Law Times

May 5, 2008

The premier weekly newspaper for the legal profession in Ontario

Issue link: https://digital.lawtimesnews.com/i/68267

PAGE 10 FOCUS MAY 5, 2008 / LAW TIMES

Proposed privacy guidelines still not in place

BY JULIUS MELNITZER
For Law Times

More than six months after the House of Commons' standing committee on access to information, privacy and ethics issued its statutory review of the Personal Information Protection and Electronic Documents Act, proposed amendments to the federal privacy guidelines are still not in place.

The silver lining is that the passage of time has allowed for due consideration of the proposals which were issued last October, and most commentary has centered on four items:

• proposed exclusion of business contact information from the definition of personal information;
• proposals permitting disclosure of personal information in the context of due diligence involving the sale of a business;
• content of guidelines on the proper destruction of records containing personal information;
• and a proposed requirement that a person who believes personal information may have been disclosed without authorization provide public notice of the security breach.

With regard to business contact information, the discussion centres around e-mail addresses. Current federal legislation does state that business contact information is not personal information if used for business purposes.

"The problem is that the federal legislation doesn't specifically deal with e-mail addresses," says Barbara McIsaac of McCarthy Tétrault LLP's Ottawa office. "Alberta and British Columbia do address the issue, and it might be a good idea for the federal legislation to follow."

McIsaac is also concerned that the amendments may incorporate a one-size-fits-all approach to destruction of records.

"If there are guidelines, they will have to be broadly focused, but the government will have to keep in mind that although there is a general emphasis on not keeping documents any longer than necessary, limitation periods do differ and there may be specific contractual requirements between parties," she says. "I believe that there has to be room for case-specific solutions."

And when it comes to disclosure in the context of M&A due diligence, the tail may be wagging the dog.

"As a practical matter, people are disclosing personal information in the M&A context, but it would be better to have the exemption written into law," says Michael Beairsto of Fraser Milner Casgrain LLP's Toronto office.

More particularly, Beairsto says he'd like to see legislation allowing businesses to sell personal information without going back to the affected individuals for consent.

"Let's say you have a property insurance company that wants to sell its policies," he says. "It should be clear that the company doesn't have to go back to each of its policyholders to obtain their agreement to release the personal information involved."

Breach notification, however, may be the thorniest issue.

"The main problem is that it's not always in everyone's interest that public notification occur because it might exacerbate the problem," Beairsto says.

The lawyer posits the case of a thief who makes off with a briefcase with the intention of securing the computer within.

"Let's say there's also a CD containing personal information in the briefcase," he says. "Do you really want to alert the thief that the briefcase contains something of value other than the computer?"

On the whole, Beairsto believes that mandatory disclosure requirements are not a good idea.

"I think people are going to disclose in any event because of the civil liability consequences that could arise from a failure to warn," he says.

Beairsto's colleague Peter Nguyen worries about what he calls notification fatigue.

"As much as organizations don't like to admit it, breaches occur often, but the core question relates to the sensitivity of the information," he says. "If people are required to notify each time a breach occurs and no matter how inconsequential the information disclosed, the public may just start ignoring the notices."

Beairsto points to a March 2007 ruling by Ontario Privacy Commissioner Ann Cavoukian under the province's Personal Health Information Act as a reasonable approach to the notification problem.

The case (Order HO-004, Information and Privacy Commissioner of Ontario) arose when a physician who was both a clinician and researcher at Toronto's Hospital for Sick Children left the hospital with one of its laptop computers. The physician's intention was to analyze research data stored on the laptop.

Before going home, the physician parked his minivan in a municipal lot in downtown Toronto, leaving the laptop between the front seats after covering it with a blanket. When he returned to his vehicle, the front passenger window was broken and the laptop was gone.

The physician immediately filed a break-in report with the Toronto Parking Authority and a police report the following morning. The police, however, were unable to recover the laptop.

The data in the laptop consisted of spreadsheets containing identifiable personal health information of 2,900 current and former Sick Kids patients involved in various research studies. The only laptop security was an eight-character alphanumeric login password with no encryption at either the file or the disk level.

As it turned out, the physician could have accessed the data, which was also stored on the hospital's main server, by way of encrypted remote-access software.

Cavoukian concluded that Sick Kids had offended the act. Cavoukian also ruled that the hospital had failed to comply with s. 10(1) relating to information practices; s. 13(1) relating to the security of PHI; and ss. 37(1)(j) and 37(3) dealing with the use of PHI for research purposes.

But Cavoukian also had to deal with the notification obligations under s. 12(2). The section provides that custodians must "at the first reasonable opportunity" notify individuals whose PHI information had been stolen, lost, or accessed without authorization.

In this case, notification presented significant challenges because many of the affected individuals were no longer active patients at the hospital, had become adults, or were deceased.

"The contact information for these patients was most likely out of date and any attempt to provide written notification might cause a further privacy breach," Cavoukian noted.

Sick Kids, however, had demonstrated full compliance with the notification provisions by:

• sending out letters to active patients with current contact information, notifying them of the breach and providing a contact person should questions arise;
• informing active patients whose PHI was of a particularly sensitive nature of the breach at their next scheduled appointment; and
• issuing a press release, also posted on the hospital's web site, that provided information about the breach and designated a contact person for the public.

In March, about a year after Cavoukian's decision, the e-commerce branch of Industry Canada released a proposed model for data breach notification.

"This document will be used as the basis of proposed legislative amendments for data breach notification under PIPEDA [Personal Information Protection and Electronic Documents Act]," the proposal states.

The ministry held an April meeting to provide comments and also invited written submissions.

The two key elements of the proposal are that an organization must report to the privacy commissioner any major loss or theft of personal information, and affected organizations and individuals must be notified where there is a high risk of significant harm from the breach.
