10 May 2012

When using technology to safeguard personal information, sometimes small steps can prevent a big loss


An Office of the Privacy Commissioner of Canada (OPC) survey of 1,006 companies across Canada shows that many businesses are not employing recommended technological tools or practices to protect the digitally-stored personal information of their customers.

For example, the survey found that while the vast majority of companies are using passwords to protect personal information stored on digital devices, many do not ensure that passwords are difficult to guess or that their employees change them regularly—two practices that can really help thwart online criminals.

The survey also showed that almost 50% of companies that store personal information on portable devices like laptops, USB sticks, and tablets do not use encryption to protect the information on these devices—despite the fact that these types of devices are far more likely to be misplaced, lost or stolen.

While the survey did find that many Canadian companies recognize the importance of protecting privacy, it is vitally important that businesses take the time to get it right—for their customers and for their own survival. Businesses that jeopardize personal information risk losing their customers’ trust and their business.

The complete survey, which is considered to be accurate to within +/- 3.1%, 19 times out of 20, can be found on our website.


8 May 2012

International data breach report flags alarming trends


http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

A report by Verizon highlights some extremely troubling trends about the types of data breaches occurring around the globe and also how organizations of all sizes are failing to adequately respond to new threats.

Verizon studied 855 breaches in 2011 involving organizations in 36 countries and compromising over 174 million records. Those figures are alarming in themselves.  But just as concerning are some of the statistics drawn from an analysis of these incidents.  Consider:

  • 98 percent of breaches examined in the report stemmed from external agents, notably organized criminals, but also an increasing number of activist groups.  Meanwhile, only 4 percent of breaches involved internal employees.
  • Hacking was linked to the vast majority of incidents – 81 percent.  As well, increasingly invasive malware was used in 69 percent of the breaches.
  • Most breaches were avoidable, with Verizon’s experts concluding that 96 percent of the attacks were not highly sophisticated.
  • Almost all of the firms involved – 96 percent – were non-compliant with the Payment Card Industry Data Security Standard.
  • Organizations also seemingly had trouble detecting breaches – 92 percent of incidents were discovered by a third party, and typically only weeks or months after the breach occurred.

The report is eminently readable and even occasionally funny (who knew there was a “Sesame Street” method of detecting data breaches).

It also includes a point-of-sale security tip sheet that anyone can cut out and distribute to the stores, restaurants and other businesses they frequent. There are more detailed mitigation strategies at the end of the report.

The report raises some fundamental questions about whether organizations – despite all the warnings and growing evidence of the risks – are taking data protection responsibilities and security standards seriously.


3 May 2012

Accountability and the Importance of Effective Privacy Management Programs for Businesses


Accountability matters when it comes to privacy. As a business, though, you may not always find it clear what accountability really means when it comes to personal information protection.  

Accountability is the first fair information principle in the federal Personal Information Protection and Electronic Documents Act (PIPEDA). This reflects its importance—it is the bedrock of the Act. It’s also implicit in Alberta and British Columbia’s respective privacy laws, the Personal Information Protection Act (PIPA).  The principle outlines the things organizations need to do to have a compliant and accountable privacy program in place.  But what does that mean in practice?

To help businesses “get accountability right”, Alberta, BC and our Office have released new guidelines: Getting Accountability Right with a Privacy Management Program. These new guidelines outline the elements of an effective privacy management program and offer scalable strategies that can be implemented by any size business.

Why should you care? 

These new guidelines outline how our offices view effective privacy management.  Big or small, an accountable business should be able to demonstrate to Privacy Commissioners that they have an effective, up-to-date privacy management program in place in the event of a complaint investigation or audit.  

Compliance, of course, is essential.  But we think there are a number of other benefits to having a privacy management program in place:

  • An organization that has a strong privacy management program may enjoy an enhanced reputation that gives it a competitive edge.
  • A privacy management program helps foster a culture of privacy throughout an organization and offers reassurance to customers and clients.
  • Proper use of risk assessment tools can help prevent problems. Fixing a privacy problem after the fact can be costly, so careful consideration of the purposes for a particular initiative, product or service, and an assessment that minimizes any privacy impacts beforehand, are vital.
  • With a privacy management program, organizations will be able to demonstrate to customers, employees, partners, shareholders, and privacy commissioners that they have in place a robust privacy program that shows not only compliance with privacy laws in Canada, but also that they are taking protection of personal information seriously.

Related Documents:

Guidelines: Getting Accountability Right with a Privacy Management Program

Interpretations: “Accountability”

Announcement: Commissioners Outline Building Blocks for Effective Privacy Management


30 Apr 2012

Privacy Awareness Week 2012: Privacy Resources for Young People


Young people today are sophisticated users of the Internet, using this medium with ease and enthusiasm. It is important that they understand the impact that these technologies can have on their privacy, and that they have the tools and information they need to make smart decisions.

That’s why the Asia Pacific Privacy Authorities (APPA) forum, which includes the Office of the Privacy Commissioner of Canada, has made Privacy Resources for Young People the theme of Privacy Awareness Week 2012, April 29 – May 5. 

Since 2008 our Office has been developing a variety of tools designed to teach young people about the relevance and importance of privacy when using modern technologies. The OPC has a Privacy Awareness Week 2012 web page with links to all of our privacy resources for youth, parents and educators, as well as links to privacy resources for youth developed by members of the APPA forum, at: www.priv.gc.ca/resource/paw/2012/index_e.asp.

If you would like more information on youth privacy, or to stay informed regarding our tips and tools for parents, educators and youth, visit the Office’s youth website at: www.youthprivacy.ca/.

You can also visit http://www.privacyawarenessweek.org for links to a wide variety of international privacy guidance including tips, animations, brochures, discussion topics and interactive website materials.

We also encourage you to follow us on Twitter: @privacyprivee, Privacy Awareness Week: #2012PAW.


18 Apr 2012

OPC Hosts First Pathways to Privacy Research Symposium


The Office of the Privacy Commissioner of Canada (OPC) will be hosting its first annual Pathways to Privacy Research Symposium on May 2, 2012, in Ottawa!

The theme for this year’s event is Privacy for Everyone, and we will be discussing the results of research on emerging privacy issues among communities of interest. This year’s event was organized with the assistance of Industry Canada and the Social Sciences and Humanities Research Council of Canada (SSHRC).

Discussions will explore topics such as the changing landscape for youth, reaching diverse populations, cultural perspectives on privacy and frontiers of identification and surveillance among different populations.

This Symposium is a great opportunity to discover privacy-related research funded by the OPC’s Contributions Program and other funders, and will serve as a forum to bring together the people who do the research and those who apply it. Ultimately, we want to enable more people to use and benefit from the excellent privacy research that is being done across Canada. This event is also sure to be a great opportunity to share knowledge, grow partnerships and expand networking among researchers.

A detailed program for the event is available on our web site. If you are interested in participating, please contact Melissa Goncalves at melissa.goncalves@priv.gc.ca or 613-947-7097. Please note that limited audience seating will be available.


29 Mar 2012

2011-2012 Youth Video Contest: The Results Are In!


The Office of the Privacy Commissioner of Canada would like to extend tremendous thanks to all of the students, teachers and schools who participated in our myprivacy & me national video contest this year.

We would also like to express sincere thanks to Encounters with Canada, and the teens participating in its Politics in Canada week, who selected our winners.

Winning Videos:

The top video artists in the Privacy Issues Related to Cybersecurity category were:

1st place: Brooke Davis and Alyssa Lynn of Hillcrest High School, Ottawa, ON, with a video titled “Your Online Life.”

The top video artists in the Privacy Issues Related to Mobile Devices category were:

1st place: Matt Paddison and Julian Figueroa of Chatelech Secondary School, Sechelt, BC, with a video titled “Your Phone is Your Everything.”

2nd place: Fumina Takara and Maryam Hashim of Hillcrest High School, Ottawa, ON, with a video titled “Mobile Information.”

The top video artists in the Privacy Issues Related to Online Gaming category were:

1st place: Benjamin Reyes and Zachary Spence of Canterbury High School, Ottawa, ON, with a video titled “Credit and Safety.”

2nd place: Mason Wik and Pierce Thomson of F.R. Haythorne Junior High, Sherwood Park, AB, with a video titled “Game Over.”

The top video artists in the Privacy Issues Related to Social Networking category were:

1st place: Pamela Khouri and Hannah Chan of Collège Jean de la Mennais, La Prairie, QC, with a video titled “Unknown Exposure.”

2nd place: Wajid Jawid Ahmad and Dawut Esse of Centre d’action bénévole Bordeaux-Cartierville, Montreal, QC, with a video titled “Spoken Words Are Fleeting… Written, They Remain.”  

3rd place: Katie Fitzgerald of Lorne Akins Junior High School, St. Albert, AB, with a video titled “Words Have Life.”

Congratulations to all of our winners!


27 Mar 2012

Privacy: Not just good business, but good for business


A recently released study has provided further evidence of the link between privacy and personal information protection and consumer confidence.

The Edelman study  released in February 2012 shows that consumer concerns about data privacy and security are actively diminishing their trust in organizations.  For instance, 92% listed data security and privacy as important considerations for financial institutions, but only 69% actually trusted financial institutions to adequately protect their personal information.  An even sharper disconnect can be seen with online retailers, with 84% naming security of personal information as a priority but only 33% trusting online retailers to protect it.

It’s hardly surprising that consumers are nervous. Stories about privacy and security flaws and breaches abound in the media these days. From flaws in mobile applications and retroactive release of archives for marketing to service amalgamation and data breaches, users are constantly confronted with evidence that their personal information is at risk. Lack of transparency on the part of organizations and consumer discomfort with cross-border data traffic, outsourcing and cloud storage only further exacerbate the issue.

This challenge to trust appears to correlate to an increased willingness on the part of consumers to invest in their privacy.  Where a 2009 study concluded that consumers were unwilling to pay extra for privacy, recent research from the European Network and Information Security Agency (ENISA) finds that individuals weigh security and privacy considerations as heavily as those relating to a product’s design, style, and physical dimensions. All other things being equal, the study discovered that consumers were willing to pay a higher price in order to protect their privacy. 

Investing in privacy is not the only way that consumer concerns are indicated – the Edelman data also shows nearly 50% of participants either leaving or avoiding companies that have suffered a security breach.  Following a data breach suffered by an organization with whom they’re already involved, up to 70% of those surveyed expressed willingness to terminate a relationship or switch providers. 

Findings like this should be a wake-up call for organizations, an indicator that it is no longer enough to “manage” security and privacy concerns. Instead, privacy and security need to be prioritized and strengthened to the point where they can be made key parts of branding and corporate identity.   Consumer confidence is key, and reliant upon trust. And new evidence increasingly shows that privacy is not only good business – it’s good for business.


15 Feb 2012

PRELIMINARY REACTION FROM OFFICE OF THE PRIVACY COMMISSIONER OF CANADA TO BILL C-30


Our Office understands the challenges faced by law enforcement and national security authorities in fighting online crime at a time of rapidly changing communications technologies and the need to modernize their tactics and tools accordingly.

We’re not necessarily opposed to legislation that modernizes police powers online – but it must demonstrably help protect the public, respect fundamental privacy principles established in Canadian law and be subject to proper oversight.

Upon a preliminary review following the tabling of Bill C-30, the Office of the Privacy Commissioner recognizes the government has made improvements to this Bill from previous iterations. On balance, however, significant privacy concerns remain. 

We recognize that the government has reduced the number of data elements which could be accessed by authorities without a warrant or prior judicial authorization.  At the same time, by requiring authorities to conduct regular audits and to provide them both to the relevant Minister and oversight bodies, including our Office, this appears to help address past concerns about a lack of oversight.

On balance, however, the new Bill still contains serious privacy concerns, similar to past versions.

In particular, we are concerned about access, without a warrant, to subscriber information behind an IP address.  Since this broad power is not limited to reasonable grounds to suspect criminal activity or to a criminal investigation, it could affect any law-abiding citizen.

Going forward, we will be reviewing this Bill in full to determine:

  • How does the Government justify this warrantless access in a free and democratic society?
  • How does “after the fact” review by ministerial and non-judicial bodies compare with “up front” oversight by the courts?
  • Are the new powers proposed by the legislation demonstrably necessary, proportionate and effective?
  • Are there less privacy-invasive alternatives to achieve the desired outcomes?

It is through this lens that our Office will undertake a thorough review of the Bill.  We look forward to sharing our views with Parliament.


27 Jan 2012

Time for government, individuals to think “Less is More”


Entry written by Scott Hutchinson, Senior Communications Advisor, Office of the Privacy Commissioner of Canada.

As the days tick down to Data Privacy Day itself, it’s time to reflect a little bit more about the words “Less is More,” how they apply and to whom.

What they mean for individuals is pretty clear. To put it another way, “beware what you share, because it could wind up anywhere.” 

But what does “Less is More” mean for organizations and privacy, and governments in particular?

This was one of the questions addressed in remarks provided by Sue Lajoie, Director-General (Privacy Act) of the Office of the Privacy Commissioner of Canada before a group of federal public servants at an event hosted by the Canada School of Public Service in Ottawa.

She explained it this way: “The less personal information you collect, the more you limit the risk of data breaches and the embarrassment and lost trust they cause.”

“The less you collect, the more you protect against government furthering the widely-held stereotype of the state as an increasingly invasive and untrustworthy force in society.”

“And, the less you collect, the more you respect privacy as a long-observed, essential element of human freedom and dignity.”

It was noted that while the OPC is effectively the champion of Canadians’ privacy rights, public servants have an important role to play as guardians by making privacy considerations central to the design and administration of programs and other initiatives that collect personal information.

Sue pointed to the fact that thanks to advances in the power and efficiency of information technology, governments are approaching a veritable fork in the road when it comes to collecting personal information. She pointed to recent research done by Brookings Institution scholar John Villasenor, who notes that the falling costs of hard drive space and rising capacity of computers will make it possible and even affordable for a government to establish enormous databases of information that could act as “a surveillance time machine, enabling state security services to retroactively eavesdrop on people in the months and years before they were designated as surveillance targets.”

While it’s not imagined that the government of a democratic country such as Canada would comprehend something so sinister, the research makes a point valid for governments of any persuasion.  As Sue noted today, “The question is no longer, can the state appropriate someone’s personal information, up to the point of leaving them as naked and helpless as the defendant in Kafka’s The Trial. The question is should it allow itself to do so? To what extent? And what are the moral, ethical and public policy issues around this?”

In a nutshell, our 2010-2011 Annual Report to Parliament on the Privacy Act asked, “Can the state curb its appetite for information about its citizens?” And Sue’s remarks suggest that indeed, a moderation-based data diet may in fact be just what the doctor ordered for the ongoing health of our democracy and respect of Canadians.


26 Jan 2012

Is your child savvy online? Check out our 12 quick privacy tips for parents.


Entry written by Kristen Yates, Senior Public Education Officer, Office of the Privacy Commissioner of Canada.

It can be tough raising kids in a digital environment. Many of them use the Internet effortlessly, and easily adapt to new devices that connect to it. For many of us, these tools have become a routine part of our children’s lives, as they use them to chat, surf, post, play and learn. The Internet has become one of the most powerful tools they have to connect with friends and make new ones.

Many kids, however, don’t fully understand the impact that some online activities may have on their privacy. The Office of the Privacy Commissioner of Canada has come up with a new tip sheet that offers 12 practical tips for parents interested in discussing online privacy with their kids. The tips include simple ideas and advice that parents may use to limit risks to their child’s personal information, while allowing them to continue enjoying their time online.

Here is a quick list of the tips. Look at the tip sheet for detailed information on each tip!

  1. Talk to your kids.
  2. Try it out.
  3. Keep up with the technology.
  4. Make restricting privacy settings a habit.
  5. Make password protection a priority.
  6. Emphasize the importance of protecting mobile devices.
  7. Remind your kids that what they post on the Internet is not always private.
  8. Teach your kids to think before they click.
  9. Stress the importance of knowing your real friends.
  10. Teach your kids that their personal information is valuable.
  11. Let your kids know that you are there if they make a privacy mistake.
  12. Set a good example.

These tips were launched this week as part of our Office’s week-long campaign leading up to Data Privacy Day. For more information on the Office’s Data Privacy Day activities and resources, go to www.priv.gc.ca.

For more information on talking to your kids about how their use of technology can affect privacy, visit www.youthprivacy.ca/en/teachers.html.