Post on 21-Dec-2015
Privacy
James Newland Compliance Officer
November 12, 2003
Medical records turn up on real estate flyers
CBC News, February 20, 2003
A hospital in Ottawa is trying to find out how some of its medical test results ended up on the back of real estate flyers delivered to homes in Toronto this week.
The flyer shows pictures of houses for sale on one side, and the results of a mammogram done at the Ottawa Hospital on the other.
Careless disposal of records imperils privacy
Hartford Courant, May 14, 1999
Aetna health insurance claim forms blew out of a truck on the way to a recycling center and scattered on I-84 in East Hartford during the evening rush hour. Aetna … quickly dispatched employees - some of them on their way home from work - to scoop up forms containing names and personal health information. The papers should have been shredded under company policy, but they were not.
Computers containing customers' banking info listed on EBay
CBC News, September 19, 2003
Two computers originally owned by the Bank of Montreal and containing thousands of customer files ended up on EBay last week ... The computers originated at the bank's head office in Montreal, but contained information on customers from Victoria to St. John's ... Robert Garigue, vice president and chief information security officer for the bank, said the sale of the computers with customer files still on them was a mistake.
Laws and Guidelines, 1970-1989
Year | Law | Jurisdiction
1970 | Data Protection Law | Hesse, Germany
1973 | Datalagen, SFS 1973:289 | Sweden
1978 | Loi No. 78-17 relative à l'informatique, aux fichiers et aux libertés | France
1980 | Council of Europe Convention 108 | Council of Europe
1980 | OECD Guidelines | OECD
1988 | Wet Persoonsregistratie | Netherlands
Laws and Guidelines, 1990 - 1999 (I)
Year | Law | Jurisdiction
1990 | Bundesdatenschutzgesetz | Germany
1993 | Privacy Act | New Zealand
1994 | Loi relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel | Belgium
1994 | Loi sur la protection des renseignements personnels dans le secteur privé | Quebec
1995 | Directive 95/46/EC of the European Parliament | European Union
Laws and Guidelines, 1990 - 1999 (II)
Year | Law | Jurisdiction
1995 | Computer-Processed Personal Data Protection Law | Taiwan
1996 | Legge 31 dicembre 1996 n. 675, Tutela delle persone e di altri soggetti rispetto al trattamento dei dati personali | Italy
1996 | Personal Data (Privacy) Ordinance | Hong Kong
1998 | Personuppgiftslagen, SFS 1998:204 | Sweden
Laws and Guidelines, 2000 (I)
Year | Law | Jurisdiction
2000 | Datenschutzgesetz 2000, BGBl. I Nr. 165/1999 | Austria
2000 | Ley Orgánica 15/1999 de 13 de diciembre de Protección de Datos de Carácter Personal | Spain
2000 | Data Protection Act | United Kingdom
2000 | Children's Online Privacy Protection Act | United States
Laws and Guidelines, 2000 (II)
Year | Law | Jurisdiction
2000 | Privacy of Consumer Financial Information (Gramm-Leach-Bliley Act) | United States
2000 | The Privacy Amendment (Private Sector) Act | Australia
2000 | Handling of Personal Information Act | Norway
2000 | Personal Information Protection and Electronic Documents Act | Canada
Legislative History - Canada
1980 - OECD Guidelines
1993 - CLHIA Privacy Guidelines
1994 - Québec adopted the Loi sur la protection des renseignements personnels dans le secteur privé
November 2000 - federal government passed the Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA will come into force for all businesses January 1, 2004, unless a province passes “substantially similar” legislation
Personal Information
A very broad definition:
Any information concerning an identifiable individual, except address and telephone number at work
The General Principle
Everyone must hold in strict confidence all information concerning clients and may not divulge any such information unless authorized by the client or required by law to do so
Ten Privacy Principles
Should be viewed as principles to guide actions rather than as a specific set of rules
1. Accountability
Everyone is responsible for personal information in their possession or control, including information that has been transferred to a third party for processing
this obligation extends to all employees
2. Identifying Purposes
The purpose for which personal information is collected will be identified before it is collected
Information cannot be used for any purpose not identified in advance
3. Consent
The knowledge and consent of the person are required before information can be used or disclosed
consent will generally be express, but may be implied
in certain circumstances, consent may be given by an authorized representative
3. Consent
Legal, medical or security concerns may allow information to be collected or disclosed without consent
consent may be withdrawn, although this may result in termination of the contract
4. Limiting Collection
Only information reasonably necessary for the identified purposes will be collected
information shall only be collected by fair and lawful means
information shall not be collected indiscriminately
5. Limiting Use, Retention, Disclosure
Information may not be used or disclosed for any purpose other than the one identified, unless required by law or with consent
5. Limiting Use, Retention, Disclosure
Information must be destroyed when it is no longer necessary for the identified purpose or required by law
Speaking about personal information outside the office is unacceptable under any circumstances
Speaking about personal information within the office should be limited to those on a “need to know” basis
6. Accuracy
Information shall be as accurate, complete and up-to-date as is necessary for the identified purposes
7. Safeguards
Safeguards must be put in place which are appropriate to the sensitivity of the information
7. Safeguards
A. Physical measures
- building access cards
- locked filing cabinets
- shredders
- clean desks
- imaging
7. Safeguards
B. Organizational Measures
- verification of policyholder on the telephone
- incoming and outgoing mail procedures
- application handling
- information for underwriting
- taking work outside the office
- use of laptops on airplanes
7. Safeguards
C. Technological Measures
- access rules
- passwords
- screensavers
8. Openness
National Life’s Privacy Policy has been provided to all employees, and is available to the public on our web site or upon request
a brochure is distributed to all individual clients
9. Individual Access
All clients have a right to access the information in their file
Some medical information may be sent via a doctor designated by the individual
Any errors identified by a client will be corrected
10. Challenging Compliance
Anyone may address a challenge to compliance with the law or company policy
Penalties for failure to comply
Anyone may initiate a complaint (a client, the Privacy Commissioner, a lobby group)
The Privacy Commissioner will attempt to negotiate a settlement
A client may also apply to a court after having received the Privacy Commissioner’s report
Although either the Privacy Commissioner or the court may order the company to correct its practices, publish its intentions or pay damages …
The Privacy Commissioner's main weapon will be the power to publicly embarrass
Firm loses secrets of 180,000 clients: computer hard drive goes missing
Toronto Star - January 30, 2003
Co-operators Life Insurance Company has warned more than 180,000 customers across Canada about possible identity theft after the disappearance of a computer hard drive containing personal information.
In a letter to life insurance and pension plan clients, the top official of the company’s parent firm says the loss of the hard drive in Regina is extremely serious and “theft of an individual’s identity is possible in such circumstances.”
“Vital information, such as name, address, date of birth, social insurance number and mother’s maiden name can be used to access financial accounts, open new bank accounts, transfer bank balances, apply for loans, credit cards and other financial services,” Co-operators Chief Executive Officer said in the letter this week.
Resources
The Privacy Commissioner
www.privcom.gc.ca
The Golden Rule
While each file may be one of hundreds for you, it is the only file for that client, and should be treated as if it were your own information