You Might be Interested In

Ever wonder what information a government agency might hold about your traveling habits? Thanks to an anonymous U.S citizen, we can sneak a peek at a travel record held by the United States Department of Homeland Security. The scanned copies are posted on philosecurity, and include data like:

• IP address used to make web travel reservations
• Hotel information and itinerary
• Full Name, birth date and passport number
• Full airline itinerary, including flight numbers and seat numbers
• Cruise ship itinerary
• Credit card number and expiration
• Phone numbers, including. business, home & cell
• Every frequent flier and hotel number, even ones not used for the specific reservation

Several countries, including Canada, collect similar information as part of an Advanced Passenger Information or Passenger Name Record program.

While we would all prefer it if the government did not collect information about our travel habits, these programs are meant to provide security agencies with enough advance information to screen travelers and identify potential risks to transport security. If your travel plans include the European Union, Switzerland or the United States, information in Canada’s database will also be shared with their security agencies.

More information about the Canada Border Services Agency’s programs is available, including directions on how each individual can access the travel data the Agency holds on you.

Speaking at the Canadian Bar Association Conference earlier this week, the Privacy Commissioner talked about the privacy implications of courts and administrative tribunals posting to the web decisions and other documents containing personal information.

While her speech generated a handful of articles, her comments created a bit of a stir when one newspaper article misinterpreted what she had said, suggesting that the Commissioner was proposing that all court decisions be scrubbed of personal information before being made widely available.  Of course, neither the Privacy Act nor the Commissioner’s mandate applies to the courts.  In her speech, the Commissioner was actually discussing the legal obligations of government institutions subject to the Privacy Act. (You can read the transcript of her speech here.)  These institutions have tended to evoke the practices of the courts as a justification for the disclosure of personal information, a tendency that inspired the Commissioner’s remarks.  Other interpretations of the Commissioner’s comments better capture her concerns.

Below is the commissioner’s letter to the Toronto Star which appeared yesterday morning.

Re: Hide IDs in court rulings, privacy chief says, Aug. 20

I am writing to correct a false impression left by the article. My mandate does not extend to the courts. However, it is interesting to note that they, like my office, have been wrestling with the issue of posting personal information online. My role is to ensure that federal administrative tribunals respect the privacy rights of Canadians.

Ordinary Canadians provide their personal information to these tribunals for various reasons. They may, for instance, be seeking access to a government benefit or reparation for an alleged government mistake.

A law-abiding citizen fighting for a government benefit should not be forced to expose her medical history or other highly sensitive personal information to public scrutiny. They should not have to abandon their privacy rights.

My office has recently investigated complaints about the online posting of personal information by several administrative tribunals. We expect to release our findings in these cases in the fall.

Jennifer Stoddart, Privacy Commissioner of Canada

The Privacy Act, the federal privacy law requiring federal government bodies to respect individual privacy rights, hasn’t been substantially updated since 1982 – the same year the Commodore 64 was released and we stopped calling July 1 Dominion Day. What’s interesting about these changes is they could be implemented immediately and relatively easily – and the benefit to Canadians would be a privacy law that is modern, responsive and efficient.

As readers of this blog will know we are quite fond of the Top Ten list. So today, we present you with our list of the Top Ten fixes for the Privacy Act:

10. Parliament could create a legislative requirement for government departments to show the need for collecting personal information.

9. The role of the Federal Court could be broadened to review all grounds under the Privacy Act, not just denial of access.

8. Parliament could enshrine into law the obligation of Deputy Heads to carry out Privacy Impact Assessments prior to implementing new programs and policies.

7. The Act could be amended to provide the Privacy Commissioner with a clear public education mandate. PIPEDA contains such a mandate for private sector privacy matters. Why shouldn’t the Privacy Act for public sector matters?

6. The Act could provide the Privacy Commissioner with greater flexibility to report publicly on the government’s privacy management practices. As it now stands, we are limited to reporting by way of annual and special reports only.

5. The Act could grant the Commissioner greater discretion at the front-end to refuse complaints or discontinue complaints if the investigation would serve no useful purpose or is not in the public interest. This would allow the OPC to focus our investigative resources on those privacy issues that are of broader systemic interest.

4. Parliament could amend the Act and align it with PIPEDA by eliminating the restriction that the Privacy Act applies to recorded information only. At the moment, personal information contained in DNA and other biological samples is not explicitly covered. (But fingerprints are, in case you thought otherwise.)

3. Parliamentarians could strengthen the annual reporting requirements of government departments and agencies under section 72 of the Act, by requiring these institutions to report to Parliament on a broader spectrum of privacy-related activities.

2. The Act could be amended to provide for regular five-year reviews of the legislation, as is the case with PIPEDA.

1. Finally, the Act currently does not impose a duty on Canadian government institutions to identify the precise use for which personal information is being disclosed abroad. An amendment to the Act could require the Canadian government to not only identify the precise use for the transfer of personal information to foreign states, but ensure that adequate measures are taken to maintain the confidentiality of shared information.

Read this for more information.

As we close out 2007, we’d like to sound a note of caution for privacy rights in Canada. We are lucky to have a variety of protections for personal information and data at the territorial, provincial and federal levels. Nevertheless, the Commissioner took a moment last week to highlight some of the steps that need to be taken by individuals, corporations and the government in the face of continuing challenges:

“Heightened national security concerns, the growing business appetite for personal information and technological advances are all potent – and growing – threats to privacy rights,” said Commissioner Stoddart. “The coming year will be another challenging one for privacy in Canada.”

What challenges, you may ask? Privacy International, a London-based non-governmental organization, issued their annual report on privacy protection world-wide. Canada was one of three countries recognized as a world-leader, but we were criticized on several fronts:

• Federal commission is widely recognised as lacking in powers such as order-marking powers, and ability to regulate trans-border data flows
• Variety of provincial privacy commissioners have made privacy-enhancing decisions and taken cases through the courts over the past year (particularly Ontario)
• Court orders required for interception and there is no reasonable alternative method of investigation
• Video surveillance is spreading despite guidelines from privacy commissioners
• Highly controversial no-fly list, lacking legal mandate
• Continues to threaten new policy on online surveillance
• Increased calls for biometric documents to cater for U.S. pressure, while plans are still unclear for biometric passports

Parliament passed Canada’s public sector privacy law back in 1982 – the same year the Commodore 64 computer hit the market. At the time, both were considered pioneering.

The Commodore 64, which looked like an over-sized keyboard and had 64 KB of RAM and a 1-Mhz chip, was the first affordable computer designed for home use. This Canadian invention has often been compared to the Ford Model T.

The passage of the Privacy Act marked the first time in Canada that privacy was dealt with under separate legislation. Until then, more limited privacy protections were provided as an appendage to the Canadian Human Rights Act. Privacy rights had taken an important step forward.

But that was a quarter century ago. Back in 1982, Time magazine broke with its tradition of naming a “Man of the Year,” instead naming the computer as its “Machine of the Year.” Time’s article, which described how the computer had become a tool for the masses, was written on a typewriter.

Times have changed – and so too has the privacy environment. Technology has created new and complex privacy issues.

In 1982, the Internet, global positioning systems, Radio Frequency Identification Devices (RFIDs), cross-border outsourcing and data mining were novel ideas. Today, these technologies are commonplace and are the key issues keeping privacy advocates up at night. Another generation of technologies that carry privacy risks – brain scans and smart dust, for example – is just around the corner.

The privacy challenges for government today are compounded by increased globalization and heightened concerns over national security in the wake of the 9-11 terrorist attacks.

The Privacy Act was not designed to address the era we now live in and it is not up to the job of protecting Canadians in this changed world. In fact, it has been desperately out of date for many years.

Proposals for reforming the Act date back to 1987. Unfortunately, successive federal governments have not heeded the numerous – and increasingly urgent – calls for improvements.

Canada’s private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), came into effect in 2001 – making the shortcomings of its public sector sister legislation all the more evident. It is unfortunate that Canadians have stronger privacy safeguards for personal information in the hands of the private sector than they do for that held by government. …

(an extract from our 2006-2007 Annual Report on the Privacy Act, tabled in Parliament today)