16-25 November 2015

Big Data

UK – ICO Recommendations to Committee Inquiry on Big Data

Data anonymisation removes an area of risk for organisations (since the data will no longer be personal data subject to the Data Protection Act); organisations that re-identify individuals from anonymised datasets take on all the responsibilities of a data controller (including telling individuals concerned that they are processing their personal data), and are subject to regulatory action if processing personal data without an individual’s knowledge. [ICO]

WW – MAC addresses: the Privacy Achilles’ Heel of the Internet of Things

A MAC address is a unique identifier for a device, and for something regularly worn or carried by a person, it is effectively a unique identifier for that person. To illustrate what sort of information can be deduced from a MAC address, American designer, innovator and anti-surveillance specialist Adam Harvey demonstrated a program which secretly obtained the MAC addresses of smartphones present at an IT security event. He was able to find the Wi-Fi networks that each phone had connected to and thus trace the owners’ movements around the world. Harvey spoke of how such information could be used: “If I were malicious I could construct a highly targeted phishing attack by saying ‘I see you’ve been to the Grand Hotel, did you enjoy your stay there?'” The MAC address could also be used by malicious actors to trigger a bomb when a certain person enters a room, or by a workplace to secretly track employees’ movements. “The uses are endless, and when you don’t have a way of controlling the MAC address then you’re forced to reveal yourself. It’s not much different to walking around electronically naked, as Edward Snowden said. Of all the metadata consumers are aware of, location is the one that touches intuitively on their privacy sensitivities. It’s why they avoid downloading apps with location permissions, or turn off that service for apps that seek access to location.” Consumers are right to be concerned, location is the most insightful of data. A 2012 survey by the Pew Research Centre (PDF) found that 54% of smartphone users had decided not to install an app after learning how much personal information they would need to share to use it, while 30% disabled location on their phone. A later survey by Trust-e found that after contacts, location data was the information that users are most reluctant to share. [Computing]


CA – 2015 Theme #1: Acceleration of Privacy Class Actions

The past year has seen a number of decisions in privacy class actions. They confirm that privacy claims in tort can co-exist with comprehensive privacy statutes (at least in Ontario), that the tort of “publicity given to private life” may exist in Canadian law, that class representatives in privacy cases may conceal their identities with pseudonyms in appropriate cases, and that the focus of discovery in privacy class actions will be on defendants’ obligations and conduct. All of the decisions discussed in this article eliminate or reduce potential obstacles to privacy class actions, and so they may signal that more privacy class actions will be brought and potentially certified in 2016. [Lexology] See also: [A New Era for Privacy Class Actions – Hopkins v. Kay and Implications for the Health Industry]

CA – SK OIPC Issues Privacy Impact Assessment (PIA) Guidance

The Saskatchewan Privacy Commissioner’s new guidance includes how, when, what questions to ask when conducting a privacy impact assessment (PIAs should conducting to assess whether a project complies with privacy legislation). Some questions organisations should ask is whether PI/PHI will transmitted, processed, and/or stored, does the legislation authorize the collection of PI/PHI, will PI/PHI be stored within the province, and are there policies and procedures in place to guide employees on the handling of the PI/PHI. [Guidance] [Press Release] See also: [Privacy Breach: OIAPC NB Finds Department of Health Did Not Conduct A Privacy Impact Assessment Before Implementing System Changes]

CA – BC OIPC Recommends Social Media Companies, Schools and Government Develop Cyberbullying Strategies

Social networks should develop policies/processes to permit the removal of PI in cases of cyberbullying or where it has been inappropriately posted without consent; schools should ensure their codes of conduct address cyberbullying, and the government should develop prosecution guidelines for the application of criminal law to cyberbullying cases. [Press Release] [Report]

CA – Superior Court Finds IPC Decisions Covered by Parliamentary Privilege

The IPC’s MFIPPA tribunal function relates only to access to information appeals and does not include adjudication of complaints regarding privacy breaches (but it can do so at its discretion to assist in reporting to the legislature on the practices of institutions); requiring the IPC to investigate would undermine the Legislature’s confidence in the IPC’s ability to prioritize cases that warrant investigation, or allocate resources – the Court does not have jurisdiction to decide whether the IPC properly refused to investigate a complaint or not. [de Pelham v Peel Regional Police Services – 2015 ONSC 6558 – CanLII]


US – Data Privacy and Security Curriculum Released for K-12 Schools

It is essential that children learn about data privacy and security. Their lives will be fully enveloped by technologies that involve data. But far too little about these topics is currently taught in most schools. The Internet Keep Safe Coalition (iKeepSafe), a nonprofit group of policy leaders, educators, and various experts, has released the Privacy K-12 Curriculum Matrix. It can be used by any school, educator, or parent. It contains an overview of the privacy issues that should be taught, including which details about each issue should be covered in various grade levels. It includes suggestions for appropriate learning activities for each grade level. Data security is encompassed within this curriculum too, as it is deeply intertwined with privacy. [Daniel Solove]

Facts & Stats

WW – Google Receives 2 Million Privacy Takedown Requests Each Day

Google has come clean about the number of privacy takedown requests it’s currently receiving from copyright holders around the world. The web giant’s latest Transparency Report confirms that it is being served with a staggering 2 million of these requests each day. That figure – which equates to 25 requests a second or around 2,160,000 a day – has doubled over the last year as the war on piracy rages on. These stats include multiple takedown requests for the same website, so last month’s came from 5,492 rights holders about 72,207 domains. [digitalspy.com]


CA – BC Commissioner to Audit Vancouver’s Info Management Practices Following Provincial Scandal

The City of Vancouver’s handling of access to information and protection of privacy is coming under the microscope of the BC Privacy Commissioner, who said it isn’t acting on a complaint but wants to make sure Vancouver’s record-handling practices comply with the provincial Freedom of Information and Protection of Privacy Act. “Unlike the Oct 2015 Access Denied report [Press Release] which was focused on responding to specific complaints, this is a broader, in-depth report. It is part of our audit and compliance program,” said spokeswoman. [Vancouver Sun] SEE ALSO: [Dark Picture Painted of B.C. Information Laws at Vancouver hearings] and [Vancouver Mayor Robertson Defends City Hall’s Access To Information Practices] [B.C. information watchdog says probe of Vancouver city hall will delve deeper than investigation of B.C. governmentText

Health / Medical

AU – Australian DPA Document Identifies When PHI May Be Processed for Research Purposes

Circumstances under which collection may take place without consent include where the research is relevant to public health or safety, it is impracticable to seek consent, were de-identified data does not serve the research purpose, or where collection is required by law or in accordance with rules/guidelines. [Office of the Australian Information Commissioner: Business Resource: Collecting, Using and Disclosing Health Information for Research]

AU – Australian Privacy Commissioner Issues Guidance on Direct/Indirect Collection of PHI

Health information must be collected directly from the patient unless it is not reasonable or practical to do so based on factors such as how sensitive the information is, whether a reasonable person might expect their information to be collected directly or indirectly, what is accepted practice by consumers and the health sector (e.g. a pathologist collecting a specimen and accompanying information from a referring provider) or emergency situations where it is collected from relatives. [OIC Australia – Consultation Information – Collecting Patients Health Information]

Law Enforcement / Security

US – Police Body Cams Found Pre-Installed With Notorious Conficker Worm

Multiple police body cameras manufactured by Martel Electronics came pre-installed with Win32/Conficker.B!inf, according to security firm iPower. When one such camera was attached to a computer in the iPower lab, it immediately triggered the PC’s antivirus program. When company researchers allowed the worm to infect the computer, the computer then attempted to spread the infection to other machines on the network. iPower decided to take the story public due to the huge security implications of these cameras being shipped to government agencies and police departments all over the country. It’s troubling because the cameras can be crucial in criminal trials. If an attorney can prove that a camera is infected with malware, it’s plausible that the vulnerability could be grounds for the video it generated to be thrown out of court, or at least to create reasonable doubt in the minds of jurors. Infected cameras can also infect and badly bog down the networks of police forces, some of which still use outdated computers and ineffective security measures. [Ars Technica]


WW – How Uploading Pictures of Your Pet Cat Can Breach Your Privacy

A Florida professor has shown how innocently uploading a picture of your pet cat can allow stalkers to pinpoint exactly where the image was posted. He created a website ‘I know where your cat lives‘ to raise awareness of how people were giving up their privacy online. Location data is often added to images via the camera itself or an accompanying app, providing details on where the photo was taken to within eight metres. He launched the website in July 2014 which now has 5.3 million cat pictures taken on social media from sites such as Instagram and Flickr plotted on a Google Atlas map. The map can zoom into a specific location. “Geographic data is sensitive. A picture can only say so much. But if someone wants to do you harm or stalk you, or you live in a place where free speech is limited, anyone can track where you are.” [Mail Online]

Other Jurisdictions

WW – Five Things You Need to Know About Transferring Data Out of Europe

The U.S.-EU Safe Harbor agreement on transatlantic data transfers is dead. What now?

  1. It only concerns personal data
  2. It’s not the only way to transfer data legally
  3. Your cloud provider may already have your back
  4. Even the alternatives to Safe Harbor may prove inadequate
  5. January 31 is when things get interesting  [ComputerWorld]

CA – Trans-Pacific Partnership: Key Takeaways from the Legal Text

Multiple elements of the TPP – including the chapters on electronic commerce, telecommunications and intellectual property – will have an impact on privacy. Most notably, the chapter on e-commerce places limits on restricting international transfers of information. The TPP requires each country to allow the cross-border transfer of information, including personal information, by electronic means when this activity is for the conduct of the business of a covered person. A country may, however, have its own rules concerning electronic transfers of information to achieve a legitimate public policy objective, provided that the measure (i) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and (ii) does not impose restrictions on transfers of information greater than are required to achieve the objective. The TPP also prohibits the imposition of measures requiring a covered person to use in-country data centres as a condition for conducting business in that country, unless the measures can be justified as necessary to achieve a legitimate public policy objective and meet conditions of not being discriminatory, arbitrary or a disguised restriction on trade. Exceptions for the application of the above rules have been provided for financial institutions, public procurement or information processed on behalf of the government. [Osler Law]

Mobile Privacy

WW – Key Takeaways on Mobile Apps and Privacy Study

A new Pew Research Center report examines more than 1 million apps available in the Google Play Store from June to September 2014 and explores the wide range of permissions that Android apps require as a condition of use. Pew Research also surveyed Americans about their privacy concerns relating to apps and found many are cautious when it comes to how apps use their personal data. Here are five takeaways from the report:

1)   6/10 downloaders chose not to install an app when they discovered how much personal information the app required in order to use it. Separately, 43% have uninstalled an app for the same reason after initially downloading it.

2)   A majority cited concerns about how their personal data are used as a reason why they would or would not download an app.

3)   Most Android app permissions seek access to a device’s hardware, rather than a user’s personal information.

4)   The most common Android app permissions allow access to a smartphone’s internet connectivity. The average app requested five permissions before installation.

5)   A majority of Android apps we analyzed were free. On average, free apps ask for two more permissions than paid apps (six permissions vs. four).

[Pew Research] Details on the full methodology are available here.

Workplace Privacy

CA – Employer Cannot Use Video Surveillance for Disciplinary Purposes: Ontario Arbitrator

The collective agreement between the employer and the union prohibited the use of video surveillance for any purpose other than security and the employer’s own policies stated that video footage would only be used in the event of a complaint (there was no complaint against the employee). [The Corporation of the City of Niagara Falls v Amalgamated Transit Union Local 1582 – 2015 ONLA 67502 – CanLII]





Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: