6th CACR Information Security Workshop
1st Annual Privacy and Security Workshop

(November 10, 2000)

Incorporating Privacy into the Security Domain: Issues and Solutions

Barry Sookman, Partner, McCarthy Tétrault

Chair, Internet and Electronic Commerce Law Group (Toronto)

[email protected]

(416) 601-7949

CANADA’S NATIONAL LAW FIRM

McCarthy Tétrault

Importance of Privacy

» Privacy protection for personal information is an important social goal
• OECD Guidelines 1980
• Council of Europe Convention 1985
• United Nations Guidelines 1990
• CSA Model Code for Protection of Personal Information 1995

Legal Basis for Privacy

» Common law

» Constitutional law

» Criminal law

» Privacy legislation
• EU Directive on the Protection of Personal Information
• Quebec Privacy Legislation
• Sectorial Legislation
• Bill C6 Protection of Information in the Private Sector
• Other Provincial Legislation

Fair Information Practice Principles

» OECD Guidelines 1980

» CSA Model Code for the Protection of Personal Information

» US Information Infrastructure Task Force

» Bill C-6 Protection of Personal Information in the Private Sector - modifies CSA Model Code

» Quebec Privacy Legislation

» Foreign Legislation - EU Directive on the Protection of Personal Information, COPPA

» Many reports, guidelines, and model codes set out fair information practices for private sector.

Bill C-6 - Purposes

» Express purpose “is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”

Phase-in of Act

» April 13, 2000: Received Royal Assent

» January 1, 2001: applies to federally regulated private sector; federal works, undertakings and businesses; inter-provincial and international disclosure for consideration

» January 1, 2002: applies to personal health information

» January 1, 2004: applies to all private sector commercial activities

To Whom Does It Apply?

» Applies to every organization in respect of personal information that
• (a) the organization collects, uses or discloses in the course of commercial activities; or
• (b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.

» “commercial activity” means “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character”

What is Personal Information?

» Means “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization”.

» Does not need to be sensitive or private.

» Includes information relating to race, national or ethnic origin, colour, religion, age or marital status; educational or medical or criminal history; information relating to financial transactions in which the individual has been involved; any identifying number, symbol or other data assigned to the individual.

» Can be in any form.

» Is data collected about an identifiable individual?

CSA Model Code Principles

1. Accountability

2. Identifying purposes

3. Consent

4. Limiting collection

5. Limiting use, disclosure and retention

6. Accuracy

7. Safeguards (security)

8. Openness

9. Individual access

10. Challenging compliance

Identifying Purposes of Collection

» The purposes for which personal information is collected must be identified by the organization at or before the time the information is collected.

» The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected.

» When personal information that has been collected is to be used for a purpose not previously identified, the new purpose must be identified prior to use.

Information Audits

» To determine all information being collected by the organization about each product and service.

» A detailed privacy analysis is performed to examine the privacy implications of the company’s information practices and especially the need to collect different categories of personal data.

Technology Audits

» New products and services are often subject to review by technology audits.

» This inquiry is directed to determining the privacy implications that might result from the introduction or use of a new information technology product or service.

» For example, see Ontario Privacy Commissioner report related to Smart Card Applications.

Consents

» Traditionally, two types of choice/consent regimes have been considered: opt-in or opt-out.

» Opt-in regimes require affirmative steps by the consumer to allow the collection and/or use of information; opt-out regimes require affirmative steps to prevent the collection and/or use of such information.

» Choice can also involve more than a binary yes/no option. Entities can, and do, allow consumers to tailor the nature of the information they reveal and the uses to which it will be put.

» Any choice regime should provide a simple and easily-accessible way for consumers to exercise their choice.

» Difficulties associated with obtaining consents

» Building systems to handle consents.

Limiting Use and Disclosure of Information

» Personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

» Principle poses challenges for:
• data mining
• profiling
• intelligent agents
• data modelling
• use of cookies

Data Accuracy

» Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

» Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.

» An organization must not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected.

» Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.

Security

» Principle 7 states that "personal information shall be protected by security safeguards appropriate to the sensitivity of the information".

» "Security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification".

» The obligation applies regardless of the format in which the information is held.

Security

» Information that is made available over the Internet is particularly vulnerable to unauthorized access, disclosure and use. Here appropriate security will involve both managerial and technical measures to protect against the loss and unauthorized access, destruction, use, or disclosure of data.

» Technical security measures to prevent unauthorized access might include encryption in the transmission and storage of data, limits on access through use of passwords, use of firewalls, and the storage of data on secure servers.

» The security principle will require that appropriate measures be taken to guard against the unauthorized access, disclosure, copying or use of such information.

Integrity

» The security principle extends to security safeguards against the "modification" of personal information.

» The security principle will create the need for security mechanisms to assure the integrity of information.

» This principle will be particularly relevant to electronic commerce applications where transmission integrity is important such as in electronic payment systems where security is critical.

Third Party Uses

» The security principle includes the obligation to prevent unauthorized use of information. This principle requires the organization not only to monitor its own uses, but also uses by third parties of information.

» An organization that maintains personal information on a web site might have to take measures to block access to search engines if the processing by the person launching the search is unauthorized, such as where the person performing the search seeks to use the information contrary to the limiting use principle.

Retention of Information

» Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods.

» Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous.

» Personal information must also be retained only as long as necessary for the fulfillment of those purposes.

Individual Access

» Upon request, an individual must be informed of the existence, use, and disclosure of his or her personal information and must be given access to that information. An individual must also be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

» Access must encompass timely and inexpensive access to data, a simple means for contesting inaccurate or incomplete data, a mechanism by which the data collector can verify the information, and the means by which corrections and/or consumer objections can be added to the data file and sent to all data recipients.

Challenging Compliance

» An individual shall be able to address a challenge concerning compliance to the designated individual or individuals accountable for the organization's compliance.

» Organizations must put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information. The complaint procedures should be easily accessible and simple to use.

» Organizations must inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures.

» An organization must investigate all complaints. If a complaint is found to be justified, the organization shall take appropriate measures, including, if necessary, amending its policies and practices.
