Question

Hey there,

I understand that at any time I can request that a company tell me what information about me they have on file. I also understand that I can get them to correct any errors in that information, and that I can file a complaint if I feel that my personal information has been inappropriately used or sold.

But what happens if I withdraw my consent? Can I ask/demand that my personal information that has been stored be destroyed? Do they need to destroy the info once I asked for it to be destroyed?

And if the information is destroyed, how can I verify that it HAS been indeed destroyed?

Thanks for your time,

Answer

Hi Jon,

On the surface, PIPEDA does not seem to give individuals the right to request that organizations delete their personal information upon command.

This doesn’t mean that the personal information an organization collects has to linger in a database forever. If we dig deeper into the legislation we find privacy principles at play that work harmoniously to achieve a similar objective.

Let’s see what PIPEDA says about consent, data retention, and personal information after an organization has collected it.

Withdrawing Consent under PIPEDA

According to the third privacy principle of PIPEDA — Consent — an individual has the right to withdraw his or her consent at any time subject to any legal or contractual restrictions.

The individual must give the organization reasonable notice and the organization must inform the individual about the implications of withdrawing consent, if any.

That doesn’t solve our problem though. An organization is still in possession of your personal information even if you withdraw consent from it being used or disclosed. Data retention periods determine how long personal information will be kept for.

Minimum and Maximum Retention Periods

The fifth privacy principle of PIPEDA — Limiting Use, Disclosure, and Retention — states that an organization should implement minimum and maximum retention periods for personal information and should only retain personal information for as long as it is required to fulfill its intended purposes.

An organization may choose to hold all personal information it collects for a minimum of one year after its intended use and disclosure. It should be long enough to allow an individual to request his or her personal information, especially if it has been used to make a decision about that individual (e.g. a pre-employment check).

An organization may also be subject to legislative requirements with respect to retention periods.

If an organization is subject to an access request it should retain that information for as long as is necessary to allow the individual to exhaust any recourse under PIPEDA.

Once an organization has retained personal information for a maximum period, it must destroy, erase (delete), or make the information anonymous.

Destroying, Deleting, and Anonymizing Personal Information

Clause 4.5.3 of PIPEDA’s Limiting Use, Disclosure, and Retention principle states:

Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.

Rather than deleting or erasing full records containing personal information, many organizations find benefit in “anonymizing” personal information instead. This allows organizations to retain statistics about records while at the same time removing all traces of personal information from a record.

The problem with this technique is that it is sometimes possible to reverse-engineer “anonymous” data sets by combining that information with other publicly available information.

For example, in 2006 Netflix published 10 million movie rankings by 500,000 customers. The data set was made anonymous by removing personal information descriptors from the set. Through reverse engineering, researchers at the University of Texas were able to de-anonymize some of the data by comparing rankings and timestamps with public information available from the Internet Movie Database (IMDb) (full story).

Arstechnica has news of another story where an anonymous data set was used to unique identify patients from hospital records.

Legal Recourse under PIPEDA

PIPEDA’s Openness principle states that organizations need to be open about their policies and practices with respect to how personal information is managed.

If you want to know how long your personal information is retained for or how it is disposed of after its retention, write a letter or email to the organization. The privacy officer or personal responsible for privacy compliance should be able to explain what happens with your personal information.

If you think the organization retains your personal information for too long or does not dispose of it properly, try working it out with the organization. If that does not work or you are unsatisfied with the response, you may file a compliant with the Office of the Information and Privacy Commissioner of Canada. The routine is similar for organizations subject to privacy legislation in BC, Alberta, and Quebec.

Jon, I am unaware of any way you can guarantee that your personal information has been destroyed short of being able to inspect every database, record, and backup that an organization may have. If others have any input on this subject, I invite their comments below.

Hope this helps,
M.G.

Copyright © 2011 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags:

Question

If you provide personal contact (including email) and emergency contact information to a community group (theatre group or dance class for example), do they not need your consent to share your personal information with any other member of the group?

For example, hiding your email address in a distribution list?

Thanks,

Answer

Hi Robin,

A community group needs your consent to share personal information (e.g. contact information) if it is located in BC, Alberta, or Quebec.

The privacy legislation in those three provinces applies to all organizations whenever they collect, use, or disclose personal information. These non-profit organizations include charities, clubs, amateur sport associations, religious organizations, and community groups like theatre and dance class.

If you are not located in those three provinces, there is no private-sector privacy legislation that will apply. PIPEDA is Canada’s federal privacy legislation, but it only applies to an organization if it is engaged in commercial activities.

Assuming you are located in BC, Alberta, or Quebec, chances are that the community group you belong to shared your contact information because it thought it may be in the best interest of the group. They would also be unlikely to know that privacy laws apply to their operations.

A simple message to the offending individual (e.g. group administrator) stating that you would like your privacy and that of the group’s to be respected will likely prevent the same occurence from happening in the future.

Best,
M.G.

Copyright © 2011 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags:

Question

On an application form can an employer ask the following questions:

1. Do you have a criminal record?
2. Do you have any medical illnesses?

Thanks,

Answer

Hi Todd,

Whether an employer can ask you if you have a criminal record or medical illness is an interesting question because of its potential impact on your privacy and human rights. This question is usually asked by potential employers in the pre-employment screening stage of applying for a new job.

From a privacy perspective, an organization under PIPEDA must abide by the 10 Privacy Principles of PIPEDA, the fourth being Limiting Collection which states that the collection of personal information should be limited to what is necessary for the purposes identified.

In other words, an organization has no reason to ask about the existence of a criminal record or medical illness unless it has a justifiable reason for doing so.

From a human rights perspective, as a general rule, employers in Canada are forbidden to discriminate on certain grounds. These include:

1. Race
2. Religion
3. National/ethnic origin
4. Colour
5. Age
6. Sex/sexual orientation
7. Marital/Family Status
8. Physical/mental disabilities
9. Pardoned criminal offences

However, an employer can discriminate on these grounds if there is a “bona fide occupational requirement” — that means the organization can prove that discrimination is necessary to fulfill the requirements of the position.

The employer has an obligation to prove that the position would be impossible to accommodate without undue hardship.

Criminal Records

If an employer is asking you to declare any criminal offences, they will usually ask you to list those that have not been pardoned. The reasons for that are two-fold:

1. The criminal record check, if shared directly with the employer, should not contain any pardoned offences
2. An employer cannot discriminate on pardoned offences, so it doesn’t make sense to collect that information in the first place

The rules may be slightly different if you need to undergo a Vulnerable Sector Check.

You are not obligated to admit to a criminal record, but it is generally a better idea to be honest and up-front with a potential employer as a criminal record check should reveal all offences that have not been pardoned.

If you have an unpardoned criminal record, an employer can refuse to hire you depending on certain factors such as the nature of the offence and how long ago it occurred. This will depend on how relevant your offence is to the position and how comfortable the organization feels in hiring you for the position.

How to Get a Pardon

If you want to learn more about getting a pardon, contact Pardons Canada at http://www.pardons.org/ or 1 (877) 929 – 6011.

Medical Illnesses

Similar to asking if you have a criminal record, an employer can ask you if you have any medical illnesses which may make it impossible for you to fulfill the requirements of the position.

However, an employer must make every reasonable effort to accommodate someone who falls under the protected grounds of discrimination mentioned earlier. An employer does not need to accommodate if doing so would cause undue hardship.

Legal Recourse

If you believe you have been discriminated against, your legal recourse includes contacting your local human rights tribunal to file a complaint.

For contact information and a handy guide on workplace discrimination, the Commission for Labor Cooperation offers a free guide to employment discrimination laws in Canada.

Copyright © 2011 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags:

Question

I had subscribed for [Subscription Service]. Few months after I found out that they obtained my credit report without my consent or knowledge.

I have escalated this issue (and unsubscribed their service due to this concern) and [Provider] said I provided them implied consent by choosing to do business with them.

PIPEDA outlines that Consent must be obtained prior to collecting, using and sharing personal information and a person should be aware what one is consenting to.

My questions to you are:

1. Did [Provider] violate my privacy right under PIPEDA and/Privacy Act?
2. I live in Nova Scotia. Did they also possibly violate Provincial privacy laws by failing to obtain consent and notifying me about my Credit Check?
3. What legal recourse do I have against [Provider]?

Thank you.

Answer

Hi Rob,

One of the different types of consent an organization can obtain under PIPEDA or provincial privacy laws is implied consent — consent that can be reasonably inferred from an action.

Performing a credit check, however, usually cannot be done under implied consent. Credit bureaus will only allow member companies to perform credit checks on their applicants with express, written consent.

Rob, I have a hunch that two things have happened:

1. Whoever you spoke with on the phone may have not fully understood how your consent was obtained to perform a credit check and instead told you erroneous information.
2. An organization the size you are dealing with will likely have obtained your written consent somewhere throughout the contracts you signed.

My suggestion to you is to get the contact information of the individual or team responsible for privacy compliance and send your concern in an email or letter. You will likely receive a response back with the section of the contract you signed that permitted a credit check.

If the official response is that your credit was pulled with implied consent by way of doing business with that organization, submit a complaint to the Office of the Privacy Commissioner of Canada under PIPEDA. This is your legal recourse.

There is no specific private sector privacy legislation in Nova Scotia and as such, PIPEDA will apply to your scenario.

All the best,
M.G.

Copyright © 2011 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags:

Question

I have a complaint with the Human Rights Tribunal against my former employer. I suspect they are lying and it can easily be proved through my personal file at work.

Through PIPEDA could I apply to have access to it?

Answer

Hi Wayne,

PIPEDA most commonly applies to personal information that an organization collects, uses, or discloses in the course of commercial activities.

The information you are requesting is better referred to as “employee personal information” and PIPEDA only applies if it is used or disclosed “in connection with the operation of a federal work, undertaking or business.”

In other words, if your organization is federally regulated and falls under the legislative authority of the Parliament of Canada, such as the telecommunications and broadcasting industry, or is a local businesses in Yukon, Nunavut, or the Northwest Territories, then PIPEDA will apply.

If that doesn’t apply to you, you may also have a chance to access your employee personal information if you live in BC, Alberta, or Quebec, where their privacy legislation applies to all personal information collected, employee or customer related.

If your organization is a federal work, undertaking, or business, or you work in the private sector of BC, Alberta, or Quebec, write a letter to your employer requesting all personal information subject to the relevant privacy legislation.

If you are not satisfied with the response and cannot work out the matter, you may file a complaint to the privacy commissioner’s office in the appropriate jurisdiction (BC, AB, QC, or Canada federally).

Best,
M.G.

Copyright © 2011 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags:

One of the easiest and most inexpensive ways to create a clear screen policy is to use a template or learn and adapt from other policies online.

Below you will find a list of clear screen templates and policies created by other organizations. Feel free to browse them, learn from them, and adapt them to your own organization:

Clear Screen Policy Templates

• Clean Desk and Clear Screen Template (Desktopauditing.com)
• Clear Desk Clear Screen Procedure (Somerset Gov’t UK)
• Clear Desk and Clear Screen Policy (Emporia University)
• Clear Desk and Clear Screen Policy (Hampshire Fire and Rescue Services)
• Clear Desk and Clear Screen Policy (University of Mannheim)
• Clear Desk and Clear Screen Guidelines (Georgia Department of Human Resources)
• Clear Desk and Clear Screen Policy and Procedure (Concordia College)

Copyright © 2009 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags: clear screen policy, clear screen policy templates

One of the easiest and most inexpensive ways to create a clear desk policy is to use a template or learn and adapt from other policies online.

Below you will find a list of clear desk templates and policies created by other organizations. Feel free to browse them, learn from them, and adapt them to your own organization:

Clear Desk Policy Templates

• Clean Desk and Clear Screen Template (Desktopauditing.com)
• Clear Desk Clear Screen Procedure (Somerset Gov’t UK)
• Clean Desk Policy (sans.edu)
• Clear Desk and Clear Screen Policy (Hampshire Fire and Rescue Services)
• Clear Desk and Clear Screen Policy (Emporia University)
• Clean Desk Policy (University of Cincinatti)
• Clean Desk Policy and Guidelines (City of Toronto)
• Clean Desk Policy (BankersOnline.com)
• Clear Desk and Clear Screen Policy (University of Mannheim)
• Clear Desk and Clear Screen Guidelines (Georgia Department of Human Resources)
• Clear Desk and Clear Screen Policy and Procedure (Concordia College)

Copyright © 2009 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags: clear desk policy, clear desk policy templates

According to the study which surveyed more than 600 IT security professionals across the country:

IT security breaches cost the average Canadian organization an estimated $834,000 in 2009 – a 97 per cent increase from the $423,000 reported by the study last year (source).

IT security breaches happen when systems get compromised or sensitive information voluntary or involuntarily leaks from the system, often due to carelessness or dishonest employees. When a security breach involves the loss of people’s personal information it is commonly referred to as a privacy breach.

Many organizations are bound by privacy legislation to properly secure their systems with respect to the sensitivity of personal information collected but many still fail to do so.

Can we attribute these numbers to the state of the economy?

Not necessarily:

“Canadian organizations are finding it difficult to improve their security posture within the current economic climate.

However, we found several organizations that performed well despite the adversity. Those organizations tended to review whether or not they were focusing on the right threats and conducted regular assessments of their capabilities to prevent, detect and respond to security concerns,” said Alan Lefort, managing director, TELUS Security Labs.

While some organizations will not place a priority on keeping your personal information safe in a weak economy, many still do, so it is not an excuse.

Businesses must remember that personal information is a liability and it must take appropriate measures to secure it and properly train staff to handle it.

Advice for Organizations

Here’s some advice for organizations wanting to minimize the possibilities of a privacy breach:

• Hire a Privacy Officer. This will ensure that you have someone responsible for privacy compliance in the office. The privacy officer will need to work closely with security personnel from IT to secure systems containing personal information.
• Conduct Privacy Training Regularly. Employees need to be constantly reminded about the proper way to handle sensitive information (e.g. A document destruction and data destruction policy) so that it does not carelessly slip into the wrong hands.
• Hire Professional Help. If your organization realizes it has suffered a privacy breach, finding and hiring a privacy lawyer can be one of the smartest moves to make.

Copyright © 2009 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags: Privacy Breach

If you’re unfamiliar with the services of a privacy lawyer and the benefit they can bring to your organization, read the article on hiring a privacy lawyer.

In addition to hiring a privacy lawyer, you may also want to read the article on hiring a privacy officer — especially if your organization has not made an effort to become privacy compliant yet.

Copyright © 2009 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags:

Becoming privacy compliant is not an option for most organizations — it’s the law.

Not being prepared with the appropriate policies and procedures to handle your customers’ and clients’ personal information can cost your organization dearly later on in the form of legal services, deteriorating company image, and loss of business revenue.

One of the quickest and most surest ways of becoming privacy complaint is by hiring a privacy lawyer.

The Benefits of Hiring a Privacy Lawyer

Your organization has other options for ensuring privacy compliance. For example, you can hire a privacy officer. However, there are numerous immediate benefits by hiring the services of an experienced legal professional.

Get it Done Right — Right Away

Hiring a privacy lawyer means expertise immediately within your reach. Sure, they may cost more initially, but your organization will benefit by having results that you can count on now.

Developing Policies and Procedures

A privacy lawyer is able to create policies and procedures for the collection, usage, disclosure, and management of personal information that is consistent with your organization’s business processes.

You can rest assured that your organization’s policies and procedures are developed using best practices and backed by a professional.

Understanding Tricky, Cross-Border Issues

Many organizations are large, diverse, and have offices scattered throughout the globe.

For example, your organization may collect personal information from people in Canada, process that information in India where labour is cheap, and finally store the information in a data warehouse in the US.

When personal information crosses borders and is subject to difference privacy legislation, it is vital to have a privacy lawyer review your situation to ensure you are aware of your risks and responsibilities and are compliant in each area.

Responding to Access Requests and Complaints

What happens when you receive a nightmare access request?

A customer who seemingly knows privacy legislation better than the back of his hand is demanding volumes of records containing personal information and is demanding information about how his data is collected, used, stored, and deleted.

On top of that, he’s also threatening to make a complaint with the privacy commissioner if you do not provide a satisfactory response within thirty days.

Are you prepared to handle difficult privacy access requests and complaints?

Mitigating a Privacy Breach

Everyone knows about the financial damage that TJX corporation suffered when it failed to provide adequate security measures to protect the personal information it had collected.

A privacy lawyer can mitigate the chances of a privacy breach which has the power to cripple your organization. If your organization has already suffered a privacy breach, a privacy lawyer can help minimize its impact.

Privacy Training

For larger and more specialized organizations, training privacy officers, employees, and creating educational materials needs to be done properly. Some organizations can simply not afford to make mistakes.

Privacy training done properly will create knowledgeable, trained employees and reduce the risks of an employee making a careless mistake with your organization’s sensitive information.

Contracts

Perhaps the most important, a privacy lawyer can assess, create, or modify your legal contracts to ensure that your organization is legally covered in its business activities when collecting, using, and disclosing personal information.

Finding a Privacy Lawyer

PrivacySense offers a free Privacy Lawyer Directory where you can search for law firms practicing privacy law in Canada. Take a look at the law firms in your area and see what services they have to offer.

Conclusion

Privacy law is relatively young and not fully understood by a majority of businesses. Although hiring a privacy lawyer can seem expensive on the onset, your organization will save valuable time and costs in the long-run and will get started on the right foot by having dependable professional resources from an experienced law firm.

Once your organization has employed the use of a privacy lawyer, continuing to use one can be an ongoing, costly expense. Consider using the resources of a privacy lawyer to properly train a privacy officer you hire to handle the management of personal information in your organization.

Copyright © 2009 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags: