemptions in B.C.'s privacy laws that allow a student's private information to be shared for the good of public safety.

Tim Rahilly, senior director of student and community life at Simon Fraser University in Vancouver, said he often noticed the beginning of problems with students and wondered whether that information could be shared.

He said the university would ask the student whether it can talk to the student's parents about the concerns.

"The student can say no and if they are above the age of majority we are a little bit hamstrung," Rahilly said.

Loukidelis said if a student denies a request to share personal information with their parents or school officials, an assessment can be made.

Video

Nil Koksal reports for CBC-TV (Runs: 2:28)

Play: QuickTime »

Play: Real Media »