Privacy @ Gowlings Executive Editor E. Michael Power
November 2, 2005 – Volume 4, Number 22

In this issue

  • Cell Phone Tracking I: NY Court Bans Tracking

  • Cell Phone Tracking II: Becomes Popular in South Korea

  • Japan: Privacy Concerns Spur Census Change

  • Ontario: First Compliance Order Issued Under PHIPA

  • Privacy Commissioner of Canada: Case Summaries

    No. 313: Bank Outsourcing and the USA PATRIOT Act

    No. 314: Insurance Company Denies Access to Personal Information in Statement of Claim

    No. 315: Web-Centred Company: Safeguards, Access & Privacy Complaint Management


Cell Phone Tracking I: NY Court Bans Tracking

A federal judge in New York has rejected the Department of Justice's request to track people's cell phone information without first providing probable cause for such investigations. Magistrate Judge James Orenstein, of the Eastern District of New York, issued an order on October 24 denying the Justice Department's application for disclosure of information regarding wireless subscribers.

If approved, the application would have allowed law enforcement officials to essentially use cell phones as tracking devices to observe where people are traveling and with whom they are speaking without first proving in court why they should be allowed to do so.

The New York ruling concurs with a similar decision handed down in a Texas District Court in September that blocked the same practice in that state. In both cases, the applications had been filed in regard to ongoing investigations being pursued by the Justice Department against specific individuals.

Full press report is available at:
http://www.eweek.com/article2/0,1895,1879008,00.asp



Cell Phone Tracking II: Becomes Popular in South Korea

More than 4 million Koreans have signed up for various services using technology that can determine a cellular subscriber's location. One, costing $3 per month, will send a message with your coordinates to friends and family periodically while you're traveling. Another will automatically dispatch a text message to friends who get within a block or so of each other as they move around town. Yet another, costing 29 cents a day, will send a message if a person isn't at a specified place at a certain time and then allows the tracker to see the person's movements over the previous five hours. And 20,000 parents pay $10 per month for alerts if their children stray from the route between school and home. The Korea Association of Information & Telecommunication reckons such services are growing by 74 per cent annually, with revenues expected to triple in 2007, to $1.54 billion, from $500 million last year.

In Korea, the future may have arrived early. Elsewhere it might take a while before consumers warm up to the idea of cell phone tracking. In the U.S., a company called Teen Arrive Alive offers parents a $20-a-month tracking service for their teens. But to date the company has sold the service to only one cell phone carrier, Nextel.

In other countries, consumers are proving more open to cellular tracking. In Britain, The Carphone Warehouse offers mapAmobile, a $52-a-year service that lets parents track their cell-toting kids. In Japan, subscribers can sign up for text messages advertising bargains at department stores as they pass by.

Korea, though, is clearly at the forefront - and not just for consumers. Sales of business-related tracking services in Korea are expected to jump more than fivefold this year, to $248 million, from $43 million last year.

Full press report:
http://www.businessweek.com/magazine/content/05_44/b3957069.htm



Japan: Privacy concerns spur census change

The government has decided to change the way it conducts the census after participation dropped in the latest survey due in part to rising concerns about privacy.

By the end of 2005 the Internal Affairs and Communications Ministry will form a panel that will examine the possibility of conducting the survey on the Internet or collecting census forms through the mail, officials said.

About 100 cases were reported in which people pretending to be authorized census personnel were found to be collecting census forms.

Full press report is available at:
http://www.japantimes.co.jp/cgi-bin/getarticle.pl5?nn20051018b4.htm



Ontario: First Compliance Order Issued under PHIPA

An investigation into how personal health records ended up being strewn across the streets of downtown Toronto on October 1 as a backdrop for a film production has resulted in a ruling by Information and Privacy Commissioner Ann Cavoukian that both a Toronto X-ray/ultrasound clinic and a paper disposal company had breached Ontario's Personal Health Information Protection Act (PHIPA).

Commissioner Cavoukian ordered the clinic to review its information practices to ensure that the location of all personal health information within its custody or control is documented, and that this personal health information is adequately secured. 

The Commissioner ordered the clinic to put into place a written contractual agreement with any agent it retains to dispose of personal health information. The agreement must set out the obligation for secure disposal and requires the agent to provide written confirmation once secure disposal has been carried out. 

Similarly, the paper disposal company, which fell under PHIPA because it functioned as an agent having been given personal health information directly by a health information custodian, was ordered by the Commissioner to put into place a written agreement that includes the requirement for the disposal company to engage in secure shredding and provide an attestation confirming destruction of records.

The Commissioner's Order, HO-001, is available at:
http://www.ipc.on.ca/docs/ho-001.pdf

Full press release is available at:
http://www.ipc.on.ca/scripts/index_.asp?action=31&N_ID=1&P_ID=16559&U_ID=0



PRIVACY COMMISSIONER of CANADA FINDINGS:


No. 313: Bank Outsourcing and the USA PATRIOT Act

The Office of the Privacy Commissioner of Canada received a number of complaints after the Canadian Imperial Bank of Commerce (the CIBC) sent a notification to its VISA customers in the fall of 2004, amending its credit cardholder agreement. The notification referred to the use of a service provider located in the United States and the possibility that U.S. law enforcement or regulatory agencies might be able to obtain access to cardholders' personal information under U.S. law.

While each complainant raised slightly different issues, all complainants primarily objected to the possible scrutiny of their personal information by U.S. authorities within the context of foreign intelligence gathering.

The Privacy Commissioner of Canada has gone on record stating that the privacy implications of anti-terrorism legislation and outsourcing need to be the focus of continued public debate. The central issue to be decided in these complaints, however, was whether the bank acted in accordance with its obligations under the Personal Information Protection and Electronic Documents Act (the Act).

In making her determinations, she deliberated as follows:

  • While the Act does not prohibit the use of foreign-based third-party service providers, it does oblige Canadian-based organizations to have provisions in place, when using third-party service providers, to ensure a comparable level of protection.

  • In keeping with its obligations under Principle 4.1.3 of the Act and in accordance with OSFI's guidelines (which are also consistent with this Principle), CIBC has in place a contract with its third-party service provider that provides guarantees of confidentiality and security of personal information.

  • The contract allows for oversight, monitoring, and an audit of the services being provided. CIBC maintains custody and control of the information that is processed by the third-party service provider.

  • The Assistant Commissioner noted, however, that while customer personal information is in the hands of a foreign third-party service provider, it is subject to the laws of that country and no contract or contractual provision can override those laws.

  • The Assistant Commissioner therefore determined that CIBC was in compliance with Principle 4.1.3.

  • She went on to reaffirm this Office's publicly stated position: that, at the very least, a company in Canada that outsources information processing to the United States should notify its customers that the information may be available to the U.S. government or its agencies under a lawful order made in that country.

  • In keeping with this direction, CIBC notified its customers of the risk that their personal information might be accessed under the provisions of the USA PATRIOT Act whilst in the hands of a U.S.-based third-party service provider.

  • Thus, by providing such information, the bank was informing its customers about its policies and practices related to the management of their personal information, in accordance with Principle 4.8.

  • She concluded that the Act cannot prevent U.S. authorities from lawfully accessing the personal information of Canadians held by organizations in Canada or in the United States, nor can it force Canadian companies to stop outsourcing to foreign-based service providers. What the Act does demand is that organizations be transparent about their personal information handling practices and protect customer personal information in the hands of foreign-based third-party service providers to the extent possible by contractual means. This Office's role is to ensure that organizations meet these requirements. In the case of these complaints, these requirements have been met.

The Assistant Commissioner therefore concluded that these complaints were not well-founded.

Text of full finding is available at:
http://www.privcom.gc.ca/cf-dc/2005/313_20051019_e.asp



No. 314: Insurance company denies access to personal information in statement of claim

A third party had filed a claim alleging that the complainant had damaged the third party's vehicle. The incident was investigated by the adjuster under contract with the complainant's insurance company. The adjuster accepted the claim and determined that the complainant was at fault. The complainant, however, disputed the claim.

The complainant, the adjuster, and the insurance company's claims manager exchanged correspondence on several occasions with regard to the dispute over the complainant's liability. During these exchanges, the complainant asked for various pieces of information about the claimant, such as the name of her insurance company and a written account of the claim. This correspondence was exchanged prior to January 1, 2004, when the insurance company became subject to the Personal Information Protection and Electronic Documents Act (the Act).

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

  • Based on her review of the statement of claim in question, the Assistant Commissioner was of the opinion that some of the information in the statement of claim was the complainant's personal information.

  • While she noted that the statement also contained the third party claimant's personal information, this information could be severed in the manner described in subsection 9(1), and the complainant's personal information provided to her.

  • As this had not been done, and instead the complainant was denied access to the entire document, the Assistant Commissioner determined that the insurance company had denied the complainant access to her personal information, contrary to Principle 4.9.

The Assistant Commissioner concluded that the complaint was well-founded.

Text of full finding is available at:
http://www.privcom.gc.ca/cf-dc/2005/314_20050809_02_e.asp



No. 315: Web-centred company: Safeguards, access & privacy complaint management

An individual complained that a web-centred company, with which she had an e-mail account, did not: adequately protect her personal information (she alleged that her e-mail account had been improperly accessed); provide her with a satisfactory explanation when she tried to resolve her concerns; or give her access to the personal information she had requested.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

Access complaint

The company refused the complainant's request in writing, as per subsection 8(7), and indicated that she would need to subpoena the information. The company's reluctance to release the IP addresses was based in part on the fact that it is typically law enforcement officials or lawyers who request this information, and not clients. The company was also concerned that such information could lead to incorrect conclusions on the part of the requester (in other words, he or she might get the impression that a number of individuals are changing his or her password, for example, when in fact the IP address may be linked to the account holder's computer only).

The Assistant Commissioner was satisfied that the complainant had been given access to her personal information, in accordance with Principle 4.9 and therefore concluded that the access complaint was resolved.

Safeguard complaint

The Assistant Commissioner reviewed the company's measures for changing the password. She noted that the information that is requested, which is matched to the information provided at registration, may be information that is known by another individual close to the account holder. A challenge question, which is selected by the account holder when the account is set up, is then posed.

The Assistant Commissioner noted that while organizations are responsible for protecting the personal information in their possession, there is some onus on the individual to protect his or her own personal information. It was therefore difficult for the Assistant Commissioner to hold the company accountable, when the complainant had not taken the company's advice to fully protect her own personal information. The Assistant Commissioner deemed the company's measures reasonable and found that the company was not in contravention of Principle 4.7 and concluded that the safeguards complaint was not well-founded.

Compliance complaint

The Assistant Commissioner commented that the privacy officer still has ultimate responsibility, regardless of whether a complainant has followed what staff have told him or her to do, or not. In this case, the complainant had specifically requested the name and telephone number of the person to whom she could escalate the matter. It was at that point that the employees who had been dealing with her should have brought the matter to the attention of the company's privacy officer. She therefore found that the company was not in compliance with Principle 4.10 and concluded that the compliance complaint was well-founded.

Full text of finding is available at:
http://www.privcom.gc.ca/cf-dc/2005/315_20050809_03_e.asp




Privacy @ Gowlings is a free publication offered by Gowling Lafleur Henderson LLP. If you have colleagues who may wish to subscribe, please feel free to pass this e-mail along to them. They need only use the subscribe button above in order to join our distribution list.

Gowlings is an acknowledged leader in business law, technology law, intellectual property and advocacy.
Montréal Ottawa Toronto Hamilton Waterloo Region Calgary Vancouver Moscow