Archive for the ‘Public Organizations’ Category

10 Feb 2017

Privacy Tech-Know Blog: The actual privacy benefits of virtual private networks

Virtual Private Networks (VPNs) let you establish a secure communications channel between your computing device and a server. After connecting to the server, you could gain access to a private network that has work files or applications, or use the server as a relay point to then access Internet content when browsing from a public network.

There are several reasons for using a VPN: you might need to remotely access information held on corporate servers while travelling or working from home; you might be wary of the insecure wireless networks you’re using; or you might want to access online content that’s blocked on the network you’re connected to but is accessible from the server somewhere else. Sometimes a company will require you to use a VPN, meaning the company will dictate the security and type of VPN you use (for example, your employer). Whereas when you make a consumer decision to use a VPN you’re responsible for making these decisions on your own.

In the wake of Edward Snowden’s revelations, a large number of consumer VPN providers have sprung up, and security experts now often suggest that you use a VPN when accessing the Internet from an insecure network (e.g., a café, public library, or other free Wi-Fi hotspot). This blog post will help you understand what to look for when choosing between different VPN services.

Read the rest of this entry »

11 May 2016

Mending the consent model: A call for solutions


We all encounter scores of user agreements when we go online. Do you read the full terms and conditions governing your use of a site, or do you just hit the “I accept” button and surf on?

If you were to read everything, research suggests you’re spending more than 10 full, 24-hour days of your life every year, immersed in privacy policies and related legalese. If you’re more inclined to skip that stuff and hit “OK”, then know that you’re explicitly allowing the organization to collect, use and share your personal information, exactly as it said it would in that fine print you ignored.

Providing meaningful consent is a cornerstone of Canada’s federal private sector privacy legislation.

Read the rest of this entry »

8 May 2013

Be prepared for a crisis with our Privacy Emergency Kit

It’s Emergency Preparedness Week in Canada – time to encourage Canadians to become better prepared to face an emergency with basic steps such as keeping bottled water and canned goods in the basement.

The Office of the Privacy Commissioner of Canada is also encouraging organizations to ensure they are prepared to address privacy issues that may arise during a time of crisis.

Personal information can play an important role in an emergency situation.  Uncertainty around the sharing of personal information could result in unnecessary confusion and delays – and have significant consequences for people.

Our Office, in consultation with several provincial and territorial counterparts, has created a Privacy Emergency Kit to help both private and public sector organizations ensure they are prepared.

Privacy laws do allow for appropriate sharing during a time of crisis, but it is crucial that organizations understand the legislation that applies to them and consider privacy issues in advance of an emergency situation.

The Government of Canada’s Get Prepared site advises individual Canadians: “Whatever you do, don’t wait for a disaster to happen.”

That’s also good advice for organizations subject to privacy legislation.

11 Jan 2013

Privacy Commissioner launches investigation of Human Resources and Skills Development Canada breach of student loan recipient information

The Office of the Privacy Commissioner of Canada (OPC) announced today that it is launching an investigation into a breach involving the personal information about more than half a million clients of Human Resources and Skills Development Canada (HRSDC) and 250 departmental employees.

The OPC was informed by HRSDC of the disappearance of an external hard drive containing personal information and financially related data of approximately 583,000 clients of the Canada Student Loans Program and 250 HRSDC employees. Upon receiving this notification, the Assistant Commissioner determined that there are reasonable grounds for a commissioner-initiated complaint against HRSDC to ascertain whether there has been a contravention of the Privacy Act. The Privacy Act stipulates that the Commissioner has the authority under subsection 29(3) to investigate a matter under the Act where she is satisfied that there are reasonable grounds to do so.

The law empowers the Commissioner to launch an investigation in cases where she believes there is a serious possibility that an investigation would disclose a contravention of the Privacy Act.

The OPC is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights of Canada. The OPC has a number of resources available on its web site to help individuals protect their personal information, and a section specifically about “Identity Theft” that includes frequently asked questions and fact sheets entitled Protecting your personal information and Identity Theft: What it is and what you can do about it.

For more information go to

21 Nov 2012

Employee privacy – a balancing act

Companies are always seeking ways to improve productivity.  The most innovative and successful methods can create some positive buzz around a company.

Other approaches can sometimes be ill-advised, premature or ineffective, and this can make waves within an organization.

Last month, a law firm in Toronto was the subject of some media interest over its highly controversial plan to use fingerprint-scanning technology to monitor the comings and goings of its administrative staff. The plan was meant to ensure that staff were not “abusing the system” with lengthy lunch breaks and short work days. Media reports and blog posts zeroed in on the privacy implications of such a plan.

Our Office wouldn’t have oversight over this specific employment matter – we only have oversight into matters of employee privacy in federal works, undertakings, or businesses (lovingly referred to as “FWUBs”). Otherwise, employee privacy is largely a provincial matter, with several provinces having passed privacy legislation that applies to personal information of private sector employees. It’s unfortunate that there is little redress for employees in those provinces that do not have legislation in place, this being one such case in point.

An employer’s need for information should be balanced with an employee’s right to privacy. While employers may be focused on increasing productivity, they should seek to ensure that they weigh the benefits of any potentially privacy-invasive plans against the costs — and not just economic  costs.  Cost considerations should include potential impact on staff morale, loss of trust and loss of human dignity.

Law firms, in particular, could set a model example in how they handle personal information when managing their law practice. In Girao v. Zarek Taylor Grossman Hanrahan LLP, Hon. Justice Richard Mosley wrote,

““Law firms providing advice to clients who deal with the personal information of their customers must be knowledgeable about privacy law and the risks of disclosure. Lawyers also have a public duty to protect the integrity of the legal process. The failure of lawyers to take measures to protect personal information in their possession may justify a higher award than that which would be imposed on others who are less informed about such matter.”

While the Federal Court was referring to the personal information of clients rather than employees in those circumstances, it’s still a significant message about the high standards of conduct judges expect lawyers to live up to.

We hope law firms will take the opportunity to consult our privacy guidance for lawyers. And we hope organizations will take advantage of the other resources we have on dealing with workplace privacy issues, including our fact sheet for human resources professionals.


15 Feb 2012

Preliminary reaction from the Office of the Privacy Commissioner of Canada to Bill C-30

Our Office understands the challenges faced by law enforcement and national security authorities in fighting online crime at a time of rapidly changing communications technologies and the need to modernize their tactics and tools accordingly.

We’re not necessarily opposed to legislation that modernizes police powers online – but it must demonstrably help protect the public, respect fundamental privacy principles established in Canadian law and be subject to proper oversight.

Upon a preliminary review following the tabling of Bill C-30, the Office of the Privacy Commissioner recognizes the government has made improvements to this Bill from previous iterations. On balance, however, significant privacy concerns remain.

We recognize that the government has reduced the number of data elements which could be accessed by authorities without a warrant or prior judicial authorization.  At the same time, by requiring authorities to conduct regular audits and to provide them both to the relevant Minister and oversight bodies, including our Office, this appears to help address past concerns about a lack of oversight.

On the balance however, the new Bill still contains serious privacy concerns, similar to past versions.

In particular, we are concerned about access, without a warrant, to subscriber information behind an IP address.  Since this broad power is not limited to reasonable grounds to suspect criminal activity or to a criminal investigation, it could affect any law-abiding citizen.

Going forward, we will be reviewing this Bill in full to determine:

How the Government justifies this warrantless access in a free and democratic society?;

How does “after the fact” review by ministerial and non-judicial bodies compare with “up front” oversight by the courts?;

Whether the new powers proposed by the legislation are demonstrably necessary, proportionate and effective?; and

Are there less privacy-invasive alternatives to achieve the desired outcomes?

It is through this lens that our Office will undertake a thorough review of the Bill.  We look forward to sharing our views with Parliament.

This post is closed to comments.

27 Jan 2012

Time for government, individuals to think “Less is More”

As the days tick down to Data Privacy Day itself, it’s time to reflect a little bit more about the words “Less is More,” how they apply and to whom.

What they mean for individuals is pretty clear. To put it another way, “beware what you share, because it could wind up anywhere.”

But what does “Less is More” mean for organizations and privacy, and governments in particular?

This was one of the questions addressed in remarks provided by Sue Lajoie, Director-General (Privacy Act) of the Office of the Privacy Commissioner of Canada before a group of federal public servants at an event hosted by the Canada School of Public Service in Ottawa.

She explained it this way: “The less personal information you collect, the more you limit the risk of data breaches and the embarrassment and lost trust they cause.”

“The less you collect, the more you protect against government furthering the widely-held stereotype of the state as an increasingly invasive and untrustworthy force in society.”

“And, the less you collect, the more you respect privacy as a long-observed, essential element of human freedom and dignity.”

It was noted that while the OPC is effectively the champion of Canadians’ privacy rights, public servants have an important role to play as guardians by making privacy considerations central to the design and administration of programs and other initiatives that collect personal information.

Sue pointed to the fact that thanks to advances in the power and efficiency of information technology, governments are approaching a veritable fork in the road when it comes to collecting personal information.   She pointed to recent research done by Brookings Institution scholar John Villasenor who notes that the falling costs and of hard drive space and rising capacity of computers will make it possible and even affordable for a government to establish enormous databases of information that could act as “a surveillance time machine, enabling state security services to retroactively eavesdrop on people in the months and years before they were designated as surveillance targets.”

While it’s not imagined that the government of a democratic country such as Canada would comprehend something so sinister, the research makes a point valid for governments of any persuasion.  As Sue noted today, “The question is no longer, can the state appropriate someone’s personal information, up to the point of leaving them as naked and helpless as the defendant in Kafka’s The Trial. The question is should it allow itself to do so? To what extent? And what are the moral, ethical and public policy issues around this?”

In a nutshell, our 2010-2011 Annual Report to Parliament on the Privacy Act asked, “Can the state curb its appetite for information about its citizens?”  And Sue’s remarks suggest that indeed, a moderation-based data diet may in fact be just what the doctor ordered for the ongoing heath of our democracy and respect of Canadians.

14 Nov 2011


Two countries negotiating a perimeter security agreement can easily be compared to two individuals drastically redefining their relationship. 

Without question, Canada and the United States are certainly neighbours.  To some, a perimeter agreement means removing a fence; to others, it’s tantamount to a sort of marriage.

Regardless, before we take the plunge, we have to think about what we share and where we differ.

Without question, we have a lot in common.  We’re both democracies with enshrined respect for human rights. Canadians and Americans both strongly value their privacy and realize its importance to the vitality of our democracies.

As things stand today however, some key legislative differences on privacy protection exist between our countries. 

I want to explain these and show why, rather than jumping into a newly defined relationship with both feet, we should only do so with both eyes wide-open.

First of all, both of our countries have enacted legislation to protect citizens’ privacy from their governments. 

The U.S. Privacy Act of 1974 fulfils this function for the federal government south of the border, while Canada’s Privacy Act of 1983 does so for Canadians.

The U.S. law includes safeguards to secure Americans’ personal information in the hands of the federal government, but these extend only to citizens and permanent residents.

Conversely, personal information held in Canada is subject to the protection of Canadian privacy law. That said, Canada’s Privacy Act is far from perfect and in need of modernization (as I’ve noted in the past). 

Secondly, when it comes to protecting personal information in the private sector, there are American laws specific to certain sectors and the Federal Trade Commission’s consumer protection law provides some protection with regard to issues of fairness and deception. 

Unlike Canada however, there is no overarching national legislation applying to the private sector as a whole. 

In the Unites States a lack of private sector-wide coverage provides opportunities for commercial data brokers to assemble data bases.

Such databases are made available to subscribers, which include U.S. federal agencies.  There are already several dozen fusion centers across the country doing precisely this sort of search and analysis every day.

Consequently, government authorities can access information from privately-held databases with no strings attached.

It’s also worth noting that the USA PATRIOT Act, enacted weeks after the 9/11 attacks, has the ability to circumvent sector-specific privacy protections to facilitate national security investigations.  National security can be, and has been, defined quite broadly

Thirdly, there is a vast difference when it comes to privacy oversight between our two countries.  Law enforcement and national security authorities in the US simply do not operate under the privacy oversight structure that exists in Canada.

In Canada, my office reports directly to Parliament and not the Government, allowing autonomy in holding the Government to account.

In the United States there is no equivalent independent authority mandated to investigate privacy issues with regard to government data-handling.

While the Privacy and Civil Liberties Oversight Board could theoretically fulfill this function, it remains inoperative.

Finally, Canada’s approach to privacy centers on protecting individuals’ right to control their personal information except where limits can be demonstrably justified in a free and democratic society.

This is an approach which should not be compromised or watered-down in order to reach a perimeter security agreement.  

This isn’t to say that Americans value privacy any less than Canadians.  It’s just that our respective legislative frameworks to protect it are very different. 

This all goes to say that if we compare a security perimeter agreement to a marriage and Canadian negotiators wish to enable Canadians to keep control of their personal information, a clear line on privacy needs to be written into a strong “pre-nup.”

3 May 2010

Transparency, search engines and government appetite for data

There has been a long-standing debate between privacy advocates and government officials about the extent of government interest in the information transmitted across domestic and international networks. The passage of USA PATRIOT Act intensified this debate and prompted concern from a more general audience as well. Ever since, the digerati and online crowd have been whispering and wondering about the interface between search engines, particularly Google, and law enforcement and national security bodies.

In brief, this comes up in classrooms and at conferences in roughly the following exchange:

Q. “So, should I worry about what Google knows about me?”

A. “Maybe, but I’d worry more about what the government gets out of Google, then matches with what they already know about you.”

Around this issue, researchers like Chris Soghoian in the US (as well as Ben Hayes and Simon Davies overseas) have been pushing for greater transparency from both companies and government on the use of broad data production powers.  Last week, to their great credit, Google took a big first step and published an interactive map on the numbers and types of data requests they recieve from governments around the world.  This coincides with another important US private sector push – – that is asking for clear, consistent and accountable measures to be put in place when government ask companies to ‘check up’ on their customers.

We commend Google and others involved for this significant first step, look forward to improvements and more details as they tweak the reporting model and sincerely hope other companies (and, ahem! governments) follow suit.

28 Jan 2010

It’s Data Privacy Day 2010: Are you taking the proper steps to ensure that your personal information is safe?

On Data Privacy 2010 we’d like to take a moment to remind everyone that is the responsibility of both individuals and companies to make sure that personal information is safe.

If you own a company, or work for a big one: in the past, you may have had to ensure that your customers’ name and address information (and in some cases credit card and billing information) were safe. Now, many of you are providing technology and tools for your customers to put increasing amounts of personal information online. Does your company have the systems in place to safeguard this information? Do you give your customers the tools and options to control how their information is used?

If you are a user of new and cool technology: in the past a telephone was a telephone, a video game was a video game, a stuffed toy was simply that – a stuffed toy. Today, more and more toys and handheld tools come with the ability to go online. Do you understand how to enjoy your toys and gadgets without putting your personal information at risk?

If you are a parent or guardian, teacher, coach or caregiver: do the young people in your life understand how to use all these new toys and gadgets while keeping their personal information safe? Our office has recently made youth privacy a key priority. Today, we have posted some new resources to the Parents & Teachers section of our youth web site. The resources include information on 12 privacy issues (such as the importance of privacy settings and knowing who your friends are on social networking sites), along with ideas for generating discussion about each issue with young people. You can use these resources to start discussion about personal privacy and the importance of thinking about what you post on the Internet.

Regardless of which group you are in – if you need any information about how to keep personal information secure, visit our web sites – and