Archive for the ‘Privacy Act’ Category

13 Jun 2017

Privacy Tech-Know Blog: Who’s Watching Where You’re Driving?

When you drive down the road or park your car, have you considered who might be recording where your car was at any given time, and where that information is stored and shared? Public agencies and private companies are using Automated Licence Plate Recognition (ALPR) systems to track vehicles throughout Canada, today.

ALPR systems have privacy implications because they record where specific vehicles are at given times, often without the driver realizing that such information is being captured.


9 Jul 2013

Safe journey, Bon voyage !

Learn more about privacy at airports and border crossings by referring to the new featured topic, and have a safe journey! 

Canadian border crossing

photo by 12th St David

There’s a common expression that says, “It’s not the destination that counts, it’s the journey.” Well, if you’re like me, when I have to travel—especially with moody teenagers—I get anxious just thinking about all of the hoops I have to jump through before I arrive at my destination. At airports, border crossings and sea ports, there are security screenings everywhere.

Security measures are presented as a trade-off for safer skies for travellers. But that doesn’t mean you have to check your privacy rights with your luggage.

It is important to know that as a Canadian traveller, your privacy rights kick in from the moment you book a flight—online or through a travel agency—and continue on through the airport terminal and into the pre-boarding area.

However, the measures used to ensure your safety make you wonder: where do your privacy rights begin and end? To help you answer that question, the Office of the Privacy Commissioner of Canada (OPC) just posted a new topic page entitled Privacy Rights at Airports and Border Crossings. It contains explanations of the law, describes the impact of security measures on your personal information and privacy rights, and lets you know where you can turn to if you feel your rights have been violated.

The topic page presents all of the OPC’s materials related to airports and border crossings in one place: fact sheets, reports, publications, Parliamentary appearances and audits to give you an overview from a privacy perspective of key security initiatives that have been implemented over the last 10 years.

Want to learn more? Click here to consult the new page.

11 Jan 2013

Privacy Commissioner launches investigation of Human Resources and Skills Development Canada breach of student loan recipient information

The Office of the Privacy Commissioner of Canada (OPC) announced today that it is launching an investigation into a breach involving the personal information of more than half a million clients of Human Resources and Skills Development Canada (HRSDC) and 250 departmental employees.

The OPC was informed by HRSDC of the disappearance of an external hard drive containing personal information and financially related data of approximately 583,000 clients of the Canada Student Loans Program and 250 HRSDC employees. Upon receiving this notification, the Assistant Commissioner determined that there are reasonable grounds for a commissioner-initiated complaint against HRSDC to ascertain whether there has been a contravention of the Privacy Act. The Privacy Act stipulates that the Commissioner has the authority under subsection 29(3) to investigate a matter under the Act where she is satisfied that there are reasonable grounds to do so.

The law empowers the Commissioner to launch an investigation in cases where she believes there is a serious possibility that an investigation would disclose a contravention of the Privacy Act.

The OPC is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights of Canada. The OPC has a number of resources available on its web site to help individuals protect their personal information, and a section specifically about “Identity Theft” that includes frequently asked questions and fact sheets entitled Protecting your personal information and Identity Theft: What it is and what you can do about it.

For more information go to

21 Sep 2012

Citizens watching citizens

Waiting for his bus, a man watches as two people smash a glass window in an attempt to break into a building.  He takes his phone out of his jacket pocket, points it towards the couple across the street, and snaps a photo. He posts it to Twitter. “Incredible,” he writes. “At the corner of Wellington and Fifth.”

Welcome to the world of citizen journalism, where the ubiquity of camera-enabled smartphones and the exploding popularity of social media have led to the rise of citizens watching, and reporting on, the actions of other citizens.

In June 2011, bystanders documented the scene as a riot broke out in downtown Vancouver following Game Seven of the Stanley Cup Finals. Tips were submitted by the public to the Vancouver police, which included over 1,000,000 photos and over 1,000 hours of video. These events provide a real-life scenario to study the emergence of citizen journalism and the potential for misuse of personal information that comes with it.

We commissioned two independent papers intended to further discussion on this topic. We asked Internet strategist Jesse Hirsh and lawyer Kent Glowinski to explore the technology and legal implications, and to consider possible legal protection for privacy within social media. These papers are now available on our website. We invite you to read them and let us know in the Comments section below what you think.

23 Aug 2012

OPC launches new online complaint form

Canadians who are concerned that their privacy has been compromised now have another way to submit complaints to the Office of the Privacy Commissioner of Canada (OPC). The Office has launched an online complaint form on its website. The form helps users compile and submit electronically all the information needed to properly file a privacy complaint under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law, or under the Privacy Act, which applies to the federal public sector.

The new form reflects the OPC’s commitment to meeting the needs and expectations of Canadians, and further improving its service to Canadians. All information submitted to the Office via the online form is encrypted and appropriate measures have been taken to ensure that all submitted information will be stored securely.

As always, the Office encourages Canadians who have privacy concerns to first try to resolve them by directly contacting the organization associated with their complaint. However, if they are not satisfied with the response, they can visit our website or call our Office at 1-800-282-1376 toll-free for more information about how to file a complaint.

27 Jan 2012

Time for government, individuals to think “Less is More”

As the days tick down to Data Privacy Day itself, it’s time to reflect a little bit more about the words “Less is More,” how they apply and to whom.

What they mean for individuals is pretty clear. To put it another way, “beware what you share, because it could wind up anywhere.”

But what does “Less is More” mean for organizations and privacy, and governments in particular?

This was one of the questions addressed in remarks provided by Sue Lajoie, Director-General (Privacy Act) of the Office of the Privacy Commissioner of Canada before a group of federal public servants at an event hosted by the Canada School of Public Service in Ottawa.

She explained it this way: “The less personal information you collect, the more you limit the risk of data breaches and the embarrassment and lost trust they cause.”

“The less you collect, the more you protect against government furthering the widely-held stereotype of the state as an increasingly invasive and untrustworthy force in society.”

“And, the less you collect, the more you respect privacy as a long-observed, essential element of human freedom and dignity.”

It was noted that while the OPC is effectively the champion of Canadians’ privacy rights, public servants have an important role to play as guardians by making privacy considerations central to the design and administration of programs and other initiatives that collect personal information.

Sue pointed to the fact that thanks to advances in the power and efficiency of information technology, governments are approaching a veritable fork in the road when it comes to collecting personal information. She pointed to recent research done by Brookings Institution scholar John Villasenor, who notes that the falling costs of hard drive space and rising capacity of computers will make it possible and even affordable for a government to establish enormous databases of information that could act as “a surveillance time machine, enabling state security services to retroactively eavesdrop on people in the months and years before they were designated as surveillance targets.”

While it’s not imagined that the government of a democratic country such as Canada would comprehend something so sinister, the research makes a point valid for governments of any persuasion.  As Sue noted today, “The question is no longer, can the state appropriate someone’s personal information, up to the point of leaving them as naked and helpless as the defendant in Kafka’s The Trial. The question is should it allow itself to do so? To what extent? And what are the moral, ethical and public policy issues around this?”

In a nutshell, our 2010-2011 Annual Report to Parliament on the Privacy Act asked, “Can the state curb its appetite for information about its citizens?” And Sue’s remarks suggest that indeed, a moderation-based data diet may in fact be just what the doctor ordered for the ongoing health of our democracy and respect of Canadians.

23 Jan 2012

On Data Privacy Day, think less is more.

Once a year, privacy advocates and enthusiasts around the world get the chance to collectively shine a spotlight on the issue of online privacy.

Data Privacy Day, celebrated annually on January 28, is an international celebration designed to promote awareness about privacy and education about best privacy practices. Granted, it doesn’t rank up there with Canada Day or Thanksgiving in terms of food, fun or festivity. Nevertheless, it is a date worth circling on the calendar.

In this digital age, where our online activities can so easily be tracked, stored, shared and analyzed, and we are under constant pressure to share more and more personal information, we are all feeling a bit uneasy about all that personal data floating around in cyberspace.

It’s not that we want to turn our backs on the limitless potential of the Internet. We just need to figure out how we can all limit the potential for online personal information to be misused and abused.

The answer? When it comes to sharing personal information, think less is more.

Once our personal information is on the Internet, we have very little control over who sees it, how it is used, or how long it will be available. By sharing less personal information, we can help limit our exposure and the risks of our personal information being misused, abused or disclosed without consent.

So, whether we are social networking, using an app on a mobile device, or signing up for discounts and deals, we need to think carefully about the personal information we are putting into cyberspace.

Less is more is also good advice for businesses and organizations that collect personal information. Collecting and holding excess data raises the risks for customers, but it is also costly for businesses because it increases the risk of data breaches, which can be damaging to businesses’ reputations and expensive to clean up.

This week, the Office of the Privacy Commissioner of Canada is pleased to join governments, privacy professionals, corporations, academics and students from around the world, in marking Data Privacy Day.

Our Office will be engaging in a number of activities in the week leading up to January 28, such as the launch of some new youth privacy tools, and presentations to youth, public servants, businesses and staff. The Office has also produced some new resources, such as posters and graphics which can be used to raise awareness of privacy in any organization.

For more information on the Office’s Data Privacy Day activities and resources, go to our Data Privacy Day web page or

14 Nov 2011


Two countries negotiating a perimeter security agreement can easily be compared to two individuals drastically redefining their relationship. 

Without question, Canada and the United States are certainly neighbours.  To some, a perimeter agreement means removing a fence; to others, it’s tantamount to a sort of marriage.

Regardless, before we take the plunge, we have to think about what we share and where we differ.

Without question, we have a lot in common.  We’re both democracies with enshrined respect for human rights. Canadians and Americans both strongly value their privacy and realize its importance to the vitality of our democracies.

As things stand today however, some key legislative differences on privacy protection exist between our countries. 

I want to explain these and show why, rather than jumping into a newly defined relationship with both feet, we should only do so with both eyes wide-open.

First of all, both of our countries have enacted legislation to protect citizens’ privacy from their governments. 

The U.S. Privacy Act of 1974 fulfils this function for the federal government south of the border, while Canada’s Privacy Act of 1983 does so for Canadians.

The U.S. law includes safeguards to secure Americans’ personal information in the hands of the federal government, but these extend only to citizens and permanent residents.

Conversely, personal information held in Canada is subject to the protection of Canadian privacy law. That said, Canada’s Privacy Act is far from perfect and in need of modernization (as I’ve noted in the past). 

Secondly, when it comes to protecting personal information in the private sector, there are American laws specific to certain sectors and the Federal Trade Commission’s consumer protection law provides some protection with regard to issues of fairness and deception. 

Unlike Canada however, there is no overarching national legislation applying to the private sector as a whole. 

In the United States, a lack of private sector-wide coverage provides opportunities for commercial data brokers to assemble databases.

Such databases are made available to subscribers, which include U.S. federal agencies.  There are already several dozen fusion centers across the country doing precisely this sort of search and analysis every day.

Consequently, government authorities can access information from privately-held databases with no strings attached.

It’s also worth noting that the USA PATRIOT Act, enacted weeks after the 9/11 attacks, has the ability to circumvent sector-specific privacy protections to facilitate national security investigations. National security can be, and has been, defined quite broadly.

Thirdly, there is a vast difference when it comes to privacy oversight between our two countries.  Law enforcement and national security authorities in the US simply do not operate under the privacy oversight structure that exists in Canada.

In Canada, my office reports directly to Parliament and not the Government, allowing autonomy in holding the Government to account.

In the United States there is no equivalent independent authority mandated to investigate privacy issues with regard to government data-handling.

While the Privacy and Civil Liberties Oversight Board could theoretically fulfill this function, it remains inoperative.

Finally, Canada’s approach to privacy centers on protecting individuals’ right to control their personal information except where limits can be demonstrably justified in a free and democratic society.

This is an approach which should not be compromised or watered-down in order to reach a perimeter security agreement.  

This isn’t to say that Americans value privacy any less than Canadians.  It’s just that our respective legislative frameworks to protect it are very different. 

This all goes to say that if we compare a security perimeter agreement to a marriage and Canadian negotiators wish to enable Canadians to keep control of their personal information, a clear line on privacy needs to be written into a strong “pre-nup.”

7 Sep 2010

Know a Young Person Who’d Like to Win an iPad?

We’re launching our 2010 My Privacy & Me Video Contest for 12-18-year-olds – and the first-place winners will win an iPad!

It’s the same thing this year – but a little different, too! Again, we’re asking them to create their own public service announcements about privacy. But this year, we’d like the videos to fall into one of four categories: Surveillance; Reputation Management; Targeted Advertising; or Online Scams. You can find all contest details here.

This year, teams can consist of one to three people. First-place winners in each category will win an iPad. Second-place winners will win a $200 gift card; and third-place winners will win a $100 gift card. We’ve recognized top-participating schools and teachers in the past, and we have something in store for them in 2010! The deadline is December 10, 2010.

For inspiration, sit down with your young ones and watch the 2009 winning videos. Then, have them start exercising their video-making muscles – we can’t wait to see what they’ve got!

9 Jul 2010

Privacy, Trust and Innovation – submission to the Digital Economy Consultation

We’ve just sent in our submission to the Digital Economy Consultation, available online here.

In our submission, we argue that privacy isn’t an impediment to innovation. Rather, we believe privacy can support innovation by reinforcing confidence in users that they have the right to control their personal information and that the technology they use is secure. Too often privacy is left out of the design stage, and fixes after the fact can be expensive. We recommend that privacy become an integral part of the business models that rely on technology. We want to see a privacy culture that complements Canada’s digital advantage and, in our submission, we put forward a number of recommendations on how the federal government can help build one.

First of all we recommend strengthening privacy protections within the federal government. We’ve written previously about the need to reform the Privacy Act, but we think the federal government can go even further in being a model user of technology – for example, we’d like to see the federal government make Privacy Impact Assessment (PIA) analysis a requirement as part of preparing Memoranda to Cabinet for program approvals. We’d also welcome the federal government’s use of state-of-the-art authentication and protection technologies. Other countries are already exploring this, including the United States, where they are looking at how open-source products and standards can be used to provide identity verification.

The consultation on the digital economy includes a discussion on the importance of digital skills. We increasingly view privacy literacy and online reputation management as part of a suite of digital citizenship skills necessary for success in the digital economy. To this end, we recommend making privacy literacy an integral component of digital citizenship and would like to see the federal government fund research to support digital citizenship programs.

We also recommend providing tools to help small and medium-sized enterprises (SMEs) – and in particular SMEs that are technology innovators – better understand privacy so that privacy is considered at the outset of the design stage, and built into the end product.

Finally, we’d like the federal government to fund “privacy positive” research and development – for instance, network and security technologies that incorporate privacy protections.

With only a handful of days left, we encourage you to read our submission, and the submissions and ideas of others and offer your comments.