Canadian businesses missing important steps to protect personal information stored digitally, poll finds

Privacy Commissioner of Canada reminds businesses
that when using technology to safeguard personal information,
sometimes small steps can prevent a big loss.

OTTAWA, May 4, 2012 /Canada NewsWire/ - Canadian businesses are storing more and more personal information digitally, but many are not using the technological tools or implementing the recommended practices to protect this information, a new survey has found.

In a telephone survey of 1,006 companies across Canada, commissioned by the Office of the Privacy Commissioner of Canada (OPC) and published today, companies are storing personal information on a variety of digital devices, such as desktop computers (55%), servers (47%) and portable devices (23%). Most (73%) are using some type of technological tool, such as passwords, encryption or firewalls, to prevent unauthorized access to the personal information stored on these devices.

However, the survey also suggested that many businesses may not be adequately using technology when it comes to protecting the personal information they store digitally.

For example, passwords are the most popular technological tool used by businesses to protect personal information (96%). However, of those using passwords, 39% do not have controls in place to ensure that those passwords are difficult to guess, and 27% never require employees to change passwords.

"Using passwords is like locking your front door. They can be a very simple and effective way to protect valuable personal information," says Commissioner Stoddart. "But simply setting a password is not enough to thwart today's savvy online criminals—passwords must to be complex and dynamic."

The poll, conducted in late November and early December 2011 by Phoenix Strategic Perspectives, also found that nearly one quarter of businesses are storing personal information on portable devices, such as laptops, USB sticks or tablets, which are more vulnerable to theft and loss. Nevertheless, almost half of those who do (48%) indicated that they did not use encryption to protect the information on these devices. Encryption refers to the use of a secret code as a key to scramble information to make it unreadable. Once the information is scrambled, only the same key can be used to unscramble the information and make it readable again.

"Encryption is one step better than locking your doors - it is like putting information into a safe - and it can really help limit the risks if a laptop is stolen or a USB key is misplaced," says Commissioner Stoddart. "Businesses that lose their customers' data, lose their customers' trust, so they need to take every precaution to ensure they safeguard personal information they hold."

The survey did find that many Canadian companies attribute considerable importance to protecting privacy (77%).

"I am encouraged to see that companies are beginning to realize the importance of building privacy into their business processes," said Commissioner Stoddart. "Smart businesses know that taking the time to build privacy in from the beginning is much easier than cleaning up a privacy breach down the road."

In fact, survey responses seem to suggest that companies are becoming more sensitive to the potential for data breaches. Only 40%, however, indicated that they were concerned about data breaches that might compromise the personal information of their customers and 31% indicated that they have guidelines in place for responding in the event of a breach.

Other highlights of the poll include:

...One third (32%) of businesses have staff that has had training on appropriate information practices and responsibilities under Canada's privacy laws.

...Almost half (48%) of businesses have procedures in place for dealing with complaints from customers who feel that their information has been handled improperly.

...Just over three in five businesses have a privacy policy.

...The majority of companies that have a privacy policy update it at least once a year (57%) and of those that do, 35% have notified their customers about the changes.

...Many companies (39%) view protecting privacy as a competitive advantage, with 24% seeing it as a significant advantage and 15% a moderate advantage.

The OPC commissioned the survey in order to better understand the extent to which businesses are familiar with privacy issues and requirements, and the types of privacy policies and practices they have in place. Similar surveys were conducted in 2010 and 2007.

The complete survey, which is considered to be accurate to within +/- 3.1%, 19 times out of 20, can be found on our website at www.priv.gc.ca.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two federal laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta and British Columbia each has its own law covering the private sector. Even in these provinces, PIPEDA continues to apply to the federally regulated private sector and to personal information in interprovincial and international transactions.

Keep it private - your Facebook password should not be shared

Commissioner Cavoukian advises people to
protect their online social media profiles

TORONTO, May 3, 2012 /Canada NewsWire/ - Spurred by numerous recent media reports of employers requesting Facebook passwords from job candidates, Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, launched a paper today to provide Ontarians with practical advice on how to protect their online privacy in the increasingly complex social media world.

Entitled "Reference Check: Is Your Boss Watching? The New World of Social Media: Privacy and Your Facebook Profile," the paper will be officially launched this evening in Toronto during a presentation by Commissioner Cavoukian at international law firm Baker & McKenzie.

"Passwords are meant to be kept private, and I want to be clear that the practice of employers requesting personal passwords from their current or potential future staff is fundamentally wrong," said Commissioner Cavoukian.

"Canada's human rights and privacy laws provide strong protections for job applicants when it comes to improper practices, such as employers requesting personal passwords. However, everyone using social media must remain vigilant when it comes to guarding their own personal information."

The paper offers true-to-life examples of improper practices by employers, provides context, and most importantly, offers practical tips to protect your privacy in today's constantly-evolving online world. Some of the issues covered in depth in the paper include:

...Think hard before you click;

...Review all the information about you that lives online;

...Remove potentially-damaging information & photos;

...Apply strong privacy controls to all of your personal information;

...Know your rights: employment, human rights & privacy laws;

...Build up a positive online social media profile.

"It is absolutely crucial to remember that anything you post online may stay there forever, in one form or another, so think carefully before you post," said Commissioner Cavoukian.

"With 86 per cent of Canadian Internet users having a Facebook profile, my sincere hope is that our paper will remind people to use social media sites wisely - posting information with their eyes wide open, and considering the potential risks to their employment - current and future."

"Job candidates should preserve their legally-protected right against what the courts have now labeled 'intrusion into seclusion'," agrees Mark Ellis of Baker & McKenzie. "As counsel to many of Canada's largest employers, we advise companies to respect the legal boundaries regarding investigation of any applicant. While an employer's review of outward-facing social media pages is proper and valuable due diligence, probing beyond the password-protected wall constitutes unwarranted invasion of privacy."

About the IPC

The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, as well as the Personal Health Information Protection Act, which applies to both public and private sector health information custodians. A vital component of the Commissioner's mandate is to help educate the public about access and privacy issues.

Privacy Commissioner of Canada awards $500,000 to advance privacy research and awareness

Funding for 11 new independent research and awareness projects
which will explore emerging and evolving privacy issues

OTTAWA, May 2, 2012 /Canada NewsWire/ - The Office of the Privacy Commissioner of Canada (OPC) today announced the recipients of its 2012-2013 Contributions Program, which will provide $500,000 this year for projects that explore emerging and evolving privacy issues of interest to Canadians.

This year's projects touch on all four policy priorities of the OPC: 1) identity integrity and privacy; 2) information technology and privacy; 3) genetic information and privacy; and 4) public safety and privacy. For example, there are projects that focus on privacy issues related to social networking, cybercrime, surveillance, cloud computing, smartphone applications and cell therapy research.

"Technologies are advancing at an astounding rate, and it's essential that we take time to both truly understand and reflect upon their impacts on privacy," says Commissioner Stoddart. "By supporting privacy research, my Office is encouraging the exploration of complex privacy issues as well as the development of information and tools to help Canadians make informed decisions about protecting their personal information."

The Office announced the 2012-13 recipients today at its Pathways to Privacy Research Symposium at the National Arts Centre in Ottawa. The Symposium is showcasing privacy-related research funded by OPC's Contribution Program and other organizations to stimulate discussion and enable others to use and apply the research in their fields of expertise or areas interest.

The OPC is supporting a total of 11 projects in 2012-13 under the Contributions Program. This year, there is an emphasis on making the research outcomes accessible, and researchers will be using a variety of approaches, such as workshops, forums, web sites and tools, or awareness materials, to share the results of their work. Some examples of the projects include: A study of the privacy challenges emerging from innovations in cell therapy research;

...An analysis of the scope of voluntary information sharing by private enterprises in law enforcement investigations into cybercrime;

...The development of a series of in-depth news reports and other informational tools for French radio and web sites that provide practical information about protecting personal information;

...An interactive mapping tool to help Canadians better understand cloud computing and its impact on their personal information;

...An investigation of smartphone applications and the risks to end-user privacy.

...A report on the positive and negative privacy implications of using information technology in situations involving domestic violence, sexual violence and stalking.

A full list of the 2012-13 Contributions Program recipients and their projects is available on our web site.

The OPC received 45 proposals for the 2012-2013 Contributions Program. Each proposal was evaluated by representatives of the OPC, as well as an external peer review panel of privacy experts in various fields.

"It was wonderful to have the opportunity to review the interesting, innovative, and creative applications to the Contributions Program," says Dr. Jacquelyn Burkell, Associate Professor, Faculty of Information and Media Studies at the University of Western Ontario. "The research they outlined addresses complex aspects of privacy in our digital environment and will produce results that have important implications for Canadians."

The OPC's Contribution Program was created in 2004 to support arm's length, non-profit research on privacy, further privacy policy development, and promote the protection of personal information in Canada. To date, the Program has allocated approximately $3 million to nearly 90 initiatives in Canada, and it is considered one of the foremost privacy research funding programs in the world.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two federal laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta and British Columbia each has its own law covering the private sector. Even in these provinces, PIPEDA continues to apply to the federally regulated private sector and to personal information in interprovincial and international transactions.

Keep Your Loot; Give Fraud the Boot!

North Wellington, Ontario - Keep Your Loot; Give Fraud the Boot!", April 23, 2012, Teen Elder Abuse Awareness Initiative

Grade 12 High school students partnered with older adults in North Wellington, Ontario to research and develop an awareness event in honour of National Victims of Crime Awareness Week. Working with local OPP, the Seniors Centre for Excellence and the Seniors at Risk Coordinator of Trellis Mental Health & Developmental Services, students and seniors surveyed older adults on elder abuse and frauds/scams and put together an awareness event for seniors.