PIPEDA – PrivaSecTech https://privasectech.com/ Wed, 13 Nov 2019 18:34:17 +0000

Canadian Patriot Act back as bill C-12
https://privasectech.com/canadian-patriot-act-back-as-bill-c-12/
Tue, 23 Oct 2012 20:03:20 +0000

If you’ve followed this blog for some time, I first wrote about the introduction of the bill in May 2010, and then a follow-up redux in August 2010 (a summary of a few key points). It was officially called Bill C-29, which has just been re-introduced as a new Bill C-12 and is on the order paper for discussion today [PDF]. You can read the legislative summary here. This is the most important privacy-related legislation in Canada, so it’s worth paying attention to.

 

“Bill C-12: Safeguarding Canadians’ Personal Information Act – Eroding Privacy in the Name of Privacy” – Tamir Israel

“C-29: The Anti-Privacy Privacy Bill” – Michael Geist

“The report recommends that Bill C-12, An Act to amend the Personal Information Protection and Electronic Documents Act, be significantly toughened to require all data breaches be reported promptly to the Federal Privacy Commissioner, who in turn should have the power to order companies to notify individual consumers when there is a real risk of significant harm to them. The report also recommends Bill C-12 be amended to give the Privacy Commissioner of Canada order-making power to enforce the requirements and a fining power for non-compliance.” – Public Interest Advocacy Centre

What info does Facebook have on me?
https://privasectech.com/what-info-does-facebook-have-on-me/
Thu, 29 Sep 2011 15:45:08 +0000

After the F8 conference, there is even more concern than before about what personal information Facebook has on an individual. I was sent Facebook’s personal data request form, which I was told was created specifically for people in the EU. It made me think that the same request could be made under PIPEDA, which is a Canadian law that gives individuals the right to expect the personal information an organization holds about them to be accurate, complete and up-to-date, and what better way to ensure this than to have the data to verify against.

As an aside, for those also in British Columbia, there is PIPA which states you have the right to:

  • request corrections to your personal information
  • request access to your personal information

PIPA provides that consent must be garnered for collection of personal information; once you receive this data they have on you, did you consent to it? It’s also worth noting that they give 40 days as a turnaround time, but my understanding is that under Canadian legislation they must respond within 30 days.

Interested? Fill out the form here, referencing PIPEDA and/or PIPA depending on your jurisdiction.

LinkedIn to approve the closing of your account?
https://privasectech.com/linkedin-to-approve-the-closing-of-your-account/
Thu, 11 Aug 2011 18:48:58 +0000

After writing an article yesterday on how LinkedIn opts your name and photo into social advertising by default, it was brought to my attention today that if you’ve had enough and want to close your account, that is only possible if you have fewer than 250 followers!

A few hours ago, snookca said on Twitter, “Apparently, when you try closing your LinkedIn account, if you have more than 250 connections, a representative has to contact you.”

He included a couple of screen captures that demonstrate his experience:

[Screen capture: LinkedIn close account info]

as well as:

[Screen capture: LinkedIn customer support message]

The cloud is still a bad idea… keep your user’s personal information off US soil at all costs.
https://privasectech.com/the-cloud-is-still-a-bad-idea-keep-your-data-off-us-soil-at-all-costs/
Mon, 04 Jul 2011 22:47:39 +0000

There’s an article in The Register today highlighting that American organizations are all bound by the US Patriot Act, which essentially allows the US government access to any data it asks for. In this case, it’s Microsoft proactively disclosing this to be the truth. This is why, if you want to protect the personal information of your users, or citizens, you have to do whatever you can to keep it off US soil and away from access by Americans. Canada is a great place to store this information, as we have the almost opposite legislation called PIPEDA. We also have privacy regulators called privacy commissioners, both provincially and federally. Mind you, the current Canadian government tried to pass through a Canadian version of the Patriot Act last year as a minority government, and they now have a majority, so they want to use this chance to implement a more totalitarian regime. We’ll keep you up to date when and if things change!

Canadian Patriot Act redux
https://privasectech.com/canadian-patriot-act-redux/
Wed, 18 Aug 2010 15:06:40 +0000

The article posted in May on the Canadian Patriot Act being introduced to the House of Commons didn’t seem to go much further than “preaching to the choir”. I will try to summarize the changes, which will hopefully show you how Canada’s privacy landscape went from one of the top 2 in the world, to near the bottom, in this single change to legislation.

While you may have read about the other changes to PIPEDA at the end of May, the following changes were conveniently left to the end of the document, and most people didn’t make it that far. In fact, I don’t believe I’ve seen any mainstream media report on these drastic and impacting changes to the privacy of all Canadians.

  • a new provision allowing the disclosure of personal information without consent for private sector investigations and fraud prevention will replace a regulatory process that has been burdensome for small and medium-size organizations.

Your personal information is no longer only provided to law enforcement for investigations; businesses can now provide your information to any company claiming to do investigations or fraud prevention. As one of the top privacy and security investigative organizations in British Columbia as of writing this, we don’t want to see those organizations have such sweeping access to your information!

  • amendments would make it clear that organizations may collaborate with government institutions, such as law enforcement and security agencies that have requested personal information, in the absence of a warrant, subpoena, or order.

This is a major change. No longer do law enforcement or security agencies require a warrant, subpoena or order to request and receive your personal information from any business in Canada!

  • new provisions would prohibit organizations from notifying an individual about the disclosure of their personal information to law enforcement and security agencies where the government institution to whom the information was disclosed objects.

In case you didn’t think these changes were significant enough, companies that have provided your personal information are no longer permitted to tell you that they have provided your information to law enforcement or any security agency if those agencies object to that disclosure.

What should you do if you’re upset with these changes? Contact your MP, and write them as well as your local media. These changes, contained in Bill 29, have only had first reading, and it’s not too late for changes.

Industry Canada press release
Bill C-29 @ parl.gc.ca

Status of the Bill

Was I notified either verbally or in writing, of the reason each piece of my information is being collected?
https://privasectech.com/was-i-notified-either-verbally-or-in-writing-of-the-reason-each-piece-of-my-information-is-being-collected/
Wed, 28 Jul 2010 19:24:32 +0000

Recently, I was in a local brewery buying a keg, and they asked for a copy of my driver’s licence to write down the number on the deposit form. And then a few days ago, I was filling out an online form for a social network that required I specify my gender to create an account. It is cases like this that inspired me to write this article.

The Personal Information Protection and Electronic Documents Act (PIPEDA) handles protection of personal information in the private sector in Canada. This applies to small business owners as well as federal corporations. Today I will write on one of the 10 principles of the act, which refers to identifying the purpose for which the information is collected. Whenever a Canadian business asks you (a consumer) for your information, you should first ask yourself, “Was I notified either verbally or in writing, of the reason each piece of my information is being collected?” If not, you can ask for this to be explained to you, and the organization must respond.

For small business owners, this means you should now have a written policy on why you are collecting any and all personal information, and for what reason each piece of information is being requested. You should not be asking for any information that is above basic requirements for you and your clients to complete the transaction. If at any time you have a new purpose for this information, you should seek consent from the individual before using it. These requirements will also help you with the Openness and Individual Access principles that I will write about at a future date.

From section 11 of PIPEDA:

An individual may file with the Commissioner a written complaint against an organization for contravening a provision of Division 1 or for not following a recommendation set out in Schedule 1.

For more reading:

The Canadian Privacy Commissioner’s website

PIPEDA

Canadian Patriot Act introduced
https://privasectech.com/canadian-patriot-act-introduced/
Tue, 25 May 2010 23:50:14 +0000

Today a couple of changes to Canada’s privacy landscape were introduced under the infamous banner of “safety and security”. This will create significant changes to PIPEDA and FISA, Canada’s legislation around private sector privacy and spam respectively. I’ve been asked what this means, so I will try to summarize:

The changes introduced today to PIPEDA propose:

  • if your organization is breached, you will notify the federal privacy commissioner as well as individuals where there is a risk of harm.
  • a requirement that organizations consider the ability of their target audience to comprehend the consequences of sharing their personal information. (It mentions children and the vulnerable, but no technical details on how this requirement would be implemented)
  • exceptions to allow for the release of personal information to help protect victims of financial abuse, to help locate missing persons and to identify injured, ill or deceased individuals (again, no details on technical implementation).
  • exceptions to consent for the collection, use and disclosure of information needed for, among others, managing the employment relationship, information produced for work purposes (“work product”), and information used for due diligence in business transactions.
  • organizations will also be able to share and use business contact information that is required to conduct day-to-day business.
  • a new provision allowing the disclosure of personal information without consent for private sector investigations and fraud prevention will replace a regulatory process that has been burdensome for small and medium-size organizations.
  • amendments would make it clear that organizations may collaborate with government institutions, such as law enforcement and security agencies that have requested personal information, in the absence of a warrant, subpoena, or order.
  • new provisions would prohibit organizations from notifying an individual about the disclosure of their personal information to law enforcement and security agencies where the government institution to whom the information was disclosed objects.

Today the Fighting Internet and Wireless Spam Act (FISA) was also reintroduced, which is anti-spam legislation. For more information, see the Marketwire press release.
