The Canadian Privacy Institute

newfoundland &
labrador

north-West
territories & Nunavit

Software Updates
expose users to
Privacy Risks

Canada

• A new study finds that Canadian and U.S. firms comply with privacy regulations for markedly different reasons. The study finds that U.S. firms comply due largely to obey the law and avoid potential litigation, while their Canadian counterparts see their privacy practices as more a matter of information ethics and an opportunity to improve customer relationships [ visit ] • The Federal Government has declared both British Columbia and Alberta privacy laws to be “substantially similar”. Therefore, PIPEDA does not apply to the collection, use and disclosure of personal information by provincially regulated organizations that occurs within Alberta or British Columbia . PIPEDA will apply if you disclose personal information across provincial borders. • Summary of PIPEDA Legislation - CPAC-PIPEDA - CPAC-Collecting Information - CPAC-Consent - CPAC-Use of Information & Retention • Privacy Worldwide - CPAC-International Privacy Legislation • Office of the Privacy Commissioner [ visit ] • Parliamentary Report regarding Office of the Privacy Commissioner [ visit ] • Commentary on change of Privacy Commissioners [ visit ] • The American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) have proposed a privacy framework that provides criteria and related material for protecting the privacy of personal information. [ back to top ]

	British

• The British Columbia privacy law has been declared to be substantially similar to the federal law. Therefore, PIPEDA does not apply to the collection, use and disclosure of personal information by provincially regulated organizations that occurs within British Columbia. PIPEDA will apply if you disclose personal information across provincial borders. • David Loukidelis continues to focus on transborder data flow – see his most recent speech on the subject [ view ] • Information and Privacy Commissioner for British Columbia - David Loukidelis 4- 1675 Douglas Street Victoria, British Columbia V8V 1X4 Phone: (250) 387-5629 Toll-free: 1 (800) 663-7867 (free within B.C.) Fax: (250) 387-1696 Email: info@oipc.bc.ca Web Site: [ visit ] [ back to top ]

	Alberta

• The Alberta privacy law has been declared to be substantially similar to the federal law. Therefore, PIPEDA does not apply to the collection, use and disclosure of personal information by provincially regulated organizations that occurs within Alberta. PIPEDA will apply if you disclose personal information across provincial borders. Frank Work 410, 9925 - 109 Street Edmonton, Alberta T5K 2J8 Phone: (780) 422-6860 Fax: (780) 422-5682 Email: ipcab@planet.eon.net Web Site: [ visit ] [ back to top ]

	Saskatchewan

• Information and Privacy Commissioner of Saskatchewan Gary Dickson, Q.C Information and Privacy Commissioner of Saskatchewan 100-1230 Blackfoot Drive Regina, Saskatchewan S4S 7G4 Bus: (306) 787-8350 Fax: (306) 798-1603 Web Site: [ visit ] [ back to top ]

	Manitoba

• Conservative MLA Mavis Taillieu introduced an identity theft bill in the fall of 2005 and expects it to be debated in March’06. The bill includes ground-breaking provisions such as an onus on organizations to notify individuals if their personal information is lost or stolen. PIPEDA contains no such requirements and neither do the parallel laws in other provinces. So far, the NDP government has been silent but the minister responsible has recognized that ID theft is a severe problem and that "the Manitoba Government is committed to evaluating legislation needed to help citizens avoid the consequences of having their private information stolen." It will be interesting to see if the government supports Bill 207, the Personal Information Protection and Identify Theft Prevention Act, when the opposition private member's bill is debated in the legislature in the coming days. If it does Manitoba would join BC, Alberta and Quebec in having its own privacy law. • Office of the Ombudsman Irene Hamilton, Ombudsman 750 - 500 Portage Avenue Winnipeg, Manitoba R3C 3X1 Phone: (204) 982-9130 Toll-free: 1 (800) 665-0531 Fax: (204) 942-7803 Email: ombusma@ombudsman.mb.ca Web Site: [ visit ] [ back to top ]

	Ontario

• Ontario has passed the Health Information Protection Act (HIPA) consisting of two parts : the *Personal Health Information Protection Act* , and the *Quality of Care Information Protection Act.* It will provide consistent and comprehensive rules for individuals and organizations that collect, use and disclose personal health information. [ visit ] For specific questions about the legislation, you can email healthprivacy@moh.gov.on.ca • Information and Privacy Commissioner of Ontario Ann Cavoukian Information and Privacy Commissioner of Ontario 2 Bloor Street E, Suite 1400 Toronto, Ontario M4W 1A8 Phone: (416) 326-3333 Toll-free: 1 (800) 387-0073 (free within Ontario) Fax: (416) 325-9195 Web Site: [ visit ] [ back to top ]

	Quebec

• La Commission d'accès à l'information du Québec Me Jacques Saint-Laurent, President 575, rue St. Amable, Bureau 1.10 Québec, Québec G1R 2G4 Phone: (418) 528-7741 Fax: (418) 529-3102 Toll-free: 1 (888) 528-7741 (free within Quebec) Email: Cai.Communications@cai.gouv.qc.ca Web Site: [ visit ] [ back to top ]

	New Brunswick

• Bernard Richard, Ombudsman Province of New Brunswick 767 Brunswick Street P.O. Box 6000 Fredericton , New Brunswick E3B 5H1 Phone: (506) 453-2789 Fax: (506) 453-5599 Email: nbombud@gnb.ca Website: [ visit ] [ back to top ]

	Nova Scotia

• Freedom of Information and Privacy Review Officer Dwight Bishop P.O. Box 181 Halifax, Nova Scotia B3J 2M4 Phone: (902) 424-4684 Fax: (902) 424-8303 Email: bishopd@gov.ns.ca Web Site: [ visit ] [ back to top ]

	Prince Edward Island

• Information and Privacy Commissioner of Prince Edward Island Rebecca Wellner J. Angus MacLean Building 180 Richmond Street P.O. Box 2000 Charlottetown, Prince Edward Island C1A 7N8 Telephone: (902) 368-4099 Fax: (902) 368-5947 Email: rmwellner@gov.pe.ca Web Site: [ visit ] [ back to top ]

	Newfoundland and Labrador

• The Access to Information and Protection of Privacy Act (ATIPPA) was passed by the Newfoundland and Labrador House of Assembly in March of 2002 and the access provisions were proclaimed into force on January 17, 2005. The privacy provisions (Part IV) of the Act are not yet in force. The ATIPPA repeals and replaces the Freedom of Information Act which came into effect in 1981. The ATIPPA governs access to records in the custody of or under the control of a public body and sets out requirements for the collection, use, storage and disclosure of personal information contained in the records they maintain. • Phillip Wall, Privacy Commissioner 5th Floor, East Block Confederation Building P. O. Box 8700 St. John’s, NL A1B 4J6 Telephone: (709) 729-6309 Facsimile: (709) 729-6500 Toll Free: 1-877-729-6309 (in Newfoundland and Labrador only) E-mail: oipc@nv.nl.ca [ back to top ]

North-West Territories and Nunavit

• Information and Privacy Commissioner of the Northwest Territories , and Information and Privacy Commissioner of Nunavut Elaine Keenan Bengts 5018, 47th Street Yellowknife, Northwest Territories X1A 2N2 Phone: (867) 669-0976 Fax: (867) 920-2511 Email: atippcomm@theedge.ca • Information and Privacy Commissioner of Nunavut 5018, 47th Street Yellowknife, Northwest Territories X1A 2N2 Phone: (867) 669-0976 Fax: (867) 920-2511 [ back to top ]

	Yukon Territory

• Ombudsman and Information and Privacy Commissioner of the Yukon Hank Moorlag 211 Main Street, Suite 200 P.O. Box 2703 Whitehorse, Yukon Territory Y1A 2C6 Phone: (867) 667-8468 Fax: (867) 667-8469 Email: email.ombudsman@ombudsman.yk.ca Web Site: [ visit ] [ back to top ]

	Australia

• Constitutional protections for privacy do not exist at either the federal or provincial level in Australia . The Privacy Act of 1988 is comprehensive European-style legislation, providing a wide range of privacy protections, although with a number of significant exemptions and differences, including a greater role for self-regulation and voluntary compliance. But while the Act applies to the processing of the personal data of applicants, for the most part it does not apply to the processing of the personal data of employees. Furthermore, transfers out of Australia are allowed if the transfer is to a related company or corporate parent, regardless of the location of the receiving entity. Based upon a January 2001 opinion of the Article 29 Working Party, the European Commission is unlikely to find that the Act meets the adequacy test of the European Union without further amendment. [ view ] Karen Curtis, Privacy Commissioner GPO Box 5218 Sydney NSW 2001 Phone: 1300 363 992 TTY: 1800 620 241 Fax: +61 2 9284 9666 E-mail: privacy@privacy.gov.au Web: [ visit ] [ back to top ]

	India

• Privacy studies have been conducted across the world to understand privacy perceptions and concerns. In particular there have been many studies conducted in the US, but very little information has been published about privacy perceptions and concerns in India. The Business Process Out-sourcing (BPO) industry and the software industry in India are experiencing the need for privacy studies because of outsourcing of personal information to India from other countries. The Indian BPO industry currently employs over 900,000 people and is expected to employ 2 million people by 2008. [ view ] [ back to top ]

	Japan

• The Japanese Constitution provides the right of individuals to life, liberty and the pursuit of happiness. Based on this right in the Constitution and on basic tort law, the concept of privacy and privacy rights has long existed separate and aside from privacy laws. However, companies essentially did what they wanted to do. Outsourcing was largely unregulated, and lax security procedures were common, leading to many leaks of personal information. The Nikkei (general business press) reported that 70% of data leaks were “inside” thefts by service providers or employees. Taking data without permission was very poorly covered by the law generally, since taking data itself was not theft. The formal privacy law was enacted in 2003 and went into effect on April 1 2005. [ back to top ]

	United Kingdom

• On June 11, 2003 the UK Information Commissioner released the long-delayed third part of the Employment Practices Data Protection Code, on monitoring in the workplace. [ view ] • Freedom of Information – One Year on A year after the Freedom of Information Act came into force, the majority of public authorities say that the Act is beneficial and is helping to create a culture of greater openness in the public sector. [ view ] Information Commissioner's Office in Wilmslow, England Wycliffe House Water Lane Wilmslow, Cheshire SK9 5AF Fax: 01625 524 510 DX 20819 [ back to top ]

	USA

• The American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) have proposed a privacy framework that provides criteria and related material for protecting the privacy of personal information. Comments are requested no later than August 31, 2003. [ visit ] • March 2006 - New civil liberties protections made the Patriot Act's passage possible. To critics, these changes are superficial but the bill's defenders say its provisions are necessary. The civil liberties package clarifies that most general-purpose libraries are not subject to demands made in so-called National Security Letters for information about suspected terrorists. In addition, recipients of court-approved subpoenas for information in terrorist investigations: Will have the right to challenge the requirement that they not tell anyone about the subpoena. Will no longer be forced to provide the FBI with the name of their lawyer. The most adamant opponent of the Patriot Act in the Senate, Russell Feingold (D) of Wisconsin, held that most of the civil liberties changes would have little real effect, in practice. But he acknowledged that in political terms the provisions had worked, and the bill was virtually certain to clear all reauthorization hurdles. In the end, the change makes clear that only libraries that are Internet service providers are subject to subpoenas for information. Most libraries are not providers, but only have access to the Internet. With congressional reauthorization, the Patriot Act may now be more entrenched — but some of its most important provisions will face another reauthorization in four years. Included are sections which allow roving wiretaps and permit secret warrants for books, records, and other items from businesses, hospitals, and some libraries as well as the power to wiretap "lone wolf" terrorists, who may operate on their own. BC Privacy Commissioner David Loukidelis has long championed the concerns of Canadians about the ease with which Patriot Act provisions cross the 49th parallel. [ view ] [ back to top ]

Software Updates Expose Users to Privacy Risks by Lindsey Arkley

SYDNEY, Australia -- Canada and more than 20 other countries have issued a warning to computer users that software companies could be surreptitiously stealing personal data as they provide updates to their products online.

The warning came in a resolution, co-sponsored by Ontario passed at the end of a conference last week in Sydney of data protection and privacy commissioners from around the world.

Software manufacturers worldwide were increasingly using "non-transparent techniques" to transfer updates online, the resolution said.

These allowed the manufacturers to collect personal information stored on users' computers, such as Internet browsing habits, without the users even being aware of it happening, let alone being able to try to prevent it.

In some cases, the commissioners warned, manufacturers could gain at least partial control over the target computers -- and restrict the owners' ability to meet legal responsibilities or to ensure the security of data.

"This may cause particular problems in government institutions and private companies to the extent that they are under specific legal obligations how to process personal information," the resolution said.

Users requesting software updates online should only have to provide a minimal amount of personal data, and the download process should not involve any unchecked access to their computers, it said.

The resolution was endorsed by Heather Black, an assistant Privacy Commissioner of Canada, and more than 20 national counterparts from Australia, New Zealand, Asia and Europe.

Ontario's invitation to take joint leadership on the issue with five European countries was in recognition of its pioneering work in a number of privacy protection areas, said Ken Anderson, the province's deputy Privacy Commissioner.

"We recognise that this is a worldwide problem and as we follow this up we will be expecting any company involved in software updates to comply," he said.

One major Ontario initiative, advanced further during the Sydney conference, was a proposed international system of certification of privacy enhancing technology, Anderson added.

"The Ontario office is a shining light in the privacy commissioner community," confirmed the Sydney meeting's chairman, Australia's federal Privacy Commissioner, Malcolm Crompton.

"In fact the Ontario office helped to invent the term 'privacy enhancing technologies,' as opposed to privacy invasive technologies.

"They continue to do a lot of very good work in this area and we in Australia and others around the world are benefiting from this."

During the Sydney conference, the Canadian recently appointed as chief privacy strategist for Microsoft International, Peter Cullen, promised his company's commitment to addressing concerns over the behaviour of software manufacturers.

Cullen, a Vancouver native who joined Microsoft two months ago after 26 years at the Royal Bank of Canada, said privacy was a key part of the "trustworthy computing" policy outlined by company head Bill Gates earlier this year.

"On the privacy front, we realise we've got to give customers more control and choice over how their information is collected and used, and in ways that are easily understood," Cullen said.

"Sometimes the emotional concern over privacy tends to sort of govern the behaviour of consumers, and the down side of that from a business perspective is missed opportunities."

Microsoft's next Windows operating system, dubbed Longhorn after a bar in Whistler, B.C., and expected to be released in 2005, would incorporate new privacy safeguards, Cullen said.

"It will be much more transparent, much more upfront," he said. "The customer will get a lot more information about privacy as well as a lot more access to different privacy tools at the click of a mouse, as opposed to having to look two or three levels down."

Microsoft's stated commitment to improved privacy protections were dismissed by another participant at the Sydney conference, Cedric Laurant, from the Washington, D.C.-based Electronic Privacy Information Centre.

"I think it is just probably just a PR motto," said Laurant, whose centre led a coalition of U.S. consumer groups which last year forced Microsoft to amend security and privacy promises made through its "passport" Internet services.

"I think they have shown in the past that they couldn't care less about the privacy of their users," he said.

[ back to top ]