You Might be Interested In

Entry written by Scott Hutchinson, Senior Communications Advisor, Office of the Privacy Commissioner of Canada.

As the days tick down to Data Privacy Day itself, it’s time to reflect a little bit more about the words “Less is More,” how they apply and to whom.

What they mean for individuals is pretty clear. To put it another way, “beware what you share, because it could wind up anywhere.” 

But what does “Less is More” mean for organizations and privacy, and governments in particular?

This was one of the questions addressed in remarks provided by Sue Lajoie, Director-General (Privacy Act) of the Office of the Privacy Commissioner of Canada before a group of federal public servants at an event hosted by the Canada School of Public Service in Ottawa.

She explained it this way: “The less personal information you collect, the more you limit the risk of data breaches and the embarrassment and lost trust they cause.”

“The less you collect, the more you protect against government furthering the widely-held stereotype of the state as an increasingly invasive and untrustworthy force in society.”

“And, the less you collect, the more you respect privacy as a long-observed, essential element of human freedom and dignity.”

It was noted that while the OPC is effectively the champion of Canadians’ privacy rights, public servants have an important role to play as guardians by making privacy considerations central to the design and administration of programs and other initiatives that collect personal information.

Sue pointed to the fact that thanks to advances in the power and efficiency of information technology, governments are approaching a veritable fork in the road when it comes to collecting personal information.   She pointed to recent research done by Brookings Institution scholar John Villasenor who notes that the falling costs and of hard drive space and rising capacity of computers will make it possible and even affordable for a government to establish enormous databases of information that could act as “a surveillance time machine, enabling state security services to retroactively eavesdrop on people in the months and years before they were designated as surveillance targets.”

While it’s not imagined that the government of a democratic country such as Canada would comprehend something so sinister, the research makes a point valid for governments of any persuasion.  As Sue noted today, “The question is no longer, can the state appropriate someone’s personal information, up to the point of leaving them as naked and helpless as the defendant in Kafka’s The Trial. The question is should it allow itself to do so? To what extent? And what are the moral, ethical and public policy issues around this?”

In a nutshell, our 2010-2011 Annual Report to Parliament on the Privacy Act asked, “Can the state curb its appetite for information about its citizens?”  And Sue’s remarks suggest that indeed, a moderation-based data diet may in fact be just what the doctor ordered for the ongoing heath of our democracy and respect of Canadians.

Entry written by Heather Ormerod, Senior Communications Advisor, Office of the Privacy Commissioner of Canada.

Once a year, privacy advocates and enthusiasts around the world get the chance to collectively shine a spotlight on the issue of online privacy.

Data Privacy Day, which is celebrated annually on January 28, is an annual international celebration designed to promote awareness about privacy and education about best privacy practices. Granted, it doesn’t rank up there with Canada Day or Thanksgiving in terms of food, fun or festivity, nevertheless it is a date worth circling on the calendar.

In this digital age, where our online activities can so easily be tracked, stored, shared and analyzed, and we are under constant pressure to share more and more personal information, we are all feeling a bit uneasy about all that personal data floating around in cyberspace.

It’s not that we want to turn our backs on the limitless potential of the Internet. We just need to figure out how we can all limit the potential for online personal information to be misused and abused.

The answer? When it comes to sharing personal information, think less is more.  

Once our personal information is on the Internet, we have very little control over who sees it, how it is used, or how long it will be available. By sharing less personal information, we can help limit our exposure and the risks of our personal information being misused, abused or disclosed without consent.

So, whether we are social networking, using an app on a mobile device, or signing up for discounts and deals, we need to think carefully about the personal information we are putting into cyberspace.

Less is more is also good advice for businesses and organizations that collect personal information. Collecting and holding excess data raises the risks for customers, but it is also costly for businesses because it increases the risk of data breaches, which can be damaging to businesses’ reputations and expensive to clean up.

This week, the Office of the Privacy Commissioner of Canada is pleased to join governments, privacy professionals, corporations, academics and students from around the world, in marking Data Privacy Day.

Our Office will be engaging in a number of activities in the week to leading up to January 28, such as the launch of some new youth privacy tools, and presentations to youth, public servants, businesses and staff. The Office has also produced some new resources, such as posters and graphics which can be used to raise awareness of privacy in any organization.

For more information on the Office’s Data Privacy Day activities and resources, go to our Data Privacy Day web page or http://www.priv.gc.ca/.

Two countries negotiating a perimeter security agreement can easily be compared to two individuals drastically redefining their relationship. 

Without question, Canada and the United States are certainly neighbours.  To some, a perimeter agreement means removing a fence; to others, it’s tantamount to a sort of marriage.

Regardless, before we take the plunge, we have to think about what we share and where we differ.

Without question, we have a lot in common.  We’re both democracies with enshrined respect for human rights. Canadians and Americans both strongly value their privacy and realize its importance to the vitality of our democracies.

As things stand today however, some key legislative differences on privacy protection exist between our countries. 

I want to explain these and show why, rather than jumping into a newly defined relationship with both feet, we should only do so with both eyes wide-open.

First of all, both of our countries have enacted legislation to protect citizens’ privacy from their governments. 

The U.S. Privacy Act of 1974 fulfils this function for the federal government south of the border, while Canada’s Privacy Act of 1983 does so for Canadians.

The U.S. law includes safeguards to secure Americans’ personal information in the hands of the federal government, but these extend only to citizens and permanent residents.

Conversely, personal information held in Canada is subject to the protection of Canadian privacy law. That said, Canada’s Privacy Act is far from perfect and in need of modernization (as I’ve noted in the past). 

Secondly, when it comes to protecting personal information in the private sector, there are American laws specific to certain sectors and the Federal Trade Commission’s consumer protection law provides some protection with regard to issues of fairness and deception. 

Unlike Canada however, there is no overarching national legislation applying to the private sector as a whole. 

In the Unites States a lack of private sector-wide coverage provides opportunities for commercial data brokers to assemble data bases.

Such databases are made available to subscribers, which include U.S. federal agencies.  There are already several dozen fusion centers across the country doing precisely this sort of search and analysis every day.

Consequently, government authorities can access information from privately-held databases with no strings attached.

It’s also worth noting that the USA PATRIOT Act, enacted weeks after the 9/11 attacks, has the ability to circumvent sector-specific privacy protections to facilitate national security investigations.  National security can be, and has been, defined quite broadly. 

Thirdly, there is a vast difference when it comes to privacy oversight between our two countries.  Law enforcement and national security authorities in the US simply do not operate under the privacy oversight structure that exists in Canada.

In Canada, my office reports directly to Parliament and not the Government, allowing autonomy in holding the Government to account.

In the United States there is no equivalent independent authority mandated to investigate privacy issues with regard to government data-handling.

While the Privacy and Civil Liberties Oversight Board could theoretically fulfill this function, it remains inoperative.

Finally, Canada’s approach to privacy centers on protecting individuals’ right to control their personal information except where limits can be demonstrably justified in a free and democratic society.

This is an approach which should not be compromised or watered-down in order to reach a perimeter security agreement.  

This isn’t to say that Americans value privacy any less than Canadians.  It’s just that our respective legislative frameworks to protect it are very different. 

This all goes to say that if we compare a security perimeter agreement to a marriage and Canadian negotiators wish to enable Canadians to keep control of their personal information, a clear line on privacy needs to be written into a strong “pre-nup.”

We’re launching our 2010 My Privacy & Me Video Contest for 12-18-year-olds – and the first-place winners will win an iPad!

It’s the same thing this year – but a little different, too! Again, we’re asking them to create their own public service announcements about privacy. But this year, we’d like the videos to fall into one of four categories: Surveillance; Reputation Management; Targeted Advertising; or Online Scams. You can find all contest details here.

This year, teams can consist of one to three people. First-place winners in each category will win an iPad. Second-place winners will win a $200 gift card; and third-place winners will win a $100 gift card. We’ve recognized top-participating schools and teachers in the past, and we have something in store for them in 2010! The deadline is December 10, 2010.

For inspiration, sit down with your young ones and watch the 2009 winning videos. Then, have them start exercising their video-making muscles – we can’t wait to see what they’ve got!

We’ve just sent in our submission to the Digital Economy Consultation, available online here.

In our submission, we argue that privacy isn’t an impediment to innovation. Rather, we believe privacy can support innovation by reinforcing confidence in users that they have the right to control their personal information and that the technology they use is secure. Too often privacy is left out of the design stage, and fixes after the fact can be expensive. We recommend that privacy become an integral part of the business models that rely on technology. We want to see a privacy culture that complements Canada’s digital advantage and, in our submission, we put forward a number of recommendations on how the federal government can help build one.

First of all we recommend strengthening privacy protections within the federal government. We’ve written previously about the need to reform the Privacy Act, but we think the federal government can go even further in being a model user of technology – for example, we’d like to see the federal government make Privacy Impact Assessment (PIA) analysis a requirement as part of preparing Memoranda to Cabinet for program approvals. We’d also welcome the federal government’s use of state-of-the-art authentication and protection technologies. Other countries are already exploring this, including the United States, where they are looking at how open-source products and standards can be used to provide identity verification.

The consultation on the digital economy includes a discussion on the importance of digital skills. We increasingly view privacy literacy and online reputation management as part of a suite of digital citizenship skills necessary for success in the digital economy. To this end, we recommend making privacy literacy an integral component of digital citizenship and would like to see the federal government fund research to support digital citizenship programs.

We also recommend providing tools to help small and medium-sized enterprises (SMEs) – and in particular SMEs that are technology innovators – better understand privacy so that privacy is considered at the outset of the design stage, and built into the end product.

Finally, we’d like the federal government to fund “privacy positive” research and development – for instance, network and security technologies that incorporate privacy protections.

With only a handful of days left, we encourage you to read our submission, and the submissions and ideas of others and offer your comments.

Once again, students from the Encounters with Canada program have selected the winners of our annual student video contest! Here are the winners for our 2009 competition:

The three top video artists in the live action category were:

1^st place: Jeffery Burge, Vanessa Caicedo, Alexandra Georgaras, Gareth Imrie and Fiona Sauder of Canterbury High School in Ottawa, Ontario, with a video titled “Think Before You Click”. They win a $100 gift card and an iPod Touch.

2^nd place: David Borish and Mory Kaba of Glebe Collegiate Institute in Ottawa, Ontario, with a video titled “Friend or Foe”. They win a $250 gift card.

3^rd place: Jennifer Paul from Brampton, Ontario, with a video titled “Too Good to be True”. She wins a $150 gift card.

The three top video artists in the animation category were:

1^st place: Tyler Ford and Matthew Kerr of Osgoode Township High School in Metcalfe, Ontario, with a video titled “Privacy: Think Before You Click”. They win a $100 gift card and an iPod Touch.

2^nd place: Rebecca Kartzmart and Emily Patterson of Osgoode Township High School in Metcalfe, Ontario, with a video titled “Carol the Carrot”. They win a $250 gift card.

3^rd place: Scott Piper of Osgoode Township High School in Metcalfe, Ontario, with a video titled “Privacy Matters”. He wins a $150 gift card.

The three top video artists in the French video category were:

1^st place: Benjamin Dion-Weiss of l’École secondaire publique De La Salle in Ottawa, Ontario, with a video titled “Le réseautage social d’après le Comte Hackula”. He wins a $100 gift card and an iPod Touch.

2^nd place: Stéphanie Lemieux and Emily Vendette of l’École secondaire catholique Embrun in Embrun, Ontario, with a video titled “Le Journal de Lisa”. They win a $250 gift card.

3^rd place: Cosmo Darwin of l’École secondaire publique De La Salle in Ottawa, Ontario, with a video titled “Trouvée & Perdu”. He wins a $150 gift card.

The three top video artists in the Junior category were:

1^st place: Mackenzie Giffen, Chris Johnstone, Chris Nattrass, Curtis Sookhoo and Gabriel Zingle of F.R. Haythorne Junior High in Sherwood Park, Alberta, with a video titled “The Spanish Lottery”. They win a $100 gift card and an iPod Touch.

2^nd place: Trevor Aiello, Connor Bergersen, Chad Bullock and Lochlan Thomson of F.R. Haythorne Junior High in Sherwood Park, Alberta, with a video titled “A lesson In Privacy”. They win a $250 gift card.

3^rd place: Matthew Craner, Scott Deshane, Madison Gilchrist, Joe Matishak and Graeme Wyatt of F.R. Haythorne Junior High in Sherwood Park, Alberta, with a video titled “The Phone Number Test”. They win a $150 gift card.

We also recognized seven teachers for their enthusiastic participation in the contest. They were:

• Crystal Getschel, of F.R. Haythorne Junior High in Sherwood Park, Alberta, with 26 entries.
• Majed Mattar, of Osgoode Township High School in Metcalfe, Ontario, with 21 entries.
• Professor Kaduri, of Tanenbaum Community Hebrew Academy of Toronto, Ontario, with 15 entries.
• Grant Holmes, of École secondaire publique De La Salle, Ottawa, Ontario, with 11 entries.
• Carol Shaw, of Woodstock Collegiate Institute, Woodstock, Ontario, with 8 entries.
• Kevin Shae, of Sir Robert Borden High School, Ottawa, Ontario with 6 entries.
• Stephen Willcock, of Canterbury High School, Ottawa, Ontario, with 5 entries.

Each teacher will receive a $250 gift certificate at Indigo Books and Music to use for personal use or for the school they represent.

The videos will be posted as soon as possible to our youth site. They will also be available on our YouTube channel.

We were thrilled with the number and quality of submissions we received for our second competition. We’ll be launching the 2010 contest in May!

On Data Privacy 2010 we’d like to take a moment to remind everyone that is the responsibility of both individuals and companies to make sure that personal information is safe.

If you own a company, or work for a big one: in the past, you may have had to ensure that your customers’ name and address information (and in some cases credit card and billing information) were safe. Now, many of you are providing technology and tools for your customers to put increasing amounts of personal information online. Does your company have the systems in place to safeguard this information? Do you give your customers the tools and options to control how their information is used?

If you are a user of new and cool technology: in the past a telephone was a telephone, a video game was a video game, a stuffed toy was simply that – a stuffed toy. Today, more and more toys and handheld tools come with the ability to go online. Do you understand how to enjoy your toys and gadgets without putting your personal information at risk?

If you are a parent or guardian, teacher, coach or caregiver: do the young people in your life understand how to use all these new toys and gadgets while keeping their personal information safe? Our office has recently made youth privacy a key priority. Today, we have posted some new resources to the Parents & Teachers section of our youth web site. The resources include information on 12 privacy issues (such as the importance of privacy settings and knowing who your friends are on social networking sites), along with ideas for generating discussion about each issue with young people. You can use these resources to start discussion about personal privacy and the importance of thinking about what you post on the Internet.

Regardless of which group you are in – if you need any information about how to keep personal information secure, visit our web sites – priv.gc.ca and youthprivacy.ca.

Remarks delivered to the Annual Conference of the Canadian Association for Security and Intelligence Studies, October 30, 2009 by Chantal Bernier, Assistant Privacy Commissioner of Canada

… As you may know, I came to the Office of the Privacy Commissioner of Canada from the Department of Public Safety, where I had the privilege of serving as Assistant Deputy Minister in the Community Safety and Partnerships Branch.

As such, I have had substantial engagement in a range of security and intelligence files.

My entire presentation is premised on this tenet: Privacy and security are not at odds.

On the contrary: I would put to you that measures to protect privacy must be integral to any initiatives to fight terrorism or other crimes.

Why? Because we live in a free and democratic society where individuals enjoy the right to live, to move around, to communicate and to go about their daily lives, free from unwarranted interference by the state.

And for practical reasons too:

Any effort towards greater security that is strictly tailored to the actual risk – and that therefore minimizes the infringement of privacy or other rights – will be more targeted and more effective.

For example, an investigation that is carried out in accordance with the law, and in a way that respects privacy and other rights, will yield cleaner evidence and a more compelling case for the prosecution.

In other words, all the work that is poured into greater security is more likely to pay off if it is carried out in a strategic, targeted manner. And an essential consideration in that regard is due respect for the right to privacy.

…

Airport scanners

Another file in which we are deeply involved relates to plans by CATSA, the Canadian Air Transport Security Authority, to install millimetre-wave whole-body imaging scanners at several Canadian airports.

These machines can penetrate clothing to expose concealed objects such as weapons or drugs. Their principal advantage over metal detectors is that they can identify non-metallic objects, such as ceramic weapons or liquid or plastic explosives.

Our Office has examined two Privacy Impact Assessments, or PIAs, prepared by CATSA – first for a pilot test conducted at Kelowna Airport, and more recently for the full program.

As we told CATSA earlier this week in our response to its PIA, we consider this technology to be inherently sensitive as it reveals an outline of the traveller’s body. Many people may perceive it as privacy invasive.

As such, we have worked with CATSA to ensure appropriate privacy safeguards.

One of the key results is that the technology will be used only for secondary purposes, after an individual has already passed through the metal detector. What’s more, the scans will be voluntary, with passengers given the option of going through them, or having a physical pat-down.

And – this is key from a privacy perspective – the images will not be recorded, printed or transmitted. Indeed, they will be deleted as the passenger leaves the scanner.

Four tests

In weighing this and any other government initiative with a potential impact on privacy, our approach is to apply four tests: Necessity, proportionality, effectiveness, and the existence of less-intrusive alternatives.

We ask ourselves: Is the proposed measure really necessary? Have the proponents offered proof of a genuine problem, with no other viable solutions?

Our next criterion is proportionality. Many measures will infringe on privacy; that is just the price we pay for living in a community. Any benefit to the group will generally restrict some liberties of the individual, but the invasion of privacy must be proportionate to the benefit derived.

We also want some assurance of effectiveness. We want to ensure that a measure that infringes on privacy, in the name of the collective good, really meets that specific objective.

As for the fourth test: If a measure is proposed that will affect the privacy of individuals, we want to know that it is justifiable on the grounds that there are no less intrusive alternatives already available.

…

Do your loved ones have toys on their wish lists this holiday? A stuffed animal for a little one… a cell phone or a camera for a teen? These days, these toys and gadgets are more than they used to be. Just a few years ago a stuffed animal was something to cuddle with and a phone was, well, just a phone! Now, many stuffed animals come with codes that allow kids to register them online so that they can play games, feed and care for them, and even chat and play with other kids. And many cellphones are phones, computers and cameras, all in one.

And while such toys and gadgets can be fun, we want people to enjoy them without putting their privacy and personal information at risk.

Here are our tips for protecting your privacy as you and your loved ones enjoy your new gadgets and toys. For parents especially:

Understand new toys and their capabilities – It is important to understand the capabilities of new toys and how your children will use them. Speak with your kids about how they will use the toy and, where appropriate, agree on guidelines and limits.

Pay attention to privacy settings and parental controls – Privacy settings on social networking sites control what people see about you. Only allow your friends to see your page, your posts, your photos and your applications. Parents, if you depend on parental control software that is installed on your desktop, remember that. Those controls won’t be in place on new mobile devices.

Remember, with Wi-Fi, children can access the Internet from anywhere in the house – And if their new toy/gadget has Internet capabilities they can also use it to access the Internet from locations and networks outside your supervision and control.

Here are our tips for protecting your privacy as you and your loved ones enjoy your new gadgets and toys. For everyone:

Think before you click – The Internet is a public arena, and photos and comments you post are permanent. Even if you delete them from a web page, they could continue to exist in archived pages, in your computer’s cache or on the computers of other Internet users who may have copied them. If you don’t want certain people to see something, now or in the future, don’t post it!

Pick and protect the perfect password – Your information is only as safe as your passwords. Use different passwords for different systems; make sure they are strong (eight characters or more and a variety of letters or numbers); never share them with anybody; and change them regularly.

Know your friends – Online, you can’t be 100 per cent sure who you are talking to. Don’t accept friend requests from people you don’t know in real life.

Protect your identity – Identity theft is a growing problem and the Internet is the least private of spaces. Don’t post or e-mail personal details such as your social insurance number, phone number, home address or birth date.

Be careful on online gaming sites – Online gaming sites are hotbeds of people accessing personal information. Be aware that ill-intentioned people can use information from your profile to establish accounts in your name, or use your stolen identity to access your existing accounts.

Be wary of e-mail or instant messages from unknown people – Don’t open online messages that seem odd or are from someone you don’t know. They could contain a virus or let a hacker gain access to your computer.

Have a happy holiday and enjoy all your new toys!

It’s also the 20^th anniversary of the day the United Nations General Assembly adopted the Convention of the Rights of the Child. A significant milestone, this made privacy a basic human right for everyone under the age of eighteen.

Privacy is a right that all young people should enjoy, no matter where they live. With today’s world being so different than it was 20 years ago, this is something they may not think much about. Today, young people are videotaped by security cameras almost everywhere they go. They are asked for their postal code or driver’s license number when they buy a pair of jeans. They can instant message, update their statuses, download music, talk to friends on Facebook and play games on their computers with people all around the world. Twenty years ago, if someone wanted to get in touch with you they had to phone you or send you a postcard!

It is so easy for young people to overlook their privacy rights and why they’re so important. And it’s easy to forget about the risks that are out there if they don’t protect their personal information. These risks can range from nuisance (all those marketers who are looking for people to target their ads to) to serious (from the people on the Internet who are looking for identities to steal, to the predators who are looking for victims). Many of them also tend to forget that when they post comments, photos and videos, online, that information is public and permanent and almost impossible to remove.

So today, on National Child Day, take a minute and remind the young people in your life, in your community, that privacy is their right. Have them look around youthprivacy.ca and click through the pages. Encourage them to find information about how they can have fun online while protecting this valuable basic human right.