
Page 1: Privacy James Newland Compliance Officer November 12, 2003

Privacy

James Newland Compliance Officer

November 12, 2003

Page 2

Medical records turn up on real estate flyers

CBC News, February 20, 2003

A hospital in Ottawa is trying to find out how some of its medical test results ended up on the back of real estate flyers delivered to homes in Toronto this week.

The flyer shows pictures of houses for sale on one side, and the results of a mammogram done at the Ottawa Hospital on the other.

Page 3

Careless disposal of records imperils privacy

Hartford Courant, May 14, 1999

Aetna health insurance claim forms blew out of a truck on the way to a recycling center and scattered on I-84 in East Hartford during the evening rush hour. Aetna … quickly dispatched employees - some of them on their way home from work - to scoop up forms containing names and personal health information. The papers should have been shredded under company policy, but they were not.

Page 4

Computers containing customers' banking info listed on EBay

CBC News, September 19, 2003

Two computers originally owned by the Bank of Montreal and containing thousands of customer files ended up on EBay last week ...The computers originated at the bank's head office in Montreal, but contained information on customers from Victoria to St. John's ... Robert Garigue, vice president and chief information security officer for the bank, said the sale of the computers with customer files still on them was a mistake.

Page 5

Laws and Guidelines, 1970-1989

Year - Law (Jurisdiction)

1970 - Data Protection law (Hesse, Germany)

1973 - Datalagen, SFS 1973:289 [Data Act] (Sweden)

1978 - Loi No. 78-17 relative à l'informatique, aux fichiers et aux libertés [Act on Data Processing, Files and Freedoms] (France)

1980 - Convention 108 (Council of Europe)

1980 - Guidelines (OECD)

1988 - Wet Persoonsregistratie [Personal Data Registration Act] (Netherlands)

Page 6

Laws and Guidelines, 1990 - 1999 (I)

Year - Law (Jurisdiction)

1990 - Bundesdatenschutzgesetz [Federal Data Protection Act] (Germany)

1993 - Privacy Act (New Zealand)

1994 - Loi relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel [Act on the protection of privacy in relation to the processing of personal data] (Belgium)

1994 - Loi sur la protection des renseignements personnels dans le secteur privé [Act respecting the protection of personal information in the private sector] (Quebec)

1995 - Directive 95/46/EC of the European Parliament (European Union)

Page 7

Laws and Guidelines, 1990 - 1999 (II)

Year - Law (Jurisdiction)

1995 - Computer-Processed Personal Data Protection Law (Taiwan)

1996 - Legge 31 dicembre 1996 n. 675, Tutela delle persone e di altri soggetti rispetto al trattamento dei dati personali [Protection of individuals and other subjects with regard to the processing of personal data] (Italy)

1996 - Personal Data (Privacy) Ordinance (Hong Kong)

1998 - Personuppgiftslagen, SFS 1998:204 [Personal Data Act] (Sweden)

Page 8

Laws and Guidelines, 2000 (I)

Year - Law (Jurisdiction)

2000 - Datenschutzgesetz 2000, BGBl. I Nr. 165/1999 [Data Protection Act 2000] (Austria)

2000 - Ley Orgánica 15/1999, de 13 de diciembre, de Protección de Datos de Carácter Personal [Organic Law 15/1999 on the Protection of Personal Data] (Spain)

2000 - Data Protection Act (United Kingdom)

2000 - Children's Online Privacy Protection Act (United States)

Page 9

Laws and Guidelines, 2000 (II)

Year - Law (Jurisdiction)

2000 - Privacy of Consumer Financial Information (Gramm-Leach-Bliley Act) (United States)

2000 - The Privacy Amendment (Private Sector) Act (Australia)

2000 - Handling of Personal Information Act (Norway)

2000 - Personal Information Protection and Electronic Documents Act (Canada)

Page 11

Legislative History - Canada

1980 - OECD Guidelines

1993 - CLHIA Privacy Guidelines

1994 - Québec adopted the Loi sur la protection des renseignements personnels dans le secteur privé

Page 12

Privacy

November, 2000 - federal government passed the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA will come into force for all businesses January 1, 2004, unless a province passes “substantially similar” legislation

Page 13

Personal Information

A very broad definition:

Any information about an identifiable individual, except the name, title, business address and business telephone number of an employee of an organization

Page 14

The General Principle

Everyone must hold in strict confidence all information concerning clients and may not divulge any such information unless authorized by the client or required by law to do so

Page 15

Ten Privacy Principles

Should be viewed as principles to guide actions rather than as a specific set of rules

Page 16

1. Accountability

Everyone is responsible for personal information in their possession or control, including information that has been transferred to a third party for processing

this obligation extends to all employees

Page 17

2. Identifying Purposes

The purpose for which personal information is collected will be identified before it is collected

Information cannot be used for any purpose not identified in advance

Page 18

3. Consent

The knowledge and consent of the person are required before information can be used or disclosed

consent will generally be express, but may be implied

in certain circumstances, consent may be given by an authorized representative

Page 19

3. Consent

Legal, medical or security concerns may allow information to be collected or disclosed without consent

consent may be withdrawn, although this may result in termination of the contract

Page 20

4. Limiting Collection

Only information reasonably necessary for the identified purposes will be collected

information shall only be collected by fair and lawful means

information shall not be collected indiscriminately

Page 21

5. Limiting Use, Retention, Disclosure

Information may not be used or disclosed for any purpose other than the one identified, unless required by law or with consent

Page 23

5. Limiting Use, Retention, Disclosure

Information must be destroyed when it is no longer necessary for the identified purpose or required by law

Speaking about personal information outside the office is unacceptable under any circumstances

Speaking about personal information within the office should be limited to those on a “need to know” basis

Page 25

6. Accuracy

Information shall be as accurate, complete and up-to-date as is necessary for the identified purposes

Page 26

7. Safeguards

Safeguards must be put in place which are appropriate to the sensitivity of the information

Page 27

7. Safeguards

A. Physical measures

- building access cards

- locked filing cabinets

- shredders

- clean desks

- imaging

Page 28

7. Safeguards

B. Organizational Measures

- verification of policyholder on the telephone

- incoming and outgoing mail procedures

- application handling

- information for underwriting

- taking work outside the office

- use of laptops on airplanes

Page 29

7. Safeguards

C. Technological Measures

- access rules

- passwords

- screensavers

Page 30

8. Openness

National Life’s Privacy Policy has been provided to all employees, and is available to the public on our web site or upon request

a brochure is distributed to all individual clients

Page 31

9. Individual Access

All clients have a right to access the information in their file

Some medical information may be sent via a doctor designated by the individual

Any errors identified by a client will be corrected

Page 32

10. Challenging Compliance

Anyone may address a challenge to compliance with the law or company policy

Page 33

Penalties for failure to comply

Anyone may initiate a complaint (a client, the Privacy Commissioner, a lobby group)

The Privacy Commissioner will attempt to negotiate a settlement

A client may also apply to a court after having received the Privacy Commissioner’s report

Page 34

Although either the Privacy Commissioner or the court may order the company to correct its practices, publish its intentions or pay damages ...

The Privacy Commissioner's main weapon will be the power to publicly embarrass

Page 35

Firm loses secrets of 180,000 clients: computer hard drive goes missing

Toronto Star - January 30, 2003

Co-operators Life Insurance Company has warned more than 180,000 customers across Canada about possible identity theft after the disappearance of a computer hard drive containing personal information.

In a letter to life insurance and pension plan clients, the top official of the company’s parent firm says the loss of the hard drive in Regina is extremely serious and “theft of an individual’s identity is possible in such circumstances.”

“Vital information, such as name, address, date of birth, social insurance number and mother’s maiden name can be used to access financial accounts, open new bank accounts, transfer bank balances, apply for loans, credit cards and other financial services,” Co-operators Chief Executive Officer said in the letter this week.

Page 37

Resources

The Privacy Commissioner

www.privcom.gc.ca

Page 38

The Golden Rule

While each file may be one of hundreds for you, it is the only file for that client, and should be treated as if it were your own information
