
Saturday, February 07, 2004

Privacy timeline 

January 1, 2004 - British Columbia private sector privacy law comes into effect
January 1, 2004 - Federal privacy law comes into force for provincially regulated private sector
January 1, 2004 - Alberta private sector privacy law comes into effect
January 26, 2004 - Federal, British Columbia and Alberta commissioners working together to ensure seamless privacy protection in the private sector
December 30, 2003 - Quebec challenges constitutional validity of federal privacy law
December 17, 2003 - Ontario introduces health privacy legislation
December 11, 2003 - Alberta passes private sector privacy law
November 19, 2003 - Quebec's An Act Respecting the Protection of Personal Information in the Private Sector is declared to be "substantially similar" to PIPEDA
November 13, 2003 - Prime Minister Welcomes New Privacy Commissioner, Jennifer Stoddart
August 13, 2003 - Minister Boudria Announces Appointment of Two Assistant Privacy Commissioners, including Heather H. Black as Assistant Commissioner Responsible for PIPEDA

Friday, February 06, 2004

Canadian Privacy Law and Medical Information: Privacy Handle with Care, If At All 

Handle With Care, If At All: Employers and Medical Information

David T.S. Fraser

In one of the first decisions related to the collection and use of medical information, the Office of the Privacy Commissioner has provided some guidance to employers who are subject to the federal privacy law[1] and to others who routinely handle medical information.



In PIPEDA Case Summary #226,[2] the Assistant Privacy Commissioner of Canada considered a complaint brought by a former employee of a telecommunications company. The former employee alleged that the employer was unnecessarily collecting personal medical information and had not implemented appropriate security safeguards to protect that information. Specifically, the former employee said that the company was assisting with the administration of its long term disability program and required employees to file claim forms and medical reports with the employer’s Human Resources office. With respect to safeguards, the complainant objected to the employer’s practice of collecting medical reports by facsimile to the Human Resources office.



The federal privacy law, the Personal Information Protection and Electronic Documents Act (or “PIPEDA”, as it is often called), contains ten mandatory principles, taken from the Canadian Standards Association Model Code for the Protection of Personal Information. Principle 4 requires that all affected organizations limit their collection of personal information to that which is reasonably necessary for the purposes they have identified. Principle 7, also drawn from the Model Code, requires that an organization protect personal information with “security safeguards appropriate to the sensitivity of the information”. In short, the former employee was complaining that the organization was collecting more information than was necessary and was not safeguarding it appropriately.



The Assistant Privacy Commissioner, in the published summary of her decision, concluded that the company was in violation of Principle 4 because the collection of employee medical information was not reasonably necessary. The disability plan was managed by a third-party insurance company and the employer was simply assisting with the processing of claims. Employees should have been able to submit their information directly to the insurer. The Assistant Commissioner also noted that while some people might find the practice adopted by the company to be innocuous, the company did not give employees any options. For that reason, the Assistant Commissioner determined that the company was in contravention of Principle 4 and also determined that the collection was not reasonable, as is required under Section 5(3) of PIPEDA, which reads:



(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.





With respect to the complaint about safeguards, the Assistant Commissioner made some very important determinations. First of all, she concluded that medical information is considered to be “sensitive information” and that “specific diagnosis [are] among the most sensitive of medical information”. Principle 7 requires safeguards that are appropriate in light of the sensitivity of the information. The organization was in violation of Principle 7, the Assistant Commissioner found, by receiving sensitive medical information on a facsimile machine that was in an unlocked, accessible room. In the circumstances, receiving the information by fax was not appropriate, regardless of whether it occurred at the local human resources office or at the company’s head office. Allowing general human resources staff to receive and process reports containing such sensitive medical information was not appropriate. While employers may have a legitimate need to collect certain medical information (for purposes of verifying an employee’s medical absences and to meet employer obligations to accommodate employees under human rights legislation), stringent safeguards must be put in place. Specifically, the Assistant Commissioner said that such medical diagnoses should only be shared among qualified medical practitioners.



The Assistant Commissioner concluded that while the purposes for the collection by the employer might have been legitimate, the practices were unacceptable “on the whole”.



In conclusion, the Assistant Commissioner made the following specific recommendations to the employer, all of which provide useful lessons for similarly situated organizations:

  • The company should revise its policies and procedures for collecting and handling employee medical reports;
  • Employees need to be notified that, if they are required to submit a medical report, they have the option of sending the form in strictest confidence directly to medical staff in the employer’s health services office, and that if they choose the usual route it will be received and processed by the usual human resources staff;
  • Managers must be trained to refuse to accept any medical report from an employee and should instead direct the employee to submit it directly to Health Services; and
  • The corporate head office should no longer receive detailed medical information related to any employees.



This finding reinforces the fact that any health information requires special handling. While employers may, from time to time, have a legitimate need to know about specific diagnoses, procedures must be put in place to make sure that only necessary information is collected, that employees know how and for what purposes it will be used and, finally, that extremely stringent safeguards are in place to protect that sensitive information.








Thursday, February 05, 2004

Incident: Computers likely containing personal information stolen from Whitehorse probation office 

From the Whitehorse Star:



"Police ask for public's help in solving theft
by Sarah Elizabeth Brown

Whitehorse RCMP are turning to the public for help in solving a computer theft from the territory's probation office.

In particular, police are asking for calls from anyone who saw vehicles or people in the alley between Jarvis Street and Wood Street behind the Yukon Theatre between 4 p.m. and midnight last Sunday.

Police are also asking that anyone who noted activity in front of the Justice department's offices at 301 Jarvis St. in that time period to call them or Crime Stoppers.

Taken during the theft was a shopping list of electronics: palm pilots, camcorders, overhead projectors, miscellaneous computer accessories, several black Dell computers and several laptop computers of the same make.

Along with the cost of the equipment itself, the concern is what information was stored on the hard drives.

The office's main server, where the bulk of information is kept, is located outside the building.

Justice Minister Elaine Taylor told reporters this morning that department officials and police are still trying to determine what information was on the hard drives of computers and laptops now missing.

If personal information was taken, those individuals will be notified immediately, said Taylor.

Most of the stolen equipment was taken from the adult probation office on the second floor, along with the crime prevention and policing and assistant deputy minister's office, also on the second floor, a department spokeswoman explained today.

While a boardroom on the first floor was entered, victims' services and the family violence sections were untouched and secure on the first floor.

Anonymous tips can be made to Crime Stoppers at 1-800-222-8477. Whitehorse RCMP can be contacted at 667-5555."

Wednesday, February 04, 2004

Article: New law guards consumer privacy 

Once again, the Toronto Star is to be applauded for its coverage of PIPEDA. The February 1, 2004 edition had a good article on the topic: New law guards consumer privacy:

"If you are headed to your dentist's office, pharmacy or travel agency, you may be asked to sign a form before you can get service, now that new federal privacy laws are in place.

And in some cases, you may not be able to book an appointment for a family member or have someone pick up a prescription for you without specific permission. The new privacy laws are altering the way many businesses - from pharmacies to dentists, travel agents and even the much-maligned 407 toll road - do business.

'The new law means you just can't go and collect information about people willy-nilly,' says Irwin Fefergrad, registrar with the Royal College of Dental Surgeons of Ontario.

Consumers must now be told what information is collected about them, how it is used and why it is collected. Every operation, large and small, from video stores and magazine publishers to charities and accounting firms, will need to get its information management practices in order if it wants to avoid possible court action and fines, in some cases of $10,000. Consent may be written, verbal or implied - meaning that, by using a service, a person consents. However, the person must be given a chance to opt out.

Fefergrad says that will definitely mean some changes in wording and protocols. 'You can't leave personal information on voice mail, for example.'
He says people may not be able to make some dental appointments for a family member without their written permission. But he notes dentists already have strong confidentiality rules."


(Once again, there's an otherwise accurate article that suggests that you can be fined for violating consumer privacy. Not a bad message to send people fleeing to privacy lawyers, but the info is still wrong.)



Monday, February 02, 2004

Article: Federal privacy law is a dog's breakfast 

Today's Toronto Star has two columns about PIPEDA that bear a close read. The first, by Richard Owens of the Centre for Innovation Law at the University of Toronto, is a critique of Michael Geist's earlier article (referred to below): "Federal privacy law is a dog's breakfast":


"The costs of the Quebec government's constitutional challenge to the federal privacy law are too high, Michael Geist argued in his Jan. 19 column in this newspaper. He fears the consequence, that the law may be struck down and replaced with a patchwork of provincial laws.
But are those costs really too high? There are several good reasons to doubt it. The federal legislation does its job poorly; provincial legislatures might offer legislation that does the job better; and the structure of the federal legislation itself encourages a patchwork of laws."


The Star also has a surrebuttal by Michael Geist: "CANADA badly needs a national standard".


Sunday, January 25, 2004

Article: Swiping driver's licenses - instant marketing lists? 

A little while ago, I wrote about biometrics on driver's licenses and particularly referred to the practice of swiping driver's licenses (below). Debora Pierce, who regularly writes on law and technology issues in the Seattle Press, has an article on the topic that I just found: The Seattle Press - LAW&TECHNOLOGY: Swiping driver's licenses - instant marketing lists?:


"IN AN effort to cut down on underage drinking and smoking, many bars, clubs, and restaurants have begun to use devices that scan driver's licenses. In addition to verifying the age of the driver's license holder, the scanner also picks up all of the information in the magnetic stripe found on the backs of most driver's licenses. The obvious benefit is that underage drinking and smoking is curtailed, but that benefit comes at a price. Here is another case where technology has outpaced the law, and the casualty is privacy."



I would suggest that the automatic swiping of driver's licenses at bars is very likely in violation of law. PIPEDA requires knowledge and consent for the collection, use or disclosure of personal information. From what I understand, individuals are not being informed about why their cards are being swiped (collection) and how that information will be used (use). There is no "Identifying Purposes", as required by Principle 2. Individuals are not being given the opportunity to consent, let alone being asked to consent. If a bar refuses admission because you refuse to have your personal information harvested, it is in violation of the following sub-principles:


4.3.2 - The principle requires "knowledge and consent". Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.


4.3.3 - An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purposes.


If the collection is supposed to be to verify that the license has not been tampered with, it probably still amounts to a violation of Principle 4 - Limiting Collection because much more information is collected and used than is necessary for that particular purpose:


The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.


The Federal Privacy Commissioner hasn't, as far as I know, had a complaint about this practice but I am sure it is not too far off.
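To make the Limiting Collection point concrete in code, here is an added illustration that is not part of the original post and not anything a real scanner vendor ships. It contrasts a scanner routine that keeps the whole decoded stripe with one that answers the only question the venue has ("is this person of age?") and retains nothing identifying. The stripe layout, field names and the sample record are constructed for the example; they are not the real magnetic-stripe format used on driver's licenses.

```python
"""Data-minimising age check for a scanned driver's licence.

Added example (not from the blog). The 'KEY=VALUE;...' record layout and
the sample record below are CONSTRUCTED for illustration only; they do not
describe the real stripe format on any jurisdiction's licence.
"""
from datetime import date

# Constructed sample of what a scanner might decode from a licence stripe.
SAMPLE_STRIPE = (
    "NAME=JANE Q PUBLIC;ADDR=123 ANY ST HALIFAX NS;"
    "DOB=19850214;LIC=X1234567;EXP=20080214"
)


def parse_stripe(raw: str) -> dict:
    """Split the constructed 'KEY=VALUE;...' record into a dict."""
    fields = {}
    for item in raw.split(";"):
        if not item:
            continue
        key, _, value = item.partition("=")
        fields[key] = value
    return fields


def over_collecting_scan(raw: str) -> dict:
    """The practice the post objects to: the venue keeps every field
    (name, address, licence number, ...) even though it only needs an age."""
    return parse_stripe(raw)


def age_on(dob: date, on: date) -> int:
    """Whole years between dob and the given date."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def verify_age_only(raw: str, on: date, minimum_age: int) -> dict:
    """Limiting Collection in code: derive the yes/no answer from the date
    of birth and return nothing that identifies the person. Not even the
    date of birth leaves this function; an unreadable date fails closed."""
    fields = parse_stripe(raw)
    dob_raw = fields.get("DOB", "")
    try:
        dob = date(int(dob_raw[0:4]), int(dob_raw[4:6]), int(dob_raw[6:8]))
    except ValueError:
        return {"of_age": False, "reason": "unreadable date of birth"}
    of_age = age_on(dob, on) >= minimum_age
    # Explicitly discard the decoded record once the decision is made, so a
    # later "let's just log it" change has nothing to log.
    del fields, dob
    return {"of_age": of_age, "reason": "ok"}


if __name__ == "__main__":
    print("over-collecting :", over_collecting_scan(SAMPLE_STRIPE))
    print("minimised (2004-02-13):", verify_age_only(SAMPLE_STRIPE, date(2004, 2, 13), 19))
    print("minimised (2004-02-14):", verify_age_only(SAMPLE_STRIPE, date(2004, 2, 14), 19))
```

The design point is that the minimised routine's return value is the whole of what the venue retains: a boolean and a reason code. If a venue genuinely needs to detect tampered cards, that check belongs in the same function and should likewise return only a verdict, not the fields it inspected.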





Friday, January 23, 2004

Findings: New findings issued by the Office of the Privacy Commissioner 

Commissioner's Findings - Privacy Commissioner of Canada - For the first time in quite a while, the Office of the Privacy Commissioner has issued a new batch of findings (and when I say "new", it only means newly-released because they all date from August through September of last year):




Sunday, January 18, 2004

Halifax Cams - CCTV in public places 

Halifax Cams - CCTV in public places: "Halifax Cams - Privacy Issues
Outdoor closed circuit television cameras (CCTV) in Halifax, Nova Scotia, Canada
Privately owned cameras in public place"

CBC News: RCMP to investigate Radwanski 

CBC News: RCMP to investigate Radwanski:


"OTTAWA - The RCMP is launching a criminal investigation into the spending of former privacy commissioner George Radwanski and several of his top officials, the National Post reported Saturday."

