Meeting Your Privacy Obligations
2009 Privacy Compliance Conference
May 27, 2009
Speaking Notes for Jennifer Stoddart,
Privacy Commissioner of Canada
(Check against delivery)
Good morning ladies and gentlemen. I’m so pleased to be at a conference called Meeting Your Privacy Obligations. From a Privacy Commissioner’s point of view, a conference title doesn’t get much better than that!
It’s a pleasure to have been invited to take part in a conference that covers such a wide range of important issues related to the protection of personal information. And it’s always a pleasure to be with a room full of people who care about privacy.
This morning I’d like to offer a bit of an update on some of the things my Office has been working on in recent months – all of them aimed at helping organizations understand and meet their privacy obligations.
As you’ve no doubt noticed, we’ve expanded our outreach efforts. As part of that work, we’re publishing more guidance documents for business. Our newest guidelines will cover issues related to covert surveillance. This morning I can offer an overview.
The covert surveillance guidelines come on the heels of a variety of other guidance documents – on trans-border data flows, on video surveillance and on the collection of driver’s licence information, for example.
Wherever possible, we’ve been working on these guidelines with provincial counterparts who have responsibility for enforcing private-sector legislation.
We see a clear need for strong cooperation and harmonization – and there have also been some other recent developments on that front that I can tell you about.
I also thought you would be interested to hear about what we’ve learned by taking a close look at the data breaches reported to my Office over the last couple of years. This new analysis sheds light on where organizations need to put more effort in order to prevent data spills.
I’d like to leave a fair bit of time for your questions – that way we can cover the issues that really matter to you in your daily work.
Businesses increasingly operate across provincial boundaries and national borders.
My Office has devoted a great deal of energy to international efforts aimed at advancing global privacy protection for Canadians.
We’re creating increasingly strong partnerships with data protection authorities, international associations, civil society groups, global corporations and other regulators such as the U.S. Federal Trade Commission.
We also see a clear need to ensure we are working cooperatively with my fellow provincial and territorial commissioners. Strengthening privacy in Canada requires a joint effort.
Privacy issues are much the same across the country – we all worry about identity theft, health issues, video surveillance and a number of other issues. In many cases, these fall under areas covered both by my Office and provincial offices.
For example, my Office has a role in addressing privacy concerns about the federal government’s promotion of electronic health records, while provincial offices are involved in ensuring health information is used appropriately.
We are cooperating with provincial and territorial offices in a number of ways – on outreach and public education, on guidance to organizations and in our investigations.
For example, earlier this year, my Office, together with the New Brunswick, Quebec and Saskatchewan provincial privacy offices and children’s advocacy groups from across Canada, established the Children’s Online Privacy Working Group. This group is exploring ways to better protect the online privacy of children.
There is an even greater need for strong working relationships with provincial offices which have responsibility for enforcing private-sector privacy legislation.
Over the last couple of years, there has been a marked increase in collaboration with our counterparts in British Columbia, Alberta and Quebec.
In 2008, our Office issued a Statement of Intent, spelling out how we would work with provincial and territorial commissioners and ombudsmen on privacy matters.
The document outlined our commitment to consult with provincial and territorial offices in certain priority areas, such as proposed federal legislation with major implications for the collection, use or disclosure of personal information within a province or territory.
Under this umbrella, we also developed a Memorandum of Understanding with B.C. and Alberta to address how Commissioners with shared jurisdiction over the private sector will work together.
Businesses operating across Canada are looking for harmonization and clarity in their responsibilities to protect personal information. Canadians are looking for effective privacy protection across the country.
Working together with the provincial offices yields practical benefits as well, such as efficient and effective use of resources between the offices.
This was illustrated by the case of Ticketmaster Canada – a parallel investigation involving our office and the Alberta Information and Privacy Commissioner. Our close collaboration ensured a consistent approach to many of the findings and recommendations.
We have also worked with provincial offices on guidance documents for business.
For example, we worked with Alberta and B.C. to produce guidelines on overt video surveillance in the private sector as well as a guide for retailers on the collection of driver’s licence information.
With my colleagues in B.C., Alberta and Quebec, we recently issued guidance on street-level imaging technologies – Google Street View and Canpages, for example.
This kind of guidance is playing an increasingly important role in our outreach efforts.
Earlier this spring, I attended the Forum on International Privacy Law in Barcelona, where leading IT lawyers from Europe and the U.S. emphasized the growing prominence of soft law – which is essentially realistic guidance from regulators.
Organizations here in Canada have also told us that guidance setting out the expectations of my Office would be welcome. In fact, if you’ve got suggestions for what kind of other guidance might be needed, please do let us know!
Covert Surveillance Guidelines
Last year, we realized that covert surveillance is an area where guidelines would be helpful.
We’ve recently seen an increase in complaints involving the insurance industry, some involving techniques that insurance adjusters use to evaluate or substantiate claims. Covert surveillance – where a private investigator follows a targeted person and captures his or her images on video – clearly raises many significant privacy issues.
We prepared draft guidelines, posted them on our web site and launched a consultation process. We received submissions from 15 stakeholders, representing the insurance industry, private investigators, unions and employers.
We consider covert video surveillance to be an extremely privacy-invasive form of technology. It entails the collection of a great deal of personal information.
A common misconception is that organizations don’t have to worry about privacy issues if covert video surveillance is conducted in a public place. This is not the case!
Organizations thinking about using covert video surveillance need to be aware of the criteria they need to satisfy in order to collect, use and disclose video surveillance images in compliance with PIPEDA.
For example, you need to think about what you want to achieve with covert surveillance. Under PIPEDA, an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. A number of questions must be considered.
- Is there a strong basis to support the covert video surveillance as a means of collecting personal information? (Mere suspicion is not enough to act on.)
- Is there a strong likelihood that collecting the personal information through covert surveillance will help the organization achieve its objective?
- Is the cost to privacy too great? There’s a need to weigh the individual’s right to privacy against the organization’s commercial need to collect, use and disclose personal information. The fundamental right to privacy is a key consideration.
- Is the loss of privacy proportional to the benefit gained? Are there less privacy-intrusive measures that could be used?
Consent is another important issue to consider. While PIPEDA generally requires consent to collection, use and disclosure of personal information, the law recognizes there are situations where consent is not required.
For example, consent may be implicit if an individual has initiated a formal legal action against an organization and the organization is collecting information to defend itself.
In order to collect information through video surveillance without consent, an organization must be reasonably satisfied that:
- First, collection with the knowledge and consent of the individual would compromise the availability or accuracy of the information; and,
- Second, that the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of law.
Our guidelines also caution organizations to take care to limit the personal information that they collect.
A particular concern for us is the collection of information about a third party who has nothing to do with the reason for the surveillance.
For example, the neighbour of someone under surveillance should not face the risk that images of an over-the-fence conversation will wind up being circulated as part of the package an investigator turns over to a company.
We had a complaint involving a company which had hired a private investigator to conduct covert video surveillance of an employee because of doubts about the seriousness of an on-the-job injury. The investigator videotaped the employee’s wife taking their children to school – even though the surveillance target was not with them!
When innocent individuals are inadvertently captured on video, their images should be deleted or depersonalized as soon as practicable. For example, people’s faces can be blurred out.
In this way, you’ve protected the privacy of people who have absolutely nothing to do with an investigation.
You’ll find more detail in the guidelines themselves, which we expect to post on our web site today.
There are clearly many issues for organizations to consider before they undertake covert video surveillance. Our new guidelines should help organizations to strike the appropriate balance between the legitimate need to collect commercial information and the right to privacy.
This is a difficult balance; but privacy needs to be respected.
Another issue that – unfortunately – continues to keep my Office busy is data breaches.
We recently completed an analysis of the private-sector data breaches reported to our Office between 2006 and 2008 in order to better understand how breaches are happening and how to prevent them.
The number of reported breaches has climbed significantly since we published a privacy breach checklist for businesses in 2007 and breach reporting guidelines in 2008.
Reported breaches jumped from 23 in 2006, to 48 in 2007, and then to 65 last year.
Despite the growing numbers, it’s clear that we’re still not hearing about all breaches. Reporting is not yet mandatory under PIPEDA.
We remain hopeful that there will be amendments to PIPEDA dealing with breach notification – as well as other issues such as disclosure of personal information in the course of mergers and acquisitions and the definition of business contact information.
What was striking as we looked at the stories behind these breaches was how often low-tech issues were involved.
Employee awareness and training was almost as big a factor as system security. Deliberate employee misbehaviour was at the heart of almost a third of breaches.
Meanwhile, procedures related to employees taking data out of the office – for example, to do some work at home or while on a business trip – were a factor in one in five incidents. This is rather disheartening given the many, many headlines we’ve seen about data breaches involving laptops stolen from parked cars!
Types of Breaches
As a first step in our analysis, we categorized breaches by type:
Unauthorized access, use or disclosure breaches accounted for more than a third of all reported breaches. Most of the time, the culprit was a rogue employee using – or trying to use – personal information in order to commit fraud.
Accidental disclosure includes mailing foul-ups; improper destruction and disposal; online disclosure; e-mailing mistakes and errant faxing.
Theft includes breaches where documents and electronic devices containing personal information were stolen from vehicles, from offices or stores, and from courier mailbags.
Loss of personal information included paper documents and portable devices such as memory sticks going missing.
Issues Leading to Breaches
Our analysis also examined the issues behind all of these types of breaches. In most cases, multiple factors led to the breach.
What should you be most worried about?
As I mentioned a moment ago, our analysis showed the most common issue was poor system security, followed closely by inadequate employee training.
Even in this post-TJX world, we continue to see too many organizations underestimating security risks and the need to protect personal information. Technologies are constantly changing and it is critical for organizations to ensure their security systems remain up to the task of safeguarding personal data.
I understand this is a challenging area – but it’s an absolutely critical one.
It was also disappointing – but not surprising – to see that inadequate training of employees is playing a role in so many breaches.
A poll commissioned by my Office in 2007 found only a third of all businesses reported having trained staff about the practices and responsibilities under Canada’s privacy laws. (Larger organizations, however, seemed to be doing a better job.)
Training – ongoing training – is a central element of a robust privacy management system.
Another significant issue identified in our analysis was deliberate employee misbehaviour. This is a somewhat harder one to address. How do you predict which of your employees is going to try to steal personal information? Certainly one important way in which you can reduce this risk is by ensuring that personal information is accessible to your staff only on a “need to know” basis.
Other issues for organizations to consider in their efforts to decrease the threat of data breaches include: administrative procedures, including destruction and disposal practices; third-party service providers and their capacity to protect personal information; and security and procedures related to employees taking data out of the office.
Our hope is that these findings will be food for thought for organizations as they work to reduce the risk of data spills.
Our ability to analyze this kind of data will improve when we move to mandatory reporting and have a more complete picture.
Privacy and the Economy
It seems to me that the recent economic turmoil we’ve seen makes it even more important to require breach notification as an added incentive for businesses to take data breach prevention seriously.
There’s a risk that businesses looking to cut costs during a downturn will skimp on security.
A poll we commissioned a few months ago found 87 per cent of Canadians were concerned that businesses may choose to spend less to protect customers’ personal information during a time of economic uncertainty.
The threat to personal information may be higher during tough economic times as crooks look for vulnerabilities to exploit. Earlier this year, the Government of Canada warned businesses and consumers to be on the lookout for an increase in fraudulent activity by scammers during the current downturn.
This is absolutely not the time to try to do security on the cheap.
Corporate belt tightening may be counterproductive when it comes to privacy and security measures. Studies have shown that it’s far less expensive to get security right in the first place than to mop up after a data breach caused by inadequate security.
We are encouraged by the fact that many businesses have expressed to us their commitment to privacy, which they view as a competitive advantage.
I’ve covered a lot of ground in a short time. I hope I’ve left you with a good sense of some of our latest initiatives aimed at helping organizations meet their privacy obligations.
We’re working outside of Canada in an effort to develop global privacy standards that will help protect your customer data once it leaves the country.
We are working with provincial counterparts to help ensure that offices with responsibility for oversight of private sector legislation are consistent in their approaches. As much as possible, we want to offer you the same guidance.
We are also working to provide you with more guidance. Guidelines set out the expectations of my Office and help organizations to implement good privacy practices – and avoid problems.
It’s become one of the foremost privacy research funding programs in the world.
Ultimately, our goal as an Office is to help you to succeed in protecting the personal information that Canadians entrust to your care.
Our door is always open, and we welcome your ideas and suggestions.
And now I’d welcome your questions ….