You Might be Interested In

(from our news release)

The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has more personal information in its database than it needs, uses or has the legislative authority to receive.

This was one of the key findings of the Privacy Commissioner of Canada’s in-depth audit of the independent agency mandated to analyze financial transactions and identify suspected money laundering and terrorist financing in Canada …

Legislative changes passed in 2006 expanded the types of transactions that must be reported to FINTRAC, as well as the number of professionals and organizations that are required to collect information about clients and to report it to FINTRAC. Examples of entities required to report to FINTRAC include financial institutions, life insurance companies, accountants and casinos.

The audit found that FINTRAC needs to do more to ensure that the amount of personal information it acquires is kept to an absolute minimum. A random sample of files examined in the audit turned up several reports that did not clearly demonstrate reasonable grounds to suspect money laundering or terrorist financing.  For example:

• A reporting entity filed several reports stating it was “taking a conservative approach in reporting this … because there are no grounds for suspecting that this transaction is related to the commission of a money laundering offence, but there is a lack of evidence to prove that the transaction is legitimate.”
• An individual deposited a government cheque for an amount less than $300 and then withdrew the entire amount. The financial institution filed a suspicious-transaction report, but did not indicate why the transaction was deemed suspicious.
• A financial institution filed a report about an individual who had deposited a cheque from a law firm.  The institution was satisfied that the individual had provided legitimate reasons for the source of funds, but decided to notify FINTRAC anyway because of the individual’s ethnic origin and the fact that this person had visited a particular country.

“It is clear that such reports, containing not a shred of evidence of money laundering and terrorist financing, should not be making their way into the FINTRAC database,” says Commissioner Stoddart.

“It is a bedrock privacy principle that you collect only the personal information you need for a specific purpose,” she says. “The federal government needs to have a justifiable need to collect someone’s personal information. Clearly, FINTRAC needs to do more work with organizations to ensure it does not acquire personal information that it has no legislative authority to receive – and that it does not need or use.”

The audit recommended enhanced front-end screening of reports; stronger ongoing monitoring and review to ensure that information holdings are relevant and not excessive, and the permanent deletion of information that FINTRAC did not have the statutory authority to receive.

Under amendments passed in 2006, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act requires the Privacy Commissioner to review FINTRAC every two years and report the results to Parliament.

Now that Canada has officially entered the “second wave” of the H1N1 flu season, and the United States President has proclaimed the H1N1 pandemic to be a national emergency, Canadians are staring at the possibility of a significant flu outbreak. The sense of concern and urgency about how to respond to this situation presents interesting challenges for protecting the right to privacy.

As anyone who has stood in the long lines to get the new H1N1 vaccine can tell you, preparing for the potential disruptions in our daily lives as a result of the flu outbreak may well be new territory for organizations, employees, as well as customers.  And business continuity plans don’t always address important privacy questions!

To help bridge this gap, we’ve developed guidance for organizations and a fact sheet for employees to explain how privacy laws apply in the private sector workplace during the H1N1 pandemic. This important work was prepared in consultation with our counterparts in Alberta and British Columbia.

Right now, in Canada’s current “non-emergency” situation, it’s important to remember that privacy laws apply in the usual way. For example, employers can collect only the minimum amount of personal information necessary to meet a business need.

However, it’s a different story if an emergency is declared. For example, if an outbreak is declared to be a public emergency, the powers to collect, use and disclose personal information to protect the public health may be very broad. Privacy legislation would not prevent the sharing of information in the event that H1N1 is declared to be an emergency pandemic.

This guidance will be updated as circumstances warrant.

Privacy and the 2010 Olympics – some resources

Ever wonder what information a government agency might hold about your traveling habits? Thanks to an anonymous U.S citizen, we can sneak a peek at a travel record held by the United States Department of Homeland Security. The scanned copies are posted on philosecurity, and include data like:

• IP address used to make web travel reservations
• Hotel information and itinerary
• Full Name, birth date and passport number
• Full airline itinerary, including flight numbers and seat numbers
• Cruise ship itinerary
• Credit card number and expiration
• Phone numbers, including. business, home & cell
• Every frequent flier and hotel number, even ones not used for the specific reservation

Several countries, including Canada, collect similar information as part of an Advanced Passenger Information or Passenger Name Record program.

While we would all prefer it if the government did not collect information about our travel habits, these programs are meant to provide security agencies with enough advance information to screen travelers and identify potential risks to transport security. If your travel plans include the European Union, Switzerland or the United States, information in Canada’s database will also be shared with their security agencies.

More information about the Canada Border Services Agency’s programs is available, including directions on how each individual can access the travel data the Agency holds on you.

Speaking at the Canadian Bar Association Conference earlier this week, the Privacy Commissioner talked about the privacy implications of courts and administrative tribunals posting to the web decisions and other documents containing personal information.

While her speech generated a handful of articles, her comments created a bit of a stir when one newspaper article misinterpreted what she had said, suggesting that the Commissioner was proposing that all court decisions be scrubbed of personal information before being made widely available.  Of course, neither the Privacy Act nor the Commissioner’s mandate applies to the courts.  In her speech, the Commissioner was actually discussing the legal obligations of government institutions subject to the Privacy Act. (You can read the transcript of her speech here.)  These institutions have tended to evoke the practices of the courts as a justification for the disclosure of personal information, a tendency that inspired the Commissioner’s remarks.  Other interpretations of the Commissioner’s comments better capture her concerns.

Below is the commissioner’s letter to the Toronto Star which appeared yesterday morning.

Re: Hide IDs in court rulings, privacy chief says, Aug. 20

I am writing to correct a false impression left by the article. My mandate does not extend to the courts. However, it is interesting to note that they, like my office, have been wrestling with the issue of posting personal information online. My role is to ensure that federal administrative tribunals respect the privacy rights of Canadians.

Ordinary Canadians provide their personal information to these tribunals for various reasons. They may, for instance, be seeking access to a government benefit or reparation for an alleged government mistake.

A law-abiding citizen fighting for a government benefit should not be forced to expose her medical history or other highly sensitive personal information to public scrutiny. They should not have to abandon their privacy rights.

My office has recently investigated complaints about the online posting of personal information by several administrative tribunals. We expect to release our findings in these cases in the fall.

Jennifer Stoddart, Privacy Commissioner of Canada

The Privacy Act, the federal privacy law requiring federal government bodies to respect individual privacy rights, hasn’t been substantially updated since 1982 – the same year the Commodore 64 was released and we stopped calling July 1 Dominion Day. What’s interesting about these changes is they could be implemented immediately and relatively easily – and the benefit to Canadians would be a privacy law that is modern, responsive and efficient.

As readers of this blog will know we are quite fond of the Top Ten list. So today, we present you with our list of the Top Ten fixes for the Privacy Act:

10. Parliament could create a legislative requirement for government departments to show the need for collecting personal information.

9. The role of the Federal Court could be broadened to review all grounds under the Privacy Act, not just denial of access.

8. Parliament could enshrine into law the obligation of Deputy Heads to carry out Privacy Impact Assessments prior to implementing new programs and policies.

7. The Act could be amended to provide the Privacy Commissioner with a clear public education mandate. PIPEDA contains such a mandate for private sector privacy matters. Why shouldn’t the Privacy Act for public sector matters?

6. The Act could provide the Privacy Commissioner with greater flexibility to report publicly on the government’s privacy management practices. As it now stands, we are limited to reporting by way of annual and special reports only.

5. The Act could grant the Commissioner greater discretion at the front-end to refuse complaints or discontinue complaints if the investigation would serve no useful purpose or is not in the public interest. This would allow the OPC to focus our investigative resources on those privacy issues that are of broader systemic interest.

4. Parliament could amend the Act and align it with PIPEDA by eliminating the restriction that the Privacy Act applies to recorded information only. At the moment, personal information contained in DNA and other biological samples is not explicitly covered. (But fingerprints are, in case you thought otherwise.)

3. Parliamentarians could strengthen the annual reporting requirements of government departments and agencies under section 72 of the Act, by requiring these institutions to report to Parliament on a broader spectrum of privacy-related activities.

2. The Act could be amended to provide for regular five-year reviews of the legislation, as is the case with PIPEDA.

1. Finally, the Act currently does not impose a duty on Canadian government institutions to identify the precise use for which personal information is being disclosed abroad. An amendment to the Act could require the Canadian government to not only identify the precise use for the transfer of personal information to foreign states, but ensure that adequate measures are taken to maintain the confidentiality of shared information.

Read this for more information.

As we close out 2007, we’d like to sound a note of caution for privacy rights in Canada. We are lucky to have a variety of protections for personal information and data at the territorial, provincial and federal levels. Nevertheless, the Commissioner took a moment last week to highlight some of the steps that need to be taken by individuals, corporations and the government in the face of continuing challenges:

“Heightened national security concerns, the growing business appetite for personal information and technological advances are all potent – and growing – threats to privacy rights,” said Commissioner Stoddart. “The coming year will be another challenging one for privacy in Canada.”

What challenges, you may ask? Privacy International, a London-based non-governmental organization, issued their annual report on privacy protection world-wide. Canada was one of three countries recognized as a world-leader, but we were criticized on several fronts:

• Federal commission is widely recognised as lacking in powers such as order-marking powers, and ability to regulate trans-border data flows
• Variety of provincial privacy commissioners have made privacy-enhancing decisions and taken cases through the courts over the past year (particularly Ontario)
• Court orders required for interception and there is no reasonable alternative method of investigation
• Video surveillance is spreading despite guidelines from privacy commissioners
• Highly controversial no-fly list, lacking legal mandate
• Continues to threaten new policy on online surveillance
• Increased calls for biometric documents to cater for U.S. pressure, while plans are still unclear for biometric passports

Parliament passed Canada’s public sector privacy law back in 1982 – the same year the Commodore 64 computer hit the market. At the time, both were considered pioneering.

The Commodore 64, which looked like an over-sized keyboard and had 64 KB of RAM and a 1-Mhz chip, was the first affordable computer designed for home use. This Canadian invention has often been compared to the Ford Model T.

The passage of the Privacy Act marked the first time in Canada that privacy was dealt with under separate legislation. Until then, more limited privacy protections were provided as an appendage to the Canadian Human Rights Act. Privacy rights had taken an important step forward.

But that was a quarter century ago. Back in 1982, Time magazine broke with its tradition of naming a “Man of the Year,” instead naming the computer as its “Machine of the Year.” Time’s article, which described how the computer had become a tool for the masses, was written on a typewriter.

Times have changed – and so too has the privacy environment. Technology has created new and complex privacy issues.

In 1982, the Internet, global positioning systems, Radio Frequency Identification Devices (RFIDs), cross-border outsourcing and data mining were novel ideas. Today, these technologies are commonplace and are the key issues keeping privacy advocates up at night. Another generation of technologies that carry privacy risks – brain scans and smart dust, for example – is just around the corner.

The privacy challenges for government today are compounded by increased globalization and heightened concerns over national security in the wake of the 9-11 terrorist attacks.

The Privacy Act was not designed to address the era we now live in and it is not up to the job of protecting Canadians in this changed world. In fact, it has been desperately out of date for many years.

Proposals for reforming the Act date back to 1987. Unfortunately, successive federal governments have not heeded the numerous – and increasingly urgent – calls for improvements.

Canada’s private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), came into effect in 2001 – making the shortcomings of its public sector sister legislation all the more evident. It is unfortunate that Canadians have stronger privacy safeguards for personal information in the hands of the private sector than they do for that held by government. …

(an extract from our 2006-2007 Annual Report on the Privacy Act, tabled in Parliament today)