01-21 February 2018

Biometrics

US – Customs Aims to Replace Airport Boarding Pass with Facial Recognition

The U.S. Customs and Border Protection plans to use facial recognition technology to replace traditional travel documents at U.S. airports. The federal agency recently started a joint facial recognition initiative with the U.S. Transportation Security Administration at Los Angeles International Airport. The plan is to streamline the travel process and bolster security by matching travelers’ facial image with travel documents. “The future of travel is going to be transformed by biometrics,” CBP Office of Field Operations Executive Director of Planning, Program Analysis and Evaluation Colleen Manaher explained. The hope, according to Manaher, is to allow a passenger to “go from reservation to destination and back home again” without using a passport, RFID document or boarding pass. NextGov

US – Study: Facial Recognition Accuracy Varies by Skin Color, Gender

A researcher at the MIT Media Lab found the accuracy of facial recognition technology depended on the subject’s skin color. Joy Buolamwini conducted an experiment to see if facial recognition technology could accurately identify a subject’s gender. When testing 385 photos of lighter-skinned males, the technology was accurate 99 percent of the time, but when testing 271 photos of darker-skinned females, the number of errors shot up to 35 percent. Buolamwini noted, “You can’t have ethical AI that’s not inclusive. And whoever is creating the technology is setting the standards.” [The New York Times See also: The Verge, Global News and PCMag]

Big Data / Analytics

EU – Commission Clarifies Promotion of Big Data Analytics

The European Commission issued a press release highlighting changes imposed by the GDPR. The GDPR encourages the use of data protection techniques (anonymisation, pseudonymisation and encryption), which allow raw data to be retained for Big Data while simultaneously protecting the rights of individuals; however, a business should be able to anticipate and inform individuals of the potential uses and benefits of Big Data, even if the exact specifics of the analysis are not yet known. [European Commission – Questions and Answers – General Data Protection Regulation]

CA – Canadian CEOs and Academics Push Ottawa for National Big-Data Strategy

Canadian CEOs and academics have been pushing Ottawa for months to develop a national strategy for harnessing data’s burgeoning power – an approach advocates say will pay dividends on everything from boosting economic growth to improving health care. Rapidly expanding technologies like artificial intelligence depend on vast amounts of high-quality data and the expertise to properly analyze it and use it. The potential benefits cut across sectors – from optimizing industrial processes, to improving the detection and treatment of disease, to exporting the resulting expertise abroad. But the big-data prize lies on the other side of some privacy and sovereignty minefields, demanding a thoughtful and careful approach. [Globe & Mail]

CA – Bank of Canada Warns of Threat from Big Data

The Bank of Canada is calling for tougher regulation to stop the spoils of innovation from being concentrated in the hands of a clutch of superstar tech giants. The benefits of the growing global economy are being spread unevenly across society, leaving too many people behind, senior deputy governor Carolyn Wilkins [here] said [PR here & remarks here] to a gathering of top officials from Group of Seven countries in Montebello, Que. The world’s five largest global technology companies have a market capitalization of US$3.5-trillion, or nearly a fifth the size of the entire U.S. economy, she pointed out. Those companies are Google parent Alphabet, Amazon, Apple, Facebook and Microsoft. Too much market and pricing power in the hands of few companies raises concerns about monopolistic behaviour, she said. Ms. Wilkins also raised a red flag about the impact of too much big data – massive amounts of data collected and analyzed by computers – falling into the hands of a few powerful companies. Ms. Wilkins is not alone in expressing concern about the robustness of Canada’s competition and privacy protections in the face of rapid technological change. Federal Privacy Commissioner Daniel Therrien, for example, has called for an update of the country’s privacy laws to give regulators more power and consumers more protection. [G&M see also: Financial Post and CBC News]

US – Researcher Exploring Economic Inequality with Facebook User Data

A study is currently underway to explore economic inequality in the U.S. by using Facebook user data. Stanford economist Raj Chetty, “a favorite among tech elites for his focus on data-driven solutions to the nation’s social and economic problems,” is leading the study, the report states. The research is focusing on the social connections of U.S.-based users. It is estimated that three out of five Americans currently use Facebook. Cecilia Muñoz, who led President Barack Obama’s Domestic Policy Council, said, “For a policy nerd like me, being able to see that quantifiable evidence about things lots of us have been debating in theory for a long time is absolutely huge.” Politico

WW – New Tool Uses AI to Automatically Read Privacy Policies

Researchers from Switzerland’s Federal Institute of Technology at Lausanne, the University of Wisconsin and the University of Michigan have developed a new tool designed to read privacy policies for users. Polisis is a website and browser extension designed to use machine learning to automatically examine an online service’s privacy policy. Within 30 seconds, Polisis can offer a user a readable summary of a privacy policy, tell a user what data the service collects and where it could be sent, and inform users whether they can opt out of the collection and sharing. The tool also has a chat interface to answer any questions about the privacy policy it has scanned. Wired

Canada

CA – Parliament Could Authorize CSE to Disable Computers Abroad

On February 13, Shelly Bruce, associate chief of the Communications Security Establishment (CSE), told [see here] the House of Commons Standing Committee on Public Safety and National Security [see here] that a Liberal bill [Bill C-59 see here] would help the Communications Security Establishment counter various forms of cyberaggression and violent extremism. The bill would give the agency the ability to disable computers located abroad, and possibly “corrupt information sitting on foreign servers.” The CSE has offered its assurances that it will not use any of its powers to build profiles on citizens. Rather, the agency seeks to only use the abilities to go after foreign servers if the CSE can determine information has been stolen from the Canadian government and to help in “covertly dismantling foreign-based systems used to disrupt the democratic system.” A December report by leading Canadian cybersecurity researchers [see 90 pg PDF here] said there is no clear rationale for expanding the CSE’s mandate to conduct offensive operations. It said the scope of the planned authority is not clear, nor does the legislation require that the target of the CSE’s intervention pose some kind of meaningful threat to Canada’s security interests. Bruce stressed the proposed legislation contains safeguards that would prohibit the agency from directing active cyberoperations at Canadians. It would also forbid the CSE from causing death or bodily harm, or wilfully obstructing justice or democracy. [The Globe and Mail | National Post | Here’s what you need to know about Canada’s ‘extraordinarily permissive’ new spying laws | If Canadian spies found a flaw in the iPhone, would they tell Apple? Make the policy public, critics say | Electronic spy agency watchdog asks for more powers]

CA – OPC: Canadians Concerned Over ‘Growing Risks to Their Reputation’

The OPC recently issued a report [see OPC PR here, report here & pre-report consultation info here] stressing both existing and proposed new legal measures to achieve better protection against online reputation harm, including the right to request search engines to de-index web pages that contain inaccurate, incomplete, or outdated information about themselves. The [report] says Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) [here], the federal privacy law for private-sector organizations, already includes certain protections for individuals. “At the core of the interpretation is Principle 4.6 [see here], which requires organizations to collect, use and disclose information that is accurate, complete and up-to-date,” said Commissioner Daniel Therrien. The report also highlights Principle 4.9, which states that “an individual shall be able to challenge the accuracy and completeness of [his or her personal information] and have it amended as appropriate.” Principle 4.9.5 states that “when an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required.” However, noted Therrien, there is currently no explicit reference in PIPEDA to de-indexing or the right to reputation, and so the OPC is asking Parliament to examine this issue to resolve any potential ambiguity. The OPC said that after seeking stakeholder views on the proposals outlined [see here], it will finalize its position and develop an action plan to put the new measures into practice. The OPC also announced that it is seeking enhanced powers with respect to protecting online privacy, including reputation. “I think it is important that we have order making powers and the authority to impose fines. This is an authority that other countries have given to their privacy commissioner or data protection authority,” said Therrien. [Lawyer’s Daily See also: Right to be Forgotten, eh? Canada’s Privacy Commissioner Says Law Requires Search Engine De-indexing | Éloïse Gratton Blog, Michael Geist Blog, Teresa Scassa Blog, Barry Sookman Blog, All About Information Blog, and The Canadian Privacy Law Blog]

CA – Why a Canadian Right to be Forgotten Creates More Problems Than it Solves

The right to be forgotten faces the challenge of balancing privacy protections with the benefits of the internet for access to information and freedom of expression. The Privacy Commissioner of Canada waded into the debate on Friday with a new draft report [see OPC PR here and report here] concluding that Canadian privacy law can be interpreted to include a right to de-index search results. The commissioner envisions a system that would allow Canadians to file de-indexing requests with leading search engines, who would be required to evaluate the merits of the claim and, where appropriate, remove the link from the search index or lower its rank to obscure the search result. Moreover, the commissioner would require search engines to actively block Canadians from accessing the offending links by using geo-identifying technologies to limit access in Canada to the results. The Privacy Commissioner’s proposal raises a plethora of concerns: 1) the claim that existing law includes a right to de-index search results stands on shaky ground; 2) the report’s conclusions stand at odds with the majority of responses generated by the Privacy Commissioner’s consultation [read submissions here]. [One] can be forgiven for wondering whether the report’s recommendations were a foregone conclusion; 3) the proposed approach features a remarkable level of micro-managing of search engine activity; 4) [It proposes] search engines to use geo-identifying technologies to block access in Canada to offending links; and 5) the report empowers search engines to play the role of judge and jury over the relevance and harm associated with links to content. [By Michael Geist – January 26, 2018 – The Globe and Mail]

CA – Will PEI’s Expanded FoI Law Diminish Solicitor-Client Privilege?

Solicitor-client info must be kept from information commissioner’s prying eyes, say lawyers. A provincial-government discussion paper [9 pg PDF here] is asking for feedback when it comes to the possibility of expanding P.E.I.’s Freedom of Information and Protection of Privacy Act (FOIPP) to include municipalities, post-secondary institutions and police forces. [It] also talks of a possible amendment that would give P.E.I.’s information and privacy commissioner the ability to access information claimed as solicitor-client privileged in order to assess that privilege when answering an information request. The paper’s release comes just as the [Canadian] Senate discusses Bill C-58 [here], a set of proposed changes to the “Access to Information Act” that could see the granting of similar power to Canada’s information commissioner. And it comes merely months after information commissioners from across Canada called for the legislative power to order the production of privileged materials [see here]. Charlottetown lawyer Jonathan Coady of Stewart McKelvey says such a move would mean the erosion of “a substantive right that is fundamental to the proper function of our legal system” and could lead to legal challenges. [The] discussion paper is asking for feedback when it comes to the possibility of expanding P.E.I.’s FOIPP to include municipalities, post-secondary institutions and police forces. [The Lawyer’s Daily] See also: CBA warns of court challenge to Bill C-58 if Ottawa persists with ‘incursions’ on privilege

CA – Quebec CAI Okays Retailer’s PI Collection

The Commission d’Accès à l’Information du Québec investigated Canadian Tire’s alleged violations of the Act Respecting the Protection of Personal Information in the Private Sector in response to a customer’s complaint that the retailer collected personal data that was unnecessary for returning a product. According to the CAI, the processing of customer names, addresses and phone numbers and viewing of their ID is necessary and proportionate for identity verification and fraud detection (for the return or exchange of products); the PI is not used for other purposes or stored at other locations, the ID is not retained, access to the PI is restricted and the PI is destroyed after 24 months, and the retailer clearly tells customers of its practices (online, in-store and on sales receipts). [CAI QC – Decision 1010268-S – Canadian Tire]

CA – ON Police Records Bill Has Yet to Go into Effect

Despite having been passed more than two years ago, the Police Records Check Reform Act has yet to go into effect. The law would prevent unproven allegations, mental health incidents, and withdrawn charges from appearing on the police records of innocent citizens. A report from the John Howard Society finds the delay has resulted in individuals losing out on career and volunteer opportunities. Ministry of Community Safety and Correctional Services Spokesperson Dorijan Najdovski said the agency is working on developing regulations to support the bill, while Toronto criminal defense lawyer John Struthers said the law is in danger of dying if it is not worked on by Ontario’s June election. [Toronto Star]

ON – IPC ON Highlights Gaps in Draft Children and Minors Regulation

The Ontario OIPC commented on proposed regulation to support the implementation of the Child, Youth and Family Services Act, 2017 that creates obligations for entities using PI for research and disclosing PI to prescribed and non-prescribed entities; approved research entities should not publish identifiable information, make contact with individuals without consent, use PI for non-permissible purposes, and minimum standards should be set for non-prescribed entities receiving PI to limit further PI disclosures, and contact with individuals. [IPC ON – Comments on the Proposed Regulation under Part X of the Child, Youth and Family Services Act 2017]

Consumer

CA – Invasion of Privacy Class-Action Against Equifax Proceeds in Ontario

A class-action lawsuit arising from last year’s Equifax cyber breach is proceeding in Ontario on the basis of a new invasion-of-privacy tort that has caught the eye of Canada’s property and casualty insurers because it allows courts to award damages even when no economic loss is proven. In a ruling released Jan. 24, Ontario Superior Court Justice Benjamin Glustein ruled [see here] that law firm Sotos [see statement of claim here] can proceed with a class action against Equifax Inc. and Equifax Canada Co. The representative plaintiffs are Bethany Agnew-Americano and a “Jane Doe” plaintiff who is requesting anonymity from the court because of the sensitivity of information that Jane Doe says fell into the wrong hands. At the same time, Justice Benjamin Glustein stayed a separate class action lawsuit against Equifax filed by Merchant Law Group on behalf of Laura Ballantine. The Jan. 24 ruling was not on the merits of the lawsuit but rather on which of two class-actions would proceed. Merchant Law – whose lawsuit is now pretty much dead in the water – had argued unsuccessfully that the Sotos lawsuit should not proceed. This is because Sotos wants one cause of action to be “intrusion upon seclusion,” which was recognized in 2012 by the Court of Appeal for Ontario as a new tort [see Jones v. Tsige here]. Justice Glustein decided it was not obvious that an intrusion-upon-seclusion lawsuit against Equifax would fail. [Canadian Underwriter]

CA – OPC Placing Focus on Children’s Online Reputation

The Office of the Privacy Commissioner of Canada released a draft report on protecting online reputations, with part of the paper focusing on the reputation of children. The commissioner’s report states young people face a tougher road when dealing with their online reputation, as they are essentially forced to operate on the internet. The agency also believes young people should be granted the ability to remove content from the internet once they become adults. While some instances may be as simple as deleting a photo, other material may be difficult to remove given the ease in making and distributing copies of online content. CBC News

EU – Survey: 34% of UK citizens will use RTBF once GDPR arrives

A survey conducted by 7stars found 34% of U.K. citizens will enforce their “right to be forgotten” once the EU General Data Protection Regulation goes into effect. Of the respondents to the survey, 75% said the U.K. government needs to make it clear how the GDPR will affect their lives, while 58% said the GDPR is a positive step in protecting their privacy. U.K. citizens said the GDPR would help them think more highly of businesses, as 32% of customers said the rules would lead them to place more trust in organizations in handling their data. [ComputerWeekly]

E-Government

CA – Privacy Act May Be Too ‘Permissive’ in Allowing Government Data Use

According to documents prepared for Privacy Commissioner of Canada Daniel Therrien, the Privacy Act may be too “permissive” in the ways it allows the federal government to collect and use the personal data of Canadian citizens. “We’ve seen numerous instances where — despite government itself not seeking to identify or track individuals — their program delivery decisions risked doing precisely (that),” the document states. The analysis is a warning for senior bureaucrats charged with finding new ways to deliver government services via technology, while ensuring privacy and transparency concerns are addressed. [Toronto Star]

US – Study: Federal Agencies Suffer Higher Volume of Data Breaches

A study conducted by the cybersecurity company Thales and analyst firm 451 Research found U.S. federal agencies suffer a higher volume of data breaches compared to the rest of the world. The study found 57% of U.S. federal agencies suffered a data breach last year, while only 26% of non-U.S. government agencies worldwide reported an incident. U.S. agencies also said they were more vulnerable than their global counterparts, with 68% saying they are “very” or “extremely” vulnerable, compared to 48% of worldwide agencies. Thales suggests budget plays a part in the problem for U.S. agencies, as the overall federal budget dropped by $6.2 billion in 2017, with a large portion of the budget going toward maintaining older legacy systems. ZDNet

CA – BC to Require All Land Owners to Reveal True Identities in Registry

British Columbia announced it will be launching a public registry where all landowners within the province will need to reveal themselves. According to a provincial budget document, the registry will help reveal who owns expensive properties and can help deter tax evasion schemes, money laundering and other criminal activities. York and Harvard Universities Professor of Corporate Governance Richard LeBlanc called the move “long overdue.” “It shows leadership, especially in the real estate market where owners can withhold their name,” LeBlanc said. “This puts pressure on key provinces such as Ontario, Quebec. [Metro]

US – FPF Releases Assessment of Seattle’s Open Data Program

The Future of Privacy Forum released its City of Seattle Open Data Risk Assessment, a holistic assessment that aims to help city officials navigate the complexities of privacy-protective open data programs and address the privacy risk of the landscape. FPF Policy Counsel and lead author of the assessment Kelsey Finch, said, “Although there is a growing body of research on open data privacy, open data managers and departmental data owners need to be able to employ a standardized methodology for assessing the privacy risks and benefits of particular datasets.” She added: “The City of Seattle is one of the most innovative cities in the country, with an engaged and civic-minded citizenry, active urban leadership, and a technologically sophisticated business community.” FPF

Electronic Records

US – Comments Sought on Nationwide EHR Exchange Framework

The Office of the National Coordinator for Health IT has released its draft Trusted Exchange Framework to promote interoperability among health information networks. The framework sets out principles to generate trust among participating health information networks (standardization of policies and procedures, transparency, cooperation, data security and integrity, and individual access to their information), and proposes minimum terms and conditions for participants (reporting of adverse events, publicly available privacy practices, access controls, backup procedures, audit logs, and breach notification). [Draft Trusted Exchange Framework – Office of the National Coordinator for Health IT | Health IT Groups Want ONC to Clarify Exchange Framework]

CA – OIPC BC Issues Guidance on Health Data Research

The OIPC BC has issued guidance outlining the requirements and legal provisions applicable to disclosure of personal information and personal health information for health research purposes. PI or PHI disclosure for research purposes without consent is subject to a number of statutes (e.g., FIPPA, PIPA, E-Health Act) depending on the origin of the data, and is therefore subject to a wide array of conditions and prohibitions, which can include storage of the PI only in Canada, a prohibition on disclosure for market research purposes, and compliance with prescribed confidentiality policies and procedures. [OIPC BC – Access to Data for Health Research]

Encryption

US – NIST Releases Draft Blockchain Technology Overview

On January 25, 2018, the National Institute of Standards and Technology (NIST) division of the U.S. Department of Commerce released a draft report of Blockchain technology (Overview) [See PR here]. The Overview draft report provides a high-level discussion of the technical components of Blockchain technology, addressing how data is encrypted, and how the data is verified and then distributed among the participating Blockchain parties. NIST is seeking comments on the scope and completeness of the draft Overview, which are due by February 23, 2018. While the NIST draft Overview provides a useful summary for those that seek an introduction to the subject, it might have been beneficial to have included a brief discussion on the ongoing governmental efforts to regulate the various applications of Blockchains. It is likely that some of these issues will be addressed in the comments that are due by February 23, and be incorporated into the final report. [Source see also: Bitcoin Magazine and TechStartups and 5 Blockchain Opportunities No Company Can Afford To Miss | How blockchain is revolutionising the legal sector | The Bitcoin Hype And The Potential Disruptive Power Of Blockchain Technology | Blockchain Explained: How It Works, Who Cares and What Its Future May Hold – Is Blockchain the Swiss Army Knife to All of Our Cyber-Insecurities? | New chip links blockchain to industrial IoT devices | Could blockchain unshackle us from the corporate internet? | New cryptocurrencies offer better anonymity, new security challenges | 6 use cases for blockchain in security | The role of blockchain in helping organizations meet GDPR compliance]

US – House Holds Hearing on Blockchain Technology

Speaking at a U.S. House Committee on Science, Space, and Technology hearing, IBM Fellow Jerry Cuomo advocated for government use of blockchain. Cuomo called for the government to take the lead in promoting and deploying blockchain. Cuomo did warn the government about overregulation, saying cryptocurrency does not represent the potential of blockchain. At the same hearing, Benjamin N. Cardozo School of Law Associate Clinical Professor Aaron Wright recommended the creation of an advisory group to handle various blockchain issues and to provide “a unified approach to the numerous regulatory decisions.” [Computerworld]

EU – European Commission Outlines Blockchain Development Plans

The European Commission outlined its efforts to develop a common approach on blockchain technology for the European Union. Among the projects are the EU Blockchain Observatory and Forum, which will map blockchain initiatives in Europe and monitor trends with the technology, and calls for a feasibility study to determine whether there is an opportunity for an EU Blockchain Infrastructure. The European Commission also plans to examine the potential for blockchain to help improve European cross-border services related to customs, taxation, environmental and financial reporting, and health record and identity management. [Europa]

CA – Canada Testing App to Store Traveler Data Using Blockchain

The Canadian government will be assisting in the testing of a new app allowing travelers to digitize information with authorities before flying. The “Known Traveler Digital Identity” system gives individuals the opportunity to store data such as their residency cards, countries they have visited, and biometric information such as facial recognition scans and fingerprints. The data would be securely stored via blockchain. Launched at the World Economic Forum, the system will be tested in several pilot projects, aiming to allow airport authorities to focus on investigating high-risk travelers, according to a WEF report. [Global News]

EU Developments

EU – Article 29 WP Revises Breach Notification Guidelines Under GDPR

The Article 29 Working Party updated previous guidance on personal data breach notification under the GDPR. Revisions include implementing measures to ensure immediate awareness of breaches (to comply with timely notification requirements), documenting incidents where personal data is made temporarily unavailable (even if notification is not required), and ensuring joint controller contracts identify who is responsible for taking the lead on notification. Non-EU entities caught in the territorial scope of the GDPR (i.e. offering goods or services to EU data subjects) must comply with notification obligations. [Article 29WP – Guidelines on Personal Data Breach Notification Under the GDPR – WP 250 Revision 1]

EU – WP 29 Releases Updated Guidelines on Profiling

The Article 29 Working Party updated guidelines on automated decision-making and profiling under the EU General Data Protection Regulation. The Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 cover definitions, general provisions on both, specific provisions “solely on automated decision-making defined in Article 22,” children and profiling, and data protection impact assessments and data protection officers. The WP29 has opened up a comment period for its guidelines on the accreditation of certification bodies under the GDPR (link is behind registration). The period is open until March 29. [IAPP.org]

EU – Rise of the Data Protection Officer

Data protection officers are suddenly the hottest properties in technology [as] companies across the globe scramble to comply with the EU’s GDPR, which goes into effect in May and represents the biggest shake-up of personal data privacy rules since the birth of the internet. It requires that all companies whose core activities include substantial monitoring or processing of personal data hire a DPO. More than 28,000 will be needed in Europe and U.S. and as many as 75,000 around the globe as a result of GDPR. The need for DPOs is expected to be particularly high in any data-rich industries, such as tech, digital marketing, finance, healthcare and retail. Those companies who have DPOs, meanwhile, are braced for poaching. [Reuters See also: Benefits PRO and Independent (Ireland)]

EU – CJEU: EU-Wide Class Action Cannot be Brought Against Facebook

The EU Court of Justice considered the admissibility of Max Schrems’ class action suit against Facebook Ireland Ltd. for alleged privacy breaches. The EU Advocate General previously provided their opinion. The CJEU confirmed that an individual can file claims against Facebook’s use of his personal data in his Member State of Austria; however, he cannot file claims on behalf of other individuals living in other countries (he is not a party to their contract with Facebook). [Max Schrems v. Facebook Ireland Ltd – Case C-498-16 – CJEU]

EU – German Court Finds Fault With Facebook’s Default Privacy Settings

A court in Germany has ruled that Facebook’s default privacy settings and some of its terms and conditions breached local laws. The Berlin court passed judgement late last month but the verdict was only made public this week. The legal challenge, which dates back to 2015, was filed by a local consumer rights association, the vzbv. It successfully argued Facebook’s default privacy settings breach local consent rules by not providing clear enough information for the company to gather ‘informed consent’ from users when they agreed to its T&Cs. Pre-formulated declarations of consent are clearly on borrowed time in the European Union, as the bloc will shortly have an updated data protection framework — GDPR. And pre-ticked consent boxes buried at the end of lengthy, opaque and vague T&Cs will not pass muster under the new standard. So the regional court’s finding on that aligns with wider incoming personal data processing consent standards that will be enforced across the entire EU from this May. …Last month Facebook announced incoming changes to how it approaches privacy — including outing a set of ‘privacy principles’ and trailing a new global privacy settings hub — which are part of its compliance efforts to meet the EU’s new data protection standards. [TechCrunch See also: Naked Security (Sophos), Deutsche Welle, The Guardian, Reuters, ZDNet and ITPro and also: Facebook makes privacy push ahead of strict EU law | Facebook starts polishing its privacy messaging ahead of GDPR | Facebook to roll out new tools in response to EU privacy laws]

Facts & Stats

CA – Study: 41% of Companies Had Sensitive Info Exposed in Breaches

A study conducted by IDC Canada for Scalar Decisions found 87% of Canadian organizations suffered a data breach last year. Of the 420 respondents who work on their company’s cybersecurity efforts, 41% said sensitive data was exposed when they were hit by the breach. The study found one in five cyberattacks was classified as “high impact,” with sensitive customer or employee information compromised. The estimated cost of a breach in 2017 came to $3.7 million on average, factoring in network downtime, employee work days and lost data. [The Canadian Press]

US – Study: Average Cost of Stolen Health Care Record Rose in 2017

A study from the Ponemon Institute found the cost for a stolen health care record rose in 2017, while the global average for other industries went down. The study found a stolen health care record cost an organization $380 last year, up from $355 in 2016. The global average for other industries was $141 in 2017, down from the $158 average the year before. Ponemon’s study also states 52% of incidents in 2017 were a result of malicious attacks, up 4% from 2016. Another study released by MediaPro found 24% of physicians could not identify a phishing email. [HealthITSecurity]

WW – Study: 93% of Breaches Reported in 2017 Were Preventable

A report from an internet society noted that key causes of breaches included not promptly patching known vulnerabilities, unencrypted data, misconfigured devices and servers, use of unsupported devices, systems and applications, employee errors and accidental disclosures, and not blocking malicious emails; recommendations include data inventories, ongoing assessments of IoT devices, service providers, and operational processes, and ongoing employee training. [Cyber Incident and Breach Trends Report – Online Trust Alliance]

US – Research: A Strong Privacy Policy Can Save Your Company Millions

New research shows that data breaches sometimes harm a firm’s close rivals (due to spillover effects), but sometimes help them (due to competitive effects). The study found that a good corporate privacy policy can shield firms from the financial harm posed by a data breach — by offering customers transparency and control over their personal information — while a flawed policy can exacerbate the problems caused by a breach. Together, the report’s evidence is the first to show that a firm’s close rivals are directly, financially affected by its data breach and also to offer actionable solutions that could save some companies hundreds of millions of dollars. The research shows that the severity of, or number of customers affected by, a breach is a key to understanding whether close rivals will be harmed or helped by their competitor’s bad fortune. In large data breaches, customers increasingly desire to leave the breached firm. Expected switching behavior ultimately benefits the breached firm’s competitors. The research finds that firms can protect or inoculate themselves from their own or a rival’s breach by implementing two important privacy-focused practices that benefit customers: 1) they can clearly explain to customers how they are using and sharing their data; and 2) firms can give customers ample control over the use and sharing of their data. [HBR]

FOI

CA – Report Finds Telcos Demand Fees for Detailed Customer Info Requests

A study from the University of Toronto measured how different companies responded to consumer requests for personal data. “Approaching Access” tracked 24 requests drawn from 6,000 customers made through the Access My Info tool created by the report’s lead author, Andrew Hilts. Most of the companies that responded gave different answers when faced with the same type of requests. When consumers pushed for more detailed answers from telecom companies, they were told they had to pay a fee, a response Hilts disagrees with. “I think any request for a payment acts as a barrier to access, because what we’ve seen from people who’ve requested their data is any sort of roadblock they encounter can serve to discourage them,” Hilts said. [CBC Radio | Canadian Citizens Face Barriers to Accessing Data]

UK – Companies Tested on Responding to Subject Access Requests

A UK newspaper filed subject access requests to six companies to see whether the companies complied with the U.K. 1998 Data Protection Act and whether they would have complied with the upcoming EU General Data Protection Regulation. The media company sent written requests to the six companies to see the information held about a data subject. Of the six companies, Apple, drink retailer Majestic Wine, clothing company Charles Tyrwhitt, and the loyalty card company Nectar responded in a timely manner, while Facebook and Amazon did not send a response to the requests. The three smaller companies sent info on customers’ names, addresses and lists of transactions, while Apple sent 3,314 different data points. Financial Times

CA – OIPC BC: Quality Assurance Records Can be Disclosed

The OIPC BC reviewed the College of Physicians and Surgeons of BC’s decision to withhold access to records requested under the Freedom of Information and Protection of Privacy Act. A BC health regulator must disclose to a physician the requested records related to an assessment of his medical practice; participants knew the physician was aware that they were involved (questionnaires were distributed from the physician) and provided their consent for the release of their responses. [OIPC BC – Order F18-01 – College of Physicians and Surgeons of BC]

Health / Medical

CA – Every Yukon Organization Needs a Privacy Primer

The Yukon privacy commissioner is highlighting steps needing to be taken to enhance the protection of citizens’ personal information. Health care providers in Yukon’s public and private sectors must comply with the Health Information Privacy and Management Act (HIPMA) [see 124 pg PDF here also see here & here], which requires reporting of any breaches. A health care provider must notify an individual (and Yukon’s privacy commissioner) following a privacy breach where there is a risk of significant harm to the individual. If found guilty of failing to do this, fines are between $10,000 and $100,000. The best way for public or private sector organizations in Yukon to avoid being found in violation of mandatory breach reporting requirements is to identify a “privacy contact,” i.e. someone in the organization to be responsible for privacy and to develop breach reporting policy and procedure. All staff need to be trained on the policy and procedure, so that they know what a privacy breach is and who to call when one is discovered. The policy should require employees to notify the organization’s privacy contact immediately upon learning of a breach. The privacy contact must be trained on how to effectively manage a breach and on the mandatory breach reporting requirements in applicable laws. [Yukon News]

CA – AB Court Quashes OIPC Decision Regarding Doctors’ Access to Patient Information

In [the recently decided] “Gowrishankar v JK” [see here], two physicians and Alberta Health Services sought judicial review of an adjudicative order [see Order H2016-06 here] of the [Alberta] Office of the Information and Privacy Commissioner. The OIPC’s adjudicator had determined that the Applicants accessed or permitted access to a patient’s medical information in contravention of the “Health Information Act” [see here]. In a ruling that has far-reaching implications on physicians’ right to access, use and disclose health information stored in the province’s Electronic Health Record [see here], the Alberta Court of Queen’s Bench quashed the Adjudicator’s decision. The practical impact of the Adjudicator’s decision is that it would have prevented physicians from using Netcare to effectively respond to patients’ complaints about the health services they provide. While the decision in “Gowrishankar v JK” brings some much needed clarity to this issue, it also demonstrates that the HIA requires a revisit. The statute is overly vague, incompatible with current modalities and, as was clearly demonstrated, capable of producing absurdities. Consequently the Court encouraged the parties in this action to reach out and consult with their provincial legislators to amend the HIA. He explained that with a little tweaking, the HIA would leave less room for doubt. [MCross]

EU – Study Finds ‘Numerous’ Shortcomings in Health Apps

A recent study of popular health apps found “numerous” shortcomings in the privacy and data protection of user data. To be included in the study, the app had to be free, in English, downloaded more than 100,000 times, and require users to input health or personal data that would be transmitted to a third party. The researchers wrote that the majority of the apps failed to follow “well-known practices and guidelines, not even legal restrictions imposed by contemporary data protection regulations, thus jeopardizing the privacy of millions of users.” Meanwhile, HealthITSecurity reports that a recent survey shows half of organizations cite security and privacy concerns as a leading factor for why mobile and digital health tools are not more widespread. [MobiHealthNews]

Horror Stories

CA – PEI Whistleblowers Seek Financial Compensation for Privacy Breach

Two of the former PEI government employees who had their private information released to the press are seeking financial compensation for the incident. The two whistleblowers came forward to reveal issues with the province’s provincial immigration program but found their emails and personnel records were leaked to the media. Despite the province’s privacy commissioner releasing a report stating the women’s privacy rights were violated, the two former employees are asking for a monetary sum to address the fallout they faced following the leak. One of the women, Susan Holmes, said she has been refused a meeting with Premier Wade MacLauchlan to discuss the privacy commissioner’s findings. [CBC News | PEI Whistleblowers Whose Private Info Was Leaked Consider Legal Options]

Identity Issues

US – Identity Fraud Hits All Time High

The 2018 Identity Fraud Study released February 6 revealed that the number of identity fraud victims increased by 8% (rising to 16.7 million U.S. consumers) in the last year, a record high since Javelin Strategy & Research began tracking identity fraud in 2003. The study found fraudsters successfully [hit] 1.3 million more victims in 2017 [over 2016], with the amount stolen rising to $16.8 billion. The Study found four significant trends: 1) Record high incidence of identity fraud; 2) Account takeover grew significantly; 3) Online shopping presents the greatest fraud opportunity; and 4) Fraudsters are getting more sophisticated. Consumers can minimize their risk and impact of identity fraud. The following are five recommendations for consumers to follow: 1) Turn on two-factor authentication wherever possible; 2) Secure your devices; 3) Place a security freeze; 4) Sign up for account alerts everywhere; and 5) Protect yourself from unauthorized online transactions. [Javelin See also: Dark Reading, CBS News, CNBC, MediaPost and Wall Street Journal]

AU – Australian Government Agrees to Medicare Card Access Recommendations

Following an independent review of health providers’ access to Medicare card numbers, the Australian government has agreed to the 14 recommended changes made in the examination. The recommendations include transitioning from a Public Key Infrastructure to Provider Digital Access, making the terms of the authentication services simpler for users to understand, and ensuring Medicare cards remain a valid form of identification. “The government takes seriously its obligation to protect the significant personal information of Australians, and is working to maintain and strengthen its defences against ever more sophisticated cyber and criminal attacks,” the government wrote in its response to the findings. [ZDNet]

IoT

CA – OPC Issues Guidance on Minimum IoT Security

In “PIPEDA Report of Findings #2018-001” [see PR here & report here], the Office of the Privacy Commissioner of Canada (OPC) reported on its investigation of VTech Holdings Limited [here], a manufacturer of electronic learning products for children. The case arose following a complaint from an affected individual whose information was compromised when VTech’s global server was breached between Nov. 12 and Nov. 29, 2015. The hacker gained access to various VTech environments and ultimately to customer data, in a live production environment, copying customer data off of VTech’s network. The OPC estimated that the breach affected more than 316,000 Canadian children and more than 237,000 Canadian adults. The decision provides some useful guidance in connection with minimum security standards required for Internet of Things/web-connected devices, particularly those that collect personal information and data from children. [Canadian Lawyer Magazine | See also: VTech Data Breach Enforcement Actions – Guidance for Data Security and Privacy Law Compliance | What Toymakers Can Learn From VTech Breach And Settlement | VTech Settlement Resolves COPPA Allegations in FTC’s First Connected Toy Case | VTech breach investigation highlights security failures | FTC Cracks Down on Internet-Connected Toys]

US – Smart TV’s Privacy Capabilities Placed Under the Microscope

Consumer Reports conducted an analysis of the privacy and security capabilities of smart TVs. The group tested televisions from five major brands using their new Digital Standard, finding TVs made by Samsung, TCL and others using the Roku TV platform could be vulnerable to unsophisticated hackers who could change channels or play offensive content. Consumer Reports also examined the data collection practices of the televisions, finding smart TVs can collect information related to viewing habits to share targeted advertising. The group also discovered customers could lose television functionality if they attempt to limit data collection. Meanwhile, the Future of Privacy Forum released their views on the findings from Consumer Reports. In an extensive article for Gizmodo, Kashmir Hill described her experience living in a fully equipped smart home for two months. Full Story

WW – Google-Nest Merger Raises Privacy Issues

Tech giant Alphabet is merging its Google and Nest [here] divisions together [see blog post here] to aid its efforts to build hardware and software to “create a more thoughtful home”. Nest had run as a standalone unit since its $3.2bn (£2.3bn) takeover in 2014. Its smart home products benefit from gathering data about its users. Nest previously pledged the data would be kept separate from Google’s other operations. Privacy campaigners have raised concerns at the reorganisation. But Google has said it will be “transparent” about any changes that might be made. Nest’s products include: 1) internet-connected security cameras for inside and outside the home; 2) thermostats that use motion-detecting sensors to detect when the owners are about; 3) a camera-equipped doorbell; and 4) a movement-detecting alarm system and smoke detector. The division’s app can be set to gather data from other products – including cars, ovens, fitness trackers and even sensor-equipped beds …The Big Brother Watch [here] campaign group said it was concerned by the development. “Google already harvests an incredible amount of detailed information about millions of internet users around the globe,” said director Silkie Carlo. “Now, Google is becoming embedded in the home, through ‘smart’ soft surveillance products. “Adding data from Nest’s home sensors and security cameras will significantly expand Google’s monopoly on personal data. Many customers will be justifiably anxious about Google’s growing, centralised trove, especially given that its business model relies on data exploitation.” [BBC See also: Gizmodo, TechCrunch, CNET and Yahoo News UK]

US – NIST, DHS Co-Host Conference on Smart Cities

The Global City Teams Challenge announced its 2018 kickoff conference, where this year’s Smart and Secure Cities and Communities Challenge aims to encourage municipal governments and technology innovators to focus on cybersecurity and privacy concerns while also working towards replicability, scalability and sustainability. The 2018 GCTC is co-hosted by the National Institute of Standards and Technology and the U.S. Department of Homeland Security Science and Technology Directorate. The conference will be held Feb. 6-8, in Washington, and registration is free but required before Jan. 30. [NIST]

Law Enforcement

CA – OIPC AB Investigates Unlawful Disclosure by Alberta Police

The Alberta OIPC has investigated a complaint against the Edmonton Police Service, alleging violations of the Freedom of Information and Protection of Privacy Act. A police service disclosed to an individual’s employer details of police investigations he was subject to as a teenager, and allegations made against him as an adult (resulting in his termination); the waiver signed by the individual for a police check did not state that investigations, allegations and non-convictions would be used, and no review was done to determine if it was necessary to inform his employer of the information. [OIPC AB – Order F2017-87 – Edmonton Police Service]

Online Privacy

US – Report: Schools Must Strike Balance with Personalized Learning, Privacy

A report from the National Association of State Boards of Education found that, although school privacy policies can often conflict with personalized learning, it is up to state policymakers to develop laws and policies that harmonize a balance between the two. In the report, authors state that “good student data privacy policies recognize the potential for personalized learning to accelerate student achievement while also guaranteeing safe, secure access to a predetermined, transparent set of student data.” The study reviewed policies in Louisiana, Kansas and California. [EdScoop]

US – WSJ Uses Machine Learning to Determine Likelihood of Subscriptions

The Wall Street Journal has been using machine learning to determine the likelihood a user will subscribe to their site. More than 60 signals are used to analyze a user’s behavior on WSJ’s website, including what stories they click on, their location, and their operating system. From there, the company places users into three categories. If it is determined the user will likely subscribe to the Journal, they will face a hard paywall, but if a user scores lower, they may be granted an additional free session before facing the call for a subscription. [Nieman Lab]

CA – Study: Canadians Avoid Privacy Policies Due to Length, Complexity

A report commissioned by the Canadian Marketing Association examined whether citizens read privacy policies. Released on International Data Privacy Day, the study found 60% of Canadians only read portions of privacy policies, while 25% said they do not read policies at all. Respondents said they do not read the full privacy policy due to length, complexity of the language, and lack of choice. When asked about how informed they are regarding Canadian privacy laws and data rights, 39% said they are not informed, while 40% said they only have a basic understanding of their rights and the laws. [CMA]

US – FTC Offers Advice on Using, Researching VPNs

The FTC has released a guide offering advice to individuals looking to use a virtual private network. The FTC offers a rundown of what VPNs are, why people use them, and the privacy concerns surrounding the technology. The agency offers several pieces of advice to those interested in VPNs, including to research VPN apps before using them and reviewing the permissions the app requests, while warning potential VPN users the apps do not always encrypt information and of the possibility of VPNs sharing information with third parties, as well as debunking the idea the apps will make a user completely anonymous. [Full Story See also: Don’t Trust the VPN Facebook Wants You to Use]

Other Jurisdictions

UK – NHS Publishes Healthcare Risk Assessment for Public Cloud Services

The UK National Health Service has issued guidance on the use of cloud services for patient information, including: a one-page overview; a good practice guide; a risk framework; and a data risk model. The 4-step process involves understanding how the healthcare organisation handles data (e.g., the volume and retention period), a specific risk assessment (does the calculated risk classification align with the organisation’s risk appetite), implementing proportionate controls (selecting a provider based on required security standards), and monitoring (ensure the provider notifies of any detrimental changes to its security). [National Health Service, United Kingdom – NHS and Social Care Data: Off-Shoring Data and the Use of Public Cloud Services | NHS – Overview | NHS – Good Practice Guide | NHS – Risk Framework | NHS – Data Risk Model]

Privacy (US)

US – FTC Releases PrivacyCon 2018 Agenda

The Federal Trade Commission has released the final agenda for PrivacyCon 2018. The third annual PrivacyCon will focus on the privacy implications of artificial intelligence, the internet of things and virtual reality, while also highlighting the economics of privacy, such as quantifying harm when organizations do not properly protect consumer data. The conference will host sessions on the collection and leakage of private data, consumer preferences and research tools related to privacy management. This year’s event will also have a Student Poster Session designed to encourage a new wave of privacy researchers. PrivacyCon 2018 will take place Feb. 28. [FTC | Source]

Privacy Enhancing Technologies (PETs)

WW – Should There Be A ‘Do No Harm’ Principle for Tech Developers?

Data scientists met this week to start drafting an ethics code for their profession, continuing an evolving discussion around whether programmers and data scientists should have to sign an industry equivalent to the Hippocratic Oath. A recent release by Microsoft argued that it “could make sense” to tie coders to a similar “first, do no harm” principle sworn to by physicians. DJ Patil, chief data scientist for the United States under President Barack Obama, said, “We have to empower the people working on technology to say, ‘Hold on, this isn’t right.’” [Wired]

EU – Privacy by Design Paper Wins CNIL Award

France’s data protection authority, the CNIL, and public research body Inria handed out their 2017 “privacy protection” prize at the CPDP conference last week in Brussels to the research behind the paper “Engineering Privacy by Design Reloaded.” The prize was created in 2016 as a way to encourage privacy research, while also aiming to raise awareness of data protection issues in the scientific community. The paper analyzed the methods engineers use to apply privacy by design in practice and provides practical guidelines for using privacy engineering to minimize the amount of data collected and held by data controllers and processors. CNIL

Security

US – HHS Issues Recommendations to Avoid Attacks

The Office for Civil Rights of the U.S. Department of Health and Human Services has issued recommendations regarding cyber extortion. Organizations should implement a risk management program that identifies cyber risks throughout the organization, train employees to identify suspicious communications, patch systems, limit internal network access to deny/slow attackers’ movements, and encrypt and back up sensitive data. [HHS – Cyber Extortion]

US – Study: State and Local School Websites Among the Most Vulnerable

A study by EdTech Strategies found that state education departments and local school systems are among the most vulnerable websites, with many failing to implement the HTTPS protocol. The report found that 49 of 51 states and 158 of 159 school systems used tracking software to compile user data and employ targeted advertising. When reviewed in comparison to the state education departments’ and school systems’ privacy policies, such tracking was found to be in violation of their policy. Douglas Levin, president of EdTech Strategies and director of the study, said, “Based on that review, it’s clear there’s a disconnect,” adding that many websites in the study “made demonstrably false statements.” Levin said the report suggests “a widespread lack of attention to issues of online security and privacy.” Levin estimated the average IT support-to-user ratio in companies is between 50 and 300 per IT support person, but in schools it can be up to 1,000. And many school districts likely don’t have a full-time IT staff; they may be part-time, or it might be a third-party contractor. [EdScoop See also: DARKReading, T.H.E. Journal and EdSurge]

Smart Cars

WW – Who Owns the Data Connected Cars Generate?

While many automakers have pledged to follow the Alliance of Automobile Manufacturers’ privacy principles, privacy concerns have been raised over automakers’ data collection practices. A panel at the Washington Auto Show discussed the difficulty of controlling data collected by connected cars, particularly when it is time to wipe a user’s data from a vehicle, like upon driver’s return of a rental. At the same time, the panel found the adoption of the voluntary privacy principles set forth by the AAM to be sufficient. Catherine McCullough, executive director of the Intelligent Car Coalition, said, “I don’t know of any carmakers specifically that are proactively giving drivers control over data here.” [Yahoo]

US – FPF Publishes Automotive Privacy Principles on 2017 Models

The National Automobile Dealers Association and Future of Privacy Forum have published a guide that explains what personal data is collected in cars. Sensitive personal data is collected and used by event data recorders, on-board diagnostics, and apps, including geolocation data, driver behavioral data and biometrics; manufacturers commit to the 3 principles of transparency (providing clear and concise privacy policies), affirmative consent for sensitive data (prior to use for marketing or sharing with unaffiliated third parties), and sharing with government and law enforcement (clearly stating when they do so). [Personal Data In Your Car – National Automobile Dealers Association and Future of Privacy Forum]

CA – Report: Canada ‘Ill-Prepared’ for Autonomous Vehicles

A report from the Senate Committee on Transport and Communications found Canada is “ill-prepared” for autonomous vehicles. The committee states Canada needs to begin to prepare for the disruptions caused by self-driving cars as soon as possible to ensure it “is ready for this upcoming period of technological change.” Despite issues surrounding privacy and security, Senator Dennis Dawson argued the technology will be implemented regardless. The report offered 16 recommendations to help Canada answer concerns surrounding the vehicles, including continuously assessing the need for privacy regulations in connected and autonomous cars and developing connected-car frameworks with privacy protections as a key component. [IT World Canada | Driving Change – Senate of Canada]

Surveillance

US – Police Use of Commercial License Plate Database Lawful

A US Court considered a criminal defendant’s motion to suppress evidence obtained through a license plate query on a database. The database relies on random observations of license plates on public streets by digital cameras placed on repossession and law enforcement vehicles; the cameras cannot be easily manipulated, do not permit police to continuously track the location of a particular vehicle or individual, and the images of license plates are taken on public streets. [United States of America v. Jay Yang – 2018 U.S. Dist. LEXIS 11967 – United States District Court for the District of Nevada]

US – California Senate Rejects License Plate Privacy Shield Bill

The California Senate has rejected S.B. 712 [with a 12-18 vote, see here]. It would have allowed drivers to protect their privacy by applying shields to their license plates when parked. The simple amendment to state law would have served as a countermeasure against automated license plate readers (ALPRs) that use plates to mine our location data. Just last week, news broke that Immigrations & Customs Enforcement would be exploiting a database of more than 6.5 billion license plate scans collected by a private vendor. Indeed, the federal government—including the Drug Enforcement Agency and Immigrations & Customs Enforcement—are ramping up their efforts to use ALPR data, including data procured from private companies. Major vulnerabilities in computer systems are revealing how dangerous it can be for government agencies and private data brokers to store our sensitive personal information. [EFF.org]

US – Seattle Dismantles Controversial Wireless Mesh Surveillance Network

In 2013, Seattle police installed (using $3.6 million from the Department of Homeland Security) surveillance cameras and a network that could track wireless devices throughout downtown — after unwanted publicity, they turned it off [see here]. Now the city has budgeted $150,000 to remove dozens of surveillance cameras and 158 “wireless access points.” The mesh network, according to the ACLU, news reports and anti-surveillance activists from Seattle Privacy Coalition, had the potential to track and log every wireless device that moved through its system. This isn’t the first time SPD has been pressured to abandon a Homeland Security-funded tool. In 2013, it gave up its drones. Like the mesh network, they were quietly bought with federal money and became a flashpoint for public outcry. [Seattle Times | Activist Post]

CA – City of Hamilton to Study Allowing Home Cameras to Point at Street

[Hamilton, Ontario] will study allowing residents to point their security cameras at the street. But a council decision won’t be made until city lawyers report back on the prospect, including concerns made public by Ontario’s privacy commissioner Brian Beamish [see PR here & Letter here]. Right now, Hamilton bylaws [see here] ban home cameras from pointing anywhere other than a homeowner’s own property. Beamish said he’s uncomfortable with any government law change that sets out to “empower a private citizen to act as a police agent” via homeowner surveillance of the public realm. At the same time, relatively few other Ontario cities currently enforce such a bylaw. Those include Milton, Oshawa and Brampton. [Hamilton Spectator | CBC News See also: Hamilton councillors endorse studying expanding surveillance cameras guidelines | The Spectator’s view: Right to privacy a quaint notion? | Should Hamilton homeowners be allowed to point cameras at the street? | Hamilton to consider expanding use of private surveillance camera footage for police use]

CA – OIPC BC Admonishes Government Surveillance

B.C.’s acting privacy commissioner singled out Kelowna in a public memo [read here] as potentially violating privacy by monitoring surveillance cameras. In the memo, acting information and privacy commissioner Drew McArthur acknowledged consulting with Kelowna, as well as Richmond and Terrace, over their own plans for surveillance cameras. “These proposals all assume that video surveillance prevents crime and justifies the persistent invasion of the privacy of law abiding people who are just going about their day-to-day business,” he writes. “But what Richmond, Terrace and Kelowna are ignoring is that for all its monetary and privacy costs, there is little evidence that surveillance works.” Kelowna risk manager Lance Kayfish said the surveillance monitoring program was designed under guidelines provided by the privacy commissioner which he says do show monitored cameras to be more effective than those that simply record automatically. [OIPC BC – Use of Video Surveillance by Local Governments | BC Legality of Surveillance Cameras Enters Review Process | Civil Liberties Association warns B.C. city against surveillance cameras in public park | InfoTel | InfoTel News, Kelowna Capital News, Castanet and KelownaNow | Vancouver Councilor Calls for Return of Surveillance Cameras Following Homicide]

CA – Security Cameras Back on in Yellowknife, New Policy Adopted

Some public surveillance cameras are back on in Yellowknife, and a new security camera policy is in place [see PR here & new policy here]. The city shut down the cameras last month, after CBC News and local media reported the technology was used by some city staff, including the head of the municipal enforcement division, to allegedly zoom in on and ogle women. The allegations date back to 2014. The policy states the cameras can only be installed and monitored when deemed necessary to address a specific issue, when there isn’t another way that’s “less privacy-invasive” to address that issue. It says the footage should only be accessed by authorized employees, the city’s chief lawyer, specific employees from the municipal information technology division and others, with approval from the city’s senior administrative officer. The city also put out a public notice of a special municipal services committee meeting Thursday to discuss the inquiry into allegations of workplace misconduct in the city’s municipal enforcement division. Earlier this month, the city held a secret meeting to discuss the inquiry, and no records were kept of that meeting. [CBC | See also: Encrypted surveillance video may solve Yellowknife’s security camera woes: former privacy commissioner | Yellowknife city councillor proposes using security cameras as webcams | Inquiry into Yellowknife bylaw department goes dark | Yellowknife security cameras go offline following reports city staff abused their use | Former employee alleges inappropriate behaviour by head of Yellowknife’s bylaw]

CA – Surveillance Cameras Allowed in Quebec’s Long-Term Care Homes

Beginning March 7, residents of publicly funded long-term/chronic care institutions (CHSLDs) in Quebec will have the right to install surveillance equipment in their rooms to prevent mistreatment. [See here] The new policy was initially made public in October, although the government has now announced some slight modifications to its original guidelines. These include extending the regulations to permit the use of smartphones and electronic tablets, as well as surveillance cameras. Each long-term care facility will have a designated representative to assist residents who want to install cameras. That person’s mandate will be to ensure the footage respects privacy rules, among them: 1) The camera can’t be used to capture images and sounds from outside the user’s room; 2) The camera also cannot capture images from a bathroom, unless it’s justified; 3) When it is installed in a shared room, the camera cannot be used to capture images or sounds of the other residents; and 4) The camera must be removed if its use is no longer necessary for the purposes sought by its installation. There will also be signs posted at the entrance of CHSLDs, advising visitors and staff of the possibility of surveillance cameras in the rooms. [CBC | See also: Patients’ advocate slams decision to allow cameras in Quebec long-term care homes | No hidden cameras allowed in P.E.I. long-term care facilities | ‘Cloak of privacy’ keeping nursing home abuse secret, advocate says]

Workplace Privacy

CA – OIPC NFLD Cautions Against Social Media Access

The Newfoundland and Labrador OIPC issued recommendations on collecting employee information from social media. Even where job candidates consent, employers should avoid collecting and using information from their social media platforms; there is a reasonable expectation of privacy in these accounts, and the information collected can be unreliable, inaccurate, irrelevant and prejudicial. Employees may authorize checks of their social media platforms (through employment terms and conditions); however, employers should not contract a third party to perform the check in order to avoid privacy obligations. [OIPC NL – Collecting Information via Social Media – Employee and Background Checks]
