15-28 February 2011

Biometrics 

CA – OPC Issues Report on Biometrics and the Challenges to Privacy

Canadians are witnessing a growing interest among government and private-sector organizations in adopting systems that use biometric characteristics to automatically identify people or verify their identity. But whether a fingertip, a face or an iris is being scanned, what’s being collected is personal information about an identifiable individual. The Office of the Privacy Commissioner of Canada has prepared a primer on biometrics (“Data at Your Fingertips”) and the systems that use them. It also describes some of the privacy implications raised by this emerging field, as well as measures to mitigate the risks. [Source]

Canada 

CA – Alberta Proposes Missing Persons Act

New legislation proposed by the Alberta government will make it easier for police when searching for missing persons. Bill 8: the Missing Persons Act will allow a police agency to obtain the personal information they need to help find missing persons in cases where the police have no reason to suspect that a crime has been committed. The proposed legislation is intended to balance fundamental privacy rights with access to important information such as cell phone and financial records. [Source]

CA – Funding Available for Privacy Research and Education in Canada

The Office of the Privacy Commissioner of Canada is calling for proposals for cutting-edge privacy research and public education projects in Canada. The application deadline is March 14, 2011. The Office is interested in receiving research proposals focusing on four priority areas: 1) identity integrity and protection, 2) information technology, 3) genetic privacy, and 4) public safety. However, the Office will continue to accept research proposals on issues that fall outside these areas. As well, the Office invites proposals to fund public education and regional outreach initiatives that aim to inform Canadians about their privacy rights and how they may better protect their personal information. All proposals will be evaluated on the basis of merit by OPC officials, and the maximum amount that can be awarded for each research or public education project is $50,000. Not-for-profit organizations, including education institutions and industry and trade associations, are eligible, and this includes consumer, voluntary and advocacy organizations. [Source]

CA – Supreme Court Debates National Security Versus Privacy

Canada’s highest court will have a tough decision later this week when it has to choose between the public’s right to know versus national security issues when it comes to the domestic activities of both CSIS and the RCMP. In what’s being called a case of history against national security, the Canadian Press is challenging the government’s refusal to fully disclose the 1,142-page dossier on socialist icon Tommy Douglas, widely regarded as the father of Canada’s medicare system. Uncensored information released by Library and Archives Canada shows RCMP security officers shadowed Douglas for 50 years, showing particular interest in his links to the peace movement and Communist party members. The library is refusing to release the entire dossier saying fuller disclosure would jeopardize the country’s ability to detect, prevent or suppress “subversive” activities. [Source]

Consumer 

US – Research: Consumers Want Transparency, Control

Recent research indicates that when it comes to online privacy, what consumers want is security and control. Ball State University’s Center for Media Design found that “the notion of privacy is actually ‘situational’ and depends on the context of the consumer, the nature of their information being tracked and the organizations that are tracking it,” the report states. With a focus on how consumers—rather than advocacy, industry or regulatory groups—react to online tracking, the first round of research found that college students surveyed are concerned about online tracking, but the focus is “not about privatizing their information. It’s about keeping it secure.” [Source] [Research website]

E-Government 

CA – Bureaucrats Sending Sensitive Information on BlackBerrys

Senior federal bureaucrats are sending sensitive government information on their BlackBerrys despite warnings to stop. Deputy ministers at Transport Canada, Veterans Affairs and Public Works have all used a BlackBerry feature called PIN messaging to discuss information that is supposed to be secure. The vulnerability of government communications was exposed this week with the revelation that computer networks at two federal departments were compromised by hackers. Exactly what the hackers were after is unclear but Internet service at the Treasury Board and finance department has been curtailed as a result. [Source] See also: [Foreign hackers attack Canadian government] and [Montreal councillors’ email privacy questioned]

US – US Immigration Computer System Vulnerable to Insider Threats

According to a report from the Department of Homeland Security (DHS) Office of the Inspector General (OIG), the US Citizenship and Immigration Services’ (USCIS) processing system is vulnerable to insider threats. The OIG brought in a third-party group from Carnegie Mellon University’s Software Engineering Institute to evaluate insider threats on systems at USCIS. [Source]

CA – Family Suing Alberta Government Over Alleged Privacy Breach

Four years of domestic abuse “hell” followed by nearly a decade-long battle to obtain a nationwide name change came crashing down for a Canadian mother and daughter after the Alberta government posted their identities online. “Jane” and her daughter “Janet Doe” obtained Unpublished Secure Name Changes more than five years ago and began rebuilding their lives with new connections, relocation and the security of never having to look over their shoulders. But all the effort and security went up in flames after a Google search revealed both the old and new identities of the Does were published online in the Alberta Gazette – the official newspaper of the Government of Alberta. Now, nearly 19 months after contacting top Canadian officials, agencies and individual organizations for a settlement, no restitution has been received. [Source]

E-Mail 

WW – Google Investigating Problem that Reset 150,000 Gmail Accounts

Google is looking into a problem with Gmail that emptied the inboxes of a small percentage of users over the weekend. Some users have had their information restored; Google engineers are working on the problem. About 150,000 accounts appear to have been reset, meaning that users cannot access their stored emails, attachments and chat logs. [Source] [Source] [Source]

Electronic Records 

AU – APF Concerned About E-Health Implementation

The head of the Australian Privacy Foundation says that patients’ medical data is vulnerable because e-health projects are being planned absent their input. “Because consumer representatives have had so little input, there’s a very strong chance sensitive data will be compromised, and the system won’t suit people’s needs,” says Roger Clarke, who adds that consumer engagement only began in January. A health department spokeswoman said that consultations with consumers and privacy groups have been “constructive,” and “The government is serious about a personally controlled system in which privacy protections will be a key element.” [Source]

CA – Feds Order Monster Hard-Drive Grinder for Sensitive Data

The federal government has ordered a monster machine to chew up its discarded hard drives, USB thumb drives, CDs, and even ancient Beta videotapes. Like a tree chipper, the grinder will rip apart a range of data-storage devices into pieces so tiny the sensitive information can never be recovered. The Public Works Department is calling for “destruction equipment that performs disintegration, which is the physical demolition of electronic storage devices to particle sizes too small for data retrieval or reassembly,” says a recent tender document. Until 2005, the RCMP’s technical security branch provided departments with free hard-drive overwrite software, known as DSX. But the Mounties stopped supporting the program six years ago because it often did not work properly on newer drives with larger storage capacities, leaving confidential information in place. Some newer hard drives have software embedded in them that allows their entire contents to be securely erased on the proper command. But data storage in other formats such as memory sticks, and even in some new hard drives, sometimes cannot be reliably overwritten, creating headaches for security-conscious departments. [Source] [UK – The Limits of Anonymisation in NHS Data Systems]

WW – Erasing Data on SSDs Proves Difficult

A study published by researchers at the University of California at San Diego says that it is more difficult to erase data from solid state drives (SSDs) than from hard disk drives (HDDs). On some SSDs, overwriting the data several times can make it inaccessible, but some techniques proved more successful than others. Techniques for sanitizing hard drives may not work well on SSDs because their internal architecture is so different. Cryptographic erasure appears to be quite effective: the device is encrypted so that users must provide a password to use it, and when the device is ready to be retired, the cryptographic keys on the SSD are deleted. [Source]

EU Developments 

EU – Europe’s Top Court to Hear Google Case

The European Court of Justice (ECJ) will consider the Spanish Data Protection Authority’s demands for Google to remove from search results the links to Web sites that contain certain information about citizens. The ECJ will “offer guidance on whether Spain’s demands comply with European law.” A Google official said the company is pleased that Europe’s top court will review the issue. “It shows that key issues are at stake,” said Google’s head of European external relations. “We believe that European law rightly holds the publisher of material responsible for its content.” [Source]

EU – Regulators Seek Stronger IP Address Protection

German data regulators are considering making it illegal for Web companies to provide their visitors’ IP addresses to third parties without their users’ permission. The Lower Saxony DPA has already moved in that direction, with Data Protection Commissioner Joachim Wahlbrink recommending that users’ permission be in place before IP addresses can be passed on to advertisers. Germany’s revised law only allows the use of personal information for marketing “if the individual has expressly consented to such use.” The Lower Saxony DPA’s order to one online marketer to remove an ad tool feature may result in a lawsuit from the company, the report states. [The Register]

EU – AFCDP Report Finds Lack of Compliance

The French Association of Data Protection Officers (AFCDP) has determined that 82% of organizations do not abide by the French Data Protection Act. The AFCDP’s annual report for 2011, published last month, found that just 18 percent of responding organizations addressed information access requests in a “legally satisfactory manner,” Monique Altheim writes, adding, “This very useful survey by the AFCDP illustrates how the passing of data protection acts alone is totally useless unless these laws actually get enforced,” questioning that “if legislation does not even guarantee significant compliance, what kind of compliance will ‘self-regulation’ achieve?” The AFCDP’s Bruno Rasle told the Daily Dashboard that most individuals are not familiar with the right of access, “So it is not, until now, very often used,” and “organizations are not ‘trained’ to handle it when it occurs.” Rasle explained that the French press only began writing on this right last year, “but things change. Our results show the presence of a CIL (French version of DPO) provides better quality response. For AFCDP, it is a strong sign: Someone is needed to handle the subject/do the job, and the DPO is the right man. And since we’ve started this index, we see a lot of improvements–thanks also to the CNIL’s onsite audits and penalties. We are confident we are going to see major improvements in the near future.” [Source]

EU – CNIL Announces Data Processing Exemption

The French Data Protection Authority (CNIL) has published its Deliberation No. 2011-023, which should make reporting requirements less odious for companies that have no operations in France but use subcontractors or cloud providers there to process data. The French Data Protection Law requires companies to file with CNIL and, in some cases, obtain authorization in advance. Under the new declaration, payroll processing, workforce management and the management of databases of clients and prospects for personal data collected outside of France will be exempt from the requirement for data that is returned to the data controller, or other specified recipient, “for the benefit of the data subject,” the report states. [Source]

Filtering 

WW – Libya Cuts Internet, Bahrain Restricts Traffic

There are reports that Internet access in Libya has been shut down. In that country, the “Internet is essentially owned and controlled by the government through a telecommunication company,” which is chaired by the eldest son of Moammar Gadhafi. The government of Bahrain has reportedly restricted Internet traffic and blocked access to YouTube in an effort to impede protesters’ momentum. The government claims the Internet traffic is lower because connections are overwhelmed. Last week, US Secretary of State Hillary Clinton announced her department’s policy on Internet freedom. [Source] [Source] [Source] [Source] [Source]

AU – Supreme Court: Data Could Prevent Fair Trial

The Australian Supreme Court has ordered newspapers to delete certain articles from their Web sites, saying that they could impact the fairness of an upcoming trial. The jurors on the trial will also be ordered to refrain from reading about or discussing the case, but “The confidence in the integrity of the jurors does not mean the court should not protect them from incidents that put their integrity to the test,” said Justice Derek Price. One publishing executive described the decision as “the modern equivalent of burning books,” and a civil liberties advocate said the order appears to “discriminate against the Internet because courts never ordered the removal of a microfiche from every library in the state.” [The Age]

Finance 

EU – Refuses to Reveal Bank Data Transfers to US

The European Commission and Europol have once again refused to reveal any information about how the Terrorist Finance Tracking Agreement between the E.U. and the U.S. is working six months after it came into force. The so-called ‘SWIFT’ accord, which allows the bulk transfer of European citizens’ financial data to the U.S. authorities, came into force on Aug. 1 last year. In December, German representatives revealed that questions from the German data protection commissioner about how many requests the U.S. has made for data and how many, if any, have been approved, were not answered. Europol said that questions could only be answered by the Commission. But the Commission said that “neither the Commission nor Europol nor the member states have the power to bindingly interpret the agreement.” Europol further indicated that such sensitive information is in any case top secret. The German delegation to the Council of Europe said that repeatedly sidestepping the questions is not helpful and will lead to growing public mistrust. [Source] [MEP: Swift ‘secrecy’ may hamper new data deals with US]

US – FINRA Imposes $600K Fine on Lincoln National Units

The Financial Industry Regulatory Authority (FINRA) has reached an agreement with Lincoln Financial Securities Inc. (LFS) and Lincoln Financial Advisors Corp. (LFA) over inadequate data security. FINRA fined the broker-dealer and financial advisory firms a combined $600,000 for allowing employees to “use shared usernames and passwords to access customer records from any Web browser on any network” and other inadequacies, the report states. FINRA fined LFS $450,000 and LFA $150,000. [Source]

WW – PCI Council Launches Training Program

The PCI Council begins its series of training programs intended to educate practitioners on Payment Card Industry Data Security Standards (PCI DSS). The courses “cover all PCI basics, including how the payment system operates straight through to how PCI works and why it is important to be compliant.” Offerings include in-person sessions as well as online training, and there will likely be supplemental guidance throughout the year. Version 2.0 of the PCI DSS went into effect last month, and merchants have one year to comply with the new standard. [Source]

FOI 

CA – Privacy Rules Halted Investigation of Rogue Scientists

The federal government has been pushing Canada’s largest research council to release the names of scientists who fudge research results, plagiarize reports or misspend grant money, according to federal documents obtained by Canwest News Service. But the Natural Sciences and Engineering Research Council has yet to change its rules, despite pointed recommendations from its political masters. The council, which distributes $1 billion in federal funding every year to thousands of researchers across the country, says federal privacy laws prevent it from identifying scientists involved in misconduct, or their universities. [Source]

Genetics 

US – DHS to Test Portable “Real Time” DNA Analyzer

The Homeland Security Department this summer plans to begin testing a DNA analyzer that’s small enough to be easily portable and fast enough to return results in less than an hour. The analyzer, about the size of a laser printer, initially will be used to determine kinship among refugees and asylum seekers. It also could help establish whether foreigners giving children up for adoption are their parents or other relatives, and help combat child smuggling and human trafficking. Only DNA can positively determine family relationships. Eventually, the analyzer also could be used to positively identify criminals, illegal immigrants, missing persons and mass casualty victims. [Source]

Health / Medical 

US – OCR Plans to Tighten Up HITECH Privacy, Security, Breach Regs

Financial penalties for single privacy and security violations will be increased to $50,000 per violation with a maximum fine of $1.5 million under final HITECH privacy, security and breach notification rules. Adam Green, senior health IT and privacy advisor at the HHS Office for Civil Rights (OCR) says changes to the current rules will be made under the OCR’s authority, will arrive in 2011 and “need to be revised to reflect the more widespread use of electronic data and electronic health records.” Besides steeper fines, key changes the OCR aims to implement include direct liability for business associates and subcontractors and restrictions on the use of patient data for marketing and fundraising, the report states. [Source]

US – HHS Stepping Up HIPAA Privacy Rules Enforcement

The US Department of Health and Human Services (HHS) appears to be getting serious about enforcing Health Insurance Portability and Accountability Act (HIPAA) privacy rules. HHS has imposed enforcement actions against two organizations for HIPAA privacy violations. Cignet Health was charged a civil monetary penalty of US $4.3 million for failing to provide patients access to their own medical records and failing to cooperate with an HHS investigation into the matter. When Cignet finally sent boxes of records to the US Justice Department, they included records for the 41 individuals who had requested their records as well as records of 4,500 other people. Massachusetts General Hospital will pay HHS US $1 million for the exposure of personal information of 192 patients when documents were left on a subway in March 2009. Both incidents are the result of business process failures rather than technology failures. [Source] [Source]

US – Advances in Health Care IT Increase Data Breach Risks, Says Deloitte

Health care organizations using advanced technologies are at increasing risk for patient data breaches, warns a new Deloitte report. The report, “Privacy and Security in Health Care: A Fresh Look”, says that as the health care industry increasingly adopts electronic health records, clinical data warehousing, home monitoring, and telemedicine, the risks of patient data breaches are also increasing. This could lead to more medical fraud and identity theft. Some of the reasons identified in the report for inadequate data protections by health care providers include lack of internal resources, poor internal controls over patient records, lack of upper management support for data security, outdated policies and procedures, and inadequate personnel training. The report recommends that the health care industry adopt a three-prong approach to improve data security: develop and implement appropriate data security controls to mitigate or avoid risk; adopt and implement policies, procedures, and training to mitigate or avoid risk; and verify organizational compliance with policies and standards. [Source] [Press Release]

UK – Patients’ Privacy Threatened In NHS Shake-Up, Say Doctors

The overhaul of the NHS will spell the end of doctor-patient confidentiality, the British Medical Association has warned. The association says new legislation will give the Government, quangos and local authorities the power to access sensitive medical details without the patient’s permission. It fears that the change will lead to patients withholding information from doctors. The doctors’ union raised its concerns in a letter to Simon Burns, the health minister. It is calling for the legislation to be redrafted so that proper safeguards are in place. [Source]

CA – Study Raises Concerns About Security Measures for Clinical Trial Data

Privacy and security safeguards designed to protect patients’ sensitive files during clinical trials are inadequate, according to a study published in the Journal of Medical Internet Research. Khaled El-Emam – Canada research chair in electronic health information at the Children’s Hospital of Eastern Ontario Research Institute – led the study.

Key Findings:

  • Researchers successfully decoded passwords for 14 of 15 files transmitted by e-mail. Thirteen of the 14 compromised files contained sensitive health data and other identifying information, such as dates of birth and names of the clinical trial site.
  • Unencrypted patient data was shared through e-mail and posted on shared drives with common passwords.
  • Some password choices were as simple as number sequences like “123” or the names of car manufacturers.
  • Having inadequate security can harm patients participating in clinical trials, potentially leading to medical and non-medical identity theft. [Source]

 

Horror Stories

US – Massachusetts General Takes $1 Million Hit for Losing 193 Patient Records

Following closely on the heels of its first Health Insurance Portability and Accountability Act (HIPAA) privacy rule fine, the Department of Health and Human Services (HHS) has doled out a $1 million fine against Massachusetts General Hospital for a data breach involving 192 patients being treated for infectious diseases. HHS levied the fine on Mass General for a data breach involving the loss of documents containing names and medical record numbers of 192 patients at the hospital’s Infectious Disease Associates practice, as well as billing forms that included names, dates of birth, medical record numbers, health insurers and policy numbers, diagnosis, and names of provider for 66 of those patients. The practice treats patients with HIV/AIDS, as well as other infectious diseases. According to HHS, the documents, which were not recovered, were left by a Mass General employee on the subway on March 9, 2009. In addition, Mass General agreed to take actions to prevent future data breaches, including implementing a set of policies and procedures regarding information that is removed from the hospital’s premises, training personnel on these policies and procedures, and designating the hospital’s director of internal audit services to serve as an internal monitor to assess the hospital’s HIPAA compliance and produce semi-annual compliance reports to HHS for three years. [Source] See also: [Patient privacy breached at St. Thomas Elgin General Hospital] and [HK – Lost Flash Drive Contains Patient Records]

Identity Issues 

IN – ‘Aadhar’ Does Not Breach Privacy: Nilekani

Allaying privacy fears surrounding ‘Aadhar’, the Unique Identification Authority of India Chairman Nandan Nilekani said the project would in no way put at risk citizens’ security and rights. “The data collected of the individual by means of biometric system will only be for the sake of their identification and access to other facilities like availing bank loans, being part of the PDS system and others. There is no way other agencies or non-concerned parties having access to the Aadhar data base,” Nilekani said. He asserted that the 12-digit Aadhar number will not have much personalised information about the resident for anyone to misuse. He said, nevertheless, the government was looking to put into place a data security law to iron out any privacy issues. UIDAI has issued close to 2 million Aadhaar numbers and targets to touch the 600 million mark by 2014. [Source] See also: [Technology diluting privacy: Indian Supreme Court] and [IN: 45% active users want to pay for goods, services through mobile]

IN – Indian Gov’t to Tighten Cyber-cafe Rules: ID & Monitoring

New rules proposed by the Indian government would require users at cyber-cafes to establish their identities, while placing the onus on cyber-cafe operators to take precautions to ensure that their computers are not utilized for any illegal activity. The proposed rules, which would come into effect under the country’s Information Technology Act, reflect concerns that the Internet is being used for illegal activities such as planning terrorist attacks and viewing pornography in public, which is illegal in India. The government has viewed public Internet services offered by cyber-cafes with suspicion for some time, and more recently it has scrutinized other online communications, including through mobile phones. Under the proposed rules for cyber-cafes, operators cannot allow a user to use computer resources without the person’s identity first being established. Users will be asked to establish their identities by producing documents such as their passport, voter identity card, photo credit card, driver’s license, or identity cards issued by schools and colleges. Users who cannot establish identity to the satisfaction of the cyber-cafe operator might be photographed by the cyber-cafe using a Web camera. The photographs are to be part of the log register, which may be maintained in physical or electronic form. The Ministry of Communications and Information Technology has invited public comments on the new rules. The rules would require cyber-cafe owners to store and maintain certain backups of logs and computer resource records for at least six months for each access or login by any user. These include the history of websites accessed, mail server logs as well as logs of any proxy servers, network devices, firewalls or intrusion prevention and detection systems that are installed. 
Partitions of cubicles in the cyber cafe would not be allowed to be higher than four and a half feet from the floor level, and minors would be denied access to computers from these cubicles unless they are accompanied by parents or guardians. The draft rules, if they come into effect, would also require that all the computers in a cyber-cafe be equipped with safety and filtering software to avoid access to websites relating to pornography, obscenity, terrorism and other material deemed objectionable. Cyber-cafes would also have to display a board, clearly visible to users, prohibiting them from viewing pornographic sites, according to the proposed rules. [Source]

Intellectual Property 

US – Lawsuits Challenge U.S. Online Data Brokers

Two lawsuits in federal court in California that challenge the way a popular online data-mining company does business could give consumers more privacy protection from firms that sell personal information on the Web. In the most recent complaint, filed last week in the Central District of California, plaintiff Thomas Robins alleged that Spokeo Inc. violated the Fair Credit Reporting Act by offering false data about individuals without giving them the chance to correct or remove inaccurate reports. The suit alleged that Robins’ Spokeo profile was rife with misinformation, stating that he was in his 50s, married with children and employed in a professional field. Robins is actually in his 20s, single and has no children. He argued that such false representations have hurt his employment prospects, causing him anxiety and lost earnings. In a similar suit filed in September in the Northern District of California, plaintiff Jennifer Purcell alleged that Spokeo marketed her personal information in violation of the FCRA, which restricts who can access personal information. Both Robins and Purcell are seeking class-action status for their cases. The lawsuits reflect efforts by privacy advocates to gain some measure of control over the data aggregators like Spokeo, which have proliferated. The Privacy Rights Clearinghouse lists over 130 online data vendors on its website, including Intelius, Jigsaw and Peek You. Robins and Purcell face the challenge of proving actual harm – a heavy burden in privacy cases where the damage is seldom tangible. [Source]

Internet / WWW 

UK – High Court: Newspaper’s Anonymous Posters Can Stay Anonymous

The Daily Mail does not have to identify the people behind two anonymously posted comments on its website because to do so would breach their rights to privacy, the High Court said. The subject of a news story had demanded information from the Daily Mail that would help her to identify the two commenters so that she could sue them for defamation, but the Court said that identification of those people would be disproportionate. But Justice Sharp said that the posters’ rights to privacy were more important than the woman’s right to take legal action about comments that were little more than “pub talk”. Jane Clift sued Slough Council after it put her on its list of potentially violent people following her complaint to the Council about the antisocial behaviour of a man in a park. The Council said that Clift’s conduct in complaining had been threatening and it put her name on the list, where it could be seen by Council departments and Government agencies, for 18 months. Clift won her case and was paid libel damages. The Daily Mail’s website carried a report on the story and a year after its publication Clift saw it. She objected to remarks made by two readers in the comments section of the web page. She asked the High Court to order the Daily Mail to give her information which could help identify the people so that she could sue them for defamation. Justice Sharp said that Clift’s case was not strong enough to merit the identification, and that she should not have taken the comments as seriously as she did. [OUT-LAW News]

US – Cyber Security Bill Expressly Prohibits Internet Kill Switch

Legislation introduced in the US Senate late last week clarifies the intent of the bill’s sponsors. The Cybersecurity and Internet Freedom Act specifically denies the President the “authority to shut down the Internet.” The new language comes in response to reports that the bill’s sponsors had written a provision for an Internet kill switch into the legislation. The new bill would require critical infrastructure operators and owners to address vulnerabilities on their networks. [Source] [Source] [‘Kill Switch’ Internet Bill Alarms Privacy Experts]

US – Legislator Calls for Secure Default Web Pages

Senator Charles Schumer (D-NY) is calling on online companies to switch their default pages from HTTP to HTTPS to help protect users who connect to the Internet through public Wi-Fi hot spots. The advent of programs like Firesheep makes it easy for people with little or no technical skill to steal sensitive information, including login credentials and financial account information. [Source]

Law Enforcement 

CA – Alberta Government Will Make Public Police Database Report

Alberta Solicitor General Frank Oberle says the government will make public an internal government report that shows how a new police database will affect people’s privacy. The government initially said it would not release the assessment of The Alberta Law Officers’ Network, known by its acronym, Talon. A spokeswoman had said that “once the privacy commissioner has reviewed it, then we will be guided by his comments.” Oberle did not say when the review will be released. His department has previously said it would be complete by early March. [Source]

US – Lawful Access Proposals: Privacy vs. Policing

The Washington Senate Judiciary Committee heard testimony on a bill that would prohibit local law enforcement agencies from collecting and storing information about an individual’s political, religious or other First Amendment-protected views unless “there is reasonable suspicion that the subject of the information is or may be involved in criminal conduct or activity.” Law enforcement turned out in force in opposition to the bill. Don Pierce, executive director of the Washington Association of Sheriffs and Police Chiefs, said the bill would prevent police from collecting information and storing it as they conduct criminal investigations. “We call these tidbits of information ‘clues,’” he said. “If you pass that bill, you will effectively prevent us from collecting that information.” Police also raised concerns about the potential cost of the bill, which calls for audits of law enforcement agencies to ensure compliance. Sen. Adam Kline, D-Seattle, the chairman of the Senate Judiciary Committee and the prime sponsor of the bill, suggested that the bill would create some accountability for agencies that investigate and collect information about protected speech. Michael German, the ACLU’s policy counsel in Washington, D.C., and a former FBI agent, said unjustified law enforcement investigations of political activity protected by the First Amendment have a chilling effect on such speech and are “damaging to democracy.” [Source] See also: [US: GBI arrests Georgia Cop for Running Tag info]

Offshore

IN – Indian Government Publishes Draft Rules

The Ministry of Communications and Information Technology has proposed three draft rules that would implement the Information Technology Act, 2000. The rules include Reasonable Security Practices and Procedures and Sensitive Personal Information, which covers information processed in India no matter its origin; Due Diligence Observed by Intermediaries Guidelines, which requires intermediaries to notify computer resources users of unethical and unsafe online activities and police these actions, and Guidelines for Cyber Cafés. The rules are open for comment through today, and according to the report, the U.S. Department of Commerce is considering submitting comments on behalf of the U.S. government. [Hunton & Williams Privacy and Information Security Law Blog]

Online Privacy 

EU – ENISA Warns About Privacy Threat from Next-Generation Cookies

The European Network and Information Security Agency (ENISA) is warning that new types of cookies with “privacy-invasive” features for marketing, tracking, and profiling pose increased privacy risks for computer users. In its policy paper Bittersweet cookies: Some security and privacy considerations, ENISA said that new types of cookies being developed by the advertising industry support user-identification in a persistent manner and do not have enough transparency about how they are being used. To mitigate the privacy and security implications of these next-generation cookies, ENISA recommends that users’ informed consent should guide the design of systems using cookies; the use of cookies and the data stored in cookies should be transparent for users. In addition, users should be able to manage cookies, in particular new cookie types. All cookies should have user-friendly removal mechanisms which are easy to understand and use by any user. Also, storage of cookies outside browser control should be limited or prohibited, and users should be provided with another service channel if they do not accept cookies, ENISA recommends. [Source]

WW – SANS Technology Institute Paper: Assessing Privacy Risks from Flash Cookies

This paper was developed by students Stacy Jordan and Kevin Fuller as part of the SANS Technology Institute Masters Program. It includes an analysis of flash cookies; a description of the risks of using flash cookies; and technical approaches for detecting, removing, managing and analyzing flash cookies. [Source] [Paper]

US – Ad Industry Slams Do-Not-Track Proposal

The public comment period on the FTC’s “Protecting consumer privacy in an era of rapid change: A proposed framework for businesses and policymakers” report has ended, and the reactions are varied. Industry groups, for example, are among those opposing calls for a do-not-track mechanism to improve consumer privacy online. InformationWeek reports on the assertion by industry groups that the FTC’s proposal would “wreck the ability of Web sites to provide personalized content.” The Interactive Advertising Bureau, which suggests “a do-not-track program would require reengineering the Internet’s architecture,” is instead recommending self-regulation for online advertising. [Source]

US – IAB Members Must Publicly Affirm Privacy Principles

In the midst of looming online tracking legislation, the Interactive Advertising Bureau (IAB) has voted to require all its members to sign a new code of conduct that includes compliance with the industry’s self-regulatory principles. The IAB is giving members up to six months to follow the principles, which state that companies must provide clear notice of cookie-based behavioral advertising in at least two places and must obtain user consent, though it may be on an opt-out basis, in order to track. Companies that fail to comply face a six-month suspension and possible FTC sanctions, the report states. [Source]

US – Facebook Responds to FTC’s Privacy Plans

In its 29-page response to the FTC’s proposal for protecting privacy online, Facebook offered one of the most comprehensive looks to date at its stance on privacy and how the company believes the issue will – and should – evolve. While acknowledging that government regulation ought to play a role in safeguarding user information on the Internet, Facebook argued in the response that web companies should be principally self-regulated so as not to stifle innovation. The company said it agreed with the FTC that greater transparency and the option of “context-sensitive privacy protections,” or what the FTC had called “privacy by design,” were important, but stressed the importance of taking into account individuals’ evolving perceptions of privacy. [Source] [Facebook’s comments to the FTC]

WW – Facebook to Redeploy Sharing Feature

As Facebook plans to reactivate a feature that would allow third-party applications to request contact information from users, Rep. Ed Markey (D-MA) says he is not satisfied with the company’s response to his inquiry about such features. After Markey and Rep. Joe Barton (R-TX) last month wrote to the company about privacy concerns, Facebook suspended the feature temporarily. It now says it will redeploy the feature alongside enhanced “user controls.” Responding to Markey’s concerns about third-party access to minors’ contact information, a Facebook spokesman said children under 13 are prohibited from using the site and that it is “actively considering” whether third parties may request information from anyone under 18. [Source] [Facebook letter]

US – Google in Privacy Trouble Again for Collecting Kids’ Digits

Google has nabbed the “privacy outrage spotlight” this week over its collection of the last four digits of children’s social security numbers in an art contest — Doodle 4 Google. Documentary director Bob Bowdon brought the practice to light in a Huffington Post editorial, pointing out that Google’s entry forms for the contest requested children’s date and city of birth, as well as the last four digits of their SSNs. He hyped the story by pointing out that “a national, commercial database of names and addresses of American children” could “be worth many millions to marketing firms and retailers.” Children’s protection groups started rumbling; “twenty-six hours later Google released an updated Parental Consent form without requiring the last four digits of the child’s SSN, although the form still inexplicably asks for the child’s city of birth,” wrote Bowdon. Broadcasting & Cable reports that Google was using the SSNs to sort entries and prevent duplicate entries. The children’s city of birth was needed to ensure that the contest was limited to U.S. citizens. Privacy advocate Anne Collier, executive director of ConnectSafely.org, tells the Associated Press: “It was a stupid mistake, but they corrected it so let’s move on.” But yesterday, Congressmen Joe Barton and Ed Markey, heads of the House Privacy Caucus, released a joint statement saying they plan to hold a hearing over children’s privacy because of the Google flap: “We are deeply disturbed by recent media reports that Google may have engaged in sketchy practices with its Doodle 4 Google contest by collecting the social security numbers of children who participated in the contest. This is unacceptable.” [Source]

WW – Google Mapping Feature Expands, Authorities Concerned

As Google moves forward with plans for its Street View mapping feature in Israel and Switzerland, authorities are voicing concerns. The company will soon photograph 218 miles of the Swiss Alps for the feature, despite a pending court challenge. A hearing is scheduled for February 24 after Switzerland’s data protection officer argued in 2009 that Street View’s privacy safeguards were insufficient. Google has agreed not to post new photos in Switzerland until a ruling has been made and said it has made improvements. The company has also met with Swiss data protection officials. Meanwhile, as Google plans to launch Street View in Israel, officials are concerned about potential uses of the images. [Source]

AU – Nations Look to Retain Data for One Year

Talks between the U.S. and Australia could result in Internet service providers (ISPs) retaining data on users for one year. The talks, slated for July, aim to align data retention periods between the two countries and Europe. Though some European nations suggest retaining data for five years–an idea being considered by the European Convention on Cybercrime–both the U.S. and Australia believe that’s too long, according to Australia Attorney General Robert McClelland. McClelland added that governments have a “strong obligation” to balance the scope of data retention and law enforcement needs for data to solve crimes. [Source]

Other Jurisdictions 

NZ – Emergency Code Issued After Earthquake

In the aftermath of the Christchurch earthquake, Privacy Commissioner Marie Shroff has issued an Information Sharing Code to allow emergency services to “share personal information as necessary to assist victims of the earthquake and their families.” The code will remain in effect for the next three months and will then be reviewed. “Although the Privacy Act already allows collection and disclosure of information in emergencies and for public safety, greater certainty will help everyone,” Shroff said. The code is aimed at helping identify injured individuals, assisting with medical and financial needs, notifying families and making it possible for visitors to get home. [Source]

Privacy (US) 

US – Supreme Court: Businesses Do Not Have Personal Privacy Rights

Corporations do not have personal privacy rights when it comes to the disclosure of federal records. That’s according to a U.S. Supreme Court ruling. The case was brought forward after an Appeals Court ruling that found an exception in the federal Freedom of Information Act where the U.S. Congress defined a “person” to include “an individual, partnership, corporation, association or public or private organization.” In today’s ruling, the justices unanimously overturned the prior court’s finding that “corporations can assert personal privacy in claiming the records should be exempt from disclosure,” the report states. [Reuters]

US – California’s High Court Rules That Stores Can’t Request ZIP Codes

Retailers do not have the right to ask consumers for their ZIP code while completing credit card transactions, according to a ruling by the California Supreme Court. California’s high court of seven judges unanimously stated that the practice of requesting customers’ ZIP codes infringes on their privacy rights. The ruling, which overrules previous decisions by trial and appeals courts in the Golden State, pointed to a 1971 State law that prohibits businesses from asking credit card users for information that could be used to track them down. Requesting ZIP codes “would permit retailers to obtain indirectly what they are clearly prohibited from obtaining directly,” the ruling stated. [Source]

US – FERC Report Cites Smart Grid Privacy Concerns

The Federal Energy Regulatory Commission (FERC) this month released its biannual report, which includes questions about smart meters and privacy. The report outlines concerns about consumer data privacy as companies continue to deploy new technologies, and customers, unsure of the purposes and uses of such technologies, push back. “The existing business policies and practices of utilities and third-party smart grid providers may not adequately address the privacy risks created by smart meters and smart appliances,” the FERC report states. Jeff St. John writes that this year may be the year that “smart grid privacy finally becomes a must-do, rather than an oft talked-about, subject.” [Source]

US – Suit: Sharing Device IDs Violates Privacy

The most recent potential class-action suit against Apple and 11 outside companies is for allegedly violating the privacy of iPhone and iPad users. The suit is the fourth case of its kind and was filed in U.S. District Court in California. It alleges the company violated federal and state laws and contends that users did not authorize Apple to share their devices’ unique identifiers with application developers and other parties. However, the report states, it remains to be seen “whether courts will rule that transmitting a unique device number–as opposed to a name or street address–raises any privacy issues.” [Source]

US – Customer Sues Game Retailer for PII Collection

A California resident has filed a class-action lawsuit against a game retailer for allegedly “requesting and recording personal information from its customers without their knowledge or consent.” Melissa Arechiga filed the suit last week on behalf of all customers who made a purchase within the last year at a GameStop location that allegedly collected her name, credit card number and personally identifiable information (PII). The suit claims that the store made no attempt to delete the information from the electronic cash register after the credit card number was recorded, which violates a California law prohibiting corporations from requesting credit card customers to provide and record PII, the report states. [Source]

Privacy Enhancing Technologies (PETs) 

WW – Governing Body Accepts Microsoft Tracking Proposal

The World Wide Web Consortium (W3C), the governing body for HTML5, has accepted Microsoft’s tracking opt-out proposal to protect consumer privacy. Microsoft’s Tracking Protection allows users to choose not to be tracked on the Web by blocking the content that does the tracking, the report states. Internet Explorer’s corporate vice president, Dean Hachamovitch, said online privacy is a high priority for consumers and governments around the world. Ashkan Soltani, a privacy and security researcher, called Microsoft’s release of the program “a great move” that demonstrates the company’s recognition “that for this to work, you want both technology and policy to work in tandem.” [PCWorld]

WW – Start-Ups Capitalize on Data as Currency

Entrepreneur Shane Green’s company allows people to personally profit from providing companies with their personal data, which he says has become “a new form of currency.” His company is one of about a dozen start-ups aiming to capitalize on privacy as marketers increasingly rely on personal data for targeted ads. One London real estate developer now offers to sell people’s personal information on their behalf and give them 70% of the sale, the report states, while others offer products to help block online tracking or charge to remove users from marketing databases. One entrepreneur said while “privacy” was a hard sell as of two years ago, investors are now quick to jump at opportunities. [Wall Street Journal: Web’s Hot New Commodity: Privacy]

US – Despite Tracking Concerns, Investments Continue

The Wall Street Journal reports that in spite of ongoing concerns about tracking and a push for legislation to regulate online advertising, companies that specialize in this kind of tracking continue to secure venture capital investments. “Since 2007, venture firms as a group have invested $4.7 billion in 356 online ad firms,” the report states, increasing at a rate of 29% last year alone. While a Jafco Ventures partner suggests, “Advertisers want to buy individuals. They don’t want to buy (Web) pages,” Chris Fralic of First Round Capital says privacy concerns can influence investment decisions. As he puts it, “What I look for are the consumers raising their hands” against having their privacy compromised. [Source]

RFID 

EU – Working Party Approves Self-Regulatory Proposal

The Article 29 Working Party has approved an industry proposal for a privacy and data protection impact assessment framework for RFID self-regulation. Although it rejected a series of drafts, including a March 31, 2010, proposal that contained only “scattered references” to risk assessment, industry reworked its proposal and submitted its latest version, the Revised Framework, on January 12. The industry proposal was developed at the request of the European Commission, which issued a recommendation in 2009 on the implementation of privacy and data protection principles in applications supported by RFID. In its February 11 opinion, the Article 29 Working Party endorsed the revised framework. [Source]

Security 

WW – Security Shocker: Android Apps Send Private Data in Clear

Cellphones running the Android operating system fail to encrypt data sent to and from Facebook and Google Calendar, shortcomings that could jeopardize hundreds of millions of users’ privacy, a computer scientist says. In a simple exercise for his undergraduate security class, Rice University professor Dan Wallach connected a packet sniffer to his network and observed the traffic sent to and from his Android handset when he used various apps available for Google’s mobile platform. What he saw surprised him. The official Facebook app, for instance, transmitted everything except for the password in the clear, Wallach blogged on Tuesday. This meant that all private messages, photo uploads and other transactions were visible to eavesdroppers, even though the account had been configured to use Facebook’s recently unveiled always-on SSL encryption setting to prevent snooping over insecure networks. Google Calendar showed a similar carelessness in Wallach’s experiment by also sending and receiving data in the clear. That makes it possible for snoops to see your schedule when the service is accessed on unsecured networks. Wallach found a few other apps that took a cavalier approach to user privacy. [Source] See also: [Modified Android App Sends Surreptitious Text Messages to Premium Numbers] [NYT: Security to Ward Off Crime on Phones] and [Suspect in iPad data theft remains jailed in NJ]

AU – Security to Go Under Privacy Microscope

The Australian federal privacy commissioner Timothy Pilgrim intends to clamp down on businesses that neglect security standards following a string of public data breaches this year. Future investigations will focus on determining if businesses have adopted baseline privacy and security benchmarks before collecting customer data. Businesses will need to have constant “strong risk assessment processes” that ensure only necessary customer data is held within corporate systems, he said. “Businesses need to make sure the privacy protections are strong and are built early into the systems. Information will be vulnerable when the right security controls are not in place, as we found with the Vodafone system.” Privacy probes will examine whether security systems have been “regularly updated” and are designed in accordance with industry benchmarks including ISO 27002:2006. [Source]

UK – Keystroke Loggers Found on Library Computers

Keystroke logging devices were found plugged in to computers at libraries in Cheshire, UK. It is not known how long the devices were connected to the computers before they were discovered. Keyboards are now being plugged in to ports at the front of computers. [Source] [Source]

Surveillance 

AU – Australian Government Opens Consultation on Cybercrime Treaty

The Australian government is seeking public comments on a proposed cyber crime treaty that would allow the government to order real-time network traffic data collection. Australia is considering signing the Council of Europe Convention on Cybercrime, which was established in 2004. Australia is in line with much of the treaty already, but the treaty’s provisions for collection and storage of traffic data would require legislative amendments. [Source] [Source] [Source] See also: [New Technology Hinders FBI Wiretaps]

JP – Japan Company Developing Sensors for Seniors

Japan’s top telecoms company is developing a simple wristwatch-like device to monitor the well-being of the elderly, part of a growing effort to improve care of the old in a nation whose population is aging faster than anywhere else. The device, worn like a watch, has a built-in camera, microphone and accelerometer, which measure the pace and direction of hand movements to discern what wearers are doing – from brushing their teeth to vacuuming or making coffee. In a demonstration at Nippon Telegraph and Telephone Corp.’s research facility, the test subject’s movements were collected as data that popped up as lines on a graph – with each kind of activity showing up as different patterns of lines. Using this technology, what an elderly person is doing during each hour of the day can be shown on a chart. The prototype was connected to a personal computer for the demonstration, but researchers said such data could also be relayed by wireless or stored in a memory card to be looked at later. Plans for commercial use are still undecided. [Source] See also: [Canadian Doctor filmed naked patients with hidden camera]

UK – Freedoms Bill good for CCTV, Not for Privacy

A statutory code of practice covering CCTV/ANPR is to be produced by the Home Secretary and regulated by a new “Surveillance Camera Commissioner”. The code’s application is limited to policing bodies and local authorities; it does not cover the CCTV systems that are installed by Government Departments, the Security Service, other public bodies, or used in large shops or shopping malls. If the measure was intended to limit CCTV surveillance, then one would expect that some of these missing areas would be covered in its provisions. Also not covered in the code is the use of CCTV in the domestic circumstance. The Home Secretary is seeking powers that could extend the bodies that are subject to the code. There is no penalty if the code is breached, although a breach of the code may be raised in any legal proceedings. There are no new individual rights created – for instance, for the Surveillance Camera Commissioner to investigate complaints about the operation of the code. There is also a possibility of at least two regulators with apparently overlapping responsibilities; this does not seem to be a useful proposal if privacy protection is an objective. The Surveillance Commissioner could be a third regulator if CCTV is used in combination with covert directional microphones. There is no provision in the code with respect to retention of CCTV images, but retention provisions can be included in the code at any time. Also missed from all the press coverage is the role of Automated Number Plate Recognition (ANPR) camera systems. ANPR is important because the police have a policy of “denying criminals the use of the roads”. [Source] [UK: People get power to take CCTV abusers to court] See also: [US: ‘Spier’ education: Officials pull plug on website promoting hidden camera gadgets for principals]

NZ – Reality TV Show Breached Privacy

A Northland man whose arrest for possession of a small amount of cannabis was shown on TV2’s Police Ten 7 programme had his privacy breached, in what the Broadcasting Standards Authority (BSA) says is a “landmark decision” regarding filming reality television. It has ordered TVNZ to pay the man $1500 in compensation for breach of privacy and the Crown costs of $1000. [Source]

WW – Microsoft Addresses Silent Updates in Blog Posting

Microsoft has admitted that it has been issuing “silent” updates for some time. The fixes are not documented in security bulletins and are usually delivered to address variants of vulnerabilities for which fixes have already been issued. [Source] [Source]

WW – Microsoft Changes Stance on Internet Quarantining

Microsoft’s Scott Charney has had a change of heart about where the responsibility for keeping inadequately protected machines off the Internet should lie. Last year at the RSA conference, Charney, who is Corporate VP for Trustworthy Computing, said that ISPs should take the lead, possibly scanning machines and quarantining those deemed unsafe. Speaking again at RSA this year, Charney says he “realize[s] that there are many flaws with that model.” Users may perceive the scans as invasive, and an unpatched machine could keep someone who uses it for communication from reaching emergency services. The biggest stumbling block, said Charney, is the cost imposed on ISPs. The new position would have web service providers impose requirements on users. [Source] [Source] [Source]

Telecom / TV 

AU – Australian Communications Authority Questioning Telecoms About Data Security

Following Vodafone’s exposure of customer data, the Australian Communications and Media Authority (ACMA) is starting to crack down on other telecommunications providers. Ten major players in Australia’s telecommunications market have been contacted by ACMA, which is seeking answers to questions about how each company handles customer information security. [Source]

UG – Uganda: Phone Tapping Law Comes Into Force

President Yoweri Museveni has assented to the Regulation of Interception of Communications Act 2007, which authorises the tapping of telephones and other private communication for security purposes. The Act, which has now become law, forbids repeated sending of abusive messages and letters. “A person who repeatedly makes abusive telephone calls or causing another person to make abusive telephone calls to the victim, commits an offence,” reads the Act. This also means telecommunication service providers will be required to register SIM cards of their clients. The President assented to the Act on February 17, 2011. [Source] See also: [Jamaica: Nelson tackled on privacy rights stance]

US Government Programs 

US – Bill Would Require CISOs in Federal Agencies

The E-Government Act, currently in front of Congress, would require federal agencies to designate a senior officer as chief information security officer (CISO) and lays out the responsibilities of that position. Sponsored by the leaders of the Senate Homeland Security and Governmental Affairs Committee, the bill states that the CISO would oversee agency security operations and report annually to the agency head. The CISO would also, with the federal CIO, “establish, maintain and update an enterprise network, system, storage and security architecture” to be accessed by a newly created National Center for Cybersecurity and Communications. [Source]

US Legislation 

US – Full-Body Scan Privacy Law Gets One Step Closer to Reality

Back in December, a law being proposed by Senator Chuck Schumer would make it a crime to distribute or save images taken as part of an airport security scan. That law has come one step closer to becoming a reality after being unanimously accepted as an amendment to the FAA Reauthorization Bill being considered by the Senate. The legislation, known as Security Screening Confidential Data Privacy Act, ensures that anyone — airport staff or member of the public — with access to scanned body images would be prohibited from photographing or disseminating those images. Violators could face up to one year in prison and a fine of up to $100,000 per violation. In addition to airports, the bill would also cover images from scans in courthouses and federal office buildings. It also covers not just the original image files, but any photographs taken by cameras, cell phones or any other video device. By being attached to the non-controversial FAA Reauthorization Bill, which sets travel policy for the entire country and funds the Federal Aviation Administration, insiders tell Consumerist that the privacy legislation is virtually guaranteed to pass. The Senate is expected to vote on the complete bill as early as this week. [Source] [DHS: Body Scanners Do Not Store, Transmit Images]

Workplace Privacy 

US – Disneyland Workers Plan Lawsuit Over Privacy Concerns

Two Disneyland Resort employees will seek to certify a class action lawsuit against the Walt Disney Company to stop Disney from encoding the workers’ Social Security numbers in a barcode printed on their cast member identification cards. Jorge Iniestra and Josh Stern claim this practice violates a California privacy law, and exposes the cast members to the risk of identity theft. The union says the lawsuit could involve 20,000 Disneyland Resort employees, and that Disney employees elsewhere in California may also be covered by the action. Local 11 says that workers at the Walt Disney World Resort in Florida also have the same information on their ID cards, but that those workers are not part of this lawsuit. [Source] See also: [Florida Police Obtain Warrant to Search ‘All Persons’ in Apartment Complex] and also: [Court gives SPCA access to workers’ compensation documents in dog slaughter case]

US – Maryland AG: Requiring Employees’ Personal Passwords is Legal

Maryland Attorney General Douglas Gansler says requiring a prospective state employee to turn over his social networking user names and passwords as a condition of employment could be appropriate and legal. A day after Maryland’s Department of Public Safety and Corrections suspended the practice, which it used to root out potential employees’ possible gang affiliations, Gansler says the major problem is there hasn’t been a written policy in place for corrections officials. Gansler, whose office defends the corrections department in court, says “it would be patently unfair” to say to a current employee, who had passed all background checks, “Now you’re going to have to waive all your privacy rights on the Internet in terms of your social networking.” “It’s a completely different issue to prospectively do it, and say ‘You can be a correctional officer at this facility, but one of the things you should know up front is that you’ll have to give up your passwords to your social networking websites.’” Gansler says his office was not consulted by corrections officials before or after the policy was put in place, or since it was temporarily suspended after complaints from the American Civil Liberties Union of Maryland. [Source] [Want A Job? Password, Please!]

CA – Many Companies Monitor Employees’ Online Use

Any electronic correspondence sent at the workplace should be considered about as private as a postcard. That’s the message from the head of Quebec’s Privacy Commission, Jean Chartier, who recently advised that a “computer screen is not a wall that you can hide behind.” A case set to unfold this week before Montreal’s city council illustrates the lingering question surrounding how much privacy an employee can expect at work, The Montreal Gazette reports. A city employee claims to have been spied upon by officials who say they investigated the employee based on allegations of misconduct. Employees must work within the employer’s guidelines, Quebec’s privacy commission warns. [Source]

+++

 
