1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Closing the Gap between Privacy Policies and the Use of Portable Storage Devices

The Office of the Privacy Commissioner of Canada has released its Report of Findings from a year-long investigation into a significant incident involving the loss of personal data at the former Ministry of Human Resources and Skills Development Canada (HRSDC).

In late 2012, an employee of HRSDC discovered the loss of an external hard drive containing the personal information of 583,000 Canada student loan borrowers, and 250 employees. The external hard drive was a 1 terabyte external drive that was being used to backup information prior to the migration of information on HRSDC’s network. According to the Report of Findings, the backup was unnecessary to the migration but was conducted as a risk mitigation measure.

However, this “work around” created significant risks for HRSDC. Remarkably, the drive was not encrypted or even password protected. Nor was the drive inventoried by serial number. The drive was not stored in a vault. Instead, the hard drive was stored frequently but not always in a lockable filing cabinet located in an employee’s cubicle, in an envelope, hidden under suspended files.

Although HRSDC had many sound policies, there were significant gaps in practices. Among the notable observations and recommendations in the report and accompanying guidance are:

  • Privacy impact assessments and threat risk assessments are critical elements of an accountability framework. They should be conducted for the use of portable storage devices.

  • Portable storage devices should only be used as a last resort for the storage or transfer of personal information. They should not be used as permanent storage.

  • Portable storage devices used for personal information should be protected by strong technological safeguards, such as encryption.

  • Assets, such as portable storage devices, that are used to store personal information should be inventoried, monitored and tracked.

  • Organizations should verify compliance with policies regarding safeguards by periodically conducting security reviews, including physical checks to ensure that the portable storage device is being safeguarded.

  • Organizations should scan networks for unauthorized devices.

One of the issues not addressed in detail in the Report of Findings or the accompanying guidance is the root causes for the use of portable storage devices. In this case, it is not clear that the use of the external hard drive was necessary as a precaution against loss of data. The benefits of subjecting work processes and technologies to a privacy impact assessment or threat risk assessment is that the organization is more likely to examine the privacy and security issues in a systemic way that will reveal the root causes for the use of media such as portable storage devices. For example, are they being used because of a lace of trust or understanding about the migration or back up of data? Is it because remote access is not available or unreliable? Are there IT infrastructure limitations that should be addressed?

The Report of Findings may be found here. A Fact Sheet containing Tips for Federal Institutions Using Portable Storage Devices may be found here. Although the Fact Sheet is directed at governmental agencies, it has broader application under the OPC’s Accountability Guidelines released last year in conjunction with the Information and Privacy Commissioners of Alberta and British Columbia.

,

Closing the Gap between Privacy Policies and the Use of Portable Storage Devices

Private sector, not government, “big data” under White House review

PC World: A White House-ordered privacy review group will focus its attention on the private sector’s use of data, rather than the government’s, according to the group’s leader. By focusing on companies, the group hopes to “get a more holistic view of the state of the technology,” John Podesta, White House counselor, said on March 3 at the Massachusetts Institute of Technology.  Podesta was charged with leading the government review of “big data” earlier this year, as President Obama announced plans to reform government surveillance programs. Monday’s event was the first of three university-based events being co-hosted by Podesta’s review group.  The review group has roughly three months to produce a report analyzing the state of “big data” practices, predict future uses and determine how well current policies fit with those practices and uses.  Although the review was announced as the president focused on reforming government surveillance practices, including at the National Security Agency, Podesta said on March 3 that his group will focus on the private sector, while others will focus on the public sector.

Story Here

, ,

Private sector, not government, “big data” under White House review

OPC Calls for Greater Oversight of Canadian Intelligence Community

On January 28, 2014, the Office of the Privacy Commissioner of Canada (OPC) tabled a special report to Parliament on privacy oversight for Canada’s intelligence-gathering agencies. Titled “Canadian Checks and Controls: Reinforcing Privacy Protection and Oversight for the Canadian Intelligence Community in an Era of Cyber-Surveillance,” the special report contains a mature and measured analysis of the governance issues in balancing privacy and intelligence gathering for national security.

The OPC makes recommendations in three areas. These recommendations include:

1. Greater Transparency. Augment existing review and reporting mechanisms through:

  • Reporting statistics annually on instances in which the Communications Security Establishment Canada (CSEC) assists other Canadian federal agencies when it receives requests for interception, as well as tabling annual reports by CSEC to Parliament.
  • Extending existing reporting requirements on use of surveillance in Public Safety Canada’s annual reports, separating domestic and foreign mandates, and those activities that are authorized by warrant and those that are warrantless.
  • Updating public disclosure providing an overview of Canada’s intelligence community and engage in a dialogue regarding mandates and how Canada’s intelligence community cooperates with global partners.
  • Reporting on consideration, rejection or implementation of recommendations from previous commissions of inquiry and policy reviews of Canada’s Intelligence Community.

2. Privacy Law Modernization. Modernize Canada’s privacy protections by:

  • Reforming existing privacy legislation to require privacy impact assessments prior to implementing new programs.
  • Strengthening provisions relating to exchange of information with foreign authorities to ensure that there is an investigative foundation for information and to ensure clear rules for cooperation.
  • Expanding grounds for recourse to the Federal Court.
  • Permitting the OPC to cooperate with other oversight bodies governing Canadian intelligence agencies.
  • Regulating use of and access to online sources and social networking sites by government agencies.

3. Accountability. Strengthen accountability by:

  • Bolstering the powers of oversight bodies, particularly with respect to joint reviews.
  • Clarifying legislative authority for certain intelligence gathering activities.
  • Increasing the role of Parliament in oversight.

The full report can be found here.

,

OPC Calls for Greater Oversight of Canadian Intelligence Community

Major Tech Companies Call for Greater Digital Due Process in Government Surveillance

AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo have issued an open letter to Washington calling on politicians to reform government surveillance worldwide.

The organizations have outlined five principles that they believe encapsulate and are consistent with “global norms of free expression and privacy” and “the goals of ensuring that government law enforcement and intelligence efforts are rule-bound, narrowly tailored, transparent, and subject to oversight”.

The principles are:

1. Limiting Governments’ Authority to Collect Users’ Information. No bulk downloads of information. Codification of limitations on the ability to compel service providers to disclose data. Limiting surveillance to specific, known users for lawful purposes.

2. Oversight and Accountability. Executive powers to be subject to strong checks and balances and subject to review by independent courts and an adversarial process. Rulings of law should be made public in a timely manner.

3. Transparency About Government Demands. Companies should be able to publish the number and nature of government demands and governments should do so as well.

4. Respecting the Free Flow of Information. Data flow across borders should not be inhibited and service providers should not be required to locate infrastructure within a country.

5. Avoiding Conflicts Among Governments. Mutual legal assistance treaties to permit obtaining data across borders should be robust, principled and transparent and governments should resolve conflicts between their laws.

The Reform Government Surveillance website is here. Microsoft’s General Counsel, Brad Smith, has a blog post here.

 

 

 

 

,

Major Tech Companies Call for Greater Digital Due Process in Government Surveillance

Privacy at Too High a Price Supreme Court of Canada Rules

The Supreme Court of Canada has just released the much anticipated decision in Information and Privacy Commissioner, et al. v. United Food and Commercial Workers, Local 401. The case is also known as the Palace Casino case.

The Supreme Court has upheld the invalidity of provisions of Alberta’s private sector privacy legislation, providing the government of Alberta 12 months to make changes to the legislation to recalibrate the balance of freedom of expression and privacy.

The core of the case was to determine whether the narrow exemption in Alberta’s Personal Information Protection Act (PIPA) for the collection, use and disclosure of personal information for “journalistic purposes and for no other purpose” and the very narrow exemption for “publicly available” information was a reasonable limit in a free and democratic society on section 2(b) of Canada’s Charter of Rights and Freedoms (Charter), which protects “freedom of thought, belief, opinion and expression, including freedom of the press and other media of communication.”

As followers of Canadian privacy law may understand, “publicly available” information is restricted in PIPA and other privacy statutes in Canada to a limited class of records such as voluntary listings in directories and governmental registries and, even then, is only exempt for narrow purposes. Unlike Canada’s federal legislation (the Personal Information Protection and Electronic Documents Act), the restrictions in Alberta’s PIPA apply to non-commercial activities as well as commercial activities.

The Supreme Court of Canada has concluded that the infringement of the right to freedom of expression is disproportionate to the government’s objective of providing individuals with control over the personal information. The context and specific nature of the infringement was important. The images were taken at a picket line. The union’s activity was not surrepticious. PIPA’s application restricted activities in the context of labour relations, where the Supreme Court has long been sensitive to protecting freedom of expression (much more so than in commercial activities).

Although the reasoning in the case has application beyond the picket line, the Supreme Court was careful not to diminish the very important privacy interests at stake. The Supreme Court unequivocally stated that individuals have privacy rights even while they are in public:

“It goes without saying that by appearing in public, an individual does not automatically forfeit his or her interest in retaining control over the personal information which is thereby exposed. This is especially true given the developments in technology that make it possible for personal information to be recorded with ease, distributed to an almost infinite audience, and stored indefinitely. Nevertheless, PIPA’s restrictions operate in the context of a case like this one to impede the formulation and expression of views on matters of significant public interest and importance.”

Background

The case arose out of a labour dispute between workers and management at Palace Casino in Edmonton, Alberta. The union set up picket lines and took video and still pictures of individuals around the area of the picket lines. Signs in the area stated that images of those who the crossed picket line might be placed on a website entitled “www.CasinoScabs.ca”. In fact, it did not appear that the images were not distributed or published with one exception. The image of a vice president of the casino was placed on a mock “police mug shot” poster. It was also used in what the court of appeal described as “other satirical ways.”

Privacy Commissioner Orders Union to Stop

The Adjudicator for the Information and Privacy Commissioner concluded, among other things, that the union had not collected the images, which were personal information of the individuals, solely for journalistic purposes and, therefore, the exemption did not not apply. Nor did other exemptions dealing with collection personal information for legal proceedings, since that did not cover all of the images, such as the one of the vice-president that was used satirically. The Adjudicator ordered the union to cease collecting, using and disclosing images for any purpose other than the authorized investigation or legal proceeding and to destroy those that were improperly collected.

Alberta Courts Find PIPA Restrictions Unconstitutional

The Adjudicator’s order was judicially reviewed by the Alberta Court of Queen’s Bench and quashed on the basis that it permissibly interfered with the union’s freedom of expression. The case was further appealed to the Alberta Court of Appeal, which also concluded that the provisions of PIPA violated the Charter. The Court of Appeal concluded that PIPA was over-broad in the following ways:

    • “ It covers all personal information of any kind, and provides no functional definition of that term. (The definition of “personal information” as “information about an identifiable individual” is essentially circular.) The Commissioner has not to date narrowed the definition in his interpretation of the Act in order to make it compliant with Charter values.”
    • “The Act contains no general exception for information that is personal, but not at all private. For example, the comparative statutes in some provinces exempt activity that occurs in some public places.”
    • “The definition of “publicly available information” is artificially narrow.”
    • “There is no general exemption for information collected and used for free expression.”
    • “There is no exemption allowing organizations to reasonably use personal information that is reasonably required in the legitimate operation of their businesses.”

The Court of Appeal held:

“While the protection of personal information is important, it is no more important than collective bargaining and the rights of workers to organize. It is also no more important than the right of the union to communicate its message to the public. On the other hand, the privacy interest being protected here is minimal. The persons who were videotaped were in a public place, crossing an obvious picket line, in the face of warning signs that images were being collected. The privacy expectations were very low. Protecting that low expectation of privacy does not warrant the significant stifling of expression that resulted from the Adjudicator’s order.”

 PIPA Exacts Too High A Price

The Supreme Court of Canada reaffirmed that privacy legislation in Canada is quasi-constitutional. The Court accepted that the there were demonstrable benefits to PIPA. PIPA responds to an important need in Canadian society to protect informational privacy of individuals in an era in which “the list of those who may access and use personal information has expanded dramatically and now includes many private sector actors.” The Court stated that “providing an individual with some measure of control over his or her personal information is intimately connected to individual autonomy, dignity and privacy, self-evidently significant social values.” The Court characterized PIPA as seeking “to avoid the potential harm that flows from the permanent storage or unlimited dissemination of personal information through the Internet or other forms of technology without an individual’s consent.”

However, the Court also concluded that PIPA exacts too high a price when balanced against the importance of freedom of expression in the context of labour relations. The court concluded that PIPA limits the collection, use and disclosure of personal information (without consent) without “regard for the nature of the personal information, the purpose for which it is collected, used or disclosed, and the situational context for that information.”

The problem was that there was no way to accommodate the important expressive purposes of unions engaged in lawful strikes resulting in a general prohibition of the union’s use of personal information to further its collective bargaining objectives unless it had consent of the individual.

PIPA’s interference with freedom of expression was problematic when the situational context was considered. The collection of the images was not surreptitious. It occurred at an open, public demonstration. The court concluded that a reasonable person crossing the picket line would have expected that their image could be caught and disseminated by others. These images did not, in the Court’s view, engage “intimate biographical details” of “the lifestyle or personal choices of the individuals”.

The Supreme Court of Canada has declared PIPA to be invalid but has suspended the declaration of invalidity for 12 months to provide the Alberta Legislature with an opportunity to re-balance the rights of freedom of expression and privacy in a constitutionally compliant manner.

, , ,

Privacy at Too High a Price Supreme Court of Canada Rules