Nova Scotia begins consultation on Personal Health Information legislation

The Province of Nova Scotia has for some time been consulting with inside stakeholders on the development of health information legislation. It has just launched a consultation, seeking input from interested parties. I haven't had a chance to look at the discussion paper yet, but I understand they've been using Ontario's PHIPA as the model:

Personal Health Information Legislation for Nova Scotia Department of Health Government of Nova Scotia

For the past several years the Department of Health has been working with health sector partners on initiatives related to the protection and use of personal health information. As part of the evolution of standards, policy and law on these issues, .the Department is developing a Personal Health Information Act for the province.

The Department is pleased to present the Discussion Paper Personal Health Information Legislation for Nova Scotia (PDF: 70p). Throughout the Discussion Paper, key issues related to the collection, use, disclosure, retention and destruction of personal health information are discussed, and legislative provisions for a Personal Health Information Act are proposed.

Public and stakeholder input to this legislation is critical to its success. Any feedback on the issues raised in the paper, and on any issues related to the management of personal health information in Nova Scotia can be submitted through the online questionnaire, by e-mail to mailto:phia@gov.ns.caor by regular mail to the Personal Health Information Project, Department of Health, 1690 Hollis Street, P.O. Box 488 , Halifax , Nova Scotia , B3J 2R8

The deadline for comments is November 1, 2008.

• Personal Health Information Legislation for Nova Scotia Discussion Paper (PDF:70p)
  
• Frequently Asked Questions - Foire aux questions (PDF)
  
• Questionnaire (MS Word) Questionnaire French (MS Word)
  
• Personal Health Information Legislation Online Questionnaire

Supreme Court rules on Privacy Commissioner's power to review privileged documents

The Supreme Court of Canada has just handed down its decision in Canada (Privacy Commissioner) v. Blood Tribe Department of Health, which was a question of whether the Privacy Commissioner could review documents to determine whether claims of privilege have been properly applied. The unanimous Court, on appeal from the Federal Court of Appeal, determined that she cannot.

From the headnote:

Privacy — Investigations of complaints — Powers of Privacy Commissioner — Production of documents — Solicitor‑client privilege — Dismissed employee filing complaint with Commissioner and seeking access to her personal employment information — Employer claiming solicitor‑client privilege over some documents — Whether Commissioner can compel production of privileged documents — Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, s. 12.

Following her dismissal, an employee asked to have access to her personal employment information because she suspected that the employer had improperly collected inaccurate information and used it to discredit her before its board. The employer denied the request, and the employee filed a complaint with the Privacy Commissioner seeking access to her personal file. The Commissioner requested the records from the employer in broad terms. All records were provided except for those over which the employer claimed solicitor‑client privilege. The Commissioner then ordered production of the privileged documents pursuant to s. 12 of the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which confers the powers to compel the production of any records “in the same manner and to the same extent as a superior court of record” and to “receive and accept any evidence and other information . . . whether or not it is or would be admissible in a court of law”. The employer applied for judicial review of the Commissioner’s decision. The reviewing judge determined the Commissioner was empowered to compel production of documents over which solicitor‑client privilege was claimed in order to effectively complete her statutory investigative role. The Federal Court of Appeal set aside the decision of the reviewing judge and vacated the Commissioner’s order for production of records.

Held: The appeal should be dismissed.

Solicitor‑client privilege is fundamental to the proper functioning of our legal system. The complex of rules and procedures is such that, realistically speaking, it cannot be navigated without a lawyer’s expert advice. However, experience shows that people who have a legal problem will often not make a clean breast of the facts to a lawyer without an assurance of confidentiality “as close to absolute as possible”. Without that assurance, access to justice and the quality of justice in this country would be severely compromised. It is in the public interest that the free flow of legal advice be encouraged. [9]

When the appropriate principles of statutory interpretation are applied to the general language of PIPEDA, the right of the individual or organization that is the target of the complaint to keep solicitor‑client confidences confidential must prevail. The Commissioner is an officer of Parliament vested with administrative functions of great importance, but she does not, for the purpose of reviewing solicitor‑client confidences, occupy the same position of independence and authority as a court. It is well established that general words of a statutory grant of authority to an office holder, including words as broad as those contained in s. 12 of PIPEDA, do not confer a right to access solicitor‑client documents, even for the limited purpose of determining whether the privilege is properly claimed. That role is reserved to the courts. Express words are necessary to permit a statutory official to “pierce” the privilege. Such clear and explicit language does not appear in PIPEDA. [1-2]

An adjudication of a claim of privilege by the Commissioner, who is an administrative investigator not an adjudicator, would be an infringement of the privilege. Client confidence is the underlying basis for the solicitor‑client privilege, and infringement must be assessed through the eyes of the client. To a client, compelled disclosure to an administrative officer, even if not disclosed further, would constitute an infringement of the confidentiality. The objection is all the more serious where, as here, there is a possibility of the privileged information being made public or used against the person entitled to the privilege. Furthermore, in pursuit of its mandate, the administrative officer may become adverse in interest to the party whose documents it wants to access. Not only may it take the resisting party to court but it may decide to share compelled information with prosecutorial authorities without court order or the consent of the party from whom the information was compelled. [20‑21] [23]

Here, the only reason the Commissioner gave for compelling the production and inspection of the documents in this case is that the employer indicated that such documents existed. She does not claim any necessity arising from the circumstances of this particular inquiry. The Commissioner is therefore demanding routine access to such documents in any case she investigates where solicitor‑client privilege is invoked. In the Commissioner’s view, piercing the privilege would become the norm rather than the exception in the course of her everyday work. Even courts will decline to review solicitor‑client documents to adjudicate the existence of privilege unless evidence or argument establishes the necessity of doing so to fairly decide the issue. [17]

The Commissioner has not made out a case that routine access to solicitor client confidences is necessary to achieve the ends sought by PIPEDA. There are other less intrusive remedies. Firstly, she may, at any point in her investigation, refer a question of solicitor‑client privilege to the Federal Court under s. 18.3(1) of the Federal Courts Act. Secondly, within the framework of PIPEDA itself, the Commissioner has the right to report an impasse over privilege in her s. 13 report and, with the agreement of the complainant, bring an application to the Federal Court for relief under s. 15. The court is empowered, if it thinks it necessary, to review the contested material and determine whether the solicitor‑client privilege has been properly claimed. This procedure permits verification while preserving the privilege as much as possible. [31] [33‑34]

Some past coverage of this case on this blog: Canadian Privacy Law Blog: Decision: Blood Tribe (Dept. of Health) v. Canada (Privacy Commissioner), Canadian Privacy Law Blog: Commissioner cannot compel privileged documents: FCA.

Ask the privacy lawyer: Data in transit outside of Canada

I received the following question the other day:

In terms of personal data that was captured by a healthcare company while
a patient in Canada, and relayed to another city in Canada for analysis, further
use, etc., does that patient data have to remain in Canada ? or is it allowed to
traverse the US border at any time during its journey across the continent ?
My concern is that communication networks don't seem to be restricted to
intra-Canada operation or due to congestion or failure, most have to use large
data highways that may cross over into the United States.

Under PIPEDA, is patient or personal data limited to just traverse within Canada ?

In Canada, there are no restrictions on the export of personal information except for personal information that is subject to the Freedom of Information and Protection of Privacy Acts of Alberta, British Columbia and Nova Scotia, and the equivalent in Quebec. Each of those provinces have enacted laws in response to the USA Patriot Act. The Patriot Act gives American law enforcement with much easier access to information, including personal information. The laws in these provinces don't deal with information in transit, but talk about the storage and access to that information. For example, from Nova Scotia's PIIDPA:

5 (1) A public body shall ensure that personal information in its custody or under its control and a service provider or associate of a service provider shall ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless...

While there is no caselaw on this issue, I doubt that any of the privacy regulators of those provinces or the courts would find a contravention of this law if data packets containing personal information were routed through the United States on their way between two points in Canada. The information may be intercepted while in transit, but there users have little control over how this data travels. For example, a traceroute function from my home computer to ubc.ca shows that most of the data travels through the US:

Tracing route to ubc.ca [64.40.111.228] over a maximum of 30 hops:

1 2 ms 1 ms 1 ms [REDACTED]

2 20 ms 9 ms 9 ms [REDACTED]

3 17 ms 12 ms 10 ms [REDACTED]

4 11 ms 8 ms 8 ms hlfx-br1.eastlink.ca [24.222.79.205]

5 18 ms 28 ms 18 ms te-3-1.car2.Boston1.Level3.net [4.79.2.89]

6 22 ms 19 ms 18 ms ae-2-5.bar2.Boston1.Level3.net [4.69.132.250]

7 19 ms 19 ms 22 ms ae-0-11.bar1.Boston1.Level3.net [4.69.140.89]

8 46 ms 54 ms 49 ms ae-5-5.ebr1.Chicago1.Level3.net [4.69.140.94]

9 44 ms 52 ms 39 ms ae-68.ebr3.Chicago1.Level3.net [4.69.134.58]

10 73 ms 72 ms 70 ms ae-3.ebr2.Denver1.Level3.net [4.69.132.61]

11 99 ms 90 ms 90 ms ae-2.ebr2.Seattle1.Level3.net [4.69.132.53]

12 90 ms 89 ms 89 ms ae-22-52.car2.Seattle1.Level3.net [4.68.105.35]

13 90 ms 89 ms 88 ms unknown.Level3.net [64.154.178.134]

14 93 ms 91 ms 102 ms p2-1.pr0.yvrx.hgtn.net [66.113.197.5]

15 93 ms 93 ms 91 ms r1-hgtn.netnation.com [64.40.127.254]

16 102 ms 95 ms 93 ms itservices.ubc.ca [64.40.111.228]

Trace complete.

This leads to the question of whether your information is safe from interception during transit through the US. It's really not safe from interception at any point on the internet. At each point above, the signals can be intercepted. There was recent speculation that a collaboration between AT&T the National Security Agency allowed national security organs of the US to vacuum international internet and telco traffic from at least one AT&T facility. (See: EFF's class action against AT&T.) Do they have the tools to single out particular traffic? Probably.

So what to do? If sensitive information is being transferred between two points on the internet, it should be encrypted and sent through a secure "tunnel".

Update: Added reference to Quebec statute. Thanks, commenter.

Privacy protections disappear with a judge's order

More commentary on the Viacom v. Google/YouTube case, this time from MIT's Technology review:

Technology Review: Privacy protections disappear with a judge's order

Privacy protections disappear with a judge's order

By Associated Press

NEW YORK (AP) _ Credit card companies know what you've bought. Phone companies know whom you've called. Electronic toll services know where you've gone. Internet search companies know what you've sought.

It might be reassuring, then, that companies have largely pledged to safeguard these repositories of data about you.

But a recent federal court ruling ordering the disclosure of YouTube viewership records underscores the reality that even the most benevolent company can only do so much to guard your digital life: All their protections can vanish with one stroke of a judge's pen.

"Companies have a tremendous amount of very sensitive data on their customers, and while a company itself may treat that responsibly ... if the court orders it be turned over, there's not a lot that the company that holds the data can do," said Jennifer Urban, a law professor at the University of Southern California.

In the past, court orders and subpoenas have generally been targeted at records on specific individuals. With YouTube, it's far more sweeping, covering all users regardless of whether they have anything to do with the copyright infringement that Viacom Inc., in a $1 billion lawsuit, accuses Google Inc.'s popular video-sharing site of enabling.

It's a scenario privacy activists have long warned about.

"What we're seeing is (that) the theoretical is becoming real world," said Lauren Weinstein, a veteran computer scientist. "The more data you've got, the more data that's going to be there as an attractive kind of treasure chest (for) outside parties."

U.S. District Judge Louis L. Stanton dismissed privacy arguments as speculative.

Last week, Stanton authorized full access to the YouTube logs -- which few users even realize exist -- after Viacom and other copyright holders argued that they needed the data to prove that their copyright-protected videos for such programs as Comedy Central's "The Daily Show with Jon Stewart" are more heavily watched than amateur clips.

"This decision makes it absolutely clear that everywhere we go online, we leave tracks, and every piece of information we access online leaves some sort of record," Urban said. "As consumers, we should all be aware of the fact that this sensitive information is being collected about us."

Mark Rasch, a former Justice Department official who is now with FTI Consulting Inc., said the ruling could open the floodgates for additional disclosures.

Though lawyers have known to seek such data for years, Rasch said, judges initially hesitant about authorizing their release may look to Stanton's ruling for affirmation, even though U.S. District Court rulings do not officially set precedence.

The YouTube database includes information on when each video gets played. Attached to each entry is each viewer's unique login ID and the Internet Protocol, or IP, address for that viewer's computer -- identifiers that, while seemingly anonymous, can often be traced to specific individuals, or at least their employers or hometowns.

Elsewhere, search engines such as Google and Yahoo Inc. keep more than a year of records on your search requests, from which one can learn of your diseases, fetishes and innermost thoughts. E-mail services are another source of personal records, as are electronic health repositories and Web-based word processing, spreadsheets and calendars.

One can reassemble your whereabouts based on where you've used credit cards, made cell phone calls or paid tolls or subway fares electronically. One can track your spending habits through loyalty cards that many retail chains offer in exchange for discounts.

Though companies do have legitimate reasons for keeping data -- they can help improve services or protect parties in billing disputes, for instance -- there's disagreement on how long a company truly needs the information.

The shorter the retention, the less tempting it is for lawyers to turn to the keepers of data in lawsuits, privacy activists say.

With some exceptions in banking, health care and other regulated industries, requests are routinely granted.

Service providers regularly comply with subpoenas seeking the identities of users who write negatively about specific companies, at most warning them first so they can challenge the disclosure themselves. The music and movie industries also have been aggressive about tracking individual users suspected of illegally downloading their works.

Law enforcement authorities also turn to the records to help solve crimes.

The U.S. Justice Department had previously subpoenaed the major search engines for lists of search requests made by their users as part of a case involving online pornography. Yahoo, Microsoft Corp.'s MSN and Time Warner Inc.'s AOL all complied with parts of the legal demand, but Google fought it and ultimately got the requirement narrowed.

In the YouTube case, Viacom largely got the data it wanted.

Google has said it would work with Viacom on trying to ensure anonymity, and Viacom has pledged not to use the data to identify individual users to sue. The YouTube logs will also likely be subject to a confidentiality order.

But privacy advocates warn that there's no guarantee that future litigants will be as restrained or that data released to lawyers won't inadvertently become public -- through their inclusion as an attachment in a court filing, for instance.

And retailers, government agencies and others are regularly announcing that personal information, stored without adequate safeguards, is being stolen by hackers or lost with laptops or portable storage drives.

"You just never know," said Steve Jones, an Internet expert at the University of Illinois at Chicago. "There are some circumstances under which what seems to be private information is going to be shared with a third party, and the court says it's OK to do that."

Copyright Technology Review 2008.

Trojan software compromises Alberta's electronic health record system

This is not good and should have been avoidable:

Commissioner urges vigilance in wake of computer virus outbreak at Alberta Health Services

July 8, 2009

The Office of the Information and Privacy Commissioner has been notified by Alberta Health Services that a virus was present on the Alberta Health Services network in Edmonton. The virus impacted the network and Netcare, Alberta’s electronic health record, before it was discovered and removed.

The virus is a new variant of a Trojan horse program called coreflood and is designed to steal data from an infected computer and send it to a server controlled by a hacker. Coreflood captures passwords and data the user of the computer accesses. The virus was active from May 15 to 29 before it was detected and removed.

AHS identified two groups who are potentially at risk. Patients whose health information was accessed in Netcare through an infected computer and employees who accessed personal banking and email accounts from work using an infected computer. AHS is sending letters to the 11,582 patients whose information may have been exposed and has notified all affected employees.

Commissioner Frank Work says this does not necessarily mean Netcare itself has been infected by the virus; rather the virus may have captured patient data accessed through Netcare from an infected computer and sent it to an external party. “While it appears the risk to patients is low, viruses don’t discriminate and this is an important message to everyone about the need to run up to date anti virus software”, says the Commissioner.

The Commissioner’s office is investigating. In the meantime Work is expecting a full forensic report from Alberta Health Services on how this happened and what steps will be taken to prevent future breaches. Work says “AHS responded quickly when the virus was detected and that steps have been taken to notify users and patients with advice on what they should do to protect personal and health information”.

Saskatchewan Commissioner releases annual report

The Information and Privacy Commissioner of Saskatchewan, Gary Dickson QC, has released his annual report today. Here is the "Quick Overview":

A Quick Overview

This is my fifth Annual Report as
Saskatchewan’s first full-time
Commissioner.

Some good progress has been achieved
in terms of access to information and
privacy compliance in a number of areas.
In other areas, not enough has been
achieved.

My intention is that this Annual Report
provide both some perspective on the last
four and one-half years and an outline of
the challenges ahead for this office.
The people of Saskatchewan deserve an
access and privacy regime that is both
robust and effective.

My commentary in this Annual Report
needs to be qualified by the recognition
that achieving such a regime captures
much more than just the activities of our
oversight office. It entails other features
such as:

• Effective and up-to-date legislation;
  

  Strong network of FOIP Coordinators
  in all government institutions and local
  authorities;
  

• Comprehensive training program for
  all new public sector employees and
  contractors;
  
• System of
  in-service
  training for
  all existing
  public sector employees; and
  
• Detailed and practical manual that
  explains statutory requirements in
  plain language with checklists,
  specimen forms, and ‘decision trees’.

From the perspective of the individual in

Saskatchewan, a robust access and
privacy regime would feature:

• Relatively simple process to access
  one’s own personal information and to
  correct errors in that information;
  
• Full and timely response to any
  access requests;
  
• Relatively simple process to make a
  complaint that privacy requirements
  for a public body have not been met;
  
• A senior, properly trained and qualified
  FOIP Coordinator for the relevant
  public body who can assist the citizen
  to exercise the rights created by our
  three access and privacy laws; and
  

  Reviews by our office to be completed
  in majority of cases within five months.

Two central themes have crystallized
since I started in November 2003.

1. One is the largely unfinished state of
our access and privacy regime despite
the fact that FOIP is 16 years old.

2. The other is the burgeoning demand
by Saskatchewan citizens and
organizations for assistance from us in
coping with what is seen as a
fragmented, confusing and underresourced
trio of laws.

This includes demand from public
sector employees who want to do the
right thing and who do wish to ensure
their organizations meet access and
privacy requirements.

Our last four and one-half years have
seen significant increases in almost all
areas of service. Formal reviews of
access decisions and privacy complaints
received by our office for the 2007-2008
fiscal year are 40% higher than the
previous fiscal year. Requests to our
office for summary advice are up 29%.
Visitors to our website are up 20% over
the previous year.

This increase in demand for assistance
may be at least partly attributable to a lack
of tools and resources available to those
who need them.

That demand for service also reflects new
developments that have dramatically
sharpened the focus on personal health
information, technical threats to privacy
and the demand for transparent and
accountable government at all levels.

The OIPC is supported by the Legislative
Assembly Office that provides an array of
services. We appreciate and rely on
those resources.

I am very proud of what our small office
has accomplished in the last four and onehalf
years. The credit goes to the
wonderful team of men and women in this
office led by Diane Aldridge, Director of
Compliance and Pamela Scott, Manager
of Administration.

Cross-border movement of personal health information

Earlier this week, I co-chaired Insight Information's conference on electronic health records here in Halifax. I was very pleased to see a lot of expertise in privacy developing in Atlantic Canada, which is necessary as Nova Scotia, New Brunswick and Newfoundland move towards developing and implementing health privacy laws and as electronic health record projects are driving forward.

I gave a presentation on the mess and uncertainty related to the cross-border movement of personal health information in Canada. The complicated overlap of laws that we see in provinces such as Nova Scotia is compounded when the information is disclosed out of the province.

If you're interested, the presentation is here and can be flipped through below:

Alberta Commissioner fed up with unencrypted laptops

I can just imagine Frank Work's expression of exaperation in uttering the quote attributed to him in the following media release:

Level of security on stolen laptops simply not acceptable, says Commissioner

June 24, 2009

Level of security on stolen laptops simply not acceptable, says Commissioner

Information and Privacy Commissioner Frank Work is perplexed with news that two laptops containing health information stolen from Alberta Health Services (AHS) were not encrypted. “This is shocking for me...I don’t know what we have to do to drive this message home” says the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less. This is highly sensitive information and an issue of public trust. How can the public have faith in public bodies if they can’t provide security for personal information?”

Two laptops with health information of more than 300,000 people were stolen earlier this month. Information on the laptops included names, birth dates, personal health numbers and lab test results for communicable and reportable diseases.

The Commissioner says AHS did have layers of protection on those laptops, but the final layer simply was not there, and while the risk might be low, there is still a risk, “A person with motivation and sufficient skills could still access the information. Risk remains without properly implemented encryption. The measures they had in place are better than nothing, but not good enough.”

Works says, “Encryption technology is readily available, and if you are going to store personal information on a portable device, you had better make sure that encrypting that information is a priority, a part of your business model, and an everyday occurrence, like making sure the door is locked before you leave home.”

The Office of the Information and Privacy Commissioner has launched an investigation into this matter. Work says, “We will be working very closely with AHS to make sure they understand their obligations and to ensure that steps are taken to prevent this from happening again”.

I pity the (next) fool who loses an unencrypted laptop in Alberta.

Ontario Commissioner releases 2007 annual report

The Information and Privacy Commissioner of Ontario tabled her Annual Report 2007 this past week. Apparently it was a good year:

IPC - Office of the Information and Privacy Commissioner/Ontario
Major advances made in Access and Privacy, says Commissioner Ann Cavoukian

Major advances made in Access and Privacy,
says Commissioner Ann Cavoukian

Court rulings, key decisions by her office and other developments all helped to make 2007 a year of significant progress in advancing both freedom of information and protection of privacy, Ontario Information and Privacy Commissioner Ann Cavoukian said today, as she released her 2007 Annual Report.

“I have never felt as positive about the future of privacy in Ontario as I do right now,” said the Commissioner. “And there have been some very important advances related to access to government-held information.”

PRIVACY PROTECTION

Among the positive developments she cites related to privacy protection:

• A key court ruling and subsequent ground-breaking order the Commissioner issued that addressed the same core issue – that the collection of extensive personal information from individuals whose only wish was to sell one or more second-hand items to a used-goods store should not end up in police files.
  
• In July, the Ontario Court of Appeal struck down a City of Oshawa bylaw that had required used-goods retailers to collect extensive personal information from people who wanted to sell second-hand items to used-goods stores. This personal information was then to be transmitted to, and stored centrally in, a police database – without any restrictions on its use or any judicial oversight.
  
• Two months later, following an investigation into a privacy complaint received by her office, the Commissioner invoked – for the first time in the 20-year history of her office – the power to order an institution to cease the collection of personal information and to destroy collections of information collected previously. She ordered the City of Ottawa and the Ottawa Police to stop collecting extensive personal information from individuals selling used goods to second-hand stores and to destroy personal information already collected (with limited exceptions).
  
• A ruling by Justice Edward Belobaba of the Ontario Superior Court of Justice that sections of the Adoption Information Disclosure Act breached the Canadian Charter of Rights and Freedoms. “As the Court noted,” said the Commissioner, “the Charter, ‘… is intended primarily to protect individuals and minorities against the excesses of the majority,’ and, accordingly, in this case, the Charter protected the minority who wished to preserve their privacy. I want to emphasize the significance of one of the statements in that Court decision:
  

  ‘People expect, and are entitled to expect, that the government will not share their confidential or personal information without their consent. The protection of privacy is undeniably a fundamental value in Canadian society.’”
  

  “It is of critical importance,” said the Commissioner, “that we never forget the Court’s words, ‘… privacy is undeniably a fundamental value in Canadian society,’ because privacy forms the very underpinning of liberty – the very foundation upon which our freedoms are built.”
  

• Positive steps were also taken in the development of “transformative technologies” – a new term for privacy-enhancing technologies applied to technologies of surveillance. For example, the Ontario Lottery and Gaming Corporation is evaluating facial biometrics for its “self-exclusion” program, under which some gamblers seek the OLG’s assistance in barring them from gambling in casinos operated by the OLG. Under a contract with the OLG, a University of Toronto team has been researching novel Biometric Encryption (BE) solutions. The system attempts to identify the subjects in the self-exclusion program while protecting the privacy of stored personal information. This information can be accessed only if a correct biometric, i.e. the facial image of a self-excluded person, is presented. In other words, the personal information is in effect “encrypted” with the person’s biometric – extremely privacy protective.

ACCESS IMPLICATIONS

Among the positive developments in 2007 related to freedom of information were several pivotal court rulings. These included:

• A very significant ruling by Ontario’s Divisional Court which upheld two decisions made by the Commissioner’s office on the application of the solicitor-client exemption to legal fees. “This ruling was a strong endorsement of our approach to the disclosure of legal fee information and underscores our consistent message that governments should actively disclose information about the expenditure of public funds,” said the Commissioner.
  
• Another key ruling, which applied the Canadian Charter of Rights and Freedoms, expanded the circumstances under which the public interest may override certain exemptions to accessing information under the Freedom of Information and Protection of Privacy Act (FIPPA). The Ontario Court of Appeal, in effect, amended FIPPA in a way that the IPC had been advocating since 1994, but did not have the authority to change. Section 23 of FIPPA states that where a “compelling public interest” in disclosure “clearly outweighs” the purpose of certain exemptions from the right of access, those exemptions do not apply. As a result of this decision, the IPC (subject to an appeal the Supreme Court of Canada will hear this fall) now has the ability to decide independently whether records subject to the law enforcement and solicitor-client privilege exemptions should be disclosed in the public interest.

RECOMMENDATIONS

Among the recommendations the Commissioner makes in her Annual Report:

• She is urging Ontario to make a privacy-protective electronic health record a priority.
  
• She is calling on the Premier and John Wilkinson, the Minister of Research and Innovation, to advance the development of transformative technologies (privacy-enhancing technologies applied to technologies of surveillance), not only in the area of research, but particularly in the commercialization of such research to facilitate its entry into the marketplace.
  
• She is urging all police services in Ontario to abide by the law and give a broad and generous interpretation to recent amendments to the provincial and municipal freedom of information and protection of privacy Acts that now allow police to disclose – in compassionate circumstances – the personal information of someone who has died to his or her family members.
  
• Rather than require individual provinces to build their own extensive databases of citizenship information from scratch, she is urging the federal government to make citizenship information available to provinces that want to provide an enhanced drivers’ licence (EDL) that citizens could use as an alternative to a passport, for the purpose of crossing the U.S. border.

FOI REQUESTS SET ANOTHER RECORD

Among the statistical information released by the Commissioner:

• The number of freedom of information requests filed with provincial or municipal government organizations across Ontario in 2007 – 38,584 – set an all-time high, surpassing the previous record of 36,739, set in 2006. Much of this increase is due to a jump in the number of requests filed with municipalities and police services.
  
• The number of privacy complaint files opened under the two public sector privacy Acts – 213 – was the highest in 11 years. (There were 170 privacy complaints in 2006.)
  
• And, the number of complaint files opened under the Personal Health Information Protection Act – 338 – set a record. (The old record was 269 in 2006.) Of the 338 complaint files, 227 were privacy complaints and 111 were access or correction complaints.

Commissioner Cavoukian’s 2007 annual report is available on the IPC’s website, www.ipc.on.ca.

The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, and the Personal Health Information Protection Act, and helping to educate the public about access and privacy issues.

Ontario Commissioner releases 2008 annual report and prepares for battle with Victoria University

The Information and Privacy Commissioner of Ontario has released her 2008 Annual Report, which makes broad recommendations for changes to the laws in Ontario and calls for the adoption of better practices:

IPC - Office of the Information and Privacy Commissioner/Ontario Commissioner Cavoukian lays out path for increased privacy protection & accountability – doing battle with Victoria University

Commissioner Cavoukian lays out path
for increased privacy protection & accountability – doing battle with Victoria University

TORONTO – Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, is urging the provincial government to make specific legislative changes and take additional steps to protect privacy and ensure greater accountability.

In her 2008 Annual Report, released today, the Commissioner cites how her sweeping recommendations from her seminal investigation into a privacy complaint against the video surveillance program of Toronto’s mass transit system have been hailed in the United States as a model that cities around the world can build upon, and in Canada as “a road map for the most privacy-protective approach to CCTV.”

Among the recommendations she is making in her 2008 Annual Report, are:

Amend the law to make it clear that all Ontario universities fall under FIPPA

The Commissioner is calling on the government to fix a potential omission in the Freedom of Information and Protection of Privacy Act related to which organizations are covered under the Act.

Under amendments that came into force in mid-2006, publicly funded universities were brought under the Act. Due to the wording of an amended regulation, the University of Toronto, in response to a freedom of information request received under the Act, argued that Victoria University, an affiliated university, was not covered under the Act.

“An IPC adjudicator determined that, based on the financial and academic relationship between the two, Victoria was part of the University of Toronto for the purposes of FIPPA,” said Commissioner Cavoukian. “The University of Toronto has not accepted our ruling and is now appealing it – having it ‘judicially reviewed.’ They have chosen to fight openness and transparency, expending valuable public resources in the process. We find this completely unacceptable, which is why we are prepared to go to battle on this issue, in our effort to defend public sector accountability. We should add that this is contrary to our normal process of working co-operatively with organizations to mediate appeals and resolve complaints informally. In this case, however, the university, having thrown down the gauntlet, left us no choice but to respond in kind and aggressively defend our Order in the courts.”

There are more than 20 other affiliated universities in Ontario that may have a different relationship with the university they are affiliated with, says Commissioner Cavoukian. “I am calling on the government to ensure that all affiliated universities are covered by the Act. There is no rationale for these publicly funded institutions to fall outside of the law.”

The government needs to set specific fees for requests for patients’ health records under PHIPA

The IPC has received a number of inquiries and formal complaints from the public regarding the fees charged by some health information custodians when patients ask for copies of their own medical records.

Ontario’s Personal Health Information Protection Act (PHIPA) provides that when an individual seeks copies of his or her own personal health information, the fee charged by a health information custodian shall not exceed the amount set out in the regulation under the Act or the amount of reasonable cost recovery, if no amount is provided in the regulation. No such regulation has been passed.

Commissioner Cavoukian, in her August 2008 submission to the Standing Committee on Social Policy, which conducted a statutorily mandated review of PHIPA, again raised the need for a fee regulation. Two months later, in its report to the Speaker of the Assembly, the Standing Committee indicated its agreement with the Commissioner’s recommendation, stating that the determination of what constitutes “reasonable cost recovery” should not be left to the discretion of individual health information custodians and their agents.

“The Minister of Health,” said the Commissioner, “should make the creation of a fee regulation a priority.”

Ontario’s enhanced driver’s licence (EDL) needs a higher level of protection

The Commissioner is calling on the Minister of Transportation to provide better privacy protection for the EDL. “The radio frequency identity (RFID) tag that will be embedded into the card can be read not only by authorized readers, but just as easily by unauthorized readers,” said Commissioner Cavoukian. “Over time, these tags could be used to track or covertly survey one’s activities and movements.”

The electronically opaque protective sleeve that will come with these enhanced licences – which drivers without a passport will need as of June 1 to drive across the U.S. border – “only provides protection when the driver’s licence is actually encased in the sleeve,” said Commissioner Cavoukian. “But individuals who voluntarily sign up for these enhanced driver’s licences will not only be required to produce them at the border, but will still have to do so in other circumstances where a driver’s licence or ID card is presently required, including in many commercial contexts. The reality is that most drivers will abandon the use of the protective sleeve.”

“An on-off device on the RFID tag would provide greatly enhanced protection,” said the Commissioner. “The default position would be off since drivers don’t need the RFID to be ‘on’ when routinely taking their licence in and out of their wallets, unless they are actually crossing the border. I am urging the government to pursue adding a privacy-enhancing on-off device for RFID tags embedded in the EDLs.”

FOI REQUESTS

The number of freedom of information requests filed across Ontario in 2008 was the second highest ever – 37, 933, trailing only the 38,584 filed in 2007. Nearly two-thirds of the 2008 requests were filed under the Municipal Freedom of Information and Protection of Privacy Act (24,482), to such organizations as police service boards, municipalities, school boards and health boards. In fact, there were more requests filed to police service boards (13,598) than there were for all organizations under the provincial Act (13,451).

FOI requests may be filed for either personal information or general records (which encompasses all information held by government organizations except personal information). And, the majority of requests each year have been for general records. In 2008 – for the second year in a row – the average cost of obtaining general records under the provincial Act dropped – this time, to $42.74 from $50.54, continuing a reversal of what had been a lengthy trend. The average cost of general records under the municipal Act was $23.54, up only a nickel from the previous year.

Among other key statistics released by the Commissioner:

· Since the IPC began emphasizing in 1999 the importance of quickly responding to FOI requests, in compliance with the response requirements set out in the Acts, the provincial 30-day compliance rate has more than doubled, climbing to 85 per cent from 42 per cent. After achieving a record 30-day compliance rate in 2007 of 84.4 per cent, provincial ministries, agencies and other provincial institutions promptly broke the record in 2008, producing an overall 30-day compliance rate of 85 per cent.

· The Commissioner also reported that her office received 507 complaints in 2008 under Ontario’s three privacy Acts, and 919 appeals from requesters who were not satisfied with the response they received after filing an FOI request with a provincial or local government organization. Overall, the IPC resolved 966 appeals and 534 complaints in 2008.
The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, as well as the Personal Health Information Protection Act, which applies to both public and private sector health information custodians, in addition to educating the public about access and privacy issues.

Privacy and internet log files

Just posted on slaw.ca:

In the past two weeks, the New York Times reported that Microsoft has made a minor concession with European privacy authorities about how long it retains its log files. A committee of European privacy regulators had asked that these logs be kept for only six months. Microsoft's response? Eighteen months.Yahoo used to keep them for thirteen months and just announced it will cut retention to 90 days. Google keeps them for nine.

The privacy implictions of these innocuous log files have been underestimated, particularly when you think about the fulsome picture of your private life that companies like Google may be assembling about you. The information in an ordinary web-server log usually contains the just a tid-bit of information. One "hit" on a website may look like this (but all on one line):

127.0.0.1 - frank 
[10/Oct/2000:13:55:36 -0700] 
"GET /apache_pb.gif HTTP/1.0" 200 2326 
"http://www.example.com/start.html" 
"Mozilla/4.08 [en] (Win98; I ;Nav)" 

The first bundle of numbers is the IP address of the computer that requested a particular web-page. "Frank" refers to a userid, which is usually not eabled. The next field is the date" Following that, and usually preceded by "GET" is the command your web-browser sent to the server. The next bits are the status code returned by the server and then the size of the entity requested. Next is something called a "referer" (mis-spelled) , followed by details about your browser.

Since many people often share the same IP address (it could be one IP for an entire company or just a group of people in a house using the same internet connection), some have argued it is not personal information and a log-file doesn't contain personal information. The problem is that even if an IP address is not directly connected to one individual, one can do some easy analysis to make the connections. After AOL released supposedly de-identified search logs to researchers, an intrepid reporter was able to track down at least one of the users who had some very personal health-related searches in the logs (see: Users identifiable by AOL search data).

What's additionally troubling from a privacy point of view is that the large inernet companies, like Google, Yahoo and Microsoft, don't just have your search queries. Increasingly, they have a huge trove of data sources in their logs.

Take Google, for example. Google has their famous Google search. They also have GMail, Google Analytics, Google AdSense, Google Documents, Google Toolbar and more. Each time you "hit" one of their sites, you're in their logs. Most internet users hit Google's logs dozens of times a day and on many of those occasions aren't even aware that they're using a Google service. Google has what is probably the most popular and widely used network of online advertising: AdSense. Each time you go to a website that features Google's ads, your computer sends a request to Google's servers and that "hit" goes into their logs, along with the information about what site you were visiting, when you visited and what ad was served. If you click on the ad, even more information is collected and logged. But even if you don't visit a site with Google's ads, there's a very good chance that the webmaster is using Google Analytics to find out about useage of his or her site. (Full disclosure: I use Google Analytics for my site at www.privacylawyer.ca.) I should also note that Yahoo! and MSN also have advertising networks, which collect the same sort of information.What this means is that Google, Yahoo and Microsoft register in their logs a significant portion of your usage of the internet.

And if you have a Google, Yahoo! or MSN account, that hit can be connected to your account details, includig your name.

I don't think it's too far fetched to think of a day when it will become standard for all investigations involving the internet to inlcude a warrant served on Google or Yahoo! or Microsoft for all logs related to a particular user or IP address or both.

Next week, I'll discuss efforts being made by governments and law enforcement to make log rentention mandatory.

Federal Commissioner tables annual report on Privacy Act

The Federal Privacy Commissioner has today tabled her annual report on the Privacy Act. And she isn't happy with how certain government departments handle personal information:

News Release: Privacy issues given short shrift in passport operations and tribunal Internet postings, Commissioner says (December 4, 2008) - Privacy Commissioner of Canada

News Release

Privacy Commissioner’s 2007-2008 Annual Report to Parliament on the Privacy Act outlines audit of Passport Canada; investigative findings regarding online posting of personal information by administrative and quasi-judicial bodies

Ottawa, December 4, 2008 — Privacy concerns are not given enough weight in the day-to-day operations of a number of federal government institutions, the Privacy Commissioner of Canada says.

The Commissioner’s latest Annual Report to Parliament on the Privacy Act, which was tabled today, describes how privacy and security problems in Canada’s passport operations added up to a significant risk for Canadians applying for passports.

The annual report also highlights the Commissioner’s concerns that the online posting of personal information by some federal administrative and quasi-judicial bodies does not strike the right balance between the public interest and privacy rights.

Privacy Commissioner Jennifer Stoddart says her Office’s audit of passport operations raised a broad range of concerns about how personal information was handled.

“Given the high sensitivity of the personal information involved in processing passport applications, better privacy and security measures are needed,” says Commissioner Stoddart. “Unfortunately, the shortcomings we found raised the risk that Canadians’ information could wind up in the wrong hands.”

The audit found that passport applications and supporting documents were kept in clear plastic bags on open shelves; documents containing personal information were sometimes tossed into regular garbage and recycling bins; and some documents that were shredded could be easily put back together. Meanwhile, computer systems allowed too many employees to access passport files. The investigation also concluded there was inadequate privacy training for employees – an issue which is a concern across government institutions.The Commissioner is pleased that Passport Canada and the Department of Foreign Affairs and International Trade have indicated they will act on her recommendations and improve privacy and security safeguards.

The annual report also outlines the Commissioner’s concerns about the online posting of federal administrative and quasi-judicial bodies’ decisions which contain highly sensitive personal information.

The OPC investigated 23 complaints regarding the disclosure of personal information on the Internet by seven bodies created by Parliament to adjudicate disputes. The complaints involved: the Canada Appeals Office on Occupational Health and Safety; the Military Police Complaints Commission; the Pension Appeals Board; the Public Service Commission; the Public Service Staff Relations Board; the RCMP Adjudication Board; and Umpire Benefits decisions.

Decisions of these bodies often include highly personal information such as an individual’s financial status, health and personal history.

“This is private information. Law-abiding citizens fighting for a government benefit should not be forced to expose the intimate details of their lives to everyone with an Internet connection,” says Commissioner Stoddart.

The Commissioner agreed that the “open court” principle is an important part of Canada’s legal system, but noted there is a crucial distinction between the courts and the bodies the OPC investigated: The Privacy Act does not apply to the courts, but it does apply to many administrative tribunals and quasi-judicial bodies.

In order to respect their obligations under the Privacy Act, the Commissioner recommended, among other steps, that the bodies reasonably depersonalize decisions posted online by replacing names with random initials. However, the Commissioner noted that, where there is a genuine and compelling public interest in such a disclosure, these bodies have the legal authority under the Act to exercise discretion in disclosing personal information.

Service Canada and Human Resources Development Canada agreed to fully implement the OPC’s recommendations. Other bodies took important but incomplete steps towards compliance with the Commissioner’s recommendations.

Currently, unlike its private-sector counterpart, the Privacy Act does not empower the Privacy Commissioner to enforce her recommendations through legal actions. The OPC has recommended an overhaul of the legislation to address this and other concerns.

The OPC has also asked Treasury Board Secretariat to develop centralized policy guidance on the online posting of personal information by administrative and quasi-judicial bodies.The annual report outlines key activities undertaken by the OPC during 2007-2008, including audits, investigations and policy work. The report notes that new complaints against government institutions dropped slightly to 759 in 2007-2008 from 839 the previous year.

The report is available on the OPC website.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

• Annual Report to Parliament 2007-2008 — Report on the Privacy Act (PDF Version)
  
• Privacy Audit of Canadian Passport Operations (PDF Version)

Missing Alberta health care provider hard drive had thousands of patient images

An unencrypted hard-drive has gone missing at Covenant Health in Alberta, leading to an investigation by the province's Information and Privacy Commissioner. The drive, it appears, contained exclusively images, but many of them would be considered to be highly sensitive including video of surgeries. The names and hospital numbers of the 3,600 relevant patients are also apparent from the directory and file naming systems. The drive apparently went missing when an employee was moving offices. Because it was not a "portable" drive, the data was not encrypted.

See: Missing hard drive had thousands of patient images - Calgary - CBC News.

Nova Scotia to table health information legislation today

The Nova Scotia Minister of Health is expected to table the latest iteration of the Personal Health Information Act in the Nova Scotia legislature this afternoon. Expect to see the text of the bill here as soon as it's tabled.

See: Health minister expected to table personal information bill today - NovaScotia - TheChronicleHerald.ca.

---

Update: The text of Bill 89 is available here.

Text of Bill 64, Personal Health Information Act (Nova Scotia) now available

The text of Bill 64, the Personal Health Information Act has now been posted on the Nova Scotia Legislature website.

Personal Health Information Act introduced in Nova Scotia

The Minister of Health for Nova Scotia has today introduced the Personal Health Information Act in the legislature. I'll have a link to the text of the bill tomorrow, but in the meantime you can read the release:

Personal Health Information Legislation Introduced News Releases Government of Nova Scotia

Personal Health Information Legislation Introduced

Department of Health

November 4, 2009 2:46 PM

Nova Scotian's personal health information would be better managed under proposed legislation introduced today, Nov. 4.

The Personal Health Information Act would provide consistent provincial rules for the management of personal information in health care.

"Patient privacy is a fundamental principle in delivering health care. At the same time, it is important that health care professionals can share information in ways that can improve care," said Health Minister Maureen MacDonald. "This legislation balances these important objectives."

The proposed legislation sets out rules for how health information is collected, used, disclosed, retained and destroyed by the health-care sector in Nova Scotia. It better supports a system that uses electronic as well as paper health records and helps provide a more seamless flow of information.

Specific rules include provisions for privacy breach notification audit reports to track who has had access to electronic health records, and requests for people to access to their health information.

Nova Scotia does not have clear health information legislation. It is governed by a mix of federal and provincial laws, health profession codes, and organizational policies and procedures. Nova Scotia joins eight other provinces who have comprehensive legislation to manage personal health information.

I understand that the legislature session ends shortly, so the Bill will not be debated until the new year. It's also reported that the Department plans to have the Bill come into force in January 2011.

Government declines proposed reforms to access and privacy laws

The Minister of Justice has responded to the Standing Committee on Access to Information, Privacy and Ethics' reports on reform to the Privacy Act and the Access to Information Act with a robust "thanks, but no thanks".

House of Commons Committees - ETHI (40-2) - Reports and Government Responses

Report 11 - The Access to Information Act: First Steps Towards Renewal (Adopted by the Committee on June 15, 2009; Presented to the House on June 18, 2009)

Government Response: 11th Report of the Standing Committee on Access to Information, Privacy and Ethics, "The Access to Information Act: First Steps Towards Renewal" (Presented to the House on October 9, 2009)

Report 10 - The Privacy Act: First Steps Towards Renewal (Adopted by the Committee on June 8, 2009; Presented to the House on June 12, 2009)

Government Response: Tenth Report of the Standing Committee on Access to Information, Privacy and Ethics, "The Privacy Act: First Steps Towards Renewal" (Presented to the House on October 9, 2009)

Thanks to Michael Geist for the pointer.

Some media coverage from the Canadian Press:

The Canadian Press: Harper government refuses to expand information, privacy laws

Harper government refuses to expand information, privacy laws

By Joan Bryden (CP) – 2 hours ago

OTTAWA — The Harper government has quietly nixed recommendations to expand and modernize Canada's access-to-information and privacy laws.

Justice Minister Rob Nicholson's rejection of reforms to the 26-year-old laws sparked accusations Thursday that the Tories have reneged on campaign promises to bring openness and transparency to the federal government.

"The access system now does not work," said Michel Drapeau, a lawyer and a leading expert on accessing government documents.

"They appear to like it this way."

Nicholson's rejection was also greeted with disappointment by privacy experts, who warned that Canada's outdated Privacy Act does not cover modern technologies, such as surveillance cameras and DNA samples collected from suspects.

Nor does it give the privacy commissioner any recourse to the courts when the government inappropriately discloses personal information, no matter how serious the breach.

"We're very disappointed, actually," said Chantal Bernier, assistant privacy commissioner.

"While we agree with the minister that privacy is well protected in Canada, we feel we can do better."

A Commons committee had recommended, among other things, that the information commissioner be given more power to force the government to disclose information in a timely manner.

Drapeau said only 10 to 20 per cent of access requests receive a response within 30 days, as intended under the law. The rest routinely take up to two years with some dragging on as long as four years.

Suzanne Legault, interim information commissioner, said Drapeau's view of the access system is overly pessimistic. She said 57 per cent of requests get a response within 30 days.

Still, she acknowledged there's an "urgent need" to modernize legislation to remedy some "very long delays" in responding to access requests.

Legault pointed out that the act was drafted in the days when bureaucrats kept paper records "in a neat file folder." Now, they are inundated with digital information, such as streams of emails with attachments, that is harder to manage and takes longer to sift through.

"We really live in a world of digital information and the system hasn't adjusted," Legault said.

The Commons committee had also wanted the privacy law expanded to cover new technologies. And it wanted to beef up provisions governing the disclosure of personal information by the Canadian government to foreign states - one of the most urgent needs in the wake of the Maher Arar case, according to Bernier.

Based on information provided by Canadian security authorities, Arar was detained in the U.S. and deported to Syria, where he was tortured.

In responses to the committee tabled quietly last week, Nicholson rejected the proposed reforms as too cumbersome, unnecessary or ill-considered.

He said giving the information commissioner more powers would shift the nature of the job "from an ombudsman model towards a quasi-judicial model," which would be inconsistent with other independent parliamentary watchdogs.

He rejected the notion that information requesters should have direct recourse to the Federal Court if access is refused, arguing that such a reform "would increase the caseload burden on the Federal Court."

On the privacy recommendations, Nicholson ruled out legislative restrictions on the disclosure of personal information to foreign states, arguing that law enforcement and security agencies "require a flexible approach" to information sharing.

"They must be able to share their intelligence within Canada and well as with their foreign partners," he wrote.

Moreover, Nicholson argued that efforts to combat international child abductions, forced marriages and worldwide health threats would be "seriously hampered" by restrictions on information sharing.

Nicholson maintained both the Access to Information Act and the Privacy Act are strong pieces of legislation. And he suggested "administrative alternatives, such as enhanced guidance and training" could be "equally effective" in improving both the access and privacy regimes.

Copyright © 2009 The Canadian Press. All rights reserved.

Trend to privacy seen as hurting research

An article in the September 24, 2008 National Post cites a new journal article that concludes that privacy laws are hampering important health research. I haven't read the journal article yet, but plan to. While this argument is not new, I don't agree with the conclusions. I have served on Research Ethics Boards and on a special privacy committees of an REB and I haven't seen that happen.

One researcher is quoted as saying that health research should be exempted from privacy laws, which is, in my view, a very bad idea. Perhaps some tweaking is called for, but a blanket exemption would be a very bad idea and may lead to a backlash against research using identifiable personal information.

Trend to privacy seen as hurting research

Many scientists deprived access to patient data

Tom Blackwell , National Post

Published: Wednesday, September 24, 2008

As Canadians place more and more emphasis on safeguarding personal privacy, the trend is taking an inadvertent toll on medical research, often impeding access to intimate but crucial health information, scientists are warning.

Privacy laws not only make public-health studies more time-consuming and costly, they can also significantly skew research results, argue University of British Columbia epidemiologists in a recent journal article.

"I think it's something that everyone should consider because good research is basically how we make advances in public health," said Anne Harris, lead author of the paper. "We need to be able to trust the results we get."

The paper in the Canadian Journal of Public Health suggests that medical research be exempted in some way from privacy rules.

A leading Ontario scientist echoed the B. C. group's concerns: "A lot of the advances we have had in the past might not happen because of privacy legislation and the way it's interpreted," said Dr. Jack Tu, a cardiac health researcher with a University of Toronto-affiliated institute.

Time for a privacy check-up

Today's Halifax Chronicle Herald has an opinion piece by Bob Doherty, the former head of privacy and access with the Nova Scotia Department of Justice:

Time for a privacy check-up - Nova Scotia News - TheChronicleHerald.ca

Time for a privacy check-up Laws need to be understandable, consistent

By BOB DOHERTY
Wed. Jan 28 - 7:25 AM

With today being International Data Privacy Day, it is useful to see just how far society in Atlantic Canada has come in dealing with the complex issue of privacy since the last, almost unnoticed, celebration of this event locally a year ago.

Positive signs are emerging in the efforts to create more privacy consciousness in the region. Dalhousie University hosted a privacy event yesterday, and there have also been other events over the past 12 months. Most recently, CBC Radio’s Maritime Noon hosted a privacy "phone in" with Kostas Halavrezos and local privacy lawyer David Fraser. All of these events and others point to an increase in privacy consciousness in the past year.

However, as one listened to the calls that were received on the CBC Radio privacy segment, it became apparent there was substantial confusion as to what privacy choices, rights, obligations and remedies exist in a variety of settings. A good part of this confusion would seem to arise from a misunderstanding as to what "privacy" is.

In a nutshell, privacy is about legal choices, rights, obligations and remedies for the collection, use and disclosure of non-public, usually recorded, information about us, as individuals, in certain public and private-sector situations. However, even further than this, there are usually only four categories of personal information about us in which privacy choices, rights and obligations may or may not exist:

•Our secrets: This includes information about our personal or work lives, such as employment record, sexual orientation, personal preferences, digital photos or video recordings, records of library loans, video rentals, etc.

•Our identity: Such things as our social insurance number, health card number, blood type, society membership cards, etc., fall into this category.

•Our health: This includes our medical and psychological history.

•Our finances: Examples are our financial and credit status, bank account information, credit card identification and usage history, etc.

While some of the information in all categories may not be considered particularly sensitive and of little privacy interest to some individuals, for others this information is very personal and its disclosure would be viewed as highly privacy-invasive. Regardless of the sensitivity, there is always the potential for public embarrassment, denial of services or financial loss if the information is disclosed, or disseminated widely or indiscriminately.

However, while all of these categories involve our privacy choices, not all of the situations in these categories are subject to privacy laws.

All of this information we willingly (or reluctantly) give to selected individuals or organizations, either as a matter of trust, social interaction, contract or as required by law. However, there seems to be confusion among the general population on choices, rights, obligations and remedies (if any) in many of these situations where our personal information is involved.

In many cases, as Esther Dyson points out in a September 2008 Scientific American article entitled Reflections on Privacy 2.0, "People often have a better bargaining position than they realize, and are gaining the tools and knowledge to exploit that position."

So, how do we lessen that confusion and achieve that level of knowledge and understanding? For those who have tried to navigate the patchwork landscape of privacy laws in Canada, the answer should be obvious. Current laws need to be made more understandable to the average person and consistent across Canada. Penalties should be clear and significant for egregious privacy breaches, and oversight mechanisms must be provided with broad educational mandates and the budgets to implement them.

At the federal level, this would include passage of the proposed "identity theft" amendments to the Criminal Code, and development of clarity amendments to federal public and private-sector privacy legislation.

In Nova Scotia, this would mean proclamation of the recently passed Privacy Review Officer Act. It would also mean a provincial health information law, along with legislation to deal with privacy in the workplace and electronic surveillance (e.g. video, digital cameras including cellphone cameras, and computers).

If these changes, along with increased privacy education about choices, rights and obligations regarding our personal information in the schools, the workplace and the community are implemented, perhaps at this time next year we will not only have an increased level of privacy consciousness – we will also have a better understanding and the capacity to engage in a more informed debate on the future directions privacy-protection policy and laws should take.

Bob Doherty is a Halifax access and privacy consultant who teaches and works with access and privacy law courses in Nova Scotia and Alberta.

I think that Bob and I may think about privacy a bit differently. I probably wouldn't have used the categories he did. To me, words like "non-public" aren't very helpful and everything may fit into the category of "secrets". It just depends on how much an individual decides to disclose and how they propose to disclose it. Public information can be subject to privacy rights, as is the case in PIPEDA where publicly available information is still subject to legal limitations. But no matter what, the public should be educated about privacy rights and should have a say in shaping privacy laws.

Personal Health Information Act for Researchers

I was invited to give a presentation to staff and physicians at the IWK Health Centre in Halifax on the impact of the new Personal Health Information Act on researchers and research activities.

For anyone who may be interested, here is a copy of the presentation:

(If the embedding above is not working for you, this link should take you to the presentation: https://docs.google.com/present/view?id=ddpx56cg_32947mwh5hq&interval=30&autoStart=true&loop=true)