Annual Report to Parliament 2006

Report on the Personal Information Protection and Electronic Documents Act

Office of the Privacy Commissioner of Canada
(613) 995-8210, 1-800-282-1376

© Minister of Public Works and Government Services Canada 2007
ISSN 1913-3367

This publication is also available on our Web site at www.privcom.gc.ca.

May 2007

The Honourable Noël A. Kinsella, Senator

Dear Mr. Speaker:

I have the honour to submit to Parliament the Annual Report of the Office of the Privacy Commissioner of Canada on the Personal Information Protection and Electronic Documents Act for the period from January 1 to December 31, 2006.

Sincerely,
Jennifer Stoddart

May 2007

The Honourable Peter Milliken, M.P.

Dear Mr. Speaker:

I have the honour to submit to Parliament the Annual Report of the Office of the Privacy Commissioner of Canada on the Personal Information Protection and Electronic Documents Act for the period from January 1 to December 31, 2006.

Sincerely,

Jennifer Stoddart

Table of Contents
Research into Emerging Privacy Issues
Substantially Similar Provincial and Territorial Legislation Complaint Investigations and Inquiries
Public Education and Communications
Message from the Commissioner
The year 2006 proved there has never been a greater need to take the protection of personal information seriously – new data breaches reinforced our concerns about both security issues and trans-border data flows. It was also a year to take stock of Canada’s private-sector privacy regime and look for ways to create even more effective legislation to govern privacy issues.

Moving information across borders

For several years, the Office of the Privacy Commissioner (OPC) has warned of the serious privacy risks introduced when Canadians’ personal information moves across borders. These concerns initially arose when the USA PATRIOT Act granted the US Federal Bureau of Investigation new powers to access personal information held by US organizations. They re-emerged in 2006, when the international press reported that the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a European-based financial cooperative that supplies message services and interface software to financial institutions in more than 200 countries including Canada, had secretly disclosed personal information to the US Treasury. These media reports were alarming and prompted the OPC to launch an investigation. Our conclusions, reached after the reporting period covered in this document, are outlined in my April 2007 Report of Findings. (That report is available on our Web site, www.privcom.gc.ca.) In brief, we found SWIFT did not contravene the Personal Information Protection and Electronic Documents Act (PIPEDA), to which it is subject, when it complied with lawful subpoenas served outside the country and disclosed Canadians’ personal information to foreign authorities. However, the disclosure process could have been more transparent if the government bodies involved had used existing information-sharing mechanisms, which have privacy protections built in.
We have asked Canadian officials to work with their US counterparts to encourage them to use these mechanisms, rather than the subpoena route, to obtain information in the future.

More data security concerns

A separate set of media reports about major data breaches also provoked concern among Canadians toward the end of 2006. A few private sector organizations – notably a mutual fund subsidiary of the Canadian Imperial Bank of Commerce (CIBC) and the US-based owner of Winners and HomeSense stores – acknowledged they had lost huge amounts of sensitive personal information. While these types of data compromises are not a new phenomenon, the massive volume of these privacy breaches and the media headlines brought them to public light in a dramatic fashion. The media coverage also reinforced for the Parliamentary committee reviewing PIPEDA the very serious nature of privacy breaches, as well as the need for further legislative and policy measures to better protect personal information held by private sector companies.

An important Parliamentary review

The launch of that review of PIPEDA by the House of Commons Standing Committee on Access to Information, Privacy and Ethics marked an important development for private sector privacy issues in Canada. The review began in late 2006. This was the first five-year review of the Act, which came into force in stages beginning in 2001. Long before the committee hearings started, my Office was gearing up to identify measures to improve the Act. Overall, PIPEDA has generally proved to be sound legislation. That said, some parts require updating and fine-tuning to better address the effects of intrusive technologies, the increasingly inquisitive private sector environment, and the heightened desire by governments, post 9/11, for access to personal information held by the private sector. In July 2006, we released a consultation document inviting input about possible amendments.
We received more than 60 submissions and presented an analysis of those to the committee in November. The strong response affirmed for us the keen interest among Canadian consumer groups, academics, businesses and citizens to see to it that personal information in the private sector is properly protected. National surveys consistently find that Canadians appreciate the importance of privacy in their daily lives.

The end of an era

Sadly, 2007 will mark the end of an era for this Office. Heather Black, Canada’s first Assistant Privacy Commissioner for PIPEDA, will retire early in the year. For almost 25 years, Heather has been a guiding force in Canada on privacy matters. Before joining the OPC, she acted as one of the architects of PIPEDA at Industry Canada. She has guided the Act’s interpretation in its first five years of application – first as General Counsel to this Office, then as Assistant Commissioner responsible for PIPEDA. The OPC, colleagues elsewhere in government, organizations subject to PIPEDA and, most of all, the Canadian public, have all benefited from her extraordinary depth of knowledge, and sage and balanced approach. I thank Heather for her tremendous contributions, and I sincerely hope her voice will continue to be heard on privacy issues.

Looking ahead

We were busy at the end of 2006, laying the groundwork for what will undoubtedly be an exciting time in our Office’s history. We are hosting the who’s who of the privacy world at the 29th International Conference of Data Protection and Privacy Commissioners in Montreal in the fall of 2007. Our theme, Privacy Horizons: Terra Incognita, points to the challenge we face as we enter the uncharted privacy ground of the future. Each year brings new challenges for privacy.

Jennifer Stoddart

PIPEDA Review

Section 29 of PIPEDA requires Parliament to review Part 1 of the Act (the portion dealing with data protection) every five years.
As the Act came into force in stages starting in 2001, the initial five-year review was scheduled for 2006. The House of Commons Standing Committee on Access to Information, Privacy and Ethics began the review in the late fall. In preparation, our Office issued a consultation paper identifying 12 key issues for consideration. We were delighted to receive more than 60 responses to that paper from a variety of organizations and individuals, which the Commissioner presented to the committee in November. Committee hearings continued into 2007, involving a cross-section of organizations, private sector associations, privacy advocates and individuals. At the time of this report’s writing, the committee had just issued its report. We will include our comments in next year’s annual report.

Generally, PIPEDA continues to prove relevant and effective. It strikes an appropriate balance between the right of individuals to maintain the privacy of their personal information and the need of organizations to collect, use and disclose personal information for reasonable purposes. Our form of ombudsman model, which includes litigation and audit powers, continues to provide the Privacy Commissioner with sufficient authority to bring organizations into compliance with PIPEDA; no specific order-making power is required at this time. Nevertheless, there is room for change in other areas. As detailed in the Commissioner’s appearance before the committee, certain amendments could serve to clarify and enhance the Act.

Incorporating provincial concepts

Many of the more complex complaints received by the OPC deal with the disclosure of employees’ personal information. The notion that free and informed consent is required from an employee before an organization can collect his or her personal information is out of sync with the realities of the employment environment.
Employees in a weak bargaining position may be pressured to consent to the collection, use and disclosure of their personal data. The OPC proposed that the Parliamentary committee explore, as an example, Alberta’s private sector legislation, the Personal Information Protection Act, which establishes a reasonableness test for deciding when the collection of personal employee information is acceptable. We also suggested PIPEDA amendments related to this issue incorporate the notion of dignity of the person—an element of Quebec’s private sector law.

In addition, we asserted that PIPEDA could benefit from adopting other elements of the second-generation private sector privacy laws of Alberta and British Columbia. Those laws include provisions related to the disclosure of personal information as part of the sale or transfer of a business. Both provinces allow prospective purchasers to see client lists and employee information as part of corporate due diligence. Our Office recommended that PIPEDA allow for similar disclosures, but under stringent confidentiality agreements. We also support adding a provision making it an offence to willfully attempt to collect personal information without consent. This is an element included in Alberta’s private sector law.

Disclosure with jurisdictions outside Canada

Growing cross-border flows of personal data mean that, from time to time, the OPC receives complaints concerning information-access activities occurring outside Canada. Many countries face similar challenges and have introduced provisions for limited information-sharing while carrying out investigations of mutual interest. In its current form, PIPEDA allows the Commissioner to share information and cooperate in investigations with provincial counterparts who have substantially similar legislation. While the Act already includes an Accountability Principle to help protect personal information once it leaves Canada, there is room for improvement.
With a view to more effective enforcement and to increasing Canadians’ comfort with trans-border data flow, we recommended that the Privacy Commissioner be given specific authority to share investigation information with international counterparts while cooperating on investigations of mutual interest. The Commissioner will continue to address cross-border challenges related to enforcement of privacy laws in her work as Chair of a Working Group of the Organization for Economic Co-operation and Development (OECD) Working Party on Information Security and Privacy.

Disclosure related to national security

In our November appearance before the committee reviewing PIPEDA, we reiterated our concern about PIPEDA’s provision allowing organizations to collect and disclose personal information for law enforcement and national security purposes. The Public Safety Act, 2002 amended PIPEDA to grant such permission. Our Office had requested that the provision be removed at the time Parliament was reviewing the bill. We contend that it begs removal or, at the very least, restriction to limit its unnecessarily broad scope.

Notification of breaches

Finally, the Commissioner recommended that PIPEDA be amended to include mandatory breach notification when personal information is lost. We recognize this does not fit easily into the current PIPEDA model, as there is no easy way to penalize organizations failing to notify. As such challenges are considered, the Commissioner is working with relevant and interested stakeholders to develop voluntary guidelines for organizations to follow in the event of a breach.

Review of the Privacy Act

We are very pleased that PIPEDA mandates that a review of the legislation be conducted every five years and we look forward to seeing the law keep pace with new challenges. Canada’s quarter-century-old public sector legislation, on the other hand, called only for one mandatory review after three years.
A committee did review the Privacy Act, but its recommendations were never acted upon. Subsequent calls for reform have also been overlooked. The Privacy Act is now extremely out of date and in urgent need of its own review and overhaul.

Policy

In today’s global economy, personal information is constantly flowing – within jurisdictions, across provincial boundaries and between countries. Trans-border information flows benefit both private sector companies and consumers. They allow multinational corporations to distribute their business centres throughout the world, take advantage of lower-cost labour and regionally specialized expertise, and transcend the limits of the eight-hour workday. Trans-border flows allow consumers to enjoy exceptional customer convenience. We can now book vacations and shop online, receive customer service 24/7, and tap into bank accounts and credit sources from anywhere in the world.

A flood of information

Thanks to the falling costs of telecommunication and the enhanced processing and memory capabilities of computers, the volume of personal data being generated by this always-on economy is growing exponentially. One needs only to think of the enormous amounts of information shared during online searches or social networking Web site visits. More organizations have access to more information about more people than ever before. With each transfer of information, the threats posed by hackers, unscrupulous employees and identity thieves increase. Instances of laptop theft or loss, and careless handling of information only intensify the risks. As the threats become clearer and the potential damage apparent, the security of personal information has taken on new importance and created new challenges for entities such as the OPC.

2006 investigations

Data breaches are becoming more regular occurrences. At year-end, the OPC was involved in two major data breach investigations.
We launched a joint investigation with the Information and Privacy Commissioner of Alberta, Frank Work, into a breach of the database of TJX Companies Inc., operator of Winners and HomeSense stores in Canada. Hackers allegedly gained access to the company’s database, which contained the personal information of Canadian customers.

We also began an investigation into a breach involving the personal information of close to half a million clients of Talvest Mutual Funds, a subsidiary of the Canadian Imperial Bank of Commerce (CIBC). We launched this Commissioner-initiated investigation after the bank notified our Office of the disappearance of a hard drive containing the personal information and financial data of approximately 470,000 Talvest clients.

Jurisdictional considerations

In the post-9/11 world, personal information is often seen as valuable intelligence that can help identify security threats and detect transnational crimes such as money laundering and terrorist financing. When personal information moves across borders, it may become subject to different legal regimes. Individuals may lose some of their privacy rights, such as the ability to request access to the information or seek redress if the information is unlawfully used or disclosed. Countries around the globe are recognizing the need to make the protection of personal data as it crosses borders as seamless as possible. The importance of international cooperation has been recognized by a number of bodies, including the International Conference of Data Protection and Privacy Commissioners, Asia Pacific Economic Cooperation, and the European Union’s Article 29 Working Party on Data Protection. With greater awareness of the threats associated with increased trans-border data flows, consensus is emerging around the importance of promoting closer co-operation among privacy enforcement authorities in different countries.
International investigations

In 2006, the OPC learned that US authorities were obtaining access to Canadians’ financial information – without their knowledge – through the Society for Worldwide Interbank Financial Telecommunication (SWIFT). SWIFT is a European-based financial cooperative that supplies messaging services and interface software to financial institutions in more than 200 countries, including Canada. The OPC launched an investigation to determine whether SWIFT was improperly disclosing personal information to foreign authorities.

We also reopened our investigation of Accusearch (also known as Abika.com) following a Federal Court ruling which confirmed our jurisdiction to investigate a complaint against an organization that operates out of the US to service customers from many countries, including Canada, by selling personal information about individuals via the Internet. The Federal Court’s decision highlighted the practical difficulties associated with investigating an organization operating outside the country. We have been able to address some of these challenges with the assistance of the US Federal Trade Commission (FTC), which, following the passage of the Safe Web Act by the US Congress, has greater freedom to share information with other authorities.

Our active involvement in solving such challenges will continue. In 2006, the Privacy Commissioner was asked to chair an OECD volunteer group that is examining ways to encourage cross-border enforcement cooperation. The OPC also contributed to work by Asia-Pacific Economic Cooperation (APEC) on privacy issues. In light of our increasing data flows with a number of APEC member countries, Canada has been active in ensuring that our privacy values are reflected in APEC data protection rules. APEC ministers endorsed the new APEC Privacy Framework at the end of 2006.

Research into Emerging Privacy Issues

Our Contributions Program was launched in 2004 to advance independent research in priority areas.
The program has been applauded by the research community and privacy experts as vital to galvanizing action around the broad spectrum of privacy issues we face in Canada. The Contributions Program aims to foster an understanding of the social value of privacy so Canadians may better address emerging issues. Section 24 of PIPEDA requires the Privacy Commissioner to:
Participants and funding levels

A total of 26 research projects have been funded by the Contributions Program in its first three years of operation – 10 in 2004-05, five in 2005-06, and 11 in 2006-07. (Note: The Program follows the government fiscal year, from April 1 to March 31.) The Office selects research projects through a rigorous competition process through which the very best proposals, which represent the diverse research capacity across Canada, are chosen. While the majority of successful applicants have been from universities, projects led by non-governmental organizations and professional associations have also received funding. Researchers enter into signed agreements with the OPC and report quarterly so the Office can monitor their progress. As of March 31, 2007, over $900,000 has been awarded since the program’s inception. A fourth call for proposals was issued in January 2007 for the coming fiscal year (2007-08).

Key research themes

Research funded by the OPC in 2006-07 looked at a number of important privacy issues, including:
Contributing to public policy debate

Over the last three years, research funded under the Contributions Program has served to advance public debate on privacy issues in Canada and abroad. For example, several studies have focused on compliance with PIPEDA and implementation of relevant guidelines. Research in this area has fed into the five-year review of the legislation by Parliament. Other studies have helped raise awareness of workplace privacy issues, attracting significant national media attention.

Looking ahead

Priority areas identified for 2007-08 include:
Program evaluation

Under the federal government’s Transfer Payment Policy, contribution programs must be reviewed periodically to affirm their continued relevance, success and cost-effectiveness. The OPC has committed to an independent program evaluation in 2008-09. By year-end, a draft evaluation framework had been developed. It is based on Treasury Board’s 2005 Results-Based Management and Accountability Framework. The evaluation, which will involve consultations with various stakeholders, will facilitate any decision to renew the terms and conditions of the program. It will ultimately ensure the accountability and good management Canadians expect.

Substantially Similar Provincial and Territorial Legislation

Section 25(1) of PIPEDA requires our Office to report annually to Parliament on the “extent to which the provinces have enacted legislation that is substantially similar” to the Act. In past annual reports, we have reported on legislation in British Columbia, Alberta, Ontario and Quebec which has been declared substantially similar. No provinces or territories enacted legislation in 2006 for which they have sought consideration as substantially similar to PIPEDA.

Complaint Investigations and Inquiries

In 2006, the OPC observed some interesting and encouraging trends, stemming in part from increased knowledge and understanding of PIPEDA by private sector organizations. Highly publicized data breaches raised the profile of personal-information protection as a public concern. The events made clear that the relationship of trust between consumers and private sector organizations depends on the organizations’ responsible handling of customers’ personal information. This reinforced PIPEDA’s importance as a mechanism for ensuring private sector accountability.

Inquiries

We saw an increase in the number of PIPEDA-related inquiries in 2006. The OPC received 6,050 inquiries, compared with 5,685 in 2005 – an increase of 6.4 per cent.
However, there has been an overall decline in inquiries since 2003, when our Office fielded 12,132 inquiries. This decline possibly indicates that Canadian organizations and individuals are becoming more familiar with the legislation. PIPEDA came into effect in stages, beginning in January 2001. Since January 2004, PIPEDA applies right across the board – to all personal information collected, used or disclosed in the course of commercial activities by all private sector organizations, except in provinces which have enacted legislation that is deemed to be substantially similar to the federal law.

Complaints

We received 424 complaints in 2006, compared with 400 in 2005. Complaints against some of the major sectors covered by PIPEDA since 2001 (financial institutions, insurance companies and the transportation sector) declined slightly, but industries subject to PIPEDA only since 2004 – such as the retail and accommodation sectors – figured in substantially more complaints than in previous years. Going forward, these companies will need to take steps to ensure greater compliance with the Act.

Additional pressure for the private sector to adequately safeguard personal information is coming from individual Canadians, who are increasingly demanding a high standard of privacy protection. With the proliferation of identity theft and fraud, more and more consumers will seek protection through PIPEDA and hold organizations accountable.

The OPC closed 309 complaints in 2006, compared with 401 the previous year. The majority involved three issues: use and disclosure (111, or 36 per cent); collection (74, or 24 per cent); and access (51, or 16 per cent).

Disposition of complaints
An analysis of the disposition of complaints completed in 2006 shows that only five per cent were deemed to be well-founded, compared with 10 per cent in 2005. Twenty per cent were resolved, which is an increase of nine per cent over 2005. The total of early resolution, settled and resolved complaints represented 51 per cent of closed complaints. Not well-founded complaints accounted for 21 per cent of the total.

Our role as a public advocate for the privacy rights of Canadians is reflected in the large percentage of complaints that are settled during the course of investigation. Many complaints are settled through mediation, negotiation and persuasion, resulting in resolutions that satisfy all parties. In 2006, the number of settled complaints dropped by 13 per cent; yet they still made up the biggest proportion (26 per cent) of closed complaints – the same percentage as in 2005. We will continue to use this approach because settlement is a fundamental aspect of an ombudsman’s role of helping organizations change their culture and find solutions to their problems with clients and employees. Furthermore, the willingness of private industry to settle is encouraging as it demonstrates their recognition of the critical importance of protecting customers’ personal information.

Preliminary letters of findings

Sending out preliminary letters of findings was a new routine process step introduced in 2006, following policy changes the previous year. These letters are sent to complainants and respondents whenever there is a likely contravention of PIPEDA. Each letter contains specific recommendations and requires the private sector organization to respond to the Commissioner within a prescribed timeframe, detailing how it intends to implement her recommendations. In 2005, the Commissioner adopted a policy of going to the Federal Court in all cases where companies failed to respond within the timeframe.
Last year, the OPC issued 26 preliminary reports, which prompted 21 of the organizations to comply with the Commissioner’s recommendations. The other organizations complied after the Office referred the matters to litigation.

The 26 preliminary reports were issued to big and small companies, and were spread across various industries. Six of these reports were sent to financial institutions, and six to insurance companies. The fact that almost one-quarter of preliminary reports involved these two sectors reflects the generally large size of financial and insurance organizations and the significant amount of personal information they collect in the course of their day-to-day operations. Sectors such as banking, telecommunications and insurance, which have been operating under PIPEDA since 2001, are often issued recommendations that involve fine-tuning existing privacy policies and procedures, rather than starting such policies from scratch.

Nine of the preliminary reports were sent to businesses, such as law firms, fitness clubs, real estate firms and retail sector companies, which only came under the Act in 2004. The recommendations issued to them generally involved setting up privacy policies and procedures such as designating a privacy officer, training staff, and developing information for customers.

The new process of sending out preliminary letters of finding has been very effective in encouraging both the OPC and the private sector to find innovative solutions to bridge the privacy gaps uncovered during investigations. It has also strengthened commitments made by organizations to comply with PIPEDA.

Treatment times

The average treatment time for a complaint (calculated from the moment the complaint is received to the mailing of the letter of finding) was 16 months in 2006.
This represents an unfortunate increase of five months over 2005, partly attributable to the increased complexity of some investigations and the new internal process requiring preliminary letters of findings to be sent. However, most of the increase is attributable to the loss of experienced personnel in our PIPEDA investigative group through career mobility or leave. People with investigative skills are in high demand across the government, which means we are seeing a higher turnover than in the past and have a bigger challenge recruiting experienced people. We were significantly below our full complement of 17 PIPEDA investigators. Our backlog of complaint files peaked mid-year; however, the hiring of some new investigators allowed us to make impressive strides. By year-end, 57 per cent of those files had been assigned to investigators. As outstanding vacancies are filled and new investigators gain experience, we aim to further reduce and eliminate the backlog.

Case summaries

Case summaries of the Commissioner’s findings under PIPEDA are available on the OPC Web site, www.privcom.gc.ca. Of the 309 cases we closed in 2006, 40 are summarized on our Web site. In general, the OPC summarizes complaints that may be of public interest, have some educational value, examine a systemic issue, or deal with a particular issue for which there is no existing case summary.

Major sectors, which collect and use a great deal of personal information, such as banking and insurance, have been a steady source of complaints. Therefore, there are a number of case summaries highlighting related issues that may be of interest to the public. We chose case summaries for complaints against federal works, undertakings or businesses that reflect their experience in working with PIPEDA. For example, one particularly complex case we summarized involved complaints that several workers filed against a telecommunications company regarding the use of a global positioning system in its vehicle fleet.
We will no doubt be investigating more complaints of this sort as new technologies play a larger role in our everyday lives. Other summaries include cases from the medical sector, property management companies and law firms, among others.

Not surprisingly, more case summaries focusing on identity theft were added to our Web site during 2006. This trend will likely continue as identity theft continues to be highlighted in the news and as people become more aware of their privacy rights, particularly as they relate to how their personal information is safeguarded. On the one hand, some case summaries illustrate this increased consumer awareness. On the other hand, other summaries also show companies are taking steps to verify customers’ identification so that their personal information is well-protected and the possibility of identity theft is reduced.

Self-reporting

In 2006, the number of instances where organizations reported data breaches to the OPC jumped by 41 per cent. This significant increase in self-reporting may illustrate an increased awareness by the private sector of the need to accept the responsibilities that come with maintaining customers’ personal information. It is clear that we are seeing a heightened awareness of privacy rights among Canadian companies. Recently publicized data breaches have no doubt also contributed to consumers’ knowledge of their privacy rights.

Audit and Review

Subsection 18(1) of PIPEDA gives the Commissioner the authority to audit the personal information management practices of an organization where reasonable grounds exist to believe the organization may be contravening the fair information practices set out in the Act and its accompanying Schedule. In 2006, the OPC continued to develop its audit capacity in order to apply the audit provision toward the examination of systemic risks.
A new organizational structure was developed and a staffing action plan implemented that will allow the OPC to acquire additional audit resources.

Audits initiated in 2006

Two audits were initiated in 2006, pursuant to subsection 18(1) of PIPEDA. Complaint investigations raised concerns about certain identification and authentication systems and reasonable grounds were found to believe there was inadequate protection of personal information. Audits were deemed the appropriate means to examine the risk. In August 2006, the two entities involved were notified of the audit, given information on how reasonable grounds were reached, and provided with an outline of how the audit would proceed. Introductory meetings were held in October 2006. At year-end, the audits were still in process. Results will be included in the 2007 annual report.

Equifax audit

One organization, Equifax Canada Inc., took the position that the Privacy Commissioner did not have reasonable grounds to do an audit. In November 2006, Equifax initiated proceedings in the Federal Court, asking the Court to review the decision that there were reasonable grounds to conduct an audit. It also asked the Court for an interim injunction that would stop the audit. While waiting for a court date, and with the cooperation of Equifax, the audit proceeded to carry out tests of the company’s on-line consumer credit reporting system. An out-of-court settlement was reached with Equifax in March 2007 and the audit is proceeding to its conclusion.

Strengthening privacy at CIBC

Between 2001 and 2004, the Canadian Imperial Bank of Commerce (CIBC) misdirected a number of facsimiles containing customers’ personal information. The OPC investigated and identified a number of concerns regarding the privacy protection safeguards within CIBC. The results of the complaint investigation were reported to the bank in March 2005. As a result of the faxing problem, CIBC recognized the need to strengthen its approach to privacy.
The bank subsequently informed the OPC of a number of corrective measures it had taken to address privacy issues and concerns. The Audit and Review Branch conducted a review to verify these corrective actions. (This was not an audit pursuant to subsection 18(1) of PIPEDA.) Our findings are summarized below: We concluded that CIBC had addressed the incidents of misdirected faxes by implementing measures to mitigate the risks associated with facsimile data transmission. Such measures included the deployment of a technological solution to ensure internal faxes remain within CIBC, the elimination of fax usage for certain business processes, and the creation of a fax control framework to better manage the dissemination of faxes to internal and external parties. It was suggested to CIBC that compliance with the control framework be addressed in privacy audits undertaken by the bank. In addition, we found CIBC had introduced notable measures to enhance its privacy management framework and had committed significant resources to increase privacy awareness among employees. These included:
Overall, we found that CIBC had fulfilled its commitments. We offered recommendations to the bank to further reinforce and enhance its privacy practices related to the reporting and classification of privacy issues and to employee privacy training. We would like to acknowledge the responsible action taken by the bank to strengthen its management of personal information.

Promoting compliance with PIPEDA

Audits are by no means the only way to promote compliance. The OPC encourages all organizations to evaluate their own privacy management systems and practices. To this end, in 2006, we made presentations to various associations, including the Chief Privacy Officers Council of Canada, the Canadian Bankers Association, the Canadian Alliance for Business Travel and the International Association of Privacy Professionals. The OPC also developed a self-assessment tool, now slated for release in July 2007.

In the Courts

The Privacy Commissioner initiates court action whenever an organization refuses to adopt her recommendations in well-founded cases. This policy, consistently applied since 2005, has helped to establish a high level of compliance.

Settled Cases

All recommendations made by the Commissioner in 2006 had been adopted by year-end. Resolution occurred in one of three ways: through an organization’s timely efforts to resolve issues before the Commissioner issued her final report on its case; through negotiated settlements between litigation counsel shortly after her report, before the Commissioner proceeded to file a Court Application seeking a compliance order; or soon after a Court Application was filed. In 2006, court applications were filed against the Commvesco-Levinson Viner Group (CLV Group) and Air Canada in order to seek their compliance with our recommendations. In the CLV Group case, we went to court in a bid to stop the landlord from collecting personal information from tenants, unnecessarily and without consent, particularly photographs of their apartments.
In the Air Canada matter, we applied to the Federal Court to enforce our recommendation that the organization adopt a clear policy recognizing its responsibility to provide access to personal information under PIPEDA, independently of what may or may not be its discovery obligations under civil litigation rules. In each case, the matter settled without the need to pursue it through to an actual court hearing. Although another court application was filed in 2006 against Air Canada, dealing with the extent of personal health information collected by the organization to satisfy itself of an employee’s ability to return to work, the parties were actively in the course of settlement discussions at the time of publication of this annual report and, therefore, the outcome will be reported on next year. In regard to our court application against RBC Action Direct Inc., described in last year’s annual report, we are pleased to say we reached a settlement with the organization and the action was discontinued, as RBC Action Direct agreed to disclose certain additional portions of the requested document to the satisfaction of the Privacy Commissioner.

Ongoing Litigation

Ongoing litigation continued in respect of judicial review applications under section 18.1 of the Federal Courts Act examining the extent of the Privacy Commissioner’s jurisdiction, and complainant-initiated court applications filed under section 14 of PIPEDA in which the OPC was involved as an added party. Significant court decisions rendered in 2006 follow. In keeping with the spirit and intent of our mandate, we have respected the privacy of individual complainants by not including their names.

Judicial review applications under section 18.1 of the Federal Courts Act

Three cases progressed through judicial review this past year, including the Blood Tribe matter (described below) that has been granted permission to proceed further to the Supreme Court of Canada in February 2008.
Blood Tribe Department of Health v. The Privacy Commissioner of Canada et al.

Complaint type | Count | Percentage |
---|---|---|
Access | 84 | 20 |
Accountability | 11 | 3 |
Accuracy | 11 | 3 |
Challenging Compliance | 3 | <1 |
Collection | 75 | 18 |
Consent | 13 | 3 |
Correction/Notation | 8 | 2 |
Fee | 3 | <1 |
Openness | 1 | <1 |
Retention | 11 | 3 |
Safeguards | 34 | 8 |
Time Limits | 17 | 4 |
Use and Disclosure | 153 | 36 |
Total complaints | 424 | |
Complaints received between January 1 and December 31, 2006
Sector | Count | Percentage |
---|---|---|
Financial Institutions | 108 | 25 |
Insurance | 51 | 12 |
Telecommunications | 55 | 13 |
Other | 56 | 13 |
Sales | 58 | 14 |
Transportation | 37 | 9 |
Accommodation | 29 | 7 |
Professionals | 11 | 2 |
Health | 7 | 2 |
Services | 7 | 2 |
Rental | 5 | 1 |
Total complaints | 424 | |
Complaints closed between January 1, 2006 and December 31, 2006
Complaint type | Count | Percentage |
---|---|---|
Access | 51 | 16 |
Accountability | 5 | 2 |
Accuracy | 9 | 3 |
Challenging Compliance | 2 | 1 |
Collection | 74 | 24 |
Consent | 11 | 3 |
Correction/Notation | 4 | 1 |
Fee | 6 | 2 |
Openness | 1 | 0 |
Other | 5 | 2 |
Retention | 6 | 2 |
Safeguards | 18 | 6 |
Time Limits | 6 | 2 |
Use and Disclosure | 111 | 36 |
Total closed complaints | 309 | |
Complaints closed between January 1, 2006 and December 31, 2006
Finding | Count | Percentage |
---|---|---|
Discontinued | 35 | 11 |
Early Resolution | 15 | 5 |
No jurisdiction | 8 | 3 |
Not well-founded | 65 | 21 |
Other | 2 | 0 |
Resolved | 62 | 20 |
Settled | 81 | 26 |
Well-founded | 14 | 5 |
Well-founded Resolved | 27 | 9 |
Total closed complaints | 309 | |
Complaints closed between January 1, 2006 and December 31, 2006
Complaint type | Discontinued | Early Resolution | No Jurisdiction | Not Well-founded | Other | Resolved | Settled | Well-founded | Well-founded Resolved | TOTAL |
---|---|---|---|---|---|---|---|---|---|---|
Access | 6 | 0 | 1 | 7 | 0 | 19 | 14 | 1 | 3 | 51 |
Accountability | 0 | 0 | 0 | 0 | 0 | 0 | 3 | 1 | 1 | 5 |
Accuracy | 0 | 0 | 0 | 4 | 0 | 2 | 3 | 0 | 0 | 9 |
Challenging Compliance | 0 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | 0 | 2 |
Collection | 6 | 3 | 2 | 20 | 0 | 23 | 15 | 3 | 2 | 74 |
Consent | 1 | 1 | 0 | 5 | 0 | 1 | 3 | 0 | 0 | 11 |
Correction/Notation | 1 | 0 | 0 | 2 | 0 | 1 | 0 | 0 | 0 | 4 |
Fee | 0 | 0 | 0 | 0 | 0 | 5 | 0 | 0 | 1 | 6 |
Openness | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
Other | 1 | 0 | 0 | 1 | 2 | 0 | 1 | 0 | 0 | 5 |
Retention | 0 | 0 | 0 | 1 | 0 | 2 | 3 | 0 | 0 | 6 |
Safeguards | 4 | 3 | 1 | 1 | 0 | 2 | 4 | 0 | 3 | 18 |
Time Limits | 0 | 0 | 0 | 2 | 0 | 1 | 1 | 2 | 0 | 6 |
Use and Disclosure | 16 | 8 | 4 | 20 | 0 | 6 | 33 | 7 | 17 | 111 |
TOTAL | 35 | 15 | 8 | 65 | 2 | 62 | 81 | 14 | 27 | 309 |
Complaints closed between January 1, 2006 and December 31, 2006
Sector | Discontinued | Early Resolution | No Jurisdiction | Not Well-founded | Other | Resolved | Settled | Well-founded | Well-founded Resolved | TOTAL |
---|---|---|---|---|---|---|---|---|---|---|
Accommodations | 0 | 1 | 0 | 2 | 0 | 3 | 11 | 2 | 0 | 19 |
Financial Institutions | 6 | 1 | 4 | 25 | 0 | 15 | 19 | 7 | 15 | 92 |
Health | 1 | 0 | 1 | 7 | 0 | 5 | 1 | 0 | 2 | 17 |
Insurance | 1 | 0 | 0 | 13 | 0 | 9 | 10 | 0 | 2 | 35 |
Other | 5 | 0 | 2 | 6 | 0 | 2 | 10 | 0 | 2 | 27 |
Professionals | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 1 | 4 |
Rental | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 0 | 0 | 2 |
Sales | 3 | 11 | 0 | 3 | 0 | 1 | 5 | 0 | 3 | 26 |
Services | 0 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | 0 | 2 |
Telecommunications | 10 | 2 | 0 | 4 | 0 | 24 | 13 | 1 | 1 | 55 |
Transportation | 8 | 0 | 1 | 4 | 2 | 3 | 9 | 2 | 1 | 30 |
TOTAL | 35 | 15 | 8 | 65 | 2 | 62 | 81 | 14 | 27 | 309 |
Number of complaints in abeyance on December 31, 2006: 76
Date published: 2007-05-29