Privacy News Highlights
16—22 June 2006
Contents:
CA – Privacy Commissioner Tables Annual Report on Federal Privacy Act
CA – Privacy Rules Broken at Border, Audit Finds
CA – Require Photo ID to Vote, MPs Urge Elections Canada
US – Site Caters To Children With Privacy, Parental Controls
EU – Commission Vows Swift Action on US Passenger Data
UK – Government Launches New Data Retention Consultation
US – Ohio University Alums, Donors Weigh in on Data Breaches
CA – Light is Dimming on Open Government: Information Commissioner John Reid
US – Privacy Language Urged for Bill to Digitize Federal Employee Health Records
US – Health Diamonds in the (Pandemic) Data
US – AIG Laptop & File Server with Data on 970,000 Stolen
US – ING Laptop With 13,000 DC City Employee Data Stolen
UK – Equifax Says Laptop with Employee Data was Stolen
AU – Report: Australian SmartCard Must Not Become ID Card
UK – ‘Rushed’ ID Card Scheme is a Missed Opportunity, IT Suppliers Warn MPs
CA – B.C. and Washington State Call to Delay Passport Requirement
EU – Cross-National Testing of Electronic Passports at ‘Global Summit’
US – Coalition Urges Strong International Privacy Rules
US – Myspace.Com Sued For Failing to Protect Minors
CA – Lawyer: Change Law to Keep Names of Accused Private
US – Police to Receive Student Data for Checks Against Offender List
AU – Australia Government Security ‘insufficient’: Auditor-General
CA – Rogers, IBM Introduce Encryption e-Mail Service
US – Federal Breaches Spark Security Review Push
US – Tech Giants Lobby Congress for Consumer Privacy Law
US – Sen. Hillary Clinton Says White House Needs Privacy Czar
US – Sen. Hillary Clinton Calls for Privacy Legislation to Protect Americans’ Information
CA – Ontario Privacy Commissioner Issues RFID Guidelines
CA – Quebec Privacy Commissioner Publishes Analysis of RFID Technology
CA – Ontario Public Library System, Provincial Agency Trying Out RFID
US – GAO Publishes Report on Information Security:
WW – Security Survey: Cyber Security a Growing Problem for Financial Institutions
US – NASCIO Makes the Case for IT Security
CA – Trucking Alliance supports Electronic On-Board Recorders
CA – Vancouver Cops Take a New Look at Public Video Cameras
CA – Customer Complains About Alleged Telus Use of Private Information
SA – Direct Marketing Association: Consumer Privacy Bills Would Hurt Businesses
US – House Panels Hold Privacy Hearings This Week
US – Will a Federal Data Security Breach Legislation Pass this Congressional Session?
The Privacy Commissioner of Canada (OPC) tabled her
2005-06 Annual Report on the Privacy Act,
stating “[c]onsiderably more could be done to protect Canadians’ personal
information, especially with respect to information flowing across the border
and a federal privacy law that simply isn’t up to standard...” On transborder
data flows: “We see the federal strategy as a very positive step toward
addressing Canadians’ concerns.” The report also discusses the OPC’s “major
audit” of the CBSA and the audit’s 19 recommendations (see next item, below).
The Commissioner observed “that, at times, federal departments and agencies
incorrectly interpret the Privacy Act
in response to calls for disclosures of information in the public interest.”
Identity management will be a focal point for next year’s research and policy
agenda, and the Office is “planning for a significant increase - close to 50% -
in human and financial resources over the next two years.” [Press Release] [Annual report] [Coverage]
The Privacy Commissioner of
• Information is often disclosed without first obtaining approval from a
designated CBSA official. There are also weaknesses in the record keeping associated
with disclosures of information.
• There is no coordinated method of identifying and tracking all flows of
its transborder data. The CBSA cannot, with a reasonable degree of certainty,
report on how much and how often it shares information with the
• The CBSA has not evaluated the effectiveness of the High-Risk Traveller
Identification Initiative with the
• The CBSA needs to explore ways to improve the quality and control of
data it acquires under the Advance Passenger Information/Personal Name Record
initiative for accuracy and completeness.
• More transparency is needed for activities associated with sharing data
across borders.
[Source] [Audit Report]
A House of Commons panel that studied possible voter
fraud is set to recommend electors be required to produce a government-issued
photo ID or two other pieces of government ID before casting ballots in a
federal election. The Commons committee will also recommend Elections Canada be
instructed to put the date of birth of each elector on the permanent voters
list used in polling stations as another safeguard. In addition, MPs on the
committee have agreed Elections Canada must place warning signs in all polling
stations citing Elections Act offences and the penalties for voter fraud. If
Parliament accepts the committee’s recommendations, it would be the first time
government photo ID – or even second-tier government identification cards –
would be mandatory for a federal election in
Industrious Kids, a
The European Commission vowed this week to take swift
action to safeguard an anti-terrorism measure requiring EU states to supply
advance details of passengers heading to
The
Ohio University (OU) officials are feeling the fallout
from a number of recently disclosed data security breaches that exposed
personal data, including SSNs of thousands of students and alumni. Many have
informed the school they will no longer be making donations, and some have
questioned why the school retains alumni SSNs, including those of alumni who
have never donated to the university. OU has spent more than US$77,000 to send
letters to affected alumni and other donors. Two breaches were publicly
disclosed last month; while these were being investigated, evidence of other
breaches was uncovered. [Source]
All of the promised reforms to Access to Information
and the hype surrounding transparency in government after the Sponsorship
Scandal, the 39th general election and a change in government were for
nothing, because there has been no progress in opening up the culture of secrecy
in federal politics, says Canada’s Information Commissioner. “Somehow, while we
were feeling pretty good about the future of accountability through transparency,
it all seems to have fallen apart,” said John Reid, at the
Employee groups this week urged a House panel to
include in a health information technology bill language to protect the privacy
of federal employees who would be covered under the bill. The bill, H.R. 4859,
is currently under consideration in the House Subcommittee. The measure would
require participating health plans and providers to collect claims and services
data into e-health records by 2008. It also would authorize funding from a
federal health IT trust to provide incentives to contracted providers. [Source]
At this moment, public health officials are poring
over terabytes of health care data to detect the first signs of a possible
pandemic flu outbreak, bioterrorism attack or other contagion. The Centers for
Disease Control and Prevention began a biosurveillance program in 2003, but
advances in information exchange standards and concerns about pandemic flu have
accelerated its national implementation. The federal initiative, called
BioSense, analyzes existing health care records, such as diagnoses, laboratory
test results, physician visits and hospitalizations. The results help public
health officials discover where an event is occurring and decide when to
intervene with vaccines or quarantines. The CDC works with regional hospital
systems to create secure connections between their health care databases and
the federal database. The data does not contain patient names, medical numbers
or personal identifiers. [Source]
Insurance giant American International Group (AIG)
said that it has lost personal identifying information on about 970,000
consumers through a burglary at an undisclosed office in the
A laptop containing personal data – including SSNs –
of 13,000 District workers and retirees was stolen this week from the
Equifax said this week that a laptop computer
containing employee names and Social Security numbers was stolen from a worker
traveling on a train near
New laws may be needed to stop the federal
government’s SmartCard from becoming a de facto national identity card, a
report suggests. A government-appointed taskforce has released its first
discussion paper on the $1.1 billion project to replace cards for Medicare and
more than a dozen other services with a single swipe card. The report says the
government faces major privacy, security and administrative challenges in
getting the project running. Taskforce chairman Allan Fels, a former consumer
watchdog chief, said he acknowledged there was widespread community concern
about the smartcard turning into a national identity card. Professor Fels said
overcoming that concern would involve giving consumers as much control over the
cards as possible. One option could be legislating to stop other sectors
demanding the card as identification. [Source]
[Source] [Source] [Warning on ID card by stealth] [Privacy fears linger over smartcard]
The
The
Experts from 38 countries participated in a
cross-national testing of electronic passports at the Global Interoperability
Test Summit on Electronic Passports, held in
A coalition of privacy groups has urged the U.S.
Department of Commerce to strengthen privacy rules to protect personal data
being transferred between and out of APEC. The privacy groups emphasized the
need for binding laws to protect privacy, given the often-weak enforcement of
self-regulatory industry schemes. The privacy groups jointly commenting on the
plan included Consumer Federation of America, EPIC, the National Consumers
League, Privacy Rights Clearinghouse, Privacy Times, U.S. Public Interest
Research Group, and the World Privacy Forum. [Coalition comments]
A 14-year-old
The lawyer representing a Newfoundland man found not
guilty on two sex-related charges wants laws changed to protect the identity of
people accused of such offences. Keith McGrath, 49, was found not guilty in
Virginia’s public and private colleges and
universities soon will be required to submit the names and SSNs of tens of
thousands of students they accept each year to state police for cross-checking
against sexual offender registries. The little-noticed but groundbreaking law
is raising concerns among privacy experts about giving police access to a vast
new database of student information. They say the data could be stored
permanently on hard drives and mishandled, stolen or used for unrelated
homeland security or law enforcement purposes. [Source]
Computer systems controlling
Richard Branston, General Manager of Security
Solutions at IBM Canada, notes that stealing information via the Internet has
become big business for cybercriminals. For $8.95 monthly, Rogers Secure Mail encrypts
information sent between a sender and the recipient. The service, hosted by IBM
Canada, will allow registered users to view an encrypted email by entering
their password. Those who are not subscribers can view an encrypted email after
they provide an answer to a secret question known only to the sender and
recipient. [Source]
[Background]
The massive data breach disclosed last month by the
U.S. Department of Veterans Affairs has triggered sweeping reviews of
information security policies at the VA and at several other government
agencies that recently suffered smaller data losses. And last week, officials
at the Government Accountability Office and the White House Office of
Management and Budget (OMB) said that federal agencies as a whole need to
review their processes for collecting and storing data and controlling access
to it. [Source]
[Latest Information on the Theft from Veterans Affairs]
A group of high-profile companies announced that they
would support in principle the creation of a national consumer privacy law that
governs how companies treat the information they collect from consumers.
Eastman Kodak, eBay, Eli Lilly, Google, Hewitt and Associates, Hewlett
Packard, Intel, Microsoft, Oracle, Procter & Gamble, Sun Microsystems and
Symantec all signed onto a statement that calls for a process intended to lead
to the enactment of a robust but flexible legal framework that protects
consumers while allowing for the appropriate use of information.
[Consumer Privacy Legislative Forum Statement], [Coverage]
Sen. Clinton chided the Bush administration for its
privacy lapses and called on the White House to appoint a privacy czar. Citing
recent incidents that jeopardized the privacy of Americans, including the Department
of Veterans’ Affairs security breach that exposed the personal information of
1.5 million veterans,
During her most recent policy speech, Sen. Hillary
Rodham Clinton Friday called for a “privacy bill of rights” to protect
Americans’ personal privacy. Noting her experience as the former First Lady
whose tenure included numerous investigations and personal hardships, Clinton
called herself an “expert” in the loss of privacy as she advocated for
legislation to inform consumers what information companies are collecting and
using.
Dr. Ann Cavoukian, Information and Privacy
Commissioner of
Excerpt: RFID technology is rapidly emerging, and several applications in
different fields of activity are currently being tested or implemented,
notably in commerce, health care, transportation and other areas of daily life.
The technology is attracting marked interest from industry, both for
operational efficiency and for reducing operating costs. However, the uses
that this powerful and revolutionary technology would allow have repercussions
for individuals. In particular, it raises concern about the protection of
personal information and privacy, since it would make it possible, among other
things, to track an individual without his or her knowledge. [Source]
[CAI Paper: “Radiofrequency identification technology (RFID): is there reason to mistrust it?”]
The Toronto Public Library system has implemented a
pilot project to place radio frequency identification tags on books in two of
its libraries and set up self-checkout kiosks. Currently, about 70–80% of users
take advantage of the self checkout capability. The Ontario Financial Services
Commission’s Motor Vehicle Accident Claims Fund (MVACF) has also implemented an
RFID File Tracking System. The ministry has some 65,000 paper files on cases,
about 6,500 of which are currently at its offices. Under the old chit file
tracking system, files would easily get misplaced or misfiled and clerks would
sometimes spend a day-and-a-half looking for them. Now, staff can find a file
with the touch of a button. [Source]
The U.S. GAO has published a report entitled
“Information Security: Leadership Needed to Address Weaknesses and Privacy
Issues at Veterans Affairs,” GAO-06-897T, June 20. [Source] [Highlights]
Just about every Canadian financial institution in a
survey has experienced a security breach, say financial analysts at Deloitte
Touche Tohmatsu. In the market-analysis company’s annual global study of the
state of security in the financial sector, 100% of Canadian institutions
surveyed confirmed they had experienced such a breach. The financial
sector is experiencing a surge in the number of security attacks, specifically
from external sources. More than three-quarters (7%, up from 26% in 2005) of
respondents confirmed a breach from outside the organization and almost half
(49%, up from 35% in 2005) experienced at least one internal breach. Other
results:
95% (of participants) have increased their information security budgets since last year
72% experiencing a breach estimate that it cost their organization greater than US$1 million
71% indicate that they now have a defined information security governance structure in place
The US National Association of State Chief Information
Officers (NASCIO) has released a brief on making the business case for
sustainable IT security funding. NASCIO, which represents
The Canadian Trucking Alliance supports Electronic
On-board Recorders (EOBRs) -- often referred to as black boxes. The carrier
association firmed up that policy decision more than two years ago, and is waiting
for Transport
Telus customers are trying to put the phone company on
the hotseat over what they claim is an invasion of privacy. One says he was
horrified to discover that a third party firm retained by Telus to do customer
contact work has access to all his old phone bills. [Source]
The South African Protection of Personal Information Bill and the new
Consumer Protection Bill would significantly change the ability of
financial services, retail industries, call centers and list brokers to use
customer databases to cultivate new business, according to the Direct Marketing
Association of South Africa (DMA). The key issue is individual consent for the
inclusion of information stored on a database used for marketing purposes. The
DMA prefers an opt-out system through a national “Do Not Contact” list. [Source]
House Subcommittees held hearings this week on the
topic: “Internet Data Brokers and Pretexting: Who has Access to Your Private
Records?” Law enforcement agencies have accessed private telephone records from
data brokers, most often without warrants and without paying for the
information. One committee head said an investigation into how data brokers
gather the private information of consumers revealed that federal and local
authorities have tapped data brokers for information “because it is easily
obtained and you can gather a lot of information very quickly.” [Source]
According to DM News, the question of whether data
security breach legislation will pass this year was debated at the 2006 DM Days
--------