Saskatchewan’s privacy commissioner finds doctors snooped in Humboldt Broncos patient records


Saskatchewan’s privacy commissioner has found eight people inappropriately gained access to electronic health records of 10 Humboldt Broncos team members involved in a bus crash last April.

Sixteen people were killed and 13 were injured in the crash between the junior hockey team’s bus and a semi trailer at a rural Saskatchewan intersection.

« Due to the high-profile nature of the crash, eHealth Saskatchewan understood the risk of snooping, » said a report from information and privacy commissioner Ronald Kruzeniski.

The report said the health agency began monitoring the profiles of the patients — which include lab results, medication information and chronic diseases — three days after the crash.

The wreckage of a fatal crash outside of Tisdale, Sask., is seen in April. A privacy report says medical records of crash victims were inappropriately accessed by people in the health care system. (Jonathan Hayward/The Canadian Press)

« Between April 9, 2018, and May 15, 2018, eHealth detected eight users of the viewer, mostly physicians, accessed without apparent authority the profiles of 10 patients. »

The report shows eHealth reported the breaches to the privacy commissioner on July 5.

Privacy commissioner ‘disappointed’

Kruzeniski said he’s disappointed that the seven doctors and an office manager inappropriately looked at the records.

« This has been a major tragedy in our province and I’m disappointed that people got tempted, » he said in an interview with The Canadian Press on Monday. « Now that it’s happened, it’s my job to work with others through education and legislative change [to] make the system work. »

His report, which has been posted online, detailed the privacy breaches.

In one case, an employee of a medical clinic examined the health information of three people involved in the collision.

The office manager admitted she consulted the records because « her family members had heard one of the individuals had died and she wanted to verify the information; she thought another individual was a patient … [and] she wanted to verify a detail that was reported by the media about one of the individuals. »

The report said the employee’s access to eHealth was suspended and she was given further training, but she has since resigned from her job.

Another case involved a doctor at a Humboldt clinic who viewed the records of two people, including one who was a patient prior to the crash.

« Dr. D wanted to know what injuries the individual sustained, if the individual received care or if it was an instant fatality, » said the report. « For the other individual, it explained Dr. D was concerned. »

3 emergency care doctors among those reviewing patient records

Other cases included three doctors who provided emergency care at the Nipawin Hospital and who reviewed patient records of those they treated.

« They believed they were in the individuals’ ‘circle of care,’ » said the report.

The privacy commissioner said the province’s Health Information Protection Act does not address circles of care so the doctors were no longer authorized to access the records.

Another case saw a medical resident view the information of three patients because she wanted to get closure on the cases, which is not an acceptable reason.

During the monitoring period, two other medical residents were found to have looked at the records of one of the people involved in the crash when the residents were reviewing the records of dozens of patients with a particular illness.

Monthly privacy audits recommended

In his report, Kruzeniski has made a number of recommendations to eHealth — including that it conduct regular monthly audits for the next three years of the physicians who inappropriately gained access to information.

Kruzeniski also recommended that the organization comply with a need-to-know principle rather than a circle-of-care concept and that it develop a solution to force users of the system to regularly review their training.


3 former civil servants file $1.8M suit against former P.E.I. premier, government agency over privacy breach


Three former government employees who raised concerns about P.E.I.’s provincial nominee program in 2011 have filed a lawsuit against former premier Robert Ghiz, a provincial Crown corporation and others.

A statement of claim was filed in P.E.I. Supreme Court Thursday on behalf of Susan Holmes, Cora Plourd Nicholson and Svetlana Tenetko.

The three women, who call themselves whistleblowers, are seeking $1.8 million in damages plus a further undisclosed amount representing loss of income and out-of-pocket expenses in the aftermath of a privacy breach.

A report from P.E.I.’s privacy commissioner released in Dec. 2017 concluded government was either directly or indirectly responsible for a privacy breach where personal information about the three women was leaked to the P.E.I. Liberal Party during the 2011 election campaign.

Also named in the suit, besides Ghiz and the provincial Crown lending agency Island Investment Development Inc., are former innovation minister Allan Campbell, former deputy minister of innovation Michael Mayne and a lawyer involved with the Liberal Party, Spencer Campbell. 

When reached Thursday afternoon, former premier Robert Ghiz said he had no comment as the issue is before the courts. CBC has not yet been able to reach the other individual defendants.

Susan Holmes is shown at her home in Moncton, N.B., in January 2018. She has said she won’t fade away without being compensated for the economic and emotional toll on her life. (Ron Ward/The Canadian Press)

Personal information leaked to Liberal Party

The three women, who had all worked for the provincial government, made national headlines in September 2011 with allegations of bribery and fraud within P.E.I.’s provincial nominee program.

Later the same day, the Liberal Party of P.E.I. issued a media release that included personal information about the three women, including work histories, details about a human rights complaint and personal emails.

Spencer Campbell, speaking for the Liberal Party at the time, said the information had been leaked to the party and he didn’t know where it came from.

« The Liberal Party is not subject to the information and protection of privacy legislation in this province, » Campbell said at the time.

6-year investigation concluded breach happened

After an investigation that took six years, P.E.I.’s Privacy Commissioner Karen Rose concluded the information had come from government.

Rose said one of two things happened: either, « someone within Economic Development and/or the Premier’s Office and/or Executive Council … deliberately disclosed the personal information to the Liberal Party of PEI, » or, she said, an unknown third party deliberately disclosed the information because those three government bodies « failed to make reasonable security arrangements to prevent unauthorized disclosure to the Liberal Party of PEI. »

In either case, the commissioner concluded a breach of the province’s Freedom of Information and Protection of Privacy Act occurred.

In their statement of claim, the three litigants say Ghiz, Mayne, Allan Campbell and others « conspired with each other and with [Spencer] Campbell and the P.E.I. Liberal Party by knowingly and unlawfully publicly disclosing private information … with the predominant purpose of harming the plaintiffs. »

Allegations not proven in court

They say the defendants acted « with a common design, to injure, embarrass, intimidate and promote bias against the plaintiffs » and should have known « their acts would, in fact, cause harm to the plaintiffs. »

Holmes, Plourd Nicholson and Tenetko say they suffered depression, mental anxiety, loss of income and costs of « moving and uprooting their lives. »

The allegations have not been proven in court.

Investigations by RCMP and border services into the women’s allegations regarding the PNP did not result in any charges.

A spokesperson for the province told CBC News the government is reviewing the statement of claim and referred to the statement provided by current Premier Wade MacLauchlan when the privacy commissioner released her report in 2017.

That statement noted the privacy breach occurred « under the previous government, and the key players involved are not a part of the current administration.

« This is something that would not have been, and will not be, tolerated under this current government, » the statement read. « We do business differently. »


Toronto man raises privacy concerns after dealership employee turns off his dashcams – twice


A Toronto man is speaking out after an employee at his car dealership turned off his dashboard video camera twice while working on his vehicle, and now he’s warning others their devices may be tampered with without their knowledge. 

Haider Firas, 24, took his car to Parkview BMW this past November. Firas has a camera pointing out to capture video of other vehicles and one pointing inside his car to protect his property.

The mechanic was captured on the video noticing the cameras and turning them both off.

« Well that kind of raises a flag, » Firas told CBC Toronto. 

« Why did he do that? Now I don’t know what happened to my car for that time being. It’s under their control now. They could do anything, they could speed off with it, they could have damages done to it, I don’t know. »

Unsatisfied with Parkview BMW’s response after an employee there turned off his dashcam video, Haider Firas went to the media to alert others to what he says could be an industry-wide problem. (Chris Glover/CBC)

Dashcam data deleted on 2nd visit

Firas said he complained to the dealership, but decided to take his car back to the same company a couple of weeks later.

Not only did the employee turn off his recording devices the second time, but that time the employee also deleted the videos on the file, Firas said.

« This is raising a concern with privacy because I have my family in my car and we have conversations. [The employee] actually had to go through footage to find their own footage to delete and this is a 100 per cent no-no, like you can’t access people’s private information to get rid of your own footage. »

Firas also uploads his videos to YouTube, and said they are particularly valuable to him for that reason. 

Firas recorded a phone conversation between himself and the dealership’s director of fixed operations.

The director at the dealership said some employees are not comfortable being watched without their knowledge and argued it is common practice in the trade.

« I don’t think it’s ok for you to disconnect the camera without asking the owner’s permission, » Firas tells the director on the recording.

The two dashcam video recorders in Haider Firas’s vehicle were both turned off by an employee at his dealership. He also says they deleted files on the second occasion. (Chris Glover/CBC)

« For example, if I have a house and I hire contractors to come work in my house … and they disconnect my cameras, … you can’t do that, because I’m recording for my safety for my property. It’s the same thing. It’s my car, you’re not allowed to disconnect it without permission. »

Parkview BMW’s general manager did not respond to CBC Toronto’s request for comment.

Other dealerships weigh in: ‘We don’t touch them’ 

Art Safonov, the parts manager at Volkswagen MidTown Toronto, said at their facility it’s policy not to touch an owner’s property without contacting them first.

« If the technician does decide that they want it off, we would notify the customer that it is going to be turned off … because we are totally transparent, » Safonov said.

« Generally, we don’t touch them; there’s no reason to touch it, » he added.

« But is it standard across the board? I have no idea. From dealer to dealer it may vary. »

Over at Lakeside Motors, owner Mike Colangelo said his shop hasn’t encountered the situation yet, but suggested it would be best to let the owner know.

« I don’t think it’s a bad idea to tell the customer, because if anything happens … they’d say it happened while the camera was off, » he said.

« It’s a bit of a grey area. I don’t know what the logistics are around this. You could go both ways. You’d almost need to be a lawyer. »

Potential privacy violation by employee, not Firas, lawyer says 

Privacy lawyer Alice Tseng says in Canada privacy violations pertain to entities such as businesses or governments, not private individuals or consumers.

She doesn’t think it was against the law for Firas to record the employee, or for the employee to stop the recording.

But she says the situation could be problematic for the employee.

« If the employee just stopped it and no more I don’t see a privacy issue, » Tseng said.

« If the employee deleted files, I don’t think it’s a privacy issue, but I do think the consumer could have some sort of recourse, because you can’t just damage other people’s property or delete other people’s property, » she added.

« To the extent that the employee actually had to access or watch any past files, that could be a privacy violation. »


Companies should get ‘meaningful consent’ for user data, privacy watchdog says


After a year of high-profile data breaches that have shaken the public’s trust in companies’ collection of personal data, Canada’s privacy watchdog is issuing new guidelines for private-sector companies to obtain “meaningful consent” from their users and customers.

The guidelines make clear that it’s no longer sufficient for companies to simply provide a legal disclaimer — that most users will never read — to obtain consent to collect, use and monetize users’ personal information.

Federal Privacy Commissioner Daniel Therrien is issuing new guidelines for private-sector companies to obtain “meaningful consent” from their users and customers.  (Sean Kilpatrick / THE CANADIAN PRESS File)

“Under privacy laws, organizations are generally required to obtain meaningful consent for the collection, use and disclosure of personal information. However, advances in technology and the use of lengthy, legalistic privacy policies have too often served to make the control — and personal autonomy — that should be enabled by consent nothing more than illusory,” the guidelines, which come into effect Jan. 1, read.

“Consent should remain central. But it is necessary to breathe new life into the ways in which it is obtained.”

The guidelines, issued by federal Privacy Commissioner Daniel Therrien along with his counterparts in B.C. and Alberta, are organized around seven key considerations for companies collecting user data. They include:

  • Emphasizing key points, including what data is being collected, how it is being used, and who it will be shared with. The risks associated with sharing things like location data — as well as the possibility of physical harm, embarrassment or loss of employment in the event of a data breach — should also be emphasized, the watchdogs said.
  • Providing “layers” of information on privacy policies. Some users may want a quick summary of the dangers, others may want a deep dive into the nitty-gritty legal language of a policy. The watchdogs suggest companies provide both options.
  • Making consent an “ongoing” process. It’s not enough for companies to ask users for their consent once, and then collect their information forever. Any changes to a company’s privacy policy should be run by users, and companies should provide periodic reminders their users can change their privacy settings.

The watchdogs also said children cannot be expected to provide “meaningful consent” for the use of their private information — a particularly pressing issue for those children who unwrapped new gaming systems, mobile phones and other internet-connected goodies over the holidays.

“Where a child is unable to meaningfully consent to the collection, the use and disclosure of personal information … consent must instead be obtained from their parents or guardians,” the guidelines read.

Therrien’s office said children under the age of 13 are considered unable to consent to the use of their personal information, while children over the age of 13 may be able to — but companies must be sensitive to what they’re asking of minors.

The guidelines are largely voluntary, representing what Therrien’s office considers best practices for companies to follow. But they come at a time when high-profile data breaches — along with cases of companies blatantly taking advantage of their customers’ trust — have shifted the conversation around privacy and data autonomy from the fringes to the mainstream.

While tech giants such as Facebook, Google, Microsoft and Amazon have yet to be hit with substantial fines or penalties for their transgressions, countries around the world — including Canada, the U.S., and the U.K. — are openly talking about reining in those companies’ power.

Public polling released by Therrien’s office showed that Canadians’ awareness and concern about privacy issues have been steadily rising in recent years. In 2012, just 42 per cent of respondents told the Office of the Privacy Commissioner they were concerned or extremely concerned about privacy issues. That grew to 52 per cent in 2014, and 57 per cent in 2016.

Alex Boutilier is an Ottawa-based reporter covering national politics. Follow him on Twitter: @alexboutilier


Federal departments and agencies reported 200 serious privacy breaches in 2017


OTTAWA–The federal government reported more than 200 significant privacy breaches affecting the personal information of thousands of Canadians and Canadian businesses, a number that Ottawa’s privacy watchdog suggests is the “tip of the iceberg.”

The Star obtained documents under access to information law detailing every privacy breach reported by federal departments and agencies in 2017. Over 600 pages, government employees describe breaches ranging from misplaced student loan documents to outing confidential RCMP drug informants.

But privacy commissioner Daniel Therrien’s office suggested the official numbers likely mask the scope of privacy violations at federal departments and agencies.

“Given the sheer volume of personal data that is collected and used by government institutions, we believe many material breaches likely go unreported, if not undetected,” wrote spokesperson Tobi Cohen in a statement to the Star.

In 2014 Treasury Board, the department that handles most internal government rules and regulations, required all federal departments and agencies to report any “material privacy breaches” to the privacy commissioner.

But what amounts to a “material” breach is somewhat open to interpretation. According to Treasury Board rules, a breach is “material” if it involved sensitive personal information and could “reasonably be expected to cause serious injury or harm to the individual” or involves a large number of people.

In 2017, only 27 federal departments and agencies reported a material breach to Therrien’s office. Most of the violations, some 113, were reported by Employment and Social Development Canada. But many of ESDC’s breaches were relatively minor, and most involved single student loan applications.

There were, however, more serious incidents:

  • Public Prosecution Service of Canada (seven breaches): On Jan. 9, 2017, a lawyer with the service provided defence counsel in a drug case with disclosure for the trial. About 30 “Information to Obtain” warrants were included on a CD, related to search warrants granted to police in Atlantic Canada.

The defence lawyer gave a copy of the documents to his client. The problem was that, while the prosecution service “vetted” the documents, it failed to properly censor information about four confidential police informants — meaning the person up on drug charges could see information about four people, including two names, who talked to police about the case.

The police alerted two of the informants whose names had been revealed, but felt the other two were unlikely to be fingered by the information in the documents.

  • Canada Border Services Agency (one breach): In April 2017, Calgary police sent a copy of a “Wanted Bulletin” to CBSA employees at the airport and in the intelligence division. That bulletin was forwarded to the CBSA’s main Calgary email list.

According to the documents, a CBSA employee snapped a cellphone picture of the bulletin and forwarded it to a third party. That person then forwarded the picture to the Calgary police and the person who was wanted by police, who expressed “concerns about the content.”

  • RCMP (11 breaches): In May 2017, the name of an RCMP employee accused of harassment was mistakenly sent to an email list of 73 co-workers. It took the employee’s manager a full day to ask to recall the email, and an undisclosed number of recipients had already opened it.

The RCMP asked the recipients to delete the email from their inboxes.

  • Royal Canadian Mint (one breach): As a sales rep was preparing to leave the Mint, they forwarded information about 705 Mint customers — including 14 customers’ credit card information — to their personal email account.

“This information was used by the individual post-Mint employment to contact Mint customers … to solicit their business in his new professional capacity,” the documents read.

After an investigation, the Mint sent a cease-and-desist letter to the former employee, who agreed to delete all the information purloined from the Mint’s databases.

  • Canada Revenue Agency (24 breaches): Between 2005 and March 2017, employees at one of CRA’s Ontario offices had been uploading social insurance numbers and business numbers to the Electronic Land Registration Database — apparently without knowing that media, lawyers, and financial institutions regularly use the database.

A total of 2,921 individuals and businesses were affected by the breach.

Of all the departments reporting privacy breaches, CRA has likely received the most attention. The 2017 documents show that the agency is still grappling with the problem of employees improperly looking up the tax information of friends, family, colleagues and others.

The largest breach reported by the agency in 2017 appears to be a single employee looking up the tax information of 5,935 Canadians.

A spokesperson for the agency said CRA has cracked down on employees improperly accessing taxpayer information since 2013, including limiting tax workers’ access to just the files they require to do their work. In 2017, the agency brought in a fraud management program that allows the agency to “proactively monitor and detect” unauthorized access.

“When misconduct has been established, the employee is disciplined in keeping with the seriousness of the misconduct and the circumstances of the case,” wrote CRA spokesperson Dany Morin.

Still, Therrien’s office notes that cracking down on unauthorized access at CRA has been a priority for almost five years.

“The fact that unauthorized/inappropriate access by employees is still happening at all, despite the measures CRA has taken, remains an ongoing concern,” wrote spokesperson Cohen.

Cohen said the privacy watchdog’s office is still pushing the government to require all privacy breaches to be reported by law, rather than simply Treasury Board rules.

Alex Boutilier is an Ottawa-based reporter covering national politics. Follow him on Twitter: @alexboutilier


Statistics Canada kept Trudeau cabinet, privacy commissioner in the dark about controversial bank data harvest plan


Navdeep Bains, the Trudeau cabinet minister responsible for Statistics Canada, said he first learned of the federal agency’s controversial plan to harvest the financial transaction data of potentially millions of Canadians as a result of media reports and not, as the law requires, in a written notification from the country’s chief statistician.

Bains’ revelation, made Monday at a House of Commons committee, follows a similar revelation earlier this month made by Canada’s privacy commissioner testifying at a Senate committee that, he, too, did not learn of the scope of the StatCan project until reading about it.

Global News first reported on the project on Oct. 26, and at the time quoted StatCan documents that said the privacy commissioner had been fully briefed on the scope and nature of the project and that StatCan was following all applicable laws, one of which includes a requirement that Statistics Canada notify in writing the responsible minister — Bains, in this case — when a project such as the one StatCan hopes to proceed with is being proposed.

Bains testified Monday that no such notification was provided.



Nonetheless, Bains, whose title is Minister for Innovation, Science and Economic Development, told a Commons committee Monday he has full faith in chief statistician Anil Arora and the agency he heads, Statistics Canada.

“I think that Statistics Canada is a world-class statistical agency. It has a lot of respect internationally and within Canada as well … and I have a lot of confidence in the chief statistician,” Bains said.

Arora was appointed by the Trudeau government in 2017.

For more than a year, StatCan has been developing a project in which it would randomly select 500,000 Canadian households, pass information such as social insurance numbers, names, and addresses of members of those households to the country’s nine largest financial institutions, and then require those financial institutions to transfer to Statistics Canada the daily detailed financial transaction data of any of its customers on the list of those 500,000 randomly selected Canadian households.

Statistics Canada has explained that upon receiving that data from the country’s banks and credit card companies, it would “anonymize” the data, stripping personal identifiers after aggregating the financial data with demographic data and use this method to replace a questionnaire it now uses to gather information about the household spending habits of Canadians.



In correspondence obtained by Global News directed to the banks, Statistics Canada claims the legal authority to require banks and credit card companies to turn over this data with neither the consent nor the knowledge of the affected customers of the financial institutions.

“Canadians continue to express their absolute rejection of the Liberal plan to secretly force banks and other financial institutions to release their personal financial information of their clients without their consent,” Conservative MP Dan Albas said Monday in the House of Commons.

Bains, on Monday, said he now understands that affected Canadians would be informed if their data was collected.

Bains and other government officials describe the plan as a “pilot project” that has yet to collect any data in this way.

Arora has testified before both a Commons committee and a Senate committee that the project to harvest financial transaction data would not proceed until the Privacy Commissioner Daniel Therrien has signed off on the plan.

And while Therrien said he appreciates Arora’s invitation to review StatCan’s plans, he has opened an investigation into the federal agency’s activities after several Canadians complained.

“Your government has not done a very good job of managing Statistics Canada,” Conservative MP Michael Chong told Bains at Monday’s committee meeting. “This is data that is far more intrusive than anything we’ve seen before at a level that would make [Google subsidiary] Alphabet and Amazon blush.”

In the meantime, Conservative MPs had new questions Monday for both Bains and Statistics Canada about StatCan’s decades-old practice of selling custom slices of data it holds to the private sector and how that business might be affected by this new plan to harvest bank data.

“This data is going to be used by some of the largest companies in the world in order to market their services to Canadians and your government proposes to use the coercive power of the state … to get this data,” Chong said to Bains at Monday’s committee meeting. “I think it’s big-time overreach on part of your government.”



In 2017, StatCan posted $113 million of what it calls “re-spendable” revenue and employed 400 full-time data collectors for this custom data business.

StatCan saw this custom data business shrink by 25 per cent between 2012 and 2015 after the previous Harper government made the mandatory long-form census optional. Many social scientists said that decision made the census data next to useless. Many of Statistics Canada’s business customers appear to have thought so as well, as StatCan’s revenue earned by selling its data dropped from $114 million in 2012 to $86 million in 2015.

But when the Trudeau Liberals made the long-form census mandatory again in 2015, gave Statistics Canada new independence, and provided it with new powers to create projects like the planned bank transaction data collection project, it appears to have made StatCan more valuable in the eyes of business users. StatCan’s sales to the private sector quickly blossomed by 32 per cent from 2015 to 2017.

Albas said he believes StatCan’s revenue from this custom data service will “skyrocket” when business users learn it includes data StatCan has forced from Canada’s banks and credit card companies.

“This information is highly valued by large multinationals who want to sell more of their products,” Albas said.

At no time does Statistics Canada sell or provide, under any circumstance, any personal information it holds. Instead, it packages up data about groups of Canadians, most often sorted by their “postal code walk,” the first three letters of someone’s postal code, so that businesses or marketing organizations might know where, for example, families with young children or Punjabi speakers live.

Albas said the proposed project to collect bank transaction data would make StatCan’s data even more valuable to business users — at the expense, he said, of the privacy rights of Canadians.

  • With files from Andrew Russell

© 2018 Global News, a division of Corus Entertainment Inc.


Privacy concerns raised after leaking of Ottawa Senators’ Uber video


Confidence in passenger privacy has taken a hit after video from an Uber cab was posted online — for all the world to see and hear — as a group of Ottawa Senators players mocked their coach and the performance of team members.

The video, recorded Oct. 29 in Arizona, shows seven players crammed into the moving car while they collectively deride one of their coaches and criticize the team’s penalty killing abilities.

Ottawa Senators assistant coach Martin Raymond (left) and Senators forward Matt Duchene are shown during a team practice in Ottawa on Tuesday. Some players were thrust into the spotlight this week when an Uber video that showed them mocking their coach was posted online.  (Fred Chartrand / THE CANADIAN PRESS)

As well as being a highly embarrassing team moment, it is a blow to peer-to-peer ride-sharing services, which, unlike taxi cab companies, aren’t stiffly regulated when it comes to customer privacy.

“This is a clear violation of our terms of service and we worked vigorously to investigate this issue,” said Rob Khazzam, Uber Canada’s general manager, via Twitter, in reference to the Senators’ snafu.

“A video was released by the media today of several Uber passengers being filmed without their consent while having a private discussion during a trip in Phoenix,” he added, referring to the video posted on a Postmedia YouTube page.

“Filming or recording passengers without their consent is totally unacceptable and if reported/detected we will investigate and take action to preserve our communities’ privacy and integrity. In this specific case, we made efforts to have the video taken down,” Khazzam said.

And while filming passengers without their knowledge is against Uber policy, the Senators’ privacy breach comes at a time when drivers in ride-sharing operations install dashboard cameras for their own safety and to disprove passenger accusations.

Cameras are required in municipally regulated and licensed taxi cabs, but protections are in place for passengers, industry experts say.

“In every taxi in the City of Toronto there’s a requirement for a camera installed in the vehicle that takes still photos during trips and it is activated by the opening and closing of the doors,” said Kristine Hubbard, operations manager with Beck Taxi.

“This is designed not only for the safety of passengers and drivers, but also in a case that they are accused of doing something they may, or may not, have done, and those cameras are only accessed by Toronto Police Services (in the event of an investigation), which answers the privacy issue question,” Hubbard said.

“We have a zero-tolerance policy for anyone putting their own cameras in a taxi. We do our own inspections and if someone was found to have a camera it would be taken out,” Hubbard added.

She pointed out that there is a sticker on every taxi warning passengers they are being photographed and that only police have access to download images in an investigation.

“Privacy is all about control, personal control over the use and disclosure of your personal information,” said Ann Cavoukian, former information and privacy commissioner of Ontario, and currently a member of Ryerson University’s Privacy and Data Analytics team.

She called the U.S. Uber driver’s actions “outrageous.”

“You have to draw the line where this is a completely unacceptable practice, unethical and I’m sure there are some grounds to take it to court. Cabs and Ubers theoretically have cams for the security of the drivers, but there should be clear notice when you get in that there is a camera capturing everything you are saying and doing. I don’t think that type of notice is available in Uber,” she said.

“What is completely unacceptable is disclosing that information publicly via the internet. It’s up to Uber’s management to lay down the law and say to all their drivers they cannot disclose the information from your webcam to anybody else, and certainly not online for the whole world to see.”

Cavoukian added that when something bad happens in an Uber, or a driver feels their safety was at risk, the video should be taken to the police, not posted online.

“The driver caught a salacious story with the Senators bad mouthing some people and posted it online,” she said. “It not only places the passengers at risk of some repercussions but it is a completely unethical activity.”

She said that while she agrees people should be cautious in what they say or do in public places, they should expect a certain level of privacy when they pay for a ride service.

“These guys got into the Uber and they were just letting off steam. We all do this and expect a level of decency, as we wouldn’t broadcast it on the internet for anyone to see. I find it appalling and I think Uber senior managers have to step in and say you cannot do that.

“They have to make an example of this person and say: We don’t do things like that.”

David Murakami Wood, Canada Research chair in surveillance studies and professor at Queen’s University, said the way the incident will be viewed and handled depends largely on context, The Canadian Press reports.

If it had played out on Canadian soil, Murakami said the driver would likely be facing legal consequences for making a recording without permission. But laws vary widely by jurisdiction, he said, adding such consequences seem unlikely for the Arizona-based Uber driver.

Henry Stancu is a Toronto-based business reporter. Reach him on email: hstancu@thestar.ca

Gap in privacy law leaves elections open to ‘misuse’ of personal information: privacy commissioner

The next federal election will face « important risks » unless Parliament makes political parties subject to privacy law, Privacy Commissioner Daniel Therrien warned Thursday.

« Canadian political parties’ lack of oversight is unfortunately becoming an exception compared to other countries, and it leaves Canadian elections open to the misuse of personal information and manipulation, » Therrien told members of a parliamentary committee studying the Facebook-Cambridge Analytica scandal.

« The bottom line is that without proper data regulation, there are important risks to a fair electoral process and this applies to the next federal election in Canada. »

Therrien said the time for allowing businesses and political parties to self-regulate is over.

« The government can delay no longer. »

Conservative Trevor Bailey, Liberal Michael Fenrick and New Democrat Jesse Calvert testify before the Access to Information, Privacy and Ethics committee on Oct. 30, 2018. (Elizabeth Thompson)

Therrien said he recently returned from a privacy conference in Europe, where Apple CEO Tim Cook warned that the personal information of individuals was being « weaponized » against them.

« Individual privacy is not a right we simply trade off for innovation, efficiency or commercial gain, » he said. « No one has freely consented to having their personal information weaponized against them.

« Similarly, we cannot allow Canadian democracy to be disrupted, nor can we permit our institutions to be undermined in a race to digitize everything and everyone, simply because technology makes this possible. »

Therrien’s testimony came as the Access to Information, Privacy and Ethics Committee continued its probe into a massive breach of personal information involving Cambridge Analytica and Facebook.

In the wake of the Cambridge Analytica scandal — which saw the personal data of millions of Facebook users used to help microtarget potential voters in the U.S. and the U.K. — the ethics committee has been digging into what Canadian political parties have been doing with the personal information they gather.

Therrien said his office has been working with the office of British Columbia’s information and privacy commissioner to investigate allegations made about Facebook and Aggregate IQ, a B.C.-based company.

Aggregate IQ has been accused of creating a data mining platform for Cambridge Analytica used by a campaign to promote British independence from the European Union, and for the presidential campaigns of Ted Cruz and then Donald Trump. AIQ has denied working for Cambridge Analytica.

Therrien said he is planning to release the first phase of their findings by the end of this year, with a follow-up report scheduled for the spring.

Apple CEO Tim Cook warned last week that personal information is being « weaponized. » (Marcio Jose Sanchez/Associated Press)

With less than a year to go before the next election, political parties still are not subject to any rules governing the personal information they gather on Canadians. Over the years, the Liberals, Conservatives and New Democrats have amassed databases crammed with details about Canadian voters — everything from names and addresses to political opinions.

The Privacy Act governs information held by government bodies. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to companies. Political parties have been exempt from both laws.

On Tuesday, the New Democratic Party became the only one of Canada’s three largest parties to support making political parties subject to a privacy law like PIPEDA — something the Green Party had already endorsed.

The Conservative Party said it would comply with whatever laws are adopted by Parliament, while the Liberal Party argued that subjecting political parties to privacy laws would hamper their ability to attract volunteers and engage Canadians.

Therrien questioned the Liberal Party’s assertion, pointing out that political parties in B.C. and the European Union are subject to privacy laws and nobody has complained that it stops them from campaigning.

« It is absolutely imperative for privacy laws to be applied to Canadian political parties. »

Elizabeth Thompson can be reached at elizabeth.thompson@cbc.ca

Privacy expert steps down from advisory role with Sidewalk Labs

One of the world’s leading privacy experts has stepped down from her advisory role with Sidewalk Labs, Google’s sister company, which is preparing to build a data-driven neighbourhood at the foot of Parliament St.

It’s a development one tech expert characterized as “a major blow to the legitimacy of the project.”

Ann Cavoukian, former Information and Privacy commissioner of Ontario, tendered her resignation letter on Friday, writing that the proposed protection of personal data “is not acceptable.”

Cavoukian believes the plan for the Quayside smart-city development does not adequately protect individual privacy, and data collected from sensors, surveillance cameras and smartphones must be de-identified at source.

“Just think of the consequences: If personally identifiable data are not de-identified at source, we will be creating another central database of personal information (controlled by whom?), that may be used without data subjects’ consent, that will be exposed to the risks of hacking and unauthorized access,” she wrote in her letter to Sidewalk Labs.

The planned collaboration between Sidewalk Labs and Waterfront Toronto imagines a city of the future on 12 acres of the eastern waterfront at Parliament and Queens Quay.

The project would be so data-rich that it has been fraught with concern about what would happen to that collected information. Three advisers have previously stepped back from the project citing privacy concerns.

Cavoukian’s resignation came less than a week after Sidewalk Labs published its digital governance proposals, a 41-page document that sought to put people’s privacy fears to rest by detailing how data collected in Quayside would be managed by an independent civic data trust, and not owned or controlled by Google.

While Sidewalk Labs said it would de-identify data, it couldn’t guarantee what third parties would do.

The proposals were given to Quayside’s digital advisory panel three days before they met to approve them on Thursday, leading several members to call for a delay to allow more time to consider privacy before moving forward with the project.

It was only at the meeting that Cavoukian realized “de-identification at source” was not a guarantee.

“When Sidewalk Labs was making their presentation, they said they were creating this new civic data trust which will consist of a number of players — Sidewalk, Quayside, Waterfront Toronto and others — and that Sidewalk Labs would encourage them to de-identify the data involved that was collected but it would be up to the group to decide,” she told The Star Saturday.

“That’s where I just said no.”

Cavoukian said she hopes her resignation will “ignite a discussion” on how to proceed with the Quayside smart city while protecting data and says she remains optimistic that de-identification at the source will be put in place.

David Fraser, a privacy lawyer advising Sidewalk Labs, was surprised Cavoukian’s resignation came when it did.

“Her resignation seems to me a little premature because she would be very influential with (the civic data trust) once it’s established,” he said.

Fraser said the proposal to establish a civic data trust is “revolutionary.”

“This is about giving control to the body,” he said. “(Sidewalk Labs) didn’t parachute in and say, ‘This is what we’re going to do.’ They parachuted in and said, ‘What are we going to do?’ ”

“Nobody has yet dictated how that data trust makes its decisions. It’s going to decide itself.”

Still, there are those who see the Cavoukian resignation as a significant setback to the project.

“Sidewalk Labs is at the centre of a debate about data and data protection. The resignation of Cavoukian is clear evidence that we don’t have proper regulatory infrastructure to deal with these new smart city initiatives,” said Fenwick McKelvey, an associate professor in communication studies at Concordia University who studies internet policies and governance.

“Her resignation, especially because she was participating in good faith, is a major blow to the legitimacy of the project.”

Chantal Bernier, legal adviser to Waterfront Toronto, said the project is sparing no effort to identify and address privacy issues.

“We are still identifying every privacy risk to which we will apply every privacy protection available to us,” Bernier said in an email.

In a written statement, Sidewalk Labs spokesperson Dan Levitan said: “Sidewalk Labs has committed to implement, as a company, the principles of Privacy by Design. Though that question is settled, the question of whether other companies involved in the Quayside project would be required to do so is unlikely to be worked out soon, and may be out of Sidewalk Labs’ hands.”

Privacy commissioner investigating personal data collection at cannabis stores

P.E.I.’s information and privacy commissioner has launched an investigation to see if the new government-run cannabis stores are collecting personal data from customers — and how they’re using any information collected.

Commissioner Karen Rose said she decided to investigate after being informed by a member of the public that the stores are using electronic ID scanners. 

« Our investigation will include any and all personal information which is being collected by the cannabis outlets, » Rose said in an email to CBC News Friday. « We are also investigating how that personal information, if any, will be used, and whether, and how, it will be disclosed. »

Rose said she’ll also look into the security measures that are in place to protect customers’ personal information.

Data found stored in device

In an email to CBC Friday, Cannabis Management Corporation (CMC) said an IT specialist examined the scanner after concerns were raised and found some data was being kept for 24 hours inside the device.

Customer privacy is a priority, said Zach Currie, director of the province’s cannabis operations. He said that no data is collected about anybody who visits or purchases anything at the new retail stores. (Steve Bruce/CBC)

« This data was immediately wiped and settings have been changed so nothing can be kept in the future, » the email said.

« The privacy commissioner has been in contact with the Cannabis Management Corporation and CMC will be fully briefing her on this matter. »

However, later on Friday CMC announced it would be pulling the scanners from the stores. 

‘Standalone device’

Zach Currie, the director of cannabis operations for CMC, said the scanners were merely a tool to flag fake IDs and not intended to collect personal information from customers.

Privacy commissioner Karen Rose says she decided to investigate P.E.I.’s cannabis stores after hearing they’re using electronic ID scanners. (Krystalle Ramlakhan/CBC)

« Our core pillar of our customer service piece is ensuring customer confidentiality, so we don’t retain any data, » said Currie.

« Those ID scanners are not connected to any sort of internet. They are not connected to our Wi-Fi. They are essentially a standalone device that our folks use. »

Currie said the scanner is an industry standard used in other jurisdictions to validate a wide variety of national and international identification cards.

He says staff have been instructed to scan every person’s ID entering the store, even people who appear to be much older than 19 — the legal age for purchasing cannabis. 

Cannabis stores ‘overdoing it’

Currie acknowledges the scanning practice has prompted several questions and concerns from Islanders, including Kara MacRae, who emailed P.E.I.’s finance minister. 

Valid photo identification cards must be verified by a staff member at every P.E.I. Cannabis location to ensure that no one under the age of 19 enters the store. (Steve Bruce/CBC)

« I question the scanning. What is being done with the information they’re collecting off the ID? Where’s it going? Who has access to it? Is it protected under privacy laws? And why is that practice not taking place at the liquor stores or with people purchasing tobacco? » MacRae said.

Currie said given how new the legal cannabis industry is, and the concerns around young people getting their hands on pot, the province may be « overdoing it in some circumstances to ensure we’re thought of as a retailer very focused on social responsibility. »

He said the practice of using scanners and IDing everyone will be reviewed, and may be changed « in the months ahead. »

The privacy commissioner hasn’t said how long her investigation will take. 

With files from Steve Bruce
