27 Jan 2012

Time for government, individuals to think “Less is More”


Entry written by Scott Hutchinson, Senior Communications Advisor, Office of the Privacy Commissioner of Canada.

As the days tick down to Data Privacy Day itself, it’s time to reflect a little bit more about the words “Less is More,” how they apply and to whom.

What they mean for individuals is pretty clear. To put it another way, “beware what you share, because it could wind up anywhere.” 

But what does “Less is More” mean for organizations and privacy, and governments in particular?

This was one of the questions addressed in remarks provided by Sue Lajoie, Director-General (Privacy Act) of the Office of the Privacy Commissioner of Canada before a group of federal public servants at an event hosted by the Canada School of Public Service in Ottawa.

She explained it this way: “The less personal information you collect, the more you limit the risk of data breaches and the embarrassment and lost trust they cause.”

“The less you collect, the more you protect against government furthering the widely-held stereotype of the state as an increasingly invasive and untrustworthy force in society.”

“And, the less you collect, the more you respect privacy as a long-observed, essential element of human freedom and dignity.”

It was noted that while the OPC is effectively the champion of Canadians’ privacy rights, public servants have an important role to play as guardians by making privacy considerations central to the design and administration of programs and other initiatives that collect personal information.

Sue pointed to the fact that thanks to advances in the power and efficiency of information technology, governments are approaching a veritable fork in the road when it comes to collecting personal information. She pointed to recent research done by Brookings Institution scholar John Villasenor, who notes that the falling costs of hard drive space and rising capacity of computers will make it possible and even affordable for a government to establish enormous databases of information that could act as “a surveillance time machine, enabling state security services to retroactively eavesdrop on people in the months and years before they were designated as surveillance targets.”

While it’s not imagined that the government of a democratic country such as Canada would comprehend something so sinister, the research makes a point valid for governments of any persuasion.  As Sue noted today, “The question is no longer, can the state appropriate someone’s personal information, up to the point of leaving them as naked and helpless as the defendant in Kafka’s The Trial. The question is should it allow itself to do so? To what extent? And what are the moral, ethical and public policy issues around this?”

In a nutshell, our 2010-2011 Annual Report to Parliament on the Privacy Act asked, “Can the state curb its appetite for information about its citizens?” And Sue’s remarks suggest that indeed, a moderation-based data diet may in fact be just what the doctor ordered for the ongoing health of our democracy and respect of Canadians.


26 Jan 2012

Is your child savvy online? Check out our 12 quick privacy tips for parents.


Entry written by Kristen Yates, Senior Public Education Officer, Office of the Privacy Commissioner of Canada.

It can be tough raising kids in a digital environment. Many of them use the Internet effortlessly, and easily adapt to new devices that connect to it. For many of us, these tools have become a routine part of our children’s lives, as they use them to chat, surf, post, play and learn. The Internet has become one of the most powerful tools they have to connect with friends and make new ones.

Many kids, however, don’t fully understand the impact that some online activities may have on their privacy. The Office of the Privacy Commissioner of Canada has come up with a new tip sheet that offers 12 practical tips for parents interested in discussing online privacy with their kids. The tips include simple ideas and advice that parents may use to limit risks to their child’s personal information, while allowing them to continue enjoying their time online.

Here is a quick list of the tips. Look at the tip sheet for detailed information on each tip!

  1. Talk to your kids.
  2. Try it out.
  3. Keep up with the technology.
  4. Make restricting privacy settings a habit.
  5. Make password protection a priority.
  6. Emphasize the importance of protecting mobile devices.
  7. Remind your kids that what they post on the Internet is not always private.
  8. Teach your kids to think before they click.
  9. Stress the importance of knowing your real friends.
  10. Teach your kids that their personal information is valuable.
  11. Let your kids know that you are there if they make a privacy mistake.
  12. Set a good example.

These tips were launched this week as part of our Office’s week-long campaign leading up to Data Privacy Day. For more information on the Office’s Data Privacy Day activities and resources, go to www.priv.gc.ca.

For more information on talking to your kids about how their use of technology can affect privacy, visit www.youthprivacy.ca/en/teachers.html.


24 Jan 2012

New Tips and Tools to Help Your Young Internet Users Protect Their Privacy Online


Entry written by Kristen Yates, Senior Public Education Officer, Office of the Privacy Commissioner of Canada.

We all know how savvy kids are with the Internet and online tools. Many of them are way ahead of adults in adapting to new technologies, making it difficult to keep up with them – let alone educate them on online privacy.

The Office of the Privacy Commissioner of Canada is here to help. Today, we launched a new video, tip sheet and presentation package for youth in grades 7 and 8 (Secondary I and II in Quebec) that will help parents and teachers talk to youth about the importance of protecting their privacy online.

The new video speaks to teens and ‘tweens alike, and covers the key privacy concepts kids need to consider when sharing information online. The video may be viewed online or downloaded to support discussion.

The new tip sheet offers 12 practical tips for parents interested in discussing online privacy with their kids. The tips include simple ideas and advice that parents may use to limit risks to their children’s personal information, while allowing them to continue enjoying their time online.

The Grades 7 and 8 presentation package is the latest release in the Office’s Protecting Your Online Rep presentation series. The package includes slides, speaking notes and discussion topics for use by educators and community leaders to speak with young people about online privacy. The new presentation offers much of the practical privacy advice found in the presentation package for grades 9 to 12, which our Office launched last fall, only the graphics and speaking notes have been tailored to the social realities and online activities of younger students.

These tools are being launched this week as part of our Office’s week-long campaign leading up to Data Privacy Day. For more information on the Office’s Data Privacy Day activities and resources, go to http://www.priv.gc.ca/resource/dpd/2012/index_e.cfm.


23 Jan 2012

On Data Privacy Day, think less is more.


Entry written by Heather Ormerod, Senior Communications Advisor, Office of the Privacy Commissioner of Canada.

Once a year, privacy advocates and enthusiasts around the world get the chance to collectively shine a spotlight on the issue of online privacy.

Data Privacy Day, which is celebrated annually on January 28, is an annual international celebration designed to promote awareness about privacy and education about best privacy practices. Granted, it doesn’t rank up there with Canada Day or Thanksgiving in terms of food, fun or festivity, nevertheless it is a date worth circling on the calendar.

In this digital age, where our online activities can so easily be tracked, stored, shared and analyzed, and we are under constant pressure to share more and more personal information, we are all feeling a bit uneasy about all that personal data floating around in cyberspace.

It’s not that we want to turn our backs on the limitless potential of the Internet. We just need to figure out how we can all limit the potential for online personal information to be misused and abused.

The answer? When it comes to sharing personal information, think less is more.  

Once our personal information is on the Internet, we have very little control over who sees it, how it is used, or how long it will be available. By sharing less personal information, we can help limit our exposure and the risks of our personal information being misused, abused or disclosed without consent.

So, whether we are social networking, using an app on a mobile device, or signing up for discounts and deals, we need to think carefully about the personal information we are putting into cyberspace.

Less is more is also good advice for businesses and organizations that collect personal information. Collecting and holding excess data raises the risks for customers, but it is also costly for businesses because it increases the risk of data breaches, which can be damaging to businesses’ reputations and expensive to clean up.

This week, the Office of the Privacy Commissioner of Canada is pleased to join governments, privacy professionals, corporations, academics and students from around the world, in marking Data Privacy Day.

Our Office will be engaging in a number of activities in the week leading up to January 28, such as the launch of some new youth privacy tools, and presentations to youth, public servants, businesses and staff. The Office has also produced some new resources, such as posters and graphics which can be used to raise awareness of privacy in any organization.

For more information on the Office’s Data Privacy Day activities and resources, go to our Data Privacy Day web page or http://www.priv.gc.ca/.


16 Dec 2011

Drawing the line between monitoring and tracking


Given the time of year, many Canadians are spending time in malls. 

By now, most have come to terms with the fact that security cameras survey nearly every corner of every store. 

This is well known – and if stores obey Canada’s private sector privacy law, they provide notice.

In short, if you’re out shopping, you’re informed that you’re on camera.

But now, how would you feel if there were people on the other side of the cameras, not simply monitoring to see what you might steal, but instead keeping tabs on the specific stores you visited … on the specific brands, styles, colours and sizes of clothes you tried on … on the magazines you leafed through at a newsstand … on what exactly you ordered from the food court … in addition to everything you actually bought from stores during your visit?

Copious notes would be recorded throughout and filed upon your exit. 

Upon returning, you would be recognized and new data would be entered into your file accordingly.

This may sound far-fetched, but something similar is happening regularly to eight in 10 Canadians aged 16 and older, according to Statistics Canada’s latest figures.

While it’s not actually happening to people browsing in malls, it is happening to most anyone browsing online, through a practice called behavioural advertising.

Online advertising used to consist of mini billboards that came up for everyone who visited a certain page or made a particular search query.

Today, increasingly, ads are based on profiles compiled on us by tracking our browsing activity over time. 

It’s usually carried out by third parties who follow users via cookies or web beacons.

These effectively lay a trail of digital bread crumbs which are tracked and analyzed to determine your interests based on where and what you click and, in turn, what ads may interest you, which are effectively “beamed” onto pages upon your visit.

Some people appreciate ads being tailored to them.

Others might feel like they’re browsing in that earlier-described mall.    

Either way, the information involved in this practice can identify individuals and will generally constitute personal information under Canada’s private sector privacy law.

As a result, individuals must be made aware of what’s happening when they browse and provide meaningful consent. 

If you were unaware of this practice, you’re not alone. In general, to find out you’re being tracked, you need to dig down deep into a typical website’s lengthy, legalistic privacy policy.

To be fair, this is a fairly new practice in the still evolving digital world. Some advertisers are making an effort to inform users and many may be unsure how to ply their trade in compliance with privacy law.

For example, what constitutes meaningful consent?

This is why my Office has just released new guidance which explains that “opt-out” consent may be used so long as some conditions are met.

First, individuals must be:

  • made aware of the purposes for the practice in a manner that is clear, obvious and understandable.  In other words, one shouldn’t have to hunt for it;
  • informed of these purposes at or before the time of collection and should be provided with information about the parties involved in the advertising; and
  • able to easily opt-out of the practice, ideally at or before the time the information is collected.

In addition, the opt-out should both take effect immediately and be persistent, while the information collected and used:

  • must be limited, to the extent practicable, to non-sensitive information (for example, avoiding sensitive data such as health information); and
  • should be destroyed as soon as possible or “anonymised,” so if someone gains access to it through say hacking, it can’t be used to identify specific individuals.

Further, the use of tracking techniques of which users are unaware and can’t decline, such as web bugs, web beacons and super cookies, in the current context of behavioural advertising should be avoided.

On top of this, websites specifically aimed at kids should not allow tracking for behavioural advertising, as it is difficult to obtain meaningful consent from children. 

Attention to this is needed as a recent report noted 40 percent of kids aged two to four have used a smartphone, tablet or video iPod.

All told, in the months to come, we’ll be watching the watchers to see that our guidance is being followed. 

And if we see troubling trends, we’ll take enforcement action.


8 Dec 2011

OPC Contributions Program is Now Accepting Submissions


The Office of the Privacy Commissioner is pleased to announce the launch of the Contributions Program 2012-13. The Contributions Program, which has funded nearly 80 privacy initiatives over the past eight years, presents a unique opportunity to advance privacy knowledge by drawing on the valuable skills and capacities of academic and not-for-profit organizations in Canada.

This year, the OPC is looking for innovative research projects which will generate and translate knowledge to the greater public. Our Office is interested in a variety of research topics, which feed into the OPC’s priority areas: Identity Integrity and Privacy; Information Technology and Privacy; Public Safety and Privacy; and Genetic Information and Privacy.

We fund research because we want to learn more about privacy issues in Canada but we also want to help ensure that others benefit from this research. So, we are particularly interested in seeing proposals from researchers and organizations that include a plan for knowledge translation. Knowledge translation is a process by which theoretical research results get transformed into useable outcomes that end-users can apply in practice. Some examples of knowledge translation activities that may be included in eligible proposals include:

  • Workshops, conferences and symposia that disseminate research results to relevant stakeholders and provide an opportunity for knowledge exchange between theoretical concepts and practical realities;
  • Engagement of relevant end-users as active participants in an iterative process throughout the research project to obtain relevant feedback and enhance the validity and utility of research results;
  • Innovative and interactive online approaches for disseminating research findings and raising public awareness of privacy issues;
  • Survey, evaluation or other methods of assessing the relevance, effectiveness or impact of knowledge dissemination approaches and strategies aimed at raising privacy awareness and understanding among individuals or organizations; and
  • Initiatives that transform research results into useable knowledge for relevant intermediaries (such as parents, teachers, journalists or consumer / industry / professional associations, etc.), who could then further disseminate that knowledge to relevant end-users.

For more details regarding the OPC Contributions Program please refer to the Contributions Program web page.


28 Nov 2011

Better answers through better questions


Entry written by Sophie Paluck-Bastien, Special Advisor to the Assistant Commissioner, Office of the Privacy Commissioner of Canada.

I was listening to Daniel Solove’s presentation at the Reboot Ottawa conference earlier today. His talk was modeled on the main points of his latest book, Nothing To Hide, and he addressed four “fallacies” that skew the debate between privacy and national security in favour of the latter.

The first fallacy is the “nothing to hide” argument. We have all heard about how if we had nothing to hide, we would have nothing to worry about. Solove counters that the “nothing to hide” argument belies a misunderstanding of what privacy is: it doesn’t exist to hide bad things; rather, it is many different, related things that are linked to dignity and integrity.

The second is the deference argument: we have to defer to the authorities because they know best. Solove mentioned that even some eminent jurists in the US are rallying behind the argument that the courts don’t know enough to pass judgement on law enforcement activities. Solove suggests we hold law enforcement and national security authorities accountable for the effectiveness of the measures they propose—they should prove the measures are effective.

The third argument countered by Daniel Solove this morning was the “all or nothing fallacy.” Solove pointed out that you don’t get more security by giving up privacy, and that you don’t get more privacy for giving up security. Rather, privacy can be—and must be—integrated into security measures. In developing this point, he touched on the idea that privacy should not necessarily be viewed as an individual right (to be pitted against collective interests), but rather as a social interest itself. Privacy should be protected on a societal level.

And finally, Solove addressed what he called the failure of the reasonable expectation of privacy test, which according to him asks the wrong question. The “reasonable expectation of privacy” rests on the assumption that people know how their privacy is being violated and that they have the power to do something about it, which is not necessarily the case. He suggests the courts shouldn’t be asking if a security measure violates a reasonable expectation of privacy (which opens up the door to esoteric debates about what is privacy), but rather, should this measure be allowed without judicial oversight and accountability.

It appears this idea of asking the right questions and putting the right elements on the balance was the running theme of Daniel Solove’s presentation: he suggests we shouldn’t be asking ourselves if a security measure in itself violates privacy, but rather if the security measure is acceptable with no oversight, no court order, no probable cause and no accountability. We shouldn’t be questioning whether the state has a right to intrude upon privacy for security reasons, but rather if we are getting better security as a result.

In a nutshell, Daniel Solove suggests what we should weigh on either side of the balance are not privacy and security, but rather a specific security measure by itself, and the same security measure with privacy protection.

A very interesting talk by a very engaging speaker.


28 Nov 2011

Observations on anti-spam law’s regulatory process


The Office of the Privacy Commissioner invites contributions to its blog from members of our External Advisory Committee. Their representation reflects the myriad of public policy perspectives critical to proposing a balanced view on privacy and personal information protection.  While we benefit from their experience and advice, the views they represent in articles appearing here are their own and don’t necessarily represent the views of the Office.

The following blog post is from Professor Michael A. Geist.

Last December, the government celebrated passing eight bills into law, including the long-delayed anti-spam bill. Years after a national task force recommended enacting anti-spam legislation, the Canadian bill finally established strict rules for electronic marketing and safeguards against the installation of unwanted software programs on personal computers, all backed by tough multi-million dollar penalties.

Then-Industry Minister Tony Clement promised that the law would “protect Canadian businesses and consumers from harmful and misleading online threats,” but nearly a year later, the law is in limbo, the victim of a fight over regulations that threaten to undermine important protections and delay implementation for many more months.

One of the most worrying potential changes involves the law’s mandatory disclosure requirements when Canadians install new software programs on their personal computers. With incidents such as the Sony rootkit debacle still fresh in the minds of many – the company surreptitiously installed programs on millions of computers leaving them vulnerable to security breaches – the Canadian law provides welcome protection against spyware and unwanted software.

This issue was hotly debated when the bill came before a House of Commons committee and the compromise language was designed to protect individual privacy and security, while enabling common installations (such as security updates) to proceed unimpeded.

Yet now lobby groups are using the regulatory process to re-open the legislative compromise.

For example, the Information Technology Association of Canada, which represents software and technology companies, argues that software vendors should be permitted to install programs without disclosure provided they notify the user of possible installations within the license agreement. Given the common practice of burying such terms in long agreements that few consumers ever read, few will be aware that they have consented to the secret installation of programs designed to monitor their use of the software.

The law specifically worked to avoid this outcome but it appears that the much-needed privacy and security protections may be in jeopardy.

Professor Michael A. Geist,
Canada Research Chair in Internet and E-commerce Law
University of Ottawa, Faculty of Law


22 Nov 2011

Expression of Interest for Legal Agents


Legal Services, Policy and Research Branch (LSPR Branch) is seeking the assistance of qualified Legal Agents to complement in-house counsel.

The Office of the Privacy Commissioner (OPC) is inviting Expressions of Interest (EOI) from interested lawyers or law firms with demonstrated competence and ability to comply with the criteria set out in the EOI and the related Schedule A. The complete “Expression of Interest for Legal Agents” is available on the OPC website.

Interested lawyers or law firms are invited to qualify themselves on the renewed eligibility list, even if they have already been qualified on previous eligibility lists. This current EOI process will not affect or terminate any current contracts with Legal Agents for legal services with respect to any active matter.

To acknowledge your interest in responding to this expression of interest, and to receive further consideration, your submission must be received by November 30, 2011.

For more information, please contact:

DANIEL CARON, Legal Counsel
Legal Services, Policy and Research Branch
Office of the Privacy Commissioner of Canada
112 Kent Street, 3rd Floor
Ottawa, Ontario K1A 1H3
daniel.caron@priv.gc.ca
613 947 4634


14 Nov 2011

PERIMETER SECURITY AND PRIVACY PROTECTION IN CANADA AND THE US


Two countries negotiating a perimeter security agreement can easily be compared to two individuals drastically redefining their relationship. 

Without question, Canada and the United States are certainly neighbours.  To some, a perimeter agreement means removing a fence; to others, it’s tantamount to a sort of marriage.

Regardless, before we take the plunge, we have to think about what we share and where we differ.

Without question, we have a lot in common.  We’re both democracies with enshrined respect for human rights. Canadians and Americans both strongly value their privacy and realize its importance to the vitality of our democracies.

As things stand today however, some key legislative differences on privacy protection exist between our countries. 

I want to explain these and show why, rather than jumping into a newly defined relationship with both feet, we should only do so with both eyes wide-open.

First of all, both of our countries have enacted legislation to protect citizens’ privacy from their governments. 

The U.S. Privacy Act of 1974 fulfils this function for the federal government south of the border, while Canada’s Privacy Act of 1983 does so for Canadians.

The U.S. law includes safeguards to secure Americans’ personal information in the hands of the federal government, but these extend only to citizens and permanent residents.

Conversely, personal information held in Canada is subject to the protection of Canadian privacy law. That said, Canada’s Privacy Act is far from perfect and in need of modernization (as I’ve noted in the past). 

Secondly, when it comes to protecting personal information in the private sector, there are American laws specific to certain sectors and the Federal Trade Commission’s consumer protection law provides some protection with regard to issues of fairness and deception. 

Unlike Canada however, there is no overarching national legislation applying to the private sector as a whole. 

In the United States, a lack of private sector-wide coverage provides opportunities for commercial data brokers to assemble databases.

Such databases are made available to subscribers, which include U.S. federal agencies.  There are already several dozen fusion centers across the country doing precisely this sort of search and analysis every day.

Consequently, government authorities can access information from privately-held databases with no strings attached.

It’s also worth noting that the USA PATRIOT Act, enacted weeks after the 9/11 attacks, has the ability to circumvent sector-specific privacy protections to facilitate national security investigations. National security can be, and has been, defined quite broadly.

Thirdly, there is a vast difference when it comes to privacy oversight between our two countries.  Law enforcement and national security authorities in the US simply do not operate under the privacy oversight structure that exists in Canada.

In Canada, my office reports directly to Parliament and not the Government, allowing autonomy in holding the Government to account.

In the United States there is no equivalent independent authority mandated to investigate privacy issues with regard to government data-handling.

While the Privacy and Civil Liberties Oversight Board could theoretically fulfill this function, it remains inoperative.

Finally, Canada’s approach to privacy centers on protecting individuals’ right to control their personal information except where limits can be demonstrably justified in a free and democratic society.

This is an approach which should not be compromised or watered-down in order to reach a perimeter security agreement.  

This isn’t to say that Americans value privacy any less than Canadians.  It’s just that our respective legislative frameworks to protect it are very different. 

This all goes to say that if we compare a security perimeter agreement to a marriage and Canadian negotiators wish to enable Canadians to keep control of their personal information, a clear line on privacy needs to be written into a strong “pre-nup.”