1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Privacy is permanent…not temporary

A few days ago, the UK data protection watchdog (ICO) released a warning to organisations that employ temporary or agency workers. The ICO warned that employers must ensure that a temporary worker, who is involved in the handling of personal data, has been provided with adequate data protection training.

This warning follows the telling off given by the ICO to the Great Ormond Street Hospital Children NHS Foundation Trust (GOSH), after 3 out of their 4 recent data breaches involved temporary staff sending letters (containing medical information) to the wrong address.

Sally Anne Poole (the ICO’s Enforcement Group Manager) said in a News Release issued by the ICO:  “This time of year often coincides with a rise in the number of temporary workers being employed across the UK. However the temporary nature of their employment doesn’t absolve employers of their legal responsibilities for making sure people’s information is being looked after correctly.

So what does this mean for employers? Well, it means you will need to invest in proper data protection training for temporary or agency workers as well as for your full time staff. This can be a costly exercise, especially where a temporary worker is only taken on for limited period.

Employers could consider developing a “one pager” of data privacy “do’s and don’ts” which can be provided to temporary workers when they start. Or perhaps, the temporary worker agency could provide data protection training to workers, so that they are “data protection ready” when they start their placement with an organisation. But it is ultimately the employer who remains responsible for making sure that its staff (permanent and temporary) are adequately trained in data protection to ensure that the information they hold about people is being looked after correctly.

The Chief Executive of GOSH has signed an Undertaking by which GOSH promises the ICO that “temporary staff are provided with sufficient data protection training before they carry out work that involves regular contact with personal data, especially sensitive personal data“. According to GOSH’s undertaking, the ICO decided not to serve an “Enforcement Notice” on GOSH due to the “remedial action” that was taken. It is not clear what this “remedial action” was, but since a warning has now been released by the ICO, it seems prudent for employers to make sure their training policies are adequate and the scope of such training is expanded to cover all employees (full time or part time) that handle personal data, so as to avoid being next in line.

Thank you to Danielle van der Merwe for assisting in writing this post.


Privacy is permanent…not temporary

Canadian Advertisers Self-Regulate Online Behavioural Advertising

Call to Action on OBA

The Office of the Privacy Commissioner (OPC) is aware of the challenges associated with balancing privacy in the online advertising environment, and wants the ad industry to step up.  On the day Privacy Commissioner of Canada Jennifer Stoddart announced the publication of a new set of guidelines on Privacy and Online Behavioural Advertising in late 2011, she said that:

[t]o best address these complexities, all stakeholders in the advertising community, including website operators and browser developers, have a role to play to ensure that the issues of transparency and meaningful consent are addressed.

The following year, the OPC followed up with more specific expectations in its Policy Position on Online Behavioural Advertising.

Industry Response: Self-Regulation

Led by the Digital Advertising Alliance of Canada (DAAC), the advertising industry has responded with the Canadian Self-Regulatory Program for Online Behavioural Advertising, with a website geared to consumers and companies alike at http://youradchoices.ca/.  The Program is not quite “made-in-Canada”, nor should it be, considering the need to integrate data governance solutions across borders.  It is based on the U.S. Digital Advertising Alliance (DAA) OBA Ad Choices program and principles.  It also shares some common principles and approaches with the European Advertising Standards Alliance (EASA) OBA Framework.  For consistency and broad consumer recognition, the “Ad Choices” program in participating countries use the identifying icon consisting of a lower case letter “i” within a blue triangle.

The DAAC Program has been tailored to meet the requirements of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), as well as the OPC guidelines.  The non-profit industry body Advertising Standards Canada (ASC) will be responsible for monitoring compliance, dealing with complaints, initiating investigations, and publishing reports.  The OPC will no doubt be watching closely – particularly as the program takes its first steps in Canada – to come to its own conclusions on whether industry self-regulation is meeting its expectations under PIPEDA and its OBA guidelines.  However, once the Program has matured and proved itself, there is precedent for a regulator to stand down and consider the self-regulatory body to be at least the “first resort” for complaints in the area.  The Canadian Radio-television and Telecommunications Commission (CRTC) generally takes this position with the ASC’s review of advertising standards.

The Canadian Self-Regulatory Program for Online Behavioural Advertising incorporates the following principles:

  1. Education [both individuals and businesses]
  2. Transparency [clear, meaningful, prominent notice to consumers]
  3. Consumer Control [the ability to exercise choice with respect to the collection, use and disclosure of data for OBA purposes]
  4. Data Secutity  [safeguards, data retention, and treatment of OBA data]
  5. Sensitive Data  [children and sensitive personal information]
  6. Accountability [accountability program is managed and operated by the ASC in accordance with its Online Behavioural Advertising Compliance Procedure]

Self-regulation does not, however, cover the whole OBA territory.  Certain types of activities are expressly excluded from the Program, such as “online advertising of entities within a web site they own or control” and “contextual advertising”, including ads based on the content of a web page being visited, a consumer’s current visit to a web page, and a search query.

While legal compliance may have been the main driver for the implementation of the new Program, the DAAC also points to the benefits for consumers:

As an online consumer, you can find out more about online behavioural advertising and how it helps provide you with more relevant ads on the websites that you visit. You’ll learn how online behavioural advertising supports the content, products and services that you use on the web, what online ad choices you have, and how to use browser controls to enhance your privacy.

In short, while the Office of the Privacy Commissioner has noted that some consumers find OBA “creepy”, the DAAC and its member associations know that many consumers don’t mind OBA as long as it’s transparent:  they don’t want to see irrelevant ads, and they’re OK with the idea of the right ads “finding them”.

It’s early days for the DAAC Program.  As it rolls out and expands, Canadians will become increasingly familiar with the Ad Choices icon appearing on web pages.  Advertisers – and the OPC – have a lot at stake in that little blue icon.

, , , , ,

Canadian Advertisers Self-Regulate Online Behavioural Advertising

Homework for the Privacy Commissioner of Canada: Guidelines to Follow

The House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled its Report, entitled “Privacy and Social Media in the Age of Big Data” on April 23, 2013.

The report is the result of 15 meetings of the Committee and 30 witnesses between May 29, 2012 and December 11, 2012. The Committee’s Report summarizes the witness’s testimony but doesn’t suggest any legislative response. Some issues are punted to the Office of the Privacy Commissioner of Canada (OPC) to establish guidelines. Other issues, such as children’s privacy interests, enforcement powers of the OPC, Do Not Track and “privacy as the default” are discussed but the Committee offers no recommendations.

OPC’s Homework

The Committee may not have had advice or solutions on many of the issues, but it was ready to recommend that the OPC develop more guidelines. Among the guidelines that the Committee wishes to see the OPC develop are:

  • Guidelines for social media and data management companies regarding accountability and openness
  • Guidelines for drafting policies, agreements and contracts in clear, accessible language that facilitates meaningful and ongoing consent
  • Guidelines for mechanisms to ensure individuals have access to personal information held by them, mechanisms to limit how long information could be held, and mechanisms to facilitate deletion of information

Protection of Children

Although the Committee recognized the special issues of obtaining informed, meaningful consent and protecting children on the Internet, there were no calls by the Committee for a U.S.-style Children’s Online Privacy Protection Act (COPPA). Instead, the Committee simply recommended that the Government of Canada and social media companies “continue to provide support to organizations that provide education and training on digital activities and privacy.” The Committee also urged social media companies to promote safe online environments that are protective of the privacy interests of children and young persons.

No Comment on Enforcement Powers for the OPC

Intriguingly, after reviewing the competing perspectives on increasing the enforcement powers of the Office of the Privacy Commissioner, the Committee ducked the issue by stating that the Committee hoped the discussion would be of benefit to future legislative review:

“The evidence presented to the Committee demonstrates the competing views regarding the enforcement powers of the Privacy Commissioner. On the one hand, the current model facilitates the constant flow of information and good will between the private sector and the Privacy Commissioner, and has proven effective in ensuring that this relationship remains cordial and non-adversarial. On the other hand, much can and has been said regarding how the current model favours self-regulation and is not adequately prepared to ensure compliance when self-regulation fails. The Committee hopes that this valuable discussion will be of benefit to any future legislative review in this regard.”

Many will be disappointed, no doubt, with the lack of substance to the recommendations. No doubt we will hear more in the coming weeks as Canada’s approach is compared and contrasted with the U.S.’s recent  revamp of COPPA Rules and the U.S. Commerce hearings on Do Not Track.

Homework for the Privacy Commissioner of Canada: Guidelines to Follow

M-Commerce Privacy & Security

I recently had the pleasure of presenting on privacy and security issues in mobile e-commerce (“M-Commerce”) at the 7th Managing Privacy Compliance Seminar organized by Federated Press.

In my presentation, I described some important issues to consider in designing privacy compliance programs for mobile e-commerce. The topics included:

            • Main takeaways from recent Canada and U.S. guidelines
            • Dealing with Address Book Information
            • Online Behavioural Tracking and Analytics
            • Geolocation Data
            • Collecting Information from Children
            • Transparency and Accountability in Design
            • Consent, Representations and Disclaimer

Learn more by viewing the Slideshare presentation below.

Privacy and Security in Mobile E-Commerce

View more presentations from FMC Law.
This presentation contains examples of the kinds of issues companies dealing with privacy and security in mobile e-commerce could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique. 
M-Commerce Privacy & Security

General, Overbroad “Agreement” Does Not Permit Reference Check on Disabled Child

On February 22, 2013, the Office of the Privacy Commissioner of Canada (OPC) released a summary of findings in two cases arising out of inappropriate sharing of information between two summer camps about a child following an online application for a summer camp spot.

The issue arose when the child’s legal guardian completed an online application for a position at a camp. The child had spent the previous two summers at a different camp. The OPC report of findings notes that the child is disabled. During the online application process, the legal guardian accepted an “Additional Agreement”, which, according to the OPC, provided that “camp directors, at their discretion, could use the information supplied in applications for any means.”

The prospective camp contacted the first camp and asked questions about the child’s history at the previous camp and the level of support that the child required as a camper. The exchange came to light when the prospective camp allegedly refused the child’s application on the basis that the child could not be supported at the camp and that the “child’s disabilities would not be fair to other campers.”

Although the camps claimed that sharing of information about children was commonplace in order to assure that campers have a successful summer, the camps were members of the Ontario Camps Association, which adheres to a Code of Professional Ethics, requiring camps to adhere to the Personal Information Protection and Electronic Documents Act (PIPEDA).

The previous camp did not obtain any form of consent to the disclosure of a child’s application history or experience at the camp. This was a fairly open and shut violation of the requirement of PIPEDA to obtain consent to the disclosure of personal information.

However, the prospective camp defended against the complaint on the basis that the legal guardian had consented to the collection, use and disclosure of personal information about the child when the legal guardian accepted the “Additional Agreement”.

Not so, found the OPC.  The “Additional Agreement” was too general and overly broad to obtain meaningful consent to the collection, use and disclosure of personal information.

“This Office does not share the view of the first camp’s director that the complainant’s consent was obtained by her agreeing to the terms of the application she submitted, including the terms of the application’s “Additional Agreement”. We examined the application as well as that organization’s privacy policy and believe that the general statements regarding how the information supplied is to be used are overly broad and not sufficient to obtain consent to collect personal information from a third party as part of the enrolment process.”

The prospective camp made four errors:

  • The prospective camp used information in the application to conduct a background check on the child by contacting the previous camp.
  • The prospective camp disclosed information to the previous camp in order to elicit information about the child.
  • The prospective camp collected information from the previous camp.
  • The prospective camp used the information from the previous camp in order to evaluate the child’s application.

The OPC findings with respect to the previous camp, can be found here. The OPC findings with respect to the prospective camp can be found here.


General, Overbroad “Agreement” Does Not Permit Reference Check on Disabled Child