01-15 April 2011

Canada

CA – Amendments to PIPEDA Enable Pickier Privacy Commissioner Investigations

Legislative amendments proclaimed in force last week mean that the Privacy Commissioner of Canada may now be more selective about the complaints her office decides to investigate. The amendments in question, made to the Personal Information Protection and Electronic Documents Act (PIPEDA), were actually contained in Bill C-28, Canada’s Anti-Spam Legislation, which received Royal Assent last December. Although most of that statute is not yet in force, last week the Governor in Council proclaimed in force some of the consequential amendments in that bill that affect PIPEDA, leaving for proclamation at a later date those PIPEDA amendments that coordinate with new obligations in the Anti-Spam law itself. Previously, PIPEDA required the Privacy Commissioner to investigate all complaints submitted to her office, regardless of their nature or seriousness, although she had some discretion in not having to prepare a report in all cases. With these new amendments, the Commissioner is no longer required in all circumstances to conduct an investigation in respect of a complaint received. Complaints need not be investigated if the complainant has not exhausted other grievance or review procedures that may be available, if the complaint could be more appropriately dealt with under another Federal or Provincial law, or if the complaint was not filed within a reasonable time after the subject matter of the complaint arose. In all cases, complainants must be notified that their complaint will not be investigated. The Commissioner retains the right to reconsider a decision not to investigate a particular complaint, if the complainant is able to provide compelling reasons to investigate.
The new powers have long been sought by the Commissioner as a way to better manage the workload of the Office of the Privacy Commissioner, by weeding out complaints whose resolution would be of little public interest or significance, thereby allowing for the focus of resources on issues of a broader systemic nature. The authority to manage the processing of complaints in this way is already afforded to some degree to other tribunals, including the Canadian Human Rights Commission and the Privacy Commissioner for Alberta. Once the investigation of a complaint commences, the new amendments also give the Privacy Commissioner the power to discontinue investigation in certain circumstances. Investigations may be discontinued where:

  • there is insufficient evidence to pursue the complaint
  • the complaint is trivial, frivolous or vexatious or is made in bad faith
  • the organization that was the subject of the complaint has provided a fair and reasonable response
  • the subject matter is already the subject of a report by the Commissioner
  • the complainant has not exhausted other grievance or review procedures that may be available
  • the complaint could be more appropriately dealt with under another Federal or Provincial law
  • the complaint was not filed within a reasonable time after the subject matter of the complaint arose
  • the matter is being or has already been addressed via another grievance or review process, or pursuant to a procedure under another Canadian law.

As with a case of declining to investigate, the Commissioner must notify a complainant and organization of the discontinuance of a complaint, giving reasons for the discontinuance. With other tribunals that have the power to decline to investigate complaints, there has understandably been a reluctance to exercise this authority, since doing so denies a complainant a full consideration on the merits of the complaint. As a result, the bar for refusing a complaint has tended to be set fairly high, with complaints being declined or discontinued only in the clearest and most egregious of circumstances. [Source: Mondaq News]

E-Government

US – New York State Pursues Delinquent Taxes With Analytics Tool

New York state is among states that are deploying data analytics in the fight to collect delinquent taxes. In 2010, the state’s Department of Taxation and Finance implemented an IBM analytics tool to help recover $83 million in delinquent taxes – an 8% increase from 2009 and double the annual increase from previous years, according to an announcement from the company. IBM said the software inserts an algorithm into the department’s debt case management system. The software determines on a case-by-case basis the best course of action for collecting a delinquent tax given the department’s limited resources, while maximizing the amount of revenue collected. The department then develops an action plan for each case – delinquent or fraudulent taxes – based on the analytics data. The predictive modeling tool used in the IBM Tax Collections Optimizer is like what private-sector companies use for gathering predictive analytics. But the tool’s distinguishing feature is that it factors in budget and resource limitations in its decision-making, Barry said. New York isn’t the only state using analytics for tax collection. For example, last year Hawaii officials announced they had collected more than $100 million within a three-year period through a partnership between the Department of Taxation and CGI Technologies and Solutions. [Source]

US – Texas Comptroller: Personal Records of 3 Million People Publicly Posted

The office of the Texas comptroller revealed on Monday that information on 3.5 million people was accessible on a public server for more than a year. The information includes names and mailing addresses, Social Security numbers, and for some people, birth dates and driver’s license numbers. These were inadvertently posted on a public server when three agencies transferred data. The information was not encrypted as required under state law. Moreover, personnel at the comptroller’s office did not follow internal procedures in posting such records. Comptroller Susan Combs said her office began publicly blocking after discovering the oversight on March 31. The state attorney general’s office is investigating what Combs described as a “serious issue.” The comptroller will begin sending notification letters on Wednesday to people with records involved in the security breach. Combs will be working with the Legislature to advance legislation to enhance information security as outlined in the Protecting Texans’ Identities report she released in December. This would include the designation of Chief Privacy Officers at each agency as well as the creation of an Information Security Council in the state. [Source]

Electronic Records 

WW – Iron Mountain to Shutter Cloud Storage Service

After only two years, Iron Mountain is planning to close its public cloud storage services, having already stopped accepting new customers as of April 1. The company will close its Virtual File Store service, which is targeted at archival of inactive file data, and its Archive Service Platform, which allows software vendors to integrate the Iron Mountain API to leverage the company’s cloud architecture. Virtual File Store customers that stay with Iron Mountain will be transferred to a higher-value offering, File System Archiving (FSA), in 2012. The new offering will be a hybrid that leverages policy-based archiving on site and in the cloud with indexing and classification capabilities. Archive Service Platform customers have no migration path and are being terminated or moved to an alternative service provider. Iron Mountain’s announcement makes it the third public cloud infrastructure as a service (IaaS) provider to abandon the market over the past year, Gartner said. The others that have shut down are: Vaultscape, which launched its service in 2009 and closed in 2010, and EMC, which announced Atmos Online in 2009 and took it offline a year later. [Source]

Encryption 

RU – Russian Agency Says it’s Hard to Monitor Citizens Who Use Encrypted Services

The Kremlin will not ban Skype, Gmail and Hotmail, despite a recommendation to do so from the country’s Federal Security Service (FSB) because the services threaten national security. FSB says the services make it challenging to monitor citizens because they use encryption that is difficult to break. [Source] [Source]

EU Developments 

EU – Tech Companies Challenging France’s Data Retention Law

Several large technology companies are reportedly challenging the French government’s requirement that service providers, web mail providers, ecommerce companies and online video and music sites retain information about users for a year. The data they are required to store and to provide the government on demand include user names, passwords, IP addresses, and financial transaction information. The requirement was established by a February 25, 2011 decree that updates the Legal Regime for eCommerce Trust (LCEN). The decree is being challenged by the French Association of Community Internet Services (ASIC), whose members include eBay, Facebook and Google. LCEN says the decree was formulated without consulting the European Commission and that retaining the information poses a greater risk of data security breaches. [Source] [Source] [Source]

EU – Annual Big Brother Awards Draw Attention to German Privacy Issues

Data protection and privacy are big topics in Germany today, but they weren’t always. The organizers of the Big Brother Awards like to think they had something to do with that. Late last week, this year’s BigBrotherAwards were handed out to organizations, businesses and individuals deemed to be undermining privacy and data protection using technology and information. The annual awards are bestowed by FoeBuD e.V., a German non-profit activist organization that was first formed in 1987 to protect civil rights and data security. The BigBrotherAwards include categories such as “Workplace,” “Politics” and “Consumer Protection.” This year a negative award was handed out to Facebook under the category of Communications for “systematically poking its nose into people and their relationships, behind the friendly facade of an ostensibly free service,” according to FoeBuD’s description of the award. According to the BigBrotherAwards website, the online social media platform is likened to a gated community “sprawling across the net in which people are monitored every step of the way. It is governed by the whims of a corporation that is earning billions with systematic privacy violations.” Other “winners” included the German auto manufacturer Daimler, for requiring blood tests of its employees, a practice FoeBud compared to vampirism, and Apple’s Munich branch, which the award accused of “taking their customers hostage by way of expensive hardware and subsequently blackmailing them into accepting a questionable privacy policy.” [Source]

Finance 

US – Limits Sought to Employers’ Use of Credit Reports

Battle lines are being drawn in state capitals over whether workers should be judged by their creditworthiness. In 25 states, 49 proposed bills are being debated. The majority of the bills are aimed at restricting when credit histories can be used in the hiring process, says Heather Morton, analyst at the National Conference of State Legislatures. Economic stress is the main trigger. “Legislators are responding to the impact the recession has had on employment.” There is also concern about fairness, says Beth Givens, director of the non-profit advocacy group Privacy Rights Clearinghouse. “Using a credit report to make a hiring decision is essentially making a value judgment,” says Givens. “The employer is saying, ‘I think you’re an irresponsible and careless person because you have a bad credit report.’” [Source]

Genetics 

EU – Dog DNA Database to Prevent Foul Play

A Spanish town has set up a DNA database to track down owners who allow their dogs to mess in streets and parks without clearing it up. The town council of Hernani in northern Spain approved the introduction of a bylaw that will force owners to register their pet’s DNA for a municipal dog census. Under the scheme, which residents have called “Canine CSI”, deposits in the street will be collected by a team and sent to laboratories at the University of the Basque Country for analysis. Owners of dogs whose DNA matches the samples will be tracked down through the database and will face fines of up to euros 300 (pounds 265). Those who refuse to provide DNA analysis of their dogs face similar fines. But local dog owners were furious at the proposal and set up a Facebook page in protest, arguing that it was “unfair, ineffective and very costly”. The cost of DNA analysis, carried was about euros 45 (pounds 40) and must be borne by the pet owner. [Source]

Horror Stories 

WW – Epsilon Breach Compromises Millions of eMail Addresses

A security breach at US marketing company Epsilon Data Management appears to have compromised millions of email addresses. Epsilon sends email on behalf of more than 2,500 clients. Many of the companies have contacted their customers to notify them of the breach and the possibility that they may receive spam or malicious email that attempts to get them to disclose more sensitive information. Epsilon said the only information taken was names and associated email addresses. Affected companies include American Express, Citibank, The College Board, and BestBuy. [Source] [Source] [Source] [Source] [Source] [Source] [Senator Calls for Investigation Into Epsilon Breach] [Canadian consumers among victims of massive email security breach]

US – Epsilon Received Warning of Potential Breach Months Ago

The data breach at Epsilon was likely due to a spear phishing attack, something the company was warned about several months ago. An Epsilon technology partner, Return Path, sent out a warning in November 2010 after an employee fell for a phishing attack, exposing thousands of email addresses to the attackers. Ironically, the type of information stolen during the attack could be used to launch spear phishing attacks against customers of some of the 2,500 companies on whose behalf Epsilon sends out email. [Source] [Source] [Source] See also: [US: Company that services L.L. Bean Visa reports privacy breach]

WW – WordPress.com Data Breach Puts Millions of Bloggers at Risk

WordPress.com, which hosts millions of blogs using the popular WordPress blogging software, announced that its servers had been breached and that sensitive data was likely taken. “We presume our source code was exposed and copied,” WordPress founder Matt Mullenweg said in a blog posting yesterday. “While much of our code is Open Source, there are sensitive bits of our and our partners’ code.” Mullenweg was unusually candid for a company president disclosing a major data breach. [Source]

AU – BP Employee Loses Laptop With Unencrypted Claimant Information

BP’s acknowledgment that an employee lost a laptop containing unencrypted information of 13,000 people who have submitted claims associated with last year’s oil spill has prompted analysts to declare that failing to encrypt sensitive data on portable devices is inexcusable. The information compromised in the BP laptop breach includes names, Social Security numbers (SSNs) and dates of birth. Even a requirement for federal agencies to encrypt sensitive data on portable devices following a breach that compromised the security of records of more than 26 million veterans has not resulted in compliance. [Source]

CA – Alberta School Board Loses Memory Stick With Employee Data

The private information of thousands of Edmonton Public School Board employees has been missing for more than three weeks. In a massive privacy breach, a USB memory stick containing information, including resumes and employment records of about 7,000 employees, was lost on March 22. The stick was used by a school board computer technician working in human resources to download the data, but then he lost it. The school board has recently sent out letters to the affected employees, advising them that their private information — possibly including banking data — may have gone astray. Provincial privacy commissioner Frank Work said the school board violated its own policies. “First of all, according to school board policy, you’re not supposed to use an unencrypted stick,” said Work. “They did.” “Second of all … they’re supposed to keep a list of what they download … onto a portable device, like a stick. They did not. And the third way they breached their own policy was they had kept too much information too long.” Work said he sees a privacy breach like this almost every month. But he said there is no point in penalizing the board financially because it has already spent thousands of taxpayer dollars to sort out the mess. [Source]

Identity Issues 

US – Obama Calls for Secure Online-Identity System

President Barack Obama unveiled an ambitious “National Strategy for Trusted Identities in Cyberspace” proposal urging the private sector to create a trusted-identity system to boost consumer security in cyberspace. Digital rights groups cautiously welcomed the first-of-its-kind government proposal, calling it a blueprint for increased internet security and privacy. The latest plan, which distances itself from a national ID approach, calls on the private sector to develop methods by which consumers can create a secure, online identification to enable web transactions. The plan envisions replacing today’s reality of generally having to remember passwords for dozens of sites where consumers have already lodged their sensitive data, such as credit card numbers. The government is allotting up to five years for the “standardization of policy and technology” to come together. Implementation of the plan, the government said, “will not occur overnight.” [Source]

Intellectual Property 

NZ – New Zealand Passes Three-Strikes Anti-Piracy Law

Legislators in New Zealand have passed a three-strikes anti-piracy law. Vehemently opposed by members of the country’s Green Party and independent MPs, the Copyright and Infringing File Sharing bill provides for warning illegal filesharers twice; a third infringement would give rights holders the opportunity to bring the offender before a tribunal with the authority to impose fines of up to NZ $15,000 (US $12,000). Subsequent violations could result in a court order suspending the offender’s Internet account. Those opposing the law say that people could have their accounts suspended without sufficient proof of wrongdoing. [Source] [Source]

Internet / WWW 

EU – Microsoft launches StreetView rival in Europe

Microsoft is launching its own version of Google’s StreetView – dubbed Streetside – across Europe. Cars fitted with cameras have begun taking pictures around London and will start mapping major cities on the continent next month. The service is already available in 56 US towns and cities. Microsoft has been keen to avoid the privacy concerns that dogged Google’s service but said that it does plan to gather wi-fi data. Initially, Streetside will be on a smaller scale than Streetview, according to the company’s director of search, Dave Coplin. “We’re not setting out to record every street. We believe it is most valuable in urban centres where people want to find services,” he told BBC News. [Source]

WW – Chrome Will Warn Users of Suspicious Downloads

Google plans to add a feature to its Chrome browser to warn users when they are downloading a file that is suspected to contain malware. The feature will rely on Google’s Safe Browsing service; if a user tries to download an EXE file with a URL that appears on the Safe Browsing blacklist, the user will receive a message that reads “This file appears to be malicious. Are you sure you want to continue?” Users will have the option of going ahead and downloading the questionable file if they choose. The new service will be tested with a subset of Chrome users running the dev version of the browser before being incorporated into the stable version of Chrome. [Source] [Source] [Source] [Source]

EU – IAB Europe Releases Behavioural Advertising Framework

Google, Microsoft, AOL, Guardian News & Media and The Irish Times are among the companies that have signed up to a new cross-European self-regulatory framework for online behavioural advertising (OBA) that will see ads that target users based on previous internet activity being identified by a special icon. Developed by IAB Europe, the framework aims to improve transparency and consumer control when ads are delivered using OBA. By June 2012, all OBA-based display advertisements on the websites that have signed up to the framework will have an icon indicating that behavioural advertising is being used. If users click on the icon, which is currently being trialled in the UK, they’ll be directed to a company site with more information and they’ll have the ability to turn off OBA ads. They will also have the option of going to a new pan-European website, http://www.youronlinechoices.eu, which provides further information on OBA in the relevant language and a tool to manage data preferences, including turning off OBA with just a few clicks. According to IAB Europe, the major practical achievement of the framework is that it provides full transparency and control to users without limiting their browsing experience. IAB Europe said that as the obligations of the framework are only binding to signatory companies, it will be complemented by the European Advertising Standards Alliance’s (EASA) Best Practice Recommendations, also released today. According to IAB Europe, these recommendations are designed to “ensure that the entire advertising ecosystem adheres to rules that together guarantee that the value chain delivers the objective of enhanced control and consumer choice”. 
The companies that have signed up to the OBA framework are: 24/7 Real Media, Adconion Media Group, AdGenie, Adnetik, AOL, ARBO Interactive, Audience Science, BBC Worldwide, BlueKai, Cognitive Match, CPX Interactive, Crimtan, Criteo, datvantage, Financial Times, Google, Guardian News & Media, Hi-Media, Independent Digital, Lotame, Media6degrees, Microsoft, Nugg.ad, Orange, PRISA, Profero, Sanoma, Specific Media, Struq, tectonic, The Irish Times, Tribal Fusion, Telegraph Media Group, United Internet Media, ValueClick Media, Vibrant Media, Weborama, Yahoo and Yell. A copy of the framework and FAQs is available here. [Source]

Law Enforcement 

US – Cameras Read License Plates, Helping City’s Police

The Manhattan’s Police Department’s growing web of license-plate-reading cameras has been transforming investigative work. Though the imaging technology was conceived primarily as a counterterrorism tool, the cameras’ presence has aided in all sorts of traditional criminal investigations. The latest example came last month with the arrest of Marat Mikhaylich, a suspect in 9 bank robberies in New York and New Jersey. Even though the FBI had identified Mr. Mikhaylich through surveillance photos, he had managed to avoid arrest — until he added car theft to his criminal history. One or more of the NYPD’s security cameras detected the stolen car’s license plates and directed federal agents to a block in Queens. The next morning, Mr. Mikhaylich was arrested there, as he was stopped at a traffic light. There are 238 license plate readers in use in New York City, said Paul J. Browne, the Police Department’s chief spokesman. Of those, 130 are mobile. They are mounted on the back of police cars assigned to patrol duties across the city’s five boroughs and to specialized units like the highway and counterterrorism divisions. The remaining 108 cameras are set up at fixed posts at city bridges and tunnels and above thoroughfares. Yet the strategy for the use of the license plate readers has raised questions about whether they represent a system for tracking driving patterns, said Donna Lieberman, the executive director of the New York Civil Liberties Union. She said it was hard to tell whether interest in “effective and efficient law enforcement” was being balanced with the “values of privacy and freedom.” “We don’t know how much information is being recorded and kept, for how long, and by which cameras,” Ms. Lieberman said. 
“It’s one thing to have information about cars that are stopped for suspicious activity, but it’s something else to basically maintain a permanent database of where particular cars go when there is nothing happening that is wrong and there is no basis for suspicion.” When it comes to car thefts, the value of the cameras seems clear, Mr. Browne said. In 2005, the year before the first license plate readers were put in place, there were 17,855 reports of stolen cars in the city, according to police statistics. Last year, there were 10,334, the statistics showed. [The New York Times]

CA – Body Upholds Order that Officer Resign

The Ontario Civilian Police Commission ruled Wednesday that a disciplinary tribunal was right to order Ottawa police Const. Harinderpal “Bob” Mamak “to resign within seven days” or be dismissed. In doing so, the OCPC upheld a July 29, 2010, decision by hearing officer Terence Kelly. In September 2009, Mamak was found guilty of insubordination and breach of confidence under the Police Services Act. The charges were laid by the professional standards section of the Ottawa police in December 2007, in relation to Mamak’s unlawful use of the Canadian Police Information Centre, a federal database of suspicious and stolen vehicles and bicycles. Mamak can appeal the decision before the Ontario Divisional Court. Ottawa police said he remains suspended from duty with pay. [Source]

US – States Address Privacy Risks of Digital Copiers and Electronic Waste

On April 1, 2011, a New York law went into effect requiring retailers of certain electronic equipment to institute electronic waste collection programs and to provide information to consumers on how to “destroy all data on any electronic waste, either through physical destruction of the hard drive or through data wiping.” Manufacturers of devices that have hard drives capable of storing personal information or other confidential data must include instructions describing how consumers can destroy such data before recycling or disposing of the devices, and businesses that sell products with hard drives must inform customers at the point of sale where the data destruction information can be located. In addition, five other states are considering legislation to address the privacy risks associated with digital photocopiers that may store personal information on their hard drives.

  • Connecticut would require businesses that lease digital copiers to ensure that all data is erased from the machine’s memory when the lease expires.
  • Florida would require financial institutions to implement security policies to identify copiers under their control and ensure that the hard drives on the copiers are erased before returning any leased copiers to a lessor or selling the copiers.
  • Nevada would require any business or data collector that owns or possesses a copier, fax machine or multifunction device (collectively, “digital office equipment”) that uses a data storage device to ensure that any personal information stored on such digital office equipment is either (1) encrypted or (2) physically or technologically destroyed before giving up ownership, physical custody or control of the digital office equipment.
  • New Jersey would require businesses to destroy personal information stored on digital copiers before disposing of the machines.
  • Oregon would require sellers and distributors of copy machines to remove, erase or destroy any personal information in a data storage device on the machines.

These bills reflect an enhanced focus on the privacy risks associated with digital office equipment. Last year, the FTC was investigating this issue after an exposé showed that almost every digital copier produced since 2002 stores on its hard drive images of documents that are “scanned, copied or emailed by the machine” – including documents with sensitive personal information. The FTC eventually produced a report entitled “Copier Data Security: A Guide for Businesses” that offers businesses tips for securing data stored on digital copiers. [Hunton & Williams LLP, Security Law Blog]

Location 

CA – Abbotsford, Victoria Join Other Cities With Online Crime Maps

Police departments in Abbotsford and Victoria are following the example of several major Canadian cities and launching online crime maps. But while they are useful for police and the public to track clusters of auto theft or break and enters, one Vancouver homicide expert doesn’t believe they’ll have a significant impact on reducing crime. On Friday, the Abbotsford Police Department added a new crime-map feature to its website, abbypd.ca. And one day earlier the Victoria Police Department launched its own crime-map site at vicpd.ca. The system costs about $150 per month. Both maps employ CrimeReports software. Vancouver and West Vancouver, as well as other cities in Canada including Calgary, already use crime maps, databases that allow police to enter crime files, plot the type of call on a map and later analyze the data to identify criminals. Police agencies hope that posting the information online will encourage people to report crime, because they will be more aware of what is happening in their neighbourhoods. Neil Boyd, a professor at SFU’s school of criminology, said there is no way to know how well the databases are working, but he doesn’t believe they’ll have an immediate impact on reducing crime. He said the online maps could cause crime displacement, where criminals become aware that an area is being monitored by police and move elsewhere, but he added that it’s unlikely a criminal will use the maps. [Source]

Online Privacy 

EU – Court: Google Must Guarantee Anonymity of Street View Faces, License Plates

A Swiss court has ruled that Google must guarantee anonymity before publishing faces and license plates captured in Switzerland for the popular street view service. The Federal Administrative Court largely sided with Switzerland’s data protection commissioner who claimed that Google was breaching citizens’ right to personal privacy, according to the ruling published Monday. Google said it was disappointed by the verdict and is considering an appeal to the Swiss supreme court. The Bern-based court said Google needs to ensure that all faces and vehicle license plates are blurred before uploading pictures to the service that provides panoramic views from various positions along the world’s streets. It also ordered the company to obscure other identifying features, such as skin colour and clothing, from people photographed in the vicinity of “sensitive establishments,” such as women’s shelters, retirement homes, prisons, schools, courts and hospitals. Google’s right to pursue its commercial interests does not outweigh Swiss privacy laws, the court said in an explanatory note. [Source]

US – Free Pandora App Shares User Data

Online music service Pandora has acknowledged being served with a subpoena demanding documents related to information sharing practices. The subpoena appears to be connected to a federal grand jury investigation into information sharing practices of apps that run on Apple and Android mobile platforms. A report recently found that a Pandora smartphone app shares user information with advertisers. The shared data include age, gender, geographic location, birth date and device ID. [Source] [Source] [Source]

WW – World’s First Personal Lifestyle Database System Released

The lifecentral group announced the immediate availability of the world’s first lifestyle database yesterday. The system allows any Internet user to reveal previously undiscoverable correlations between his or her activities, meals, moods, medications, and more. Lifecentral, available at lifecentral.info, provides users with an easy-to-use and intuitive interface for entering data about every aspect of their lives. In just five minutes per day, a user can enter everything he or she has done, eaten, felt, and taken during that day. After a sufficient amount of data has been entered, users can then produce reports to examine correlations between aspects of their lives that they had previously been unable to discover. These correlations are often more precise than the generalized advice offered by medical professionals that is not tailored to a person’s unique physiology. Accounts at lifecentral are free to any user over 13 years of age. Users may choose to keep their data private on secure servers, to share data with selected friends, or to make their data available to the world. lifecentral does not mandate the entry of personally identifiable information, so users may elect to track data anonymously. lifecentral will never reveal individual, nonaggregate data to anyone. Data is available to export to external software such as Microsoft Excel if users wish to generate reports that are not available on the lifecentral site. [Source]

CA – Ontario Teachers Advised Not to ‘Friend’ their Students Online

The Ontario College of Teachers released a report outlining appropriate online conduct for educators. While the report acknowledges that social media plays an increasingly important role in young students’ lives, it cautions teachers against using it to communicate with their students. It also reminds teachers that anything they publish online – despite their privacy settings – could eventually be viewed by their employer or students. Teachers are advised to:

  • Communicate electronically with students at appropriate times of the day, but if it would be too late to call them at home, don’t send an email either.
  • Use “established education platforms,” creating websites and profiles intended for class use only.
  • Notify parents of any decision to use social media platforms in the classroom, and consider giving them access to the sites.
  • Maintain a formal, courteous professional tone at all times, across all platforms.
  • Remove any “inappropriate content” that either they or others post to private accounts and assume that anything posted online can be accessed and altered.

Teachers are cautioned against:

  • Exchanging private texts, phone numbers, personal e-mail addresses with students.
  • Accepting students’ “friend” requests, or issuing “friend” requests to students.
  • Enabling any students to post to teachers’ social media accounts.
  • Creating an alter ego. (Courts can compel disclosure of your true identity, the report advises, so be transparent and authentic.)
  • Divulging student information
  • Criticizing students, colleagues and superiors and making “impulsive, inappropriate or heated comments.” [Source]

 

Other Jurisdictions 

AU – Right to Sue if Online Privacy Violated: New Law Recommended

A Senate Committee Report into the online privacy of Australians using the internet recommends giving all Australians a legislated right to online privacy, something which does not presently exist, Committee Chair Senator Mary Jo Fisher said. “This would mean a person could take legal action if his or her online privacy were seriously invaded,” Senator Fisher said. “The Report also recommends allowing an individual online user to dictate the amount of personal data that a web service provider can collect and use to target them with advertisements, through a ‘Do Not Track’ model,” she said. “The Committee recommends increasing the scope for the Office of the Privacy Commissioner to handle complaints about the use of online privacy consent forms.” [Source]

IN – Indonesian Lawmaker Resigns After Being Caught Watching Porn in Parliament

An Indonesian lawmaker who helped pass a tough anti-pornography law resigned Monday after he got caught watching sexually explicit videos on his computer during a parliamentary debate. The scandal has transfixed this predominantly Muslim nation since a local photojournalist filmed Arifinto, a member of the staunchly Islamic Prosperous Justice Party, gazing at the downloaded porn sites. [Source]

MX – Update on Mexico’s New Privacy Law: No Immediate Enforcement

Mexico’s data protection authority will not rush to carry out compliance inspections or take enforcement actions when rules implementing the country’s new data protection law begin taking effect in July, the head of the DPA, the Instituto Federal de Acceso a la Información Pública (IFAI), said March 10 at a conference. As soon as the final rules are published in July, the government expects businesses and other covered entities to begin following the basic requirements that they appoint an individual to be in charge of data protection and establish written data security and privacy policies, IFAI President Commissioner Jacqueline Peschard Mariscal said. [Source]

NZ – Juror Privacy to be Tightened

Legislation that will enhance the privacy, safety and security of jurors has been introduced to the New Zealand Parliament. Justice Minister Simon Power said the Juries Amendment Bill included a provision to remove the addresses of potential jurors from jury panel lists. The move comes after convicted murderer George Baker wrote to a juror whose name he saw on a list while he was representing himself in a trial. Currently, a jury list must contain the name, occupation, date of birth and full address of potential jurors. Since 2008, self-represented defendants have been prohibited from keeping a copy of the jury list or taking notes, but they can inspect it under supervision. In addition, where there is a real risk that an accused may intimidate jurors, the prosecutor can apply for a judge-alone trial. Mr Power said those changes were made to protect the privacy of jurors, but the Baker incident highlighted the need to further restrict access to the information. The proposed changes in the bill will:

  • remove the addresses of potential jurors from jury lists;
  • allow the prosecution, defence lawyer, or the court-appointed adviser to defendants representing themselves to have automatic access to all address information on request;
  • prevent the accused from ever seeing potential jurors’ addresses by prohibiting the defence lawyer or court-appointed adviser from showing the addresses to the accused;
  • extend the section of the Juries Act which makes it clear that misconduct in relation to jury lists may be treated as contempt of court to include the act of showing the accused, or any other person, jurors’ addresses; and
  • bar people from serving on a jury if they have, in the previous five years, been sentenced to home detention for three months or more. This puts them in the same category as those sentenced to a short term of imprisonment. [Source]

 

Privacy (US) 

US – US Judge Trying to Determine if Google Breached Wiretap Law

A federal judge presiding over combined lawsuits against Google over its inadvertent collection of packets sent over unprotected wireless networks is trying to decide if Google breached the Wiretap Act. US District Judge James Ware is seeking a definition of “radio communication” under the Wiretap Act to determine whether or not home Wi-Fi networks fall under this purview. Google says they do, while the plaintiffs’ legal team says that the data were only sent over radio waves while traveling between a home router and a laptop. Both parties agree that eavesdropping on cordless phones is illegal. [Source]

US – Google Settles With FTC Over Buzz Privacy Charges

On Wednesday, March 30, Google settled deceptive privacy practice charges from the Federal Trade Commission regarding its social networking tool, Buzz. The terms of the settlement call for Google to launch a privacy program and undergo regular third-party audits for 20 years. The settlement does not impose a fine, but Google could face fines if it violates the terms of the settlement. The settlement is the first in which the FTC has ordered a company to implement a comprehensive security policy. On the same day, Google launched a new social networking tool called +1; it allows users to annotate search results to recommend pages to friends. [Google must undergo privacy reviews for next 20 years] [Source] [Source] [Source] [Source]

US – Infra-Red Camera Scheme Put On Hold Over Privacy Concerns

A project in Boston designed to educate home owners about energy efficiency has been put on hold due to privacy concerns. The city was due to have a number of infrared cameras installed that would take aerial and street-level photos across approximately four miles in order to show heat loss in homes during the winter months. Boston officials planned on sharing the photos and analysis with home owners and were hoping the findings would increase enrolment in efficiency programs and also create business opportunities. The cameras were similar to the van-mounted cameras that take street view photos for Google maps and were built by researchers at the Massachusetts Institute of Technology. Besides just helping the average consumer, it was thought the technology, offered by a company called Sagewell, could benefit larger groups, businesses and cities that want to save energy and money. Officials had planned to scan every building this way. But the project has been put on hold after the ACLU of Massachusetts raised concerns that the infra-red cameras would reveal information about what is going on inside the homes, as they can take up to 20,000 images of homes per day. [Source]

RFID 

EU – EU Commission, Firms Sign Privacy Deal On Smart Tags

The European Commission signed a voluntary agreement with companies that make or use smart tags, establishing privacy guidelines over the rapidly growing use of the identification chips. The new voluntary rules, to take effect before the end of the year, require companies to conduct a privacy risk assessment before putting a smart tag product on the market. About 1 billion smart tags – also called radio frequency identification devices or RFIDs – are expected to be used in Europe this year. The number of smart tags used worldwide is predicted to rise to 50 billion by 2020 from an estimated 2.8 billion this year, according to industry forecasts. Risk assessments would have to take into account the possible damage from personal data falling into the wrong hands, as well as suggest steps to prevent or mitigate any impact. [Source]

US – ‘Ready Lane’ Opening at Peace Arch Crossing

It soon should be easier for motorists with an enhanced driver license to pass through Peace Arch border crossing into Canada at Blaine. U.S. Customs and Border Protection opens a “ready lane” next week to expedite travelers with radio frequency identification (RFID) documents. In addition to the Washington enhanced driver license, they include the NEXUS card, new permanent resident card and U.S. passport card. Customs and Border Protection spokesman Thomas Schreiber says the ready lane should be 10-to-15 seconds faster per car, which can make a big difference over time in a line of traffic. The agency is demonstrating the ready lane Thursday. It goes into operation next week. [Source]

Security 

US – SEC Fines Three for Failing to Protect Customer Data

The US Securities and Exchange Commission (SEC) has fined former employees of broker-dealer GunnAllen Financial for failing to adequately protect customer data. The company was liquidated in November 2010; the SEC maintains that GunnAllen former president Frederick O. Kraus and former national sales manager David C. Levine broke privacy rules when Kraus authorized Levine to take information about 16,000 clients with him to his new job; the data were transferred on a thumb drive. Kraus and Levine were fined US $20,000 each. Former chief compliance officer Mark A. Ellis was fined US $15,000 for failing “to ensure that the firm’s policies and procedures were reasonably designed to safeguard confidential customer information.” The case is the first in which people have been fined solely for violating the SEC’s Safeguard Rule, or Regulation S-P, which requires financial advisers and institutions under SEC jurisdiction to protect customer data and give customers the opportunity to opt out of having their information shared with unaffiliated third parties. [Source] [Source]

US – FBI, DoJ Act to Block International Botnet

The Justice Department and FBI have taken what they characterize as the most complete and comprehensive action ever by American authorities to disable an international botnet known as Coreflood, which is believed to have been operating for nearly a decade and infected more than 2 million computers worldwide. The U.S. attorney in Connecticut filed a civil complaint against 13 John Doe defendants, alleging that they engaged in wire fraud, bank fraud and illegal interception of electronic communications. Authorities also seized five command and control servers that remotely controlled hundreds of thousands of infected computers as well as 29 domain names used by the Coreflood botnet to communicate with the command and control servers. The government said it replaced the illegal servers with substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties. The government also obtained a temporary restraining order, authorizing the government to respond to signals sent from infected computers in the United States to stop the Coreflood software from running, which they contend would prevent further harm to hundreds of thousands of unsuspecting users of infected computers. Authorities said Coreflood records keystrokes and private communications on a computer. Once a computer is infected with Coreflood, it can be controlled remotely from another computer. Coreflood steals usernames, passwords and other private personal and financial information allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts. In one example described in court filings, through the illegal monitoring of Internet communications between the user and the user’s bank, Coreflood was used to take over an online banking session and caused the fraudulent transfer of funds to a foreign account. [Source]

Surveillance 

US – Requests for Stored Communication Data Not Reported

While US law requires reporting of requests to intercept communications data in real-time, no such requirement exists for requests for stored communications data. Christopher Soghoian, in his research article “The Law Enforcement Surveillance Reporting Gap,” says that law enforcement agencies have made tens of thousands of requests for stored data from companies like Facebook and AOL. Not only is it easier for law enforcement to get their hands on the information once it has become stored communication, but it is considerably less expensive, too. At one US service provider, wiretaps can run into the thousands of dollars, while account information is provided for US $40. [Source] [Source] [Read full article]

CA – B.C. Transit Tests Security Cameras on Victoria Buses

B.C. Transit is using Victoria as a testing ground for security cameras on its buses. Closed circuit television cameras have been installed on three vehicles as part of a year-long trial. In addition to monitoring security, they will also record traffic incidents. Information gathered will help charter policy on the use of security cameras in B.C. Transit properties throughout the province, said Transit spokeswoman Joanna Linsangan. “It won’t just impact Victoria itself but also province-wide,” she said. The trial will show how well the system performs, where cameras can be best placed and how they affect operations. It will also identify any support or infrastructure needs. “Every camera has audio,” said Stephen Anderson, B.C. Transit senior manager corporate safety and security. “We can isolate audio from every camera and understand what happened — what communications happened between the driver and the member of the public during and after an incident.” Notices on each bus inform passengers of the video surveillance. Information is stored on a hard drive for one week before being over-written. It will only be accessed if an incident is reported, Anderson said. The Information and Privacy Commissioner’s Office has been consulted on the plan. [Source]

Telecom / TV 

US – Justice Department Opposes Digital Privacy Reforms

The U.S. Justice Department has offered what amounts to a frontal attack on proposals to amend federal law to better protect Americans’ privacy. James Baker, the associate deputy attorney general, warned that rewriting the 1986 Electronic Communications Privacy Act, or ECPA, to grant cloud computing users more privacy protections and to require court approval before tracking Americans’ cell phones would hinder police investigations. This appears to be the first time that the Justice Department has publicly responded to a set of digital privacy proposals unveiled last year by a coalition of businesses and advocacy groups including AT&T, Google, Microsoft, eBay, the American Civil Liberties Union, and Americans for Tax Reform. The Digital Due Process coalition hopes to simplify the wording while requiring police to obtain a search warrant to access private communications and the locations of mobile devices–which is not always the case today. A group of conservative and libertarian groups sent a letter to Leahy and Grassley urging them to move “immediately” to “extend the Fourth Amendment’s protections against the unreasonable search and seizure of digital documents and other electronic information.” It was signed by groups including TechFreedom, the Competitive Enterprise Institute, FreedomWorks, and the Liberty Coalition. “The current standards are messy, inconsistent, and unclear,” says Julian Sanchez, a research fellow at the libertarian Cato Institute, which is not part of either group. “I think DOJ has realized is that this is largely severable from the question of whether you…establish consistency in favor of uniformly protecting privacy–or uniformly permitting easier government access.” Baker, the associate deputy attorney general, also offered two suggestions: that any ECPA rewrite might include “the disclosure by service providers of customer information for commercial purposes,” and that the practice of telecommunications companies charging fees for the time it takes to process routine police requests should be curbed. The second suggestion, Sanchez suggested, might end up being used by the Justice Department as a bargaining chip “to splinter the telecom-civil libertarian coalition.” As for the first suggestion, Marc Rotenberg, director of the Electronic Privacy Information Center, said his group never joined the Digital Due Process coalition because it was “unwilling to address that issue which, we believe, for users is straightforward and obvious.” “ECPA amendments should cover commercial use of user data,” Rotenberg said. [Source]

US Government Programs 

US – Appeals Court Upholds Warrantless Laptop Border Searches

A 2-1 decision from the 9th US Circuit Court of Appeals says that US government authorities may seize digital devices at US borders without warrants and keep them for days while searching their contents. The case in question involves a man whose laptops and camera contained child pornography images. ICE agents seized the devices and transported them 170 miles to be searched. [Source] [Source] [6,500 warrantless searches since 2008].

US Legislation 

US – Sens. Kerry, McCain Introduce Online ‘Privacy Bill of Rights’

Sens. John Kerry and John McCain have teamed up to introduce a bill that would provide Internet users with a commercial privacy bill of rights. The Commercial Privacy Bill of Rights Act of 2011 is intended to create a framework to protect the personal information of all Americans. Customers should have the right to security and accountability, the right to know how their information is being used, and the right to have the smallest amount of data collected about them as possible, the senators said. Kerry, a Massachusetts Democrat, said in a statement that “Our bill makes fair information practices the rules of the road, gives Americans the assurance that their personal information is secure, and allows our information driven economy to continue to thrive in today’s global market.” McCain, an Arizona Republican, said the bill allows companies to continue marketing and advertising to consumers, but “does not allow for the collection and sharing of private data by businesses that have no relationship to the consumer for purposes other than advertising and marketing.” Specifically, the bill states that:

  • Collectors of information must implement security measures to protect the information they collect and maintain.
  • Collectors of information must provide clear notice to individuals on the collection practices and the purpose for such collection.
  • Collectors of information would be required to collect only as much information as necessary to process or enforce a transaction or deliver a service, but allow for the collection and use of information for research and development to improve the transaction or service and retain it for only a reasonable period of time.

Companies must provide users with the ability to opt-out of data collection unauthorized by the bill and opt-in to the collection of personally identifiable information. This requires a “robust and clear notice” about data collection, and the ability of users to access and correct their information. The bill would be enforceable by state attorneys general and the FTC, though not at the same time. It also bans private rights of action. The FTC would also be able to approve nongovernmental organizations to oversee safe harbor programs that would have “the ability to be exempt from some requirements of the bill.” The Department of Commerce can weigh in on these exemptions, which it will submit to the FTC. The bill comes several weeks after the Obama administration gave its seal of approval to a “consumer privacy bill of rights” intended to allow consumers to avoid unwanted online tracking or data collection. Microsoft, HP, Intel, and eBay released a joint statement in support of Kerry and McCain’s bill. The Center for Democracy & Technology said the bill “contains many strong elements.” [Source]

US – Critics Say Proposed Online Privacy Law Does Not Go Far Enough

US lawmakers have proposed legislation that would allow Internet users the right to demand that their online activity not be tracked. The Commercial Privacy Bill of Rights, sponsored by Senators John Kerry (D-Massachusetts) and John McCain (R-Arizona), requires that consumers deliberately opt out of tracking practices through links on websites, drawing criticism from some groups who say the proposed law does not go far enough. Some critics would like to have a universal opt-out capability so consumers do not have to perform the cumbersome task of opting out on every site they visit. The bill does require that websites provide clear information about their data collection practices and that the organizations collect only as much information as necessary to conduct transactions or render services. The bill does not apply to data mining, surveillance or other actions used by governments to collect personal data. Local, state and federal law enforcement agencies are exempt, as are government agencies. [Source] [Source] [Source] [Bill]

Workplace Privacy 

CA – Good News For Employers: Right to Manage Sets Limits on Employee Privacy

Three arbitration decisions have been released that support an employer’s right to manage the safety, security and efficiency of its operations through the introduction of policies relating to workplace technology, periodic police record checks, and cell phone records checks, even though these may affect employee privacy rights. 

  • In the 2010 decision of International Union of Elevator Constructors, Local 1 v. Otis Canada Inc. [2010] B.C.C.A.A.A. No. 121 (QL), Arbitrator John Steeves ruled that telematic devices in the employer’s company vehicles did not violate employee privacy rights. Otis Canada Inc. had installed devices in its cars that used satellite technology to provide information about the start, stop and idle time of each vehicle, along with the name of the employee driving the vehicle. The information was available to managers and was used to evaluate fuel efficiency, determine if regular maintenance was being done, and whether there was any unauthorized use of the vehicle (the company had a strict policy prohibiting personal use of company vehicles). The devices did not have GPS technology, so they could not provide detailed information about the location of the cars. The union representing the employees filed a policy grievance alleging that the employer was collecting personal information (the employee’s location) through the telematic devices, and thereby violating the collective agreement and British Columbia’s Personal Information Protection Act (PIPA). The employer argued that the information being collected was related to its business, and therefore did not constitute “personal information” under PIPA. Further, if the information was “personal information,” then both the collection and the use were reasonable. The grievance was dismissed. Arbitrator Steeves found that the devices were used to record the working time of employees and that this formed part of the company’s general management rights to know what its employees are doing when they are working and when they are using company vehicles. He also found that the only personal information being collected was the employee’s name, and that this did not violate PIPA. There was the potential to use the information to investigate and discipline an employee, but the data being collected by the devices itself did not meet the definition of “personal information,” and therefore there was no violation of employee privacy in the circumstances.
  • A second policy grievance relating to employee privacy rights was dismissed by Arbitrator Wayne Moore in Vancouver Firefighters’ Union, Local 18 v. Vancouver (City) [2010] B.C.C.A.A.A. No. 81 (QL). In this case, the union grieved a policy introduced by the City of Vancouver requiring those employees in its Fire & Rescue Services Department who held “designated positions of trust” to submit to police record checks every five years. These positions were identified primarily as those that have ongoing or significant relationships with vulnerable people or where the main duties involve protecting the security of people and/or material assets. Employees who failed to comply with the policy ran the risk of being disciplined or discharged. The union did not object to the employer’s practice of requiring police record checks at the time of hire, but argued that the ongoing requirement to disclose information about an employee’s police record, and the requirement that record checks be provided at five-year intervals, breached employees’ statutory and common law rights to privacy and exceeded the employer’s management rights under the collective agreement. The employer asserted that the policy was in furtherance of its legitimate interest in providing safe and effective services to the public. Arbitrator Wayne Moore upheld the policy with slight modifications. He noted that it was necessary for the employer to determine the suitability of employees, considering its interests in protecting the safety of the public and the security of the public’s property, as well as in ensuring the integrity of its operations and employees. In reaching his decision, Arbitrator Moore noted that in light of the need to maintain public trust and the integrity of its operations, the employer should not have to wait for complaints of misconduct before ensuring that the employees who hold designated positions are appropriate for the job. In his decision, Arbitrator Moore noted that this was not a blanket requirement of a criminal record check on all employees, but was limited to particular employees who had some degree of choice in deciding whether to apply for designated positions.
  • The third decision in this employer-friendly trilogy is that in the case of Teamsters Canada Rail Conference v. Canadian Pacific Railway Company (Case No. 3900, Canadian Railway Office of Arbitration & Dispute Resolution). After a number of serious collisions in the railway industry in North America, the Canadian Pacific Railway Company adopted a policy of asking employees to provide copies of their personal wireless telephone records as a routine part of investigations where a significant accident or incident remained otherwise unexplained. In the policy grievance that ensued, the union argued that the company’s request was unreasonably intrusive and violated employee privacy rights, and pointed to a decision by the Privacy Commissioner of Canada in which it was held that telephone records are “personal information” within the meaning of the federal Personal Information Protection and Electronic Documents Act (PIPEDA). After emphasizing the highly safety-sensitive nature of railway operations in Canada, Arbitrator Michel Picher dismissed the grievance and found that the company’s policy was compliant with the requirements of PIPEDA. In his decision, he noted that given the particular nature of railway operations, “There must be an inevitable balancing of interests between the privacy rights of employees and the interests of a railway employer to ensure safe operations.” In addition, Arbitrator Picher was influenced by the fact that the infringement was very narrow and that the company was not seeking any information beyond whether a cell phone had been used in close proximity to a railway accident. There was no attempt to go “behind the privacy” into the contents of any wireless communication. This finding is comparable to the Otis Canada Inc. finding; in that case, the information from the telematic devices only collected the name of the mechanic/driver and no other information personal to the individual, so it was found to be a narrow infringement on privacy.

Key Points for Employers:

  • Employers have a right to ensure the efficient, safe and secure operation of their business. In some circumstances, the exercise of management rights will permit a reasonable intrusion upon employee privacy.
  • The implementation of technology, policies or practices that permit employers to collect, use and disclose personal information should be as narrow as possible in the circumstances, and should focus on legitimate interests such as ensuring the safe and effective operation of the business.
  • In order to minimize the likelihood of a successful complaint or grievance as a result of the introduction of new technology or policies in the workplace, consider providing notice of the changes and informing employees of the objectives behind implementing the technology or policy. [Source: Mondaq news]

IS – Israel Monitoring Employees’ Email Severely Restricted

In a 91-page opinion, the National Labor Court laid down a clear set of rules on employers’ right to monitor their employees’ email messages. The rules impose severe restrictions on that right and employers should consider reforming their workplace policies accordingly. The issue that was brought before the court was whether an employer may access employees’ email messages and submit them as evidence in the course of court proceedings brought by the employee against the employer. Typically, the employer wishes to present evidence obtained from the employee’s email account, in an effort to dismiss the employee’s claim for unlawful termination. However, a “Fruit of the poisonous tree” evidential rule under the Privacy Protection Act prohibits submission of evidence obtained through invasion of privacy. Chief Judge Nili Arad delivered the National Labor Court’s opinion on two appeals from District Labor Courts that reached inconsistent decisions related to the employers’ rights in that respect. The court laid down the following principles:

  • In light of the employer’s proprietary interest in the workplace and managerial prerogative, the employer should set a balanced policy for use of the corporate IT and email systems. The employer must bring the policy to the attention of the employees and must incorporate the policy into their personal employment contracts.
  • A clear line should be drawn between an email account allocated by the employer to an employee and an employee’s private email account, such as a webmail account.
  • An employer may allocate accounts to employees and designate them for work related purposes only (‘professional purpose accounts’), or for personal purposes as well (‘dual purpose accounts’), or for the employer’s personal purpose only (‘personal purpose account’).
  • If the employer makes the employees aware of the e-mail monitoring policy, then the employer may monitor the traffic data and contents of professional purpose accounts. However, if an employee uses the mailbox for personal e-mail exchange, even if in violation of the corporate policy, then the employer may access the personal messages in that account only subject to the employee’s explicit, informative and freely given consent and only if the contents of such personal messages are unlawful or abusive.
  • The employer may monitor and access personal messages in dual purpose and personal accounts, subject to the following terms: (1) There are unusual circumstances that justify access to the messages; (2) The employer first uses less invasive tools that reveal the monitored employee's misconduct; (3) The employee gives explicit, informative and freely given consent to the corporate policy and specifically to the monitoring of or access to his personal (not work-related) messages; (4) The employee provides specific consent to each access by the employer to the contents of personal messages in a dual purpose account, or specific consent for any surveillance activity by the employer which includes access to a personal account, and to personal content in such account.
  • An employer may not monitor or access an employee's private email account, even if the employee uses the workplace IT system to access the account and even if the employee consented to such access. An employee's private account may be accessed only subject to an appropriate court order, which courts grant on rare occasions.
  • Based on the principles laid down above, the court granted the employees' motion to suppress the evidence in both cases, because the employers obtained the evidence while unlawfully invading the privacy of their employees.

Employers should carefully study the opinion and make all necessary adjustments to comply with its requirements. Specific attention should be given to the corporate policies, employment contracts, adequate consent processes and to harmonizing the corporate information security system and policies with a new pro-privacy workplace environment. [Source]

+++
