one page assignment on ITIL with zero plagiarism
ISSM 561 - Privacy and Security Martin Kratz, QC
© 2021
1
Agenda Introduction to Privacy law
The international context
Which law applies?
Elements of Canada’s privacy law
Focus on the security obligation
Privacy complaints and access requests
2
Privacy in an increasing issue
In the first classes we have seen privacy as a key issue affecting information systems security
We studied search and seizure of devices and information in light of S. 8 of the Charter of Rights and Freedoms
Note the importance of “an expectation of privacy”
Increasingly, Courts are elevating privacy issues as a significant right
3
Privacy in an increasing issue Many countries have mandatory privacy legislation for the private sector
In these laws there is a positive enforceable legal duty to provide adequate security for personal information that is collected, used or retained
The level of security depends on the sensitivity of the information
Privacy concerns are higher when personal information is in digital form
Computer security professionals are in high demand to work closely with privacy professionals on these issues
4
A brief history OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, 1980
Federal Privacy Act
Provincial Privacy and Freedom of Information Legislation
Private sector - model codes - voluntary compliance
European Union Privacy Directive, 1995
Fundamental ‘right to privacy with respect to the processing of personal data’
Transfer to non-EU countries only if country “ensures an adequate level of protection”
Implementation in 1998
EU begins to assess the “adequacy” of other countries laws 5
A brief history USA – 1995-2000, diplomatic efforts to avoid trade war
1998 USA pressures private sector for voluntary compliance
Safe Harbor Agreement with EU, 2000
Safe Harbor found “adequate”
2001 Canada implements PIPEDA
PIPEDA found “adequate”
6
A brief history
EU, General Data Protection Regulation 2015
Shrems I - US-EU Safe Harbor struck down 2017
US - EU Privacy Shield Agreement 2017 (replaces Safe Harbour)
EU, General Data Protection Regulation in force 2018
Schrems II - US-EU Privacy Shield struck down 2020
7
Canada’s response
Various Industry Guidelines had been previously developed
CSA Model Code for the Protection of Personal Information
Federal: Personal Information Protection and Electronic Documents Act (‘PIPEDA’), 2001
EU Working Group finds PIPEDA “adequate”
8
Canada’s response
Provincial Mandatory Private Sector Privacy Legislation:
Quebec (1994)
Alberta (2004) Personal Information Protection Act (“PIPA”)
BC (2004) Personal Information Protection Act
Ontario [health only] (2005)
Manitoba [private bill] (2006)
9
Federal Privacy Law
10
Federal Privacy Legislation
Public Sector Legislation
Applies to all Federal works and undertakings under Federal jurisdiction
Privacy Act
Access to Information Act
11
Federal Privacy Legislation Private Sector Legislation
Personal Information Protection and Electronic Documents Act (PIPEDA)
Applies to all Federal works and undertakings under Federal jurisdiction
Applies to provincial business unless displaced by “substantially similar” law
Applies to organizations engaged in commercial activities
Regulates external and employee information for federal businesses
Does not regulate employee information in provincial businesses
12
Substantially similar laws
PIPEDA permits Provinces to enact “substantially similar” legislation or PIPEDA applies in Province
“Substantially Similar” means:
Ten privacy principles (details to follow)
Independent oversight and redress mechanism with power to investigate
Restrict collection, use and disclosure to purposes that are appropriate
13
Substantially similar laws
Substantially similar provincial Legislation:
Quebec (1994)
Alberta (2004) Personal Information Protection Act (“PIPA”)
BC (2004) Personal Information Protection Act
14
Provincial Privacy Law
15
Alberta Privacy Legislation
Public Sector Privacy Legislation
Applies to provincially regulated entities
Freedom of Information and Protection of Privacy Act
Health Information Act
16
Alberta Privacy Legislation
Private Sector Privacy Legislation
Applies to organizations engaged in commercial activities
Personal Information Protection Act (“PIPA”)
Includes regulation of employee information
17
Which law applies? Each Organization needs to determine:
Public or Private sector?
Federal or Provincial regulated activity?
What kind of information the organization collects, uses and discloses?
Is it health information?
Is it employee personal information?
Is it information collected, used or disclosed on behalf of another party (are they Public or Private?)
Is the information collected, used or disclosed by a third party on behalf of the organization?
18
19
Federal: Personal Information Protection and Electronic Documents Act
BC: Personal Information
Protection Act
Man: Personal Information Protection and Identity Theft Prevention Act
Sask: PIPEDA
Alberta: Personal Information
Protection Act
Ontario: PIPEDA
Private Sector Legislative Overlap
Activities Matter Legislation is activity based Nature and location of the activity (not the organization) dictates applicable legislation Consider all applicable jurisdictions Consider scope of obligations
20
Which laws apply? Businesses doing business in multiple jurisdictions need to be aware of the applicable law in each jurisdiction
Businesses with operations and customers solely located in a province - likely look to the law of that province
Alberta, BC – Personal Information Protection Act
Quebec - Loi sur la protection des renseignements personnels dans le secteur privé Quebec
Manitoba – Personal Information Protection and Identity Theft Prevention Act
Other - PIPEDA
Need to consider inter-provincial transfers of personal information
Common to have blended multi-jurisdictional privacy compliance programs
21
Privacy
Any questions on the history or which laws apply?
22
Personal Information
23
Personal information Personal information is any information about an identifiable individual, other than the person's business title or business contact information when used or disclosed for the purpose of business communications. For example:
Age, income, marital status, dependents and ethnic origin
Social insurance number, drivers license number, credit card numbers,
Employment applications, resumes, reference letters, transcripts
Compensation, financial information
Internet activity and computer usage
Personal information does not include anonymous or non-personal information (i.e., information that cannot be associated with or tracked back to a specific individual).
24
Employee Personal Information
A subset of Personal Information (under PIPA)
Definition of Personal Employee Information is information in respect of an employee or potential employee that is collected, used or disclosed solely for purposes of establishing, managing or terminating an employment relationship, but not personal information unrelated to employment relationship
No such exemption under PIPEDA for federally regulated employees.
PIPEDA does not extend to regulate provincially regulated employees.
25
Personal Information
Questions?
26
10 Fair Information Practices
27
Privacy Fundamentals 10 Fair Information Principles from CSA Guidelines
Accountability
Identifying Purposes
Consent
Limiting Collection
Limiting Use Disclosure & Retention
Accuracy
Safeguards
Openness
Individual Access
Challenging Compliance
28
Accountability
An organization is responsible for personal information under its control.
It must appoint someone to be accountable for its compliance with the fair information principles.
Some one has to be responsible for compliance
That would be a person empowered to receive complaints or discuss the policies or practices of the organization
29
Identifying Purposes
The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.
Must identify the purposes for which personal information is collected, retained, used or disclosed
Those purposes should be capable of being understood, and must be clear.
30
Consent
Basic principle - that a person should consent to the collection, use, retention and disclosure of his or her personal information
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Certain exceptions do apply.
31
Types of Consent Express (oral or written)
Deemed (or ‘Opt Out’)
e.g. “We assume, unless you advise us otherwise, that you have consented to the collection, use or disclosure of your personal information in the manner described in this privacy policy”
Implied (by action)
e.g. request a product or service be delivered to your house, and your consent will be implied to the use of your contact and payment information for the purpose of delivering, billing and collecting for such product or service
32
Limiting Collection
The collection of personal information must be limited to that which is needed for the purposes identified by the organization.
Information must be collected by fair and lawful means.
33
Limiting Use, Disclosure & Retention
Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected.
Personal information must only be kept as long as required to serve those purposes.
34
Accuracy
Personal information must be as accurate, complete, and up-to- date as possible in order to properly satisfy the purposes for which it is to be used.
An individual has a right to challenge the accuracy of the personal information
35
Security
Personal information must be protected by appropriate security relative to the sensitivity of the information.
Legal requirement to maintain the security of the personal information
Level of security depends on the sensitivity of the personal information
We will discuss this is greater detail later
36
Openness
An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
The organization should disclose its privacy policies and practices
37
Individual Access
An individual has the right to access the personal information collected on them and know for what purposes it is collected, used or disclosed
Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information.
An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
38
Challenging Compliance
An individual has a right to challenge the compliance of an organization in respect of its privacy policy or practices
An individual shall be able to challenge an organization’s compliance with the 10 fair information principles.
Their challenge should be addressed to the person accountable for the organization’s compliance with the privacy law, usually their Chief Privacy Officer.
39
Fundamental Requirements An organization is responsible for personal information that is in its custody or under its control, and is responsible for the compliance of its service providers
An organization must designate one or more individuals to be responsible / accountable for ensuring that the organization complies with its privacy obligations
An organization must develop and follow policies and practices that are reasonable for the organization to meet its obligations / give effect to the principles
40
Fundamental Requirements Except where otherwise permitted or required by law, each organization is obliged to:
Obtain from the individual their consent to the collection, use, and disclosure of their personal information
Use and disclose such information only for the purposes for which the consent was given
Destroy the information after its purpose has been fulfilled
Allow the individual to access and challenge the accuracy of their personal information
41
Minimum Requirements
Appoint a Privacy Officer / Manager
Adopt basic policies (capable of compliance)
Inform the organization of privacy requirements and basic policies
Ensure that privacy matters are referred to Privacy Officer / Manager for handling
Undertake assessment of critical areas / contracts
42
Must be Reasonable
An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
Where an organization collects, use or discloses personal information, it may do so only to the extent that is reasonable for meeting the purposes for which it was collected, used or disclosed.
43
What is reasonable? The CPC has determined that the following purposes would generally be considered inappropriate by a reasonable person (i.e., no-go zones):
collecting, using or disclosing personal information in ways that are otherwise unlawful;
profiling or categorizing individuals in a way that leads to unfair, unethical or discriminatory treatment contrary to human rights law;
collecting, using or disclosing personal information for purposes that may cause significant harm to someone;
publishing personal information with the intent of charging people for its removal;
requiring passwords to social media accounts for the purpose of employee screening;
conducting surveillance on an individual using their own device’s audio or video functions.
44
Privacy Principles
Questions on the basics of privacy?
45
Security Obligation
46
Security Obligation - in more detail
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information, regardless of format
Protection against loss, theft and unauthorized access, disclosure, copying, use or modification
Identify sensitivity of information
Various measures of protection are available
47
Security Obligation - PIPA
“An organization must protect personal information that is in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction.”
Alberta Personal Information Protection Act, S. 34
48
Security Obligation - PIPEDA
“Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.”
Principle 4.7 PIPEDA
The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection.
Principle 4.7.1
49
Security Obligation - PIPEDA The methods of protection should include
(a) physical measures, for example, locked filing cabinets and restricted access to offices;
(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
(c) technological measures, for example, the use of passwords and encryption. Principle 4.7.2
Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information. Principle 4.7.4
Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information. Principle 4.7.5
50
Joint Recommendation
The privacy commissioners for Alberta, British Columbia and for the Federal Government issued a joint recommendation on meeting the security requirement under privacy law.
51
Joint Recommendation First step – collect only the personal information needed for the purpose
Reasonable safeguards include several layers of security, including, but not limited to:
risk management,
security policies,
human resources security,
physical security,
technical security,
incident management, and
business continuity planning.
52
Joint Recommendation The reasonableness of security arrangements adopted by an organization must be evaluated in light of a number of factors including:
the sensitivity of the personal information,
the foreseeable risks,
the likelihood of damage occurring,
the medium and format of the record containing the personal information,
the potential harm that could be caused by an incident, and
the cost of preventive measures.
53
Joint Recommendation
Generally accepted or common practices in a particular sector or kind of activity may be relevant to the reasonableness of a security safeguard.
However, generally accepted practices and technical standards must be complemented by elementary caution and common sense.
54
Joint Recommendation Basic Security
Businesses obligated to assess adequacy of existing security measures
where and how is information kept?
who has access to it?
who needs access to it?
how is it retrieved?
industrial security threats?
Businesses need a data governance plan
55
Joint Recommendation Safeguard measures include measures such as:
“clean desk” policy where clients invited in
automatic computer terminal lock-out
restrictions on physical and electronic access
locking offices/filing cabinets/drawers
computer passwords/encryption
segregation of sensitive files
security clearances
encryption
56
Joint Recommendation Safeguard measures include measure such as :
safeguards when transferring information to third parties or between offices
redacting non-essential material prior to transfer
encryption now required?
destruction/disposal
shredding
diskettes/back-up tapes
document retention policy?
systems audits
“hacker-proof” penetration tests?
57
Joint Recommendation Self Assessment Guidance includes:
Risk Management
Policies
Records management
Human Resources Security
Physical Security
Systems Security
Network Security
Wireless Security
Database Security
58
Joint Recommendation Self Assessment Guidance includes:
Operating Systems
Email and Fax Security
Data Integrity and Protection
Access Control
Information Systems Acquisition, Development and Maintenance
Incident Management
Business continuity planning
Compliance
59
PIPA & PIPEDA Security
We will see more security comments and more focus on these elements in the presentation on data breaches
We will see more security comments in the presentation on breach notification requirements
60
PIPA & PIPEDA Security
Questions on the scope of the security obligation?
61
Enforcement of Privacy Obligations
62
Privacy Enforcement Enforcement of privacy obligations arises under several distinct channels
Privacy Commissioner complaints
PIPEDA (federal) Commissioner does not generally have order making power
Can not levy substantial fines for most matters
PIPEDA decisions can be appealed to the Federal Court
Individual can claim damages for humiliation in Court
PIPA has order making power
Can claim damages for breach
Privacy Torts - individuals can sue for breach of the various torts
Competition Commissioner - has begun to pursue enforcement of privacy matters - can levy large fines
63
Privacy Torts Common Law Courts have begun to recognize that a right of privacy is invaded by:
unreasonable intrusion upon the seclusion of another; or
appropriation of the other's name or likeness; or
unreasonable publicity given to the other's private life; or
publicity that unreasonably places the other in a false light before the public.
Individuals can sue for damages due to violation of their privacy rights
We discuss these torts in the Data Breaches lectures.
Note judge made law additional to rights under PIPA and PIPEDA.
64
Competition Law Competition Act prohibits the making of a representation to the public that is false or misleading in a “material respect”.
Competition Bureau has promised to investigate false and misleading statements concerning consumers’ privacy as a violation of the Competition Act
Competition Bureau can issue large penalties
“If it is determined that a business has made false or misleading representations, a variety of remedies may be ordered, including penalties for corporations of up to $10 million on a first offence and up to $15 million for subsequent offences, and/or restitution to purchasers who were affected by the misrepresentation.”
Misrepresentations made knowingly or recklessly can even be prosecuted as criminal offences.
65
Competition Law
The Competition Bureau has the authority to regulate matters where an organization has made representations to a consumer about the collection, use or safeguard of personal information, and then fails to comply with those representations.
The United States Federal Trade Commission (FTC) regularly regulates privacy matters and imposes substantial fines under similar authority to regulate deceptive practices.
Note that the FTC plays an oversight role in the Privacy Shield program.
66
Competition Law
Competition Bureau has expressed the intention to crack down on the collection of consumers’s data in exchange for “free” online products and services, such as web browsers and apps.
Admonishing “lengthy and complex privacy policies”, the Bureau noted that
consumers may not understand precisely what is happening with their personal information,
how it is being collected, and
by whom it is being collected and used.
67
Competition Law The Competition Bureau has identified the following key topics as being most likely to raise concerns around creating a false or misleading general impression:
whether consumers’ data will be collected;
what data will be collected;
how often data will be collected;
why the data is collected and the purposes for its use;
whether the data will be sold to, or otherwise shared with, third parties;
whether consumer data will be retained, how it will be maintained, where it will be stored, and when it will be deleted; and
the level of control that consumers have as it relates to these issues.
68
Competition Law Facebook has agreed to pay a fine of $9 million under the federal Competition Act stemming from the Cambridge Analytica matter. Terms of the settlement also include:
Facebook will reimburse the cost of the inquiry of $500,000 (without any acknowledgment of wrongdoing).
Facebook agrees not to make representations to the public that are materially false or misleading regarding the disclosure of personal information.
Facebook agrees to implement a program to support compliance with the deceptive marketing provisions of the Competition Act, which must be acknowledged and supported by senior management, and includes ongoing reporting obligations to the Commissioner of Competition.
This fine is the first issued for a privacy violation in Canada by the Competition Bureau under its authority to regulate deceptive marketing practices.
69
Competition enforcement learnings Need to have a robust Privacy compliance program
1. Map and Characterize Your Data
Develop a clear understanding of the following (among other things):
the specific categories of personal information collected and the sensitivity of that information;
how you use that information, and whether that use is for a reasonable purpose;
who within the company can access the data and for what purpose;
how employees can access the data and to whom can they transfer it; and
the third-party companies with which the information is shared and for what purpose.
Personal information is broadly defined and includes categories of information beyond the more obvious types such as name, address, government identification numbers, and banking information.
Personal information can include, for example, an individual's preferences (what items the user purchases), habits (frequency of travel and routes), or reactions (what ads the user clicks on).
70
Competition enforcement learnings 2. Review Consent
Analyze the consent obtained from individuals, including the context in which consent is obtained (e.g., is it simply a "click-through" consent), and whether you have obtained valid and meaningful consent. In particular, consider whether it is reasonable to conclude that the individuals understand the following:
the categories of personal information being collected;
the potential uses you will make of the information;
the third parties with whom the information will be shared and the uses the third parties may make of the information; and
the safeguards that will be employed to protect the information by the companies and any third parties.
A consideration of whether the consent is meaningful may require an assessment of the context in which the consent is given in view of the sensitivity of the information involved, and the purpose or potential for repurposing of the collection and use of the information.
71
Competition enforcement learnings
3. Review Third-Party Contracts
Cover transfers of personal information to third parties by written agreements that include:
provisions regarding the permitted uses of the transferred information (which uses correspond to the consent obtained);
controls over the ability of the transferee to process or further transfer the information;
the required safeguards for protection of the information;
audit rights of the transferor; and
obligations of the transferee to notify the company of a potential compromise of the data.
72
Competition enforcement learnings
4. Assess Safeguards
Assess whether the operational, physical and technical safeguards in place, and those of any third parties to which they transfer personal information, are reasonable, in the context of the sensitivity of the information, and the duration of time the information may be kept.
73
Privacy enforcement
Any questions on privacy enforcement?
74
What are the Privacy Commissioner and Courts saying about the security obligation?
75
PIPA Cases … MD Management P2006-IR-005
MD Management offers services to Canadian Medical Association
Laptop with client information is stolen from employee’s car
8,000 individual’s records
Only standard password login security / no encryption
Permits 5 attempts in 24 hour period
Employee notifies police and employer
OIPC Assesses if MD Management made adequate security arrangements
Duty is to provide reasonable security
OIPC Assesses precautions …
76
PIPA Cases … Laptop Policy examined. Requires laptop:
must always be safeguarded from theft
must never be left unattended
must be locked in secure cabinets when leaving the office even if the laptop can be secured to the workstation
must be carried on the plane when traveling
must never be left unattended in a car or hotel room etc.
MD Management trains staff on policy
Also had technical defensive measures in place
Password secure pre-configured by IT Dept.
Users to password protect files – not done in this case
Encryption on part of disk – but not used in this case
Employee found to have violated the policy
77
PIPA Cases … OIPC assess if reasonable security measures were taken considering:
if the security risk was foreseeable
likelihood of damages occurring
Seriousness of the harm
Cost of preventive measures
Relevant standards of practice
78
PIPA Cases … Here OIPC find:
Risk to a laptop in a case is well known
High likelihood of damages
Harm could be fraud or identity theft
Protective measures – minimal cost / encryption / file level passwords
Standards suggest encryption
MD Management responsible for the employee, violated duty to safeguard the personal information in its custody
79
PIPA Cases … Linen’s & Things (LNT) P2005-IR-001
Edmonton Police notify OIPC located retailers documents containing customer information during a police investigation
Found return receipts, names, phone numbers, purchase info, etc.
Some records with credit card numbers, some not
Investigation reveals many receipts found in a dumpster
OIPC assesses if proper safeguards in place
80
PIPA Cases … OIPC review LNT return procedures
Identify flaw that thermal POS receipt printed out credit card number
Copies of receipts locked up, access limited to manager
Manager only can reconcile transactions
Manager only to do return transactions
However, store did not safeguard records through their lifecycle
OIPC conclude that the organization failed to properly dispose of sensitive customer information by permitting them to be placed in a garbage bin without being securely shredded
81
PIPA Cases … Linen’s & Things changes its practices
1. All return receipts are placed in locked cabinets at each day’s end and logged.
2. At each month end, that month’s logged return receipts are segregated and placed in a locked cabinet.
3. At each month end, the records that are 90 days old are placed in a sub-contractor’s secured box for shredding by a secure, bonded shredding company and destroyed. The destruction is also to be logged.
4. Store manager level authorization is required to access any records which are locked in secure storage.
5. At any point in time, the records for a particular day can be accounted for as being either in specific storage or as having been destroyed.
6. LNT formally appointed a Privacy Officer accountable for the personal information handling practices for LNT.
7. LNT has initiated an internal audit of all of its personal information handling practices and will revise its policies and procedures as required.
82
PIPA Cases … Edmonton Public School District F2012-IR-01
USB memory stick used to save files when reimaging a hard drive
USB stick is lost
Records of over 7,000 employee files
2,826 individuals file contained personal information including SIN, drivers license details, etc.
Not password protected, not encrypted
Lock down drill during period when USB stick is lost
OIPC investigates
School policy not to store data on a local hard drive
School notified employees
83
PIPA Cases … OPIC assesses whether reasonable security measures were taken
Reasonable does not mean perfect
Here sensitivity of the personal information is high
OIPC studies School policy – not followed in this case
School believes USB lost in the secure part of the building
but USB stick is mobile, not password protected, no encryption
Find School failed to protect the personal information as required by law
84
PIPEDA Cases … PIPEDA Case #2003-232
Employee of a nuclear facility complained that his employer was requiring employees to provide personal information of spouses for the purpose of a security clearance check without the spouse's consent e.g. not voluntary
CPC assess if collecting such information is reasonable
Special security concerns of nuclear plant suggest background checks on staff are reasonable
Issue – requirement to get the spouse’s consent?
CPC assumed that spouses have intimate knowledge of each other, share common goals, income and expenses
it would be inappropriate to not conduct an investigation into the background of the current spouse or partner
a reasonable person would likely view the collection of spousal information to be appropriate
85
PIPEDA Cases …
PIPEDA Case #2003-232
CPC found that it would not be appropriate for the company to obtain separate consent
The onus is on the employee to discuss the matter with the spouse or partner and seek consent
Should the spouse not agree, the employee would need to review their options, such as seeking alternative employment
86
PIPEDA Cases … PIPEDA Case #2004-264
Employee complaints about picture on a swipe card & digital cameras in the workplace
Here workplace evidence of health & safety incidents justify enhanced security measures
CPC company has clearly demonstrated a need to enhance the safety and security of staff and visitors to the worksite, to reduce vandalism and damage to property, and to manage the risk of liability claims
Reasonable person would find such appropriate
Company advises & educates staff
Complaint about swipe card not well founded
87
PIPEDA Cases … PIPEDA Case #2004-264
CPC found supervisor showing pictures to other staff unnecessarily
That complaint was upheld
CPC find digital cameras purpose is not to collect personal information
not trained on work areas,
no intent to use cameras to manage the productivity of employees
no reasonable expectation of privacy at entrance/exit areas
not necessary that the company obtain employee consent to the collection of any personal information recorded by the cameras
88
What is adequate security? PIPEDA Report 2019-1 (Equifax)
Equifax Inc. / Equifax Canada Co. hacked in 2017
About 143 million individual’s information compromised
Includes 19,000 Canadian’s credit reports, contact information and SINs
Equifax Inc. and Equifax Canada separately collect personal information from customers
Equifax Inc. collected personal information directly to facilitate delivery of products in Canada
Security frameworks highly integrated
CPC investigates the adequacy of the security safeguards, reports
Attackers gained access from a known vulnerability in the Apache Strut software platform supporting an online dispute portal
Notice of patch March 8, 2017
Attack occurred May 13, 2017 (over 2 month delay)
Attack detected July 29, 2017 and contained the next day
89
What is adequate security?
CPC attack highlights unacceptable deficiencies in Equifax’s security program
1. Inadequate vulnerability management
2. Inadequate network segregation
3. Inadequate basic information security practices
90
Inadequate vulnerability management
Must have adequate systems in place to address known vulnerabilities in all internet facing platforms, operating systems and applications
Must accurately and quickly identify vulnerabilities in need of correction
Must implement fixes to correct vulnerabilities promptly
Must verify that vulnerabilities have been fixed
Here no mechanism to automatically patch known vulnerability
91
Inadequate network segregation
Attackers able to access information in hundreds of databases out side the breached server
CPC: Organizations should institute network segregation that meaningfully segregates databases containing information based on sensitivity and function of the personal information
Here, firewalls between databases were inadequate to separate the databases as they allowed a broad range of data to flow between them
Canadian data should have been fully segregated from the online dispute portal available only for the US
92
Inadequate basic information security practices
Equifax had tripled its spend on IT security between 2014 to 2017
CPC: Clear disconnect between policies and practices in a range of security domains
Clear that Equifax’s security program had critical gaps and that oversight mechanisms were inadequate
Since the attack Equifax took numerous steps to improve its security program
93
Retention … PIPEDA requires that once personal information is no longer required by an organization to fulfill identified purposes, it should be destroyed, erased or made anonymous and all organizations must develop guidelines (and implement actual procedures) to govern the destruction of personal information.
Equifax’s Global Retention Policy required the personal information of 8,000 Canadians should have been deleted either after five years (for account registration information), two years (for other account information), or after one year (for credit reports and alerts contained in the GCS) respectively.
In reality, there was no process in place to delete Canadian personal information in compliance with this policy.
No Canadian personal information had been deleted since at least 2010.
94
Retention …
CPC found that no one at Equifax seemed able to identify who the record owner was for personal information held in the GCS databases or even the name of the person at Equifax responsible for the compliance functions described in the retention policy.
Note the importance of data retention and destruction practices at the corporate level (the less data held, the less will be exposed in the event of a breach), as well emphasizing the need for proper employee training and verified compliance monitoring for policies of this nature.
95
Accountability … PIPEDA’s accountability principle requires an organization remains responsible for personal information under its control (including information that has been transferred to a third party for processing) and must use contractual or other means to provide a comparable level of protection while the information is being processed by the third party.
Equifax handled payments made by Canadians who purchased fraud alert services on their Equifax Canada credit card file and Canadians interested in obtaining direct-to- consumer products were directed to apply to the GCS system, hosted in the U.S.
Both companies tried to argue that Canadian consumers knew that they were contracting separately with ECS, rather than Equifax Canada.
However, the application process took place on the Equifax.ca webpages and Equifax Canada’s terms of use asserted that the products and product features available via its website were provided by Equifax Canada.
96
Accountability … At the time of the breach, the Equifax Canada CPO did not have such controls in place (including any formal written arrangement with Equifax that spelled out the specific rules, regulations and standards that need to be complied with in the handling of personal information, information security obligations, acceptable uses of the information, retention and destruction obligations, or reporting and oversight arrangements) nor were there any basic accountability controls.
CPC identified that “as Equifax Canada is the controller for this personal information,” Equifax Canada’s designed privacy officer is accountable for the personal information, wherever it is held or processed.
CPC expects organizations to take further measures to assess the security of Canadian personal information held by third parties and ensure any necessary corrective measures are undertaken in a timely way.
97
Mitigation … PIPEDA requires organizations to undertake appropriate mitigation measures to protect against future unauthorized use of personal information.
Here the Equifax Canada CPO was not notified by Equifax of the breach until hours before Equifax itself went public on September 7, 2017, despite the involvement of Canadian data.
The companies did not coordinate in the initial breach notification to affected Canadians, with the first letter to them inviting them access credit monitoring through a portal that did not actually allow access and was set up for Equifax customers only.
CPC was unimpressed that initially Canadians were only offered one year of free credit monitoring versus their U.S. counterparts (this was eventually changed to four years in total).
Canadian customers never did receive access to the ‘Lock & Alert’ credit freeze service provided to U.S. consumers that would have allowed them to lock and unlock their credit file on demand.
98
Consent … CPC said that Equifax Canada should have obtained valid express consent of Canadians before disclosing personal information across the border to Equifax (given the sensitive nature of the financial data involved and that individuals would not have reasonably expected their data to be transferred to a third party outside of Canada).
Historically a transfer for processing is a "use" of the information, not a disclosure. If the information is being used for the purpose it was originally collected, additional consent for the transfer is not required; it is sufficient for organizations to be transparent about their personal information handling practices. This includes advising Canadians that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.
In this case, presumably due to the active roles of each Equifax and Equifax Canada collecting personal information a higher consent standard was required.
99
Equifax summary learnings
CPC gave specific guidance on the requirements to meet the security standard under PIPEDA.
Security policies must not only be able to address current vulnerabilities and threats but must be implemented.
The case highlights the importance of thoughtful assessment of cross-border arrangements where parties share personal information.
100
Joint investigation of Facebook CPB and BC OIPC investigation - PIPEDA Report of Findings #2019-002
Complaint about Facebook’s disclosure of the personal information of its users to 3rd party application information that was later used by 3rd parties for targeted political messaging.
Three issues:
1. consent of users,
2. safeguards against unauthorized access, use and disclosure, and
3. accountability for the information under Facebook’s control.
101
Joint investigation of Facebook
Consent of users
Facebook relied on apps to provide consent from users for its disclosure to those apps. but Facebook could not demonstrate that:
1. the 3rd party app actually obtained meaningful consent for its purposes, or
2. Facebook made reasonable efforts to ensure that the 3rd party app was obtaining meaningful consent.
102
Joint investigation of Facebook
Safeguard against unauthorized access, use and disclosure
Facebook relied on contractual terms with apps to protect user information
But Facebook’s monitoring of those terms was reactive and ineffective
Facebook could not show any enforcement action on those terms
103
Joint investigation of Facebook
Accountability for the information under Facebook’s control
Facebook did not take responsibility to provide real and meaningful effect to privacy protection of users
Facebook abdicated any responsibility for the personal information under its control
Facebook’s security safeguards were superficial and ineffective
104
PIPA & PIPEDA Cases
We will see more cases in the data breach lecture
Any questions on how the Commissioners review the security obligation?
105
Breach Notification Notification can be an important means of risk mitigation
Effort to communicate to individuals affected by a breach
Empower customers to protect themselves
Can mitigate reputational impact
Important to provide first stage of remediation
Mandatory in Alberta since 2010 under PIPA
Mandatory nationally under PIPEDA as of November 1, 2018
We will examine these notification rules in more detail in the data breaches session
106
Access Requests and Complaints
107
PIPA Complaint Process Mediation
Review & Investigation
Commissioner’s Orders (PIPA)
Access to Records
Correction of Records
Organization to stop collecting, using, or disclosing personal information
Destruction of Records
Audits
Fines for certain activities of up to $10,000 for Individuals, $100,000 for Organizations
108
Complaint escalation … Complaint Handling Process
Internal process
Process by the organization
Verify identity and authority of requesting person
Verify scope of request
Respond as applicable in the circumstances
Escalation
Internal escalation in the organization?
Privacy Commissioner
Court process
109
PIPA Complaint Process
An individual has a right to ask the Commissioner to review an organization’s decisions, conduct or response
Individual has to exhaust other available processes
Complaint of the organization’s decision must be filed with Commissioner within 30 days of decision
Extension is possible
Commissioner may provide copy of complaint to the organization or others
110
PIPA Complaint Process
Commissioner has very broad powers to conduct investigations or inquiries
Power to examine records - even those not subject to PIPA
An organization is obligated to produce any records notwithstanding any other enactment or any privilege of the law of evidence
111
PIPA Complaint Process PIPA provides for mediation to seek to settle the complaint
If not settled, Commissioner may conduct an inquiry
All parties notified of the inquiry may make representations
May be represented by legal counsel
Inquiry to be concluded within 90 days from receipt of complaint
Burden of proof on the organization to justify a refusal to provide access or information on collection, use or disclosure
112
PIPA Complaint Process Commissioner resolves complaint by making an order
The commissioner has broad order making power including, in case of an access request:
require organization to provide access
confirm decision of the organization
require the organization to reconsider its decision
require the organization to refuse access
The order is final.
Judicial review application within 45 days 113
PIPA Complaint Process
Any questions on the complaint process generally?
114
Access Right
115
Access Right
Individuals have a general right to request access to their personal information, subject to some exceptions
Requests for access can also be made by:
Mature minors who understand the consequences of exercising a right of access
Legal guardians of minors
Personal representative of a deceased person, if related to the administration of their estate
116
What can they ask for?
An individual’s personal information that is under the custody or control of the organization – s.24(1)(a)
The purposes for which this information has been and is being used – s.24(1)(b)
The names of the persons to whom and the circumstances in which this information has been and is being disclosed – s.24(1)(c)
Response by the organization must consider what is reasonable
Must provide a written request with sufficient detail to enable the organization, using a reasonable effort, to identify the information pertaining to the request
117
How are requests made? Requests must be in writing – s.26
OIPC expects organizations to reasonably assist applicants who are unable to make a written request
If applicant refuses but is able to put in writing, organization does not have to respond
May respond to a verbal or e-mail request but organizations have an obligation to ensure that any personal information disclosed is disclosed only to a person authorized to request it
Applicant must give enough information to allow the relevant information to be found but is not required to state why they want it.
118
Issues the organization should consider Access issues:
authority of person requesting access
requirement for formal written request
signature/customer account number/password
identification if in person
ease of retrieval of personal information
specificity of the information requested
fee
obligation to retain or destroy/dispose of information
loss of data
119
Can the request be ignored?
Is the request repetitious, frivolous or vexatious in nature?
Is there a mechanism to permit the organization to disregard the request?
PIPA s.37 allows an application to the Commissioner for authority to disregard
What does the organization’s Privacy Policy say?
120
Fees A reasonable fee may be charged to applicant –s.32
No fees allowed for a correction request, or for providing access to personal employee information
Must provide a detailed estimate of fees before providing the service
Reasonable fees can mean:
Flat fee
“Per page” copying fee
Actual cost to retrieve records from off-site storage
Minimum or clerical wage for time taken to retrieve and respond
121
Time to respond? 45 - day time limit to respond from date of receiving the request [PIPEDA: 30 days] (s.31)
Can extend for another 30 days, or longer with Commissioner’s permission, if:
Not enough detail to identify records or personal information
Large amount is requested or must be searched
45 day limit unreasonably interferes with operations
Need to consult with another organization or public body to determine whether or not to give access to requested personal information or record
122
Extensions?
If time period is extended, the applicant must be told:
The reason for the extension
When they can expect a response
That they may ask the Commissioner to review whether the extension is reasonable
Decide quickly how long a response will take you, and be sure you can justify an extended time period if you select it
123
Exceptions to the Access Right Organizations may refuse to provide access to personal information that:
Is subject to a legal privilege
Solicitor-client privilege
Litigation privilege
Reveals confidential commercial information
Was collected for an investigation or legal proceeding
Might result in that kind of information no longer being provided to the organization
Was collected or created in the course of an arbitration or mediation
Relates to or may be used in the exercise of prosecutorial discretion
124
Exceptions to the Access Right Legal privilege” falls into two classes:
relating to direct communications passing between the client and the lawyer (solicitor-client)
concerning confidential communications with third parties relating to an action in place or a prospective action. (litigation)
Solicitor - Client Privilege
Generally speaking, 3 conditions:
1. the communication is intended to be confidential
2. the communication is for the purpose of seeking or giving legal advice
3. the communication is between a lawyer and client
125
Exceptions to the Access Right
Litigation Privilege
Communication with a third party
The person who authorized the creation of the record intended for it to remain confidential
If prepared by a lawyer, then lawyer’s intention governs even if lawyer authorized by another
The dominant purpose for the creation of the record was to submit it to a legal advisor for advice and use in existing or reasonably contemplated prospect of litigation
126
Exceptions to the Access Right
An organization may refuse to give access to a record if the information was collected for an investigation or legal proceeding
Important for security investigations!
127
Practical considerations in an investigation
Document being prepared in respect of an investigation or legal proceeding, existing or contemplated - clearly marked as such on the document
At document creation, investigations of employee / third party behaviour or performance should be clearly stated as the purpose on any document to prevent debate about intention if these documents are the subject of an access request or complaint
128
Exceptions to the Access Right Organizations must refuse to provide access to personal information where:
The disclosure could reasonably be expected to threaten the life or security of another individual
Personal information about another individual would be revealed
The identity of an individual who provided a confidential opinion about another individual would be revealed, and the opinion provider does not consent to the revealing of their identity
129
Exceptions to the Access Right
Records may be stripped of information that an organization cannot or will not disclose
Burden is on the organization to show that the information and records not disclosed meet one of the exceptions.
130
What should be in a response? Whether the applicant is entitled to everything that they requested
Whether or not all or part of the records containing the applicant’s personal information will be provided
When access will be given
Reasons for refusing access to some records, and the sections of PIPA authorizing the refusal
Name of a person in the organization the applicant can speak to about any refusal
Advisory to applicant that they may ask the Commissioner to review the decision of the organization
131
Severing records …
Where part of the information on a record may or must be withheld, an organization may sever that information, and disclose the rest.
Keep a copy of the original unsevered document, as well as a copy of the document as disclosed to the applicant
On the copy of the document as severed, write down the sections of PIPA used as authority to sever
132
Key questions to ask
Which jurisdiction applies? Which of the federal or provincial acts apply?
Does the individual requesting access have a right of access?
Is the information requested “personal information”?
What are the time lines to respond to the request?
133
Responding considerations In what form of record is the information contained (i.e. paper or electronic)? How will the individual be provided access? Will they receive a copy or be able to review the file itself?
Will the information need to be converted into a paper copy or translated?
Why was the information collected? What was the purpose for its use? To whom has the personal information been disclosed and under what circumstances?
Have you removed any information that you must not provide or may not be required to provide? Can you prove that you redacted information meets the criteria?
Does the response from the organization provide the specific information which is required to be provided to the individual under the legislation?
134
Can you prove it? At an inquiry into a decision under which an individual was refused
(a) access to all or part of the personal information about the individual or a record relating to the information, or
(b) information respecting the collection, use or disclosure of personal information about the individual,
it is up to the organization to establish to the satisfaction of the Commissioner that the individual has no right of access to the personal information about the individual or no right to the information requested respecting the collection, use or disclosure of the personal information about the individual.
135
PIPEDA Case #2017-009 The complainant was denied transportation on an airline flight
On the day of departure, officials responsible for screening passengers determined that the complainant was lacking appropriate documentation, and advised the airline to prohibit the complainant from boarding the aircraft.
Some months later, the complainant received a letter from the airline confirming that the airline tickets would not be reimbursed as having the appropriate travel documentation was the responsibility of the passenger.
The airline stated that “officials present at the airport for the purpose of screening passengers determined that [the complainant] was apparently lacking appropriate documentation, and consequently advised the airline to deny [the complainant] boarding.”
The airline advised that it must “strongly consider this expert advice failing which it risks incurring liability for improperly documented arriving passengers.”
136
PIPEDA Case #2017-009 The complainant submitted an access request to the respondent for his complete Passenger Name Record (PNR) and/or PNR history; and documents and/or notes and/or correspondence internally and/or with third parties relating to the airline denying him transportation.
The Airline acknowledged receipt of the request and advised a response would be provided within the next 30 days.
The Airline provided the complainant with a copy of all records under the airline’s booking reference number including an interception report.
The complainant believed the information received to be incomplete and submitted a complaint to the Office of the Privacy Commissioner regarding the airline’s refusal to respond to his access request, specifically pertaining to the access request related to all documents exchanged with third parties on the day of the incident.
137
PIPEDA Case #2017-009 The airline responded to CPC and claimed it would not be able to provide any documents, notes and correspondences internally and/or with third parties relating to the complainant being denied transportation due to s. 7(1)(b) and 7(3)(c.1)(ii) of PIPEDA.
s. 7(1)(b)- an organization may collect personal information without the knowledge or consent of the individual only if it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province.
s. 7(3)(c.1)(ii) - an organization is not required to give access to personal information if the information was collected under s. 7(1)(b).
The CPC investigated. 138
PIPEDA Case #2017-009
On the day of the incident, officials determined that the complainant lacked appropriate documentation required for entry into the country.
The information was collected in order to investigate potential non-compliance to the Immigration and Refugee Protection Act and a recommendation by the government provided to the airline to disallow boarding of the complainant.
The airline asked the government agency if they could disclose this information.
The agency said no.
139
PIPEDA Case #2017-009 CPC: The exemption s. 7(1)(b) applied in this case and so the complainant’s consent was not required for the collection.
Since the complainant’s personal information was collected in order to assess his travel status, CPC found it reasonable to expect that if the complainant had known the purpose for which his personal information was to be collected, the true exchange of information between the complainant and the government institution could have been compromised.
Ultimately, international airline organization have a responsibility to ensure the accuracy of all travel information and documents.
There was no disclosure as the airline disclosed the complainant’s personal information within the exemption to consent parameters of s. 7(3)(c.1)(ii).
Specifically, the airline disclosed the complainant’s personal information to a government institution that was investigating and gathering intelligence for the purpose of enforcing the Immigration and Refugee Protection Act.
140
PIPEDA Case #2017-009 S 9(2.1) to 9(2.4) set out a scheme that organizations must respect when individuals seek information regarding disclosures of information made under s.7(3)(c.1)(ii).
The purpose of the scheme is to protect the integrity of lawful investigations.
Accordingly, where an individual seeks either: (a) to be informed about a disclosure to which these provisions apply or the existence of any information that the organization has relating to such a disclosure, or (b) access to such information itself, then the organization has an obligation to follow the process set out under s. 9(2.2).
This provision requires the organization, where it has made a disclosure to a government institution or a part of it, to ask the institution whether it objects to the disclosure of the information sought on certain grounds.
If the government institution objects, then the organization becomes subject to s. 9(2.4), which require refusing the request, informing CPC, and not disclosing any of the information.
CPC finds the airline was limited in the manner it could respond to the complainant’s request for information, in accordance with s. 9(2.4).
Specifically, under s. 9(2.4)(c), all the information the airline had, namely, the complainant’s personal information, was related to the disclosure to the government institution, which it was prevented from disclosing pursuant to s. 9(2.4)(a).
141
Privacy resources Federal Privacy Commissioner’s web site http://www.privcom.gc.ca/ index_e.asp
E-Kit for Business http://www.privcom.gc.ca/ekit/ekit_e.asp
Alberta FOIP web site http://www3.gov.ab.ca/foip/
Alberta Office of the Information and Privacy Commissioner
http://www.oipc.ab.ca/
Alberta PSP web page and resource links http://www.psp.gov.ab.ca/
142
Access Requests and Complaints
Questions?
143
Privacy
Any final questions?
144