Privacy News Highlights

01–07 March 2010



CA – Biometric Passport Promise Revived. 3

CA – Alberta Privacy Commissioner Concerned about Court of Appeal Decision. 3

CA – IPC AB Order P2009-005 - Odyssey Health Services. 3

US – Pentagon Will Allow Social Networking on Non-Classified Networks. 4

US – What’s Happening with the Trusted Internet Connection?. 4

US – Proposed HITECH Rule Coming Soon. 4

CA – File-Sharing Programs Might Put Doctors’ Patient Records at Risk: Study. 4

EU – German Court Overturns Telecommunications Data Retention Law.. 5

EU – Art 29 Working Party Issues Opinion on the Concepts of Controller and Processor 5

EU – UK Information Commissioner Asks Organizations to “Deliver the Privacy Dividend”. 6

UK – Government Denies Wi-Fi Operators Copyright Exemption. 6

EU – French Senate Issues New Legislation to Amend Data Protection Act 6

EU – French Data Protection Authority Issues New Guidelines. 6

EU – Ban on Burqa is an Invasion of Privacy: EU Chief 7

UK – Kate Middleton Set for £10,000 Privacy Victory. 7

CA – Baird wants Fed Privacy Commissioner to Examine American Flight Rules. 7

US – FTC to Appeal Red Flags Decision. 7

US – Compliance Costly and No Guarantee, Study Finds. 8

CA – 1M Canadians Lose $ to Fraud, Continue Taking Risks. 8

WW – Top Privacy Issues for 2010. 8

US – Massive Gene Database Planned in California. 8

AU – Public Given One Week to Respond to Health ID Bill 9

AU – Medicare Privacy Breaches ‘Only The Beginning’ 9

CA – Privacy Commissioner Questions Security of Health Records After Doctors Die. 10

EU – Farmaindustria Approves Code of Data Protection for Clinical Investigations. 10

US – Price to Fix BlueCross Data Theft: $7 Million and Counting. 10

US – Wyndham Hotels Acknowledges Third Breach in a Year 10

IN – Privacy Protections in Place for UID: Nilekani: 11

UK – ID Scheme Proposed to Reduce Alcohol-Related Trouble in Consett 11

US – License Plate Software Stirs Privacy Concerns. 11

WW – Internet of Things More Reality than Fiction. 11

WW – Website Archives Personal Information, Helps Track World News. 12

CA – Ontario Police: Vehicle Signs Do Not Breach Privacy Laws. 12

WW – Some Social Networking Sites Share Users’ Location Data. 12

HK – Privacy Commissioner Will Not Seek Another Term.. 12

HK – Gov’t to Open Privacy Commissioner Search Soon. 12

US – CDD Says New Regulations Needed. 13

US – Company to Target Ads Based on IP Addresses. 13

EU – French Court: IP Address Not Enough to ID User 13

EU – Amendments to the Guernsey Data Protection Law.. 13

EU – Latvian Data Inspectorate Recommendation on Data Transfers to Third Countries. 13

US – Brill and Ramirez Confirmed as FTC Commissioners. 14

US – Court Reviews Charitable Aspect of Proposed Facebook Settlement 14

US – TRUSTe Launches Privacy Policy Generator for Small and Medium Businesses. 14

EU – One Quarter of Germans Would Embrace an Implantable Microchip: Poll 14

UK – Garbage Police Microchip 2/3 More Rubbish Bins. 15

WW – Three Arrested in Huge Botnet Case. 15

US – Napolitano Announces Cybersecurity Awareness Competition. 15

WW – Average Users Have Difficulty keeping Up With Security Patches. 15

EU – Crown Prosecution Service Considering Legal Action Over BT’s Secret Phorm Trial 16

NZ – Commission Recommends Law to Prohibit Tracking. 16

UAE - CCTV Will Cover 90% of Abu Dhabi Within 18 Months. 16

EU – Google May Not Renew Street View in Europe. 16

CY – Cyprus: Cyta Clients Sue Over Privacy Violations. 16

US – White House Outlines Secret Cybersecurity Plan. 17





CA – Biometric Passport Promise Revived

The Conservative government has vowed to press ahead with biometric passports for Canadians, two years after first promising to adopt a more secure electronic travel document by 2011. A passport encrypted with biological information “will significantly improve security,” one of several measures previously promised and highlighted under the title of criminal justice and national security improvements in Wednesday’s throne speech. First promised in the 2008 federal budget, the advent of a passport with encoded identification information, such as an iris scan, fingerprints, or facial recognition data, was delayed by questions over logistics, and how to cover costs. In 2008, the federal Conservatives said the passports, when introduced, would be valid for 10 years - deemed too long by some for security reasons. New Democrat public safety critic Joe Comartin said when a parliamentary committee last looked at it, accuracy rates of biometrics were considered 85 to 90% - “nowhere near what you want.” Proposed use of DNA technology also raised too many privacy concerns, he said. [Source]




CA – Alberta Privacy Commissioner Concerned about Court of Appeal Decision

Alberta’s Information and Privacy Commissioner, Frank Work, issued a news release regarding the recent Court of Appeal of Alberta decision in Alberta Teachers’ Association v. Alberta (Information and Privacy Commissioner). In the case, the Court held that the Information and Privacy Commission has no authority to extend investigation time limits under the Personal Information Protection Act (“PIPA”) after the statutory time limit has expired. Further, if the Commissioner extends the time in an inquiry process within the time limit, he must provide reasons for the extension, and his decision will be subject to judicial review. The Court noted that “[b]lanket or routine extensions seem unlikely to be regarded as reasonable if they cannot also be justified in the specific circumstances of the case.” PIPA is provincial legislation that governs the use of personal information by private sector organizations in Alberta. In the news release, Commissioner Work expressed concern that, as a result of the Court of Appeal decision, many Albertans “will lose the privacy remedies they thought they received in response to their complaints.” In addition, the decision “simply creates another avenue of judicial review” and “[f]or the poor applicant or complainant, all you are making them do it start all over again.” The news release indicates that Commissioner Work will seek leave to appeal the decision to the Supreme Court of Canada. The Commissioner also will request that the Legislative Assembly of Alberta amend PIPA to address issues raised by the decision. [Hunton & Williams]


CA – IPC AB Order P2009-005 - Odyssey Health Services

An adequate search requires an organization to make every reasonable effort to locate responsive records, which does not require perfection or that the records be found on a first search; the fact that responsive records have been overlooked may be mitigated if the organization responds in a timely way once the error is discovered. The adjudicator found that a health service conducted an adequate search and fulfilled its duty to assist the individual with respect to one letter containing his personal information - it was reasonable for the health service to believe the letter was in a copy of the individual’s file already provided to him, the oversight was quickly remedied when the individual drew attention to it, and the delay in providing the letter (2 months) was not overly lengthy. Even if records are not in the applicant’s file, they may still be in the custody and control of the organization; the adjudicator also found that the health service had not made every reasonable possible effort to search for another set of notes it had custody and control over, since the possible location of the notes was apparent (with the doctor who wrote them), the doctor was a member of the organization insofar as treating the applicant, and the doctor’s failure to provide them was not an acceptable reason for the 6 month delay in providing them to the applicant. Payment information regarding the applicants treatments was not his own personal information - the possibility that payment information might indirectly reveal something about treatment the applicant received from the health service does not mean that it is his personal information; a more direct connection between the information and the applicant is required in order to make information “about” the individual, rather than merely “related” to him. [OIPC]




US – Pentagon Will Allow Social Networking on Non-Classified Networks

A new Pentagon policy will allow all personnel to use social networking sites like Facebook and Twitter on non-classified networks. DoD deputy CIO Dave Wennergren noted in an interview that “service members [are] using these tools to ... do their jobs better and even to collaborate with mission partners and people outside the organization.” The policy is the result of a seven-month review in which the risks of using the emerging tools were weighed against their benefits. The policy will be the same throughout all departments. [Washington Post] [MSNBC] [Information Week]


US – What’s Happening with the Trusted Internet Connection?

As director of federal network security at the Department of Homeland Security’s National Cybersecurity Division, Matt Coose is helping shepherd the Trusted Internet Connection initiative, which aims to reduce the number of connections linking executive branch IT networks to the Internet to 100 or fewer from thousands upon thousands. The basic concept behind TIC, initiated in 2007 by the Bush administration, is that by drastically reducing the number of access points, the government could more easily monitor and identify potentially malicious traffic. In the interview, Coose:

To download streaming video or MP3 file, go to Source


Electronic Records


US – Proposed HITECH Rule Coming Soon

A proposed rule regarding business associate (BA) provisions in the HITECH Act will be released soon. A lawyer at the Health and Human Services Office for Civil Rights conveyed that the rule will come “shortly” and will provide more details on the anticipated compliance date, the report states. HITECH required that BAs come into compliance with the HIPAA Security Rule and certain provisions of the privacy rule by February 17. [HealthLeaders Media]


CA – File-Sharing Programs Might Put Doctors’ Patient Records at Risk: Study

Doctors who trade music on file-sharing programs might also be accidentally swapping something else: Their patients’ health records. In the first study to test the way personal health information is disclosed through file-sharing applications, researchers from the Children’s Hospital of Eastern Ontario in Ottawa discovered that software installed on home computers can make health and financial documents vulnerable to fraud or theft. For example, if a health-care professional uploads records onto his or her computer, and then uses file-sharing software to download music, patient information could be inadvertently released, said the study published last Friday in the Journal of the American Medical Informatics Association. “A significant amount of information is leaking and I think it’s important for the public to be aware of the risks of running those programs,” said Khaled El Emam, the study’s lead researcher and a professor of electronic health information at the University of Ottawa. The study, which took about a year to complete, analyzed the IP addresses of millions of computers in the United States and Canada which use file-sharing programs. Out of 23-24 million files, researchers found about 2%, or tens of thousands, in Canada which contained private health and financial information and could be accessed using a simple search tool. In the U.S., that number was significantly greater at 5%, in the hundreds of thousands, said El Emam. He cautioned both citizens and doctors to cease file-sharing applications to protect their identities, especially as health records become electronic. [Source]


EU Developments


EU – German Court Overturns Telecommunications Data Retention Law

Germany’s Federal Constitutional Court has overturned a law that allowed the retention of telephone and email data for anti-terrorism investigations. The court said the law was a “grave intrusion” on people’s personal privacy rights and that it violates citizens’ constitutional rights to private correspondence. The law required that all data, with the exception of content, on phone calls and email be retained for six months to allow authorities to conduct investigations if necessary. The court noted that the law did not provide adequate security for the data, nor did it “sufficiently limit the possible uses of [the] data.” The court ordered that all currently held data be deleted and that no more data be retained until a national law is passed that is in harmony with basic German law. [MSNBC] [EU Observer] [Hunton & Williams] see also [reactions] [EU state reactions]


EU – Art 29 Working Party Issues Opinion on the Concepts of Controller and Processor

On February 16, 2010, the Article 29 Working Party adopted Opinion 1/2010 (the “Opinion”) providing further clarification and guidance on the interpretation of the concepts of “data controller” and “data processor” in the context of the EU’s Data Protection Directive 95/46/EC. The full text of the Opinion (in English) has been made public on the Dutch DPA’s website. The interaction between data controllers and data processors is essential in the application of Directive 95/46/EC, not least because the concepts determine who will be responsible for compliance with data protection rules and how data subjects can exercise their rights. However, the increasing complexity of the environment in which these concepts are used has given rise to new and difficult issues. The Opinion emphasizes the need to allocate responsibility between data controllers and data processors so that compliance with data protection rules are upheld sufficiently. Despite the impact of information and communication technologies and globalization, the Working Party concluded that the current distinction between data controllers and data processors remains relevant and workable. The following points are of particular importance:

Regarding Data Controllers

Regarding Data Processors


EU – UK Information Commissioner Asks Organizations to “Deliver the Privacy Dividend”

On March 3, 2010, the UK Information Commissioner launched a report on the “Privacy Dividend” (the “Report”), which outlines the business case for proactively investing in privacy protection. The lack of a robust business case is a common barrier to privacy investment, and too often such investment is approved only after a privacy breach or other crisis occurs. The conclusions of the Report are unsurprising, namely that (i) personal information has commercial value, (ii) good data protection can bring business benefits and (iii) there are significant downsides to ignoring data protection. The Report also reiterates the need for direction and accountability on the part of senior management for the organization’s privacy strategy. Against the backdrop of these conclusions, the Report offers a structured approach for Data Protection Officers to build their own business case to secure privacy investment and build a privacy culture. It highlights the key components of a privacy program, and offers a framework (including examples) for estimating both the value of personal data, and the costs of ignoring data privacy. In launching the report, the UK Information Commissioner, Christopher Graham, recognized that there can be no “one size fits all” approach to privacy. Instead, the Report provides practical tools to help organizations of all sizes and across all sectors to build a business case for investing in privacy.” The Commissioner challenges organizations to use the tools necessary to ensure that privacy protection is hardwired into organizational culture and governance, and urges organizations to realize the privacy dividend. [Hunton & Williams] [eWeek Europe]


UK – Government Denies Wi-Fi Operators Copyright Exemption

Cafes, pubs, universities and libraries that offer wireless internet access will not be granted a special exemption from measures aimed at tackling copyright infringement, the UK Government has said. The Government’s controversial Digital Economy Bill makes an internet access subscriber liable for the copyright-infringing behaviour of others. The Government has now published guidance to the Bill which clarifies that organisations providing access will be granted no such exemption. The Bill says that action can be taken not just against the person accused of engaging in copyright infringement, but also against “a subscriber to an internet access service [who] has allowed another person to use the service, and that other person has infringed the owner’s copyright by means of the service.” [OUT-LAW] [The guidance]


EU – French Senate Issues New Legislation to Amend Data Protection Act

The French Senate proposes a new law to reinforce the right to privacy in the digital age; the proposed law requires data controllers to provide information on their data processing activities to their data subjects in a clear, specific and easily accessible manner, inform the data subjects about any data processing activity and obtain a data subject’s consent to process data, including for the use of cookies, except if a legal exception applies. The law also creates an obligation for data controllers to notify the French data protection authority (the “CNIL”) in case of a data security breach. Organizations with more than fifty employees that either access or process personal data would be required to appoint a data protection officer. The law would increase the CNIL’s enforcement authority; fines violations of the law would be increased to a maximum €600,000 from the current maximum of €300,000, the CNIL’s decisions to sanction data controllers would be published more frequently and the CNIL would gain the right to be heard in any civil, criminal or administrative court hearing. [Hunton & Williams Privacy and Information Security Law Blog] and (available in French)


EU – French Data Protection Authority Issues New Guidelines

Companies based in France that plan to transfer personal data to the U.S. in view of discovery procedures are subject to French law including the 1970 Hague Convention; letters of request from the U.S. are to be filed with the Ministry of Justice to be transmitted to a judge who assesses if the request poses a threat to state sovereignty and national security. Noncompliance with the Hague Convention is subject to criminal sanctions and fines of up to 18,000 euros. Companies are also required to comply with the French Data Protection Act (the “1978 Act”); they must register their data processing with the Commission de l’informatique et des libertés (the “CNIL”), retain data only as long as is necessary, ensure that for massive and frequent transfers to the U.S. the recipient of the data has an adequate level of protection in place. Companies are encouraged to filter the information to be transferred with the help of a local third party, and to anonymize or pseudonymize it. Noncompliance with the 1978 Act is punishable by criminal sanctions and fines of up to 300,000 euros. [Olivier Proust, The Privacy Advisor]


EU – Ban on Burqa is an Invasion of Privacy: EU Chief

Amidst the uproar on the ban of burqa in the European contries, a European rights chief said on Sunday, Mar 7 said that imposing a ban on the full Islamic veil would alienate Muslim women in the society. Speaking against the ban on burqa or niqab, Thomas Hammarberg, the Council of Europe’s human rights commissioner said imposing a ban on it was an unreasonable invasion of personal privacy. Hammarberg added that supporters of the burqa does not project women as being more oppressed than other, adding that the veil does not undermine democracy or public morals. “Prohibition of the burqa and the niqab would not liberate oppressed women, but might instead lead to their further alienation in European societies,” he said. “A general ban on such attires would constitute an ill-advised invasion of individual privacy.” He said that the ban on the burqa could also lead to a breach of the European Convention on Human Rights. [OneIndia]


Facts & Stats


UK – Kate Middleton Set for £10,000 Privacy Victory

Kate Middleton, the girlfriend of Prince William, is set to win a controversial claim for alleged invasion of her privacy. She is expected to receive at least £10,000 in damages, plus substantial legal costs, after threatening to sue a photographer and two British picture agencies over photographs taken of her at Christmas. The images were not even published in Britain. Middleton’s claim follows a decision by the Queen to crack down on alleged intrusions into the private lives of the royals. Middleton’s action may also be an attempt to restrain photographers ahead of an engagement to the prince. Sources close to negotiations over the dispute say that the photographic agencies have offered to meet Middleton’s demands because they cannot risk losing an expensive court battle. One said: “We can’t fight them. If it went to court and we lost, it could cost £100,000.” Through Harbottle & Lewis, a firm of lawyers used by members of the royal family, Middleton has sought damages for invasion of privacy, legal costs, withdrawal of the images and a public apology. [Times Online]




CA – Baird wants Fed Privacy Commissioner to Examine American Flight Rules

Federal Transport Minister John Baird says he wants to hear from the federal privacy commissioner regarding new American security rules that require Canadian airlines flying over the United States to give U.S. authorities the names of passengers as part of anti-terrorism efforts. “We’re going to consult the privacy commissioner,” the minister said Thursday. “There has to be consent for the information to be shared.” Baird said the U.S. officials aren’t looking for detailed information on passengers. “When they say they want personal information, they are not looking for health information or income tax information. What they are looking for, as I understand it, is your name and your birthdate.” Nevertheless, Baird said he expected the Americans to be reasonable and expressed understanding for the American concerns. [Star Pheonix] [U.S. gets say on which Canadians can fly]




US – FTC to Appeal Red Flags Decision

The Federal Trade Commission will appeal a December 2009 decision of the DC District Court related to the FTC Red Flags Rule. The commission filed a notice last week stating its intention to appeal the court’s judgment in American Bar Association v. FTC. The court ruled in favor of the ABA’s claim that the Red Flags Rule does not apply to attorneys or law firms. [Hunton & Williams Privacy and Information Security Law Blog]


US – Compliance Costly and No Guarantee, Study Finds

A recent study found that more than half of qualified security assessors (QSA) say merchants are not proactively managing data privacy and security in their environments. The Ponemon Institute study surveyed 155 QSAs certified by the Payment Card Industry Data Security Standards (PSI DSS). Those surveyed also said that despite merchants’ significant financial investments in compliance audits--on average costing $225,000 each year--two percent of merchants fail. “That’s a large chunk of change to be doing each and every year,” said the institute’s founder, Larry Ponemon, CIPP, adding that sometimes the annual audit “leads to better security posture, but not always.” The survey also found that more than half of merchants investing in audits feel PCI DSS is too costly. [NetworkWorld]


CA – 1M Canadians Lose $ to Fraud, Continue Taking Risks

More than one million Canadians have lost money in an investment scheme and many Canadians are making easily-avoidable mistakes leaving their personal financial information up for grabs by fraudsters, separate studies show. A whopping 82% of adults are concerned about fraud in today’s online, convenience-oriented business world, according to the TD Canada Trust Fraud Prevention Month Poll. There is at least some cause for this concern. New data from the Canadian Securities Administrators shows more than one million Canadians have lost hard-earned dollars to white-collar criminals. And a recent poll by Visa found older Canadians are among the most vulnerable, with 16% of baby boomers and seniors citing they have already been victimized by payment card fraud, identity theft or a violation of financial privacy since turning 50-years-old. Roughly 40% of older Canadians admit to participating in unsafe behaviours that put their personal financial information at risk, Visa found. [Source] See also: [US: You could soon be depositing checks with your cell phone]




WW – Top Privacy Issues for 2010

Enterprise governance, risk and compliance (“GRC”) represents the actions that an organization takes to achieve its performance objectives and manage risk; this includes information risk and the organization’s obligations over the information it owns, produces, uses and makes available to others. The privacy framework explains what an organization needs to do well to be able to effectively manage privacy risk and compliance; the business level performance layer describes the organization’s use of personal information throughout its business processes, the risk management and compliance layer defines the people, processes, and technology used to protect and govern the use of personal information and the governance layer defines how all that is managed. The top privacy issues for 2010 include the ever-changing regulatory landscape, new incident management obligations, increased use of cloud computing, service provider audits, use of encryption, costs of compliance failures, GRC technology enablement and emergence of transformational technology. [Ernst & Young]




US – Massive Gene Database Planned in California

Plans for genetic analyses of 100,000 older Californians—the first time genetic data will be generated for such a large and diverse group—will accelerate research into environmental and genetic causes of disease, researchers say. “This is a force multiplier with respect to genome-wide association studies,” says Cathy Schaefer, a research scientist at Kaiser Permanente, a health-care provider based in Oakland, CA, whose patients will be involved. Researchers will be able to study the data and seek insights into the interplay between genes, the environment, and disease, thanks to access to detailed electronic health records, patient surveys, and even records of environmental conditions where the patients live and work. “The importance of this project is that it will, almost overnight—well, in two years—produce a very large amount of genetic and phenotypic data that a large number of investigators and scientists can begin asking questions of, rather than having to gather data first,” Schaefer says. The result will be the largest genetic health research platform of its kind, says Schaefer, who directs Kaiser Permanente’s research program on genes, the environment, and health. The study is being undertaken together with the University of California, San Francisco (UCSF), with a $25 million, two-year NIH grant that tapped federal stimulus funds allocated earlier this year. John Glaser, vice president and chief information officer at Partners Healthcare in Boston, says the Kaiser Permanente platform will make it far easier to conduct research. “The payoffs could be very significant reductions in the costs and time--something on the order of a factor of five--to detect problematic medications and other medical interventions, assess the comparative effectiveness of treatments, and conduct clinical research,” he says. Glaser adds that the long-term vision is to connect the various genetic databases to amplify their benefits. “One can imagine dozens of databases that are linked that have technical and governance means to conduct parallel analyses,” Glaser says. But, he notes, “there are challenges to making this happen that have only begun to be explored.” Kaiser Permanente is meanwhile trying to expand its collection of biological samples to 500,000 by 2013. [Technology Review]


Health / Medical


AU – Public Given One Week to Respond to Health ID Bill

A bill to assign unique ID numbers to all Australians was sent to the Senate Standing Committee on Community Affairs on February 26 for examination, giving members of the public wishing to offer comment until March 5 to do so. According to the Rudd government, the 16-digit Individual Healthcare Identifiers that would be required under the bill are needed to identify patients and healthcare providers and “as a further step to ensure the privacy and security of an e-health system,” the report states. The committee is expected to review such issues as privacy safeguards, including who will have access to the identifier numbers, and issue a report on March 15. [iTWire]


AU – Medicare Privacy Breaches ‘Only The Beginning’

Revelations that Medicare employees are being investigated for spying on customers’ personal information have renewed fears from privacy advocates that healthcare staff cannot be trusted. As the Federal Government works to bring in a national identity scheme for patients, around 400 cases have emerged of unauthorised snooping on people’s private records over the past four years. Medicare says it has implemented privacy controls and that the number of cases of snooping has been getting smaller, however it is not known who or how far the information was allowed to spread. The agency has given few details of how the snooping was allowed to occur. Juanita Fernando, the chair of the health sub-committee at the Australian Privacy Foundation, says Medicare’s assurances may be of little comfort to people whose privacy has been breached. Dr Fernando is concerned the privacy breaches at Medicare are a sign of things to come. The Government has introduced bills into Parliament for what it calls an “individual health identifier”. They bills go to a Senate inquiry next week. The ID number will be used to collate all patient records in one place so health providers can gain access to relevant information at the one time. It is the first stage of the Council of Australian Governments’ national electronic health plan. “It’s of real concern to me and to many people who contact the Australian Privacy Foundation,” Dr Fernando said. “They’re very concerned about it because if I’m a miscreant of some sort, I can just use a single number and access people’s records from whatever health service I decide to go into.” Dr Fernando says no one can say whether the new system will be more secure because “nobody is actually looking at the facts”. “For instance, notes about the Medicare data breach are tucked away on the Australian Privacy Commission’s website. We essentially don’t know what’s going to happen,” she said. “It’s like taking a great big jump off into the unknown and being comfortable that the Government is going to be trustworthy and capable enough to take care of us all.” If the legislation is passed it could only be a matter of months before the ID numbers are used by healthcare professionals. [Source] See also: [Hospital Employees Disciplined for Cell Phone Pictures]


CA – Privacy Commissioner Questions Security of Health Records After Doctors Die

Gary Dickson has seen abandoned medical records turn up in some pretty bizarre places in his time as Saskatchewan’s privacy commissioner - mouldy basements, drafty Quonset huts, vacant buildings. He argues that more needs to be done to protect sensitive, personal health information left behind when a doctor retires or dies. An official with the Saskatchewan Health Ministry says the province would consider changing existing legislation to ensure records are protected. The ministry is currently working with the college of physicians to find a better solution. Dickson says some people believe part of the answer is electronic health records, but he adds it could be another decade before all information is in digital form. The issue needs to be dealt with now. “This is the time we have to pay attention to building confidence in patients that the system is going to properly protect their personal information. If we do a crummy job protecting the privacy of patients now with paper records, is that not going to impair trust when it comes to electronic records?” [Winnipeg Free Press] See also: [B.C. health authority patient records system lacks privacy - privacy commissioner]


EU – Farmaindustria Approves Code of Data Protection for Clinical Investigations

The Standard Code of Data Protection (the “Standard Code”) applies to pharmaceutical companies in Spain (whether or not they are members of Farmaindustria) that expressly accept that they will adhere to it. The Standard Code addresses the use of personal data for clinical studies and includes the following - the investigator (data controller) will be responsible for the clinical investigations with dissociated data (data that cannot be associated with a data subject). The investigator will create a code that will be assigned to the subjects of the study. The sponsor of the study will have access to all data relating to the study minus any personal data and be allowed to transfer any third party. With respect to clinical investigations with personal data the transfer of data to any company belonging to the sponsor’s group or to any third company will require the express and individualised consent of the subject of the clinical investigation. [Baker & McKenzie LLP]


Horror Stories


US – Price to Fix BlueCross Data Theft: $7 Million and Counting

The theft of 57 unencrypted hard drives from BlueCross-BlueShield of Tennessee has given thieves access to personal data on upwards of 500,000 customers and is costing millions to fix. The drives contained recordings of more than one million customer support calls as well as 300,000 screen shots, which in some cases included names, birthdates and Social Security numbers. BlueCross is now auditing its security practices, the report states. The process of investigating the breach and notifying customers has cost more than $7 million so far. According to Michael Spinney of the Ponemon Institute, while the average data breach costs $6.75 million, the company could be paying much more due to the complexity of the breach. Late last year, BlueCross and forensics company Kroll OnTrack employed 500 full-time workers and 300 part-time employees, working in two shifts, six days a week, to piece together what happened, the company said in a letter posted to the Maryland attorney general’s Web site over the weekend. As with many data breaches, this one can be traced back to a burglary involving unencrypted data. [Source] [PCWorld]


US – Wyndham Hotels Acknowledges Third Breach in a Year

Wyndham Hotels & Resorts has acknowledged that attackers gained access to their computer systems and stole customer data. This is the third data breach for Wyndham in the last year. The most recent breach took place sometime between October 2009 and January 2010. The stolen data included information from the magnetic stripes of customers’ credit cards. Wyndham has not yet notified affected customers of the breach. [ComputerWorld] [SC Magazine] See also: [Microsoft Case Study of the Hard Rock Casino]


Identity Issues


IN – Privacy Protections in Place for UID: Nilekani:

The Indian government has allocated Rs.19 billion for the Unique ID Number (UID) program scheduled to roll out in late 2010, and according to Nandan Nilekani, chairperson of the Unique Identification Authority, citizens’ privacy concerns are being addressed. According to the report, the program is aimed at establishing citizenship, addressing security and identity-related issues and preventing leakages in different government schemes. Some legal experts have expressed concerns about leaks and misuse of personal information inherent in a centralised database of this kind, but “We are making all efforts technically and legally to see privacy is protected,” says Nilekani. [Economic Times] See also: [Israel: What Big Brother can’t do with your personal identity card data]


UK – ID Scheme Proposed to Reduce Alcohol-Related Trouble in Consett

Drinkers may have to have their passport or driving licence scanned into a computer system before they can raise a glass. The scheme – which would provide police with quick access to photographs and personal details – is being considered as part of an effort to deter alcohol-related trouble in Consett, County Durham. The No ID No Entry scheme is the idea of Inspector Dave Turner and would require people to hand over their passport or driving licence, which would then be scanned into a computer before they go into a pub or club. It means licensees would have a picture and address of drinkers in case of violence that would allow police to make a quick arrest. Inspector Turner said: “The idea that is being floated is that photo ID is a condition of entry. [Source] See also: [Q&A: The ID card commissioner talks cards and controversy] and also: [Knowledge-based authentication poses privacy issues]


US – License Plate Software Stirs Privacy Concerns

The notion of roving cameras snapping pictures of license plates conjures up television shows like Fox’s counterterrorism series, “24.” It’s not just fantasy, though. Americans are already watched by a variety of security agencies using electronic surveillance technology, and in this post-9/11 world, there seems to be no turning back. Privacy advocates, though, are not altogether comfortable with license plate numbers being electronically recorded by commercial operations. While their views on the gathering this data may vary, privacy groups uniformly agree that the real issue is what happens to the photos after they are taken: how long they are stored and by whom; how secure the data is and whether it might be shared with third parties. Are the photographed license plate numbers matched against other lists, like credit scores or addresses? Invariably, technology finds other applications, said Marc Rotenberg, the executive director of the Electronic Privacy Information Center, a civil liberties advocacy group. You can imagine a scenario, he said, where someone spots a car with an attractive driver, types the license plate number into a computer program and finds the owner’s name. Many companies say their data is encrypted, he said, but “you have to ask, ‘who has the key?’ “ [Source]


Internet / WWW


WW – Internet of Things More Reality than Fiction

A new McKinsey consultancy report suggests that the “Internet of things” is closer than ever to becoming a reality. The system would see everyday objects like shoes and food become capable of communicating data about their position, status and location through GPS and RFID systems, the report states. “Pill-shaped micro-cameras already traverse the human digestive tract and send back thousands of images to pinpoint sources of illness,” the authors write, describing the potential benefits of the Internet of things. But they acknowledge the downsides, as well, saying that companies working on such technological advances must consider privacy, security and data protection concerns. [The Guardian]


WW – Website Archives Personal Information, Helps Track World News

Your personal information has a new home on the internet. Making it easy to research, in near real-time world news and personal information, The Social Archive (, is rousing debate amongst data privacy and information professionals. “We only archive publicly available information for the purpose of organizing it into a more consumable, usable form, freely available to the public.” says founder and operations manager Mendel Kurland. “We believe TSA is a valuable free resource on the internet and our growth in the past 6 months has really proven that people are interested in the information we provide.” TSA searches, spiders, and archives over 150 social media sites with an additional 200 of the most popular social networking sites, directories, and public records sites slated for archiving in Q2 of this year. The Social Archive is privately held by World Life Networks, LLC an internet research and development company. [Source]


Law Enforcement


CA – Ontario Police: Vehicle Signs Do Not Breach Privacy Laws

Niagara Regional Police believe vehicle-mounted signs announcing drug searches are substantially different from those placed in front of homes by another department and found in breach of privacy laws last year. The Office of the Information and Privacy Commissioner of Ontario determined in October that signs posted by Cornwall police in front of properties violated privacy laws by divulging addresses where police had executed search warrants. Niagara police, meanwhile, recently began posting signs on a van used during marijuana investigations. “It’s not meant in any way to comment on the residents of the home,” said Deputy Chief Joe Matthews, “just to provide the public with an understanding of what the police activity is.” [The Standard]




WW – Some Social Networking Sites Share Users’ Location Data

Some users of social media are now more tentative about posting personal location details after learning about some of the privacy implications. One user tells of his surprise after he logged on to social networking site Foursquare, which flagged his physical location online. That information made its way onto, a site that aggregates social media data to create a clearinghouse of who’s home and who’s not. Dangers face users in posting their whereabouts to social networking sites. One expert suggests “the normalization of online over-sharing means most don’t give a second thought to what they post since ‘everyone else is doing it.’“ [The Globe and Mail] Interesting paper: ‘A Practical Attack to De-Anonymize Social Network Users.’




HK – Privacy Commissioner Will Not Seek Another Term

In the wake of his announcement that he will not seek another term, the Hong Kong Government is offering praise for the work of Privacy Commissioner Roderick Woo. “During his tenure, Mr. Woo has made a very important contribution to the protection of personal data privacy in Hong Kong,” a government spokesman said. The government praised Woo’s efforts to strengthen the Personal Data Privacy Ordinance (PDPO). “We respect the decision of Mr. Woo for not seeking re-appointment,” the spokesman said. “As for matters relating to the appointment of the next privacy commissioner, we will announce the details shortly.” Woo’s term will come to an end on July 31. []


HK – Gov’t to Open Privacy Commissioner Search Soon

The government announced Thursday that it will soon conduct an open recruitment exercise for the next privacy commissioner. Current commissioner Roderick Woo this week announced that he will not seek another term when his comes to a close on July 31. “A selection board will consider the candidates and recommend the most suitable candidate to the chief executive,” according to the government’s statement. The selection board comprises academics, government officials and others. The Hong Kong privacy commissioner serves a five-year term. [Announcement]


Online Privacy


US – CDD Says New Regulations Needed

The Center for Digital Democracy is calling for new regulations on how pharmaceutical companies market their products. In a Food and Drug Administration filing, the group says the companies’ use of behavioral targeting poses risks to consumers, the report states. The FDA is seeking comments through this week on “how to apply existing regulations to promotion in...newer media.” In the filing, the CDD writes that “Few U.S. health consumers are aware that they are being identified, labeled, profiled and tracked on the Internet while they search for access information on specific conditions or concerns.” [Tech Daily Dose]


US – Company to Target Ads Based on IP Addresses

In a move that promises to push the debate on whether IP addresses should be considered personally identifiable information, a behavioral targeting company says it will soon launch an ad platform that is based on users’ IP addresses. ClearSight Interactive has acquired 100 million IP addresses--along with postal and e-mail addresses--from publishers. The company says it has enough data to reliably link 65 million IP addresses to specific individuals, and it intends to begin serving ads to visitors based on their neighborhoods within four to six weeks, according to the report. [MediaPost] See also: [NYT: Ads Posted on Facebook Strike Some as Off-Key] [Flash Cookies - Is The EU About To Make Them Crumble? - Valerie Surgenor, Lexology] and also: [The New York Times: Redrawing the Route to Online Privacy] SEE ALSO: [The Economist: The Data Deluge - Businesses, governments and society are only starting to tap its vast potential] and


EU – French Court: IP Address Not Enough to ID User

EDRI-gram reports on the Paris Appeal Court’s recent ruling that an IP address does not allow the identification of an Internet user and, therefore, can be collected without the prior authorization of the French data protection authority, the CNIL. The decision backs the Cassation Court’s decision of January 13, 2009, which classified the IP address as “nominal data.” The Appeal Court said the IP address “cannot be considered personal data because it does not identify the user,” the report states. A commentary on the ruling says that while some will not like it, it’s good that “courts recognize that an IP address does not identify a user, even if it means that IP addresses aren’t considered private info.” [EDRI]


Other Jurisdictions


EU – Amendments to the Guernsey Data Protection Law

The proposed amendment to the Guernsey Data Protection Law, effective March 1, 2010, would provide a prison sentence for up to 2 years for the unlawful disclosure of personal data, a fine or both. The Data Protection Commissioner stated that sentences are the ultimate deterrent and are appropriate where the disclosure has the potential for serious consequences, such as the disclosure of bank or credit card details or sensitive health information; the option of a custodial sentence would also facilitate the investigation and prosecution of cross-border offences, where the offence may have been committed in or from another country. [Source] [Source]


EU – Latvian Data Inspectorate Recommendation on Data Transfers to Third Countries

The recommendation describes circumstances during which personal data transfers take place outside Latvia and refers to the Data State Inspectorate’s recognition of binding corporate rules as one of the methods used to ensure protection of personal data during transfers. While there is also reference to other European Commission legal means and the adequacy of Safe Harbor, the recommendation fails to provide further guidance on both of these instruments despite the fact that their protection is regarded as insufficient and additional legal grounds must therefore be ensured to transfer personal data in accordance with statutory requirements. [Lex Universal]


Privacy (US)


US – Brill and Ramirez Confirmed as FTC Commissioners

On March 3, 2010, the Senate unanimously confirmed the nominations of Julie Brill and Edith Ramirez to serve as FTC Commissioners for seven-year terms. Most recently, Ms. Brill has served as Deputy Attorney General for Consumer Protection and Antitrust for the State of North Carolina. She was formerly Assistant Attorney General for Consumer Protection and Antitrust for the State of Vermont and has served as Chair of the Committee on Privacy for the National Association of Attorneys General. Edith Ramirez is a partner at Quinn Emanuel Urquhart Oliver & Hedges, LLP in Los Angeles, where she handles complex business litigation matters. In addition to the appointment of Jon Leibowitz as Chairman of the FTC by President Obama, these new appointments will give control of the FTC to the Democrats. [Hunton & Williams]


US – Court Reviews Charitable Aspect of Proposed Facebook Settlement

A proposed class-action settlement by Facebook that would see 70% of $9.5 million going to a privacy rights charity has rekindled criticisms about using charitable contributions to reach settlements in large cases. A San Francisco federal judge has heard an objection by consumer rights organization Public Citizen alleging that by helping to set up the charity, “In essence, Facebook is paying itself money to gain a broad release of its users’ legal claims.” Meanwhile, some legal experts are questioning whether judges should ever be the ones to choose which charities should benefit from such cases, the report states. However, in Facebook’s case, Scott Kamber, the plaintiffs’ counsel, said the charitable donation will provide more benefit to the 3.5 million class members than would a nominal settlement check. [Wall Street Journal]


Privacy Enhancing Technologies (PETs)


US – TRUSTe Launches Privacy Policy Generator for Small and Medium Businesses

TRUSTe, provider of an online privacy seal and an Internet trust authority, has launched its newest Privacy Policy Generator (PPG), which provides a custom privacy policy for a wide-range of websites, from online retailers to online publishers, backed by the TRUSTe certification and seal. The new offering is part of TRUSTe’s Privacy Services for small and medium-sized businesses. With the new PPG, small business owners of all kinds are able to quickly construct a TRUSTe-hosted privacy policy for their site using an intuitive widget interface. A customer indicates what kind of personal data they are collecting from consumers, how they use the information, and a number of other key elements, and the PPG provides an accurate and consumer-friendly policy, featuring graphical icons to enhance consumer understanding. The new PPG, scanning technology, and TRUSTe Seal is part of TRUSTe’s Standard Privacy Services starting at just $499 per year. [Source]




EU – One Quarter of Germans Would Embrace an Implantable Microchip: Poll

A poll released in anticipation of Europe’s CeBIT trade show indicated that 23% of Germans are open to the idea of implantable microchips. The largest contingent (16%) said they would do it to help emergency services respond to them more quickly and effectively in case of an accident. Another 5% would do it for mere convenience, to make everyday tasks like shopping go more smoothly. Purchasing goods simply by carrying them past sensors on the way out of the store? Seems feasible enough, though the opportunities for fraud and theft would likely discourage such a scheme. But the fact that a quarter of Germany’s population is open to the idea, while not game-changing, is an indication that a new generation of technophiles comfortable with its place in a brave new wired world is emerging. A full 72% of Germans polled said “absolutely not” to implanted electronics, but a quarter of them see a world where the line between the virtual world and reality is slowly blurring. [Source]


UK – Garbage Police Microchip 2/3 More Rubbish Bins

The number of households that have microchips in their bins has jumped to 2.6m in the past 12 months, according to a new report. The study shows that 68 councils across the UK now put the new technology in their bins - a two-thirds increase in the past year. Councils say the microchips identify which houses the bins belong to and deny accusations that they allow local authorities to analyse the amount of rubbish being thrown away. But opposition politicians claim the microchips can be used to weigh waste and fear the rise in the use of the technology will lead to “pay as you throw” schemes. Caroline Spelman, shadow communities secretary, said: “Labour ministers are secretly planning to roll out bin taxes across the country after the election if Gordon Brown can cling to power. “The government has already forced through bin tax laws and has been funding the bin technology to collect the taxes.” Alex Deane, director of Big Brother Watch, which published the report based on information released under the freedom of information act, criticised the “surreptitious” installation of chips which he said had cost more than £1m in the past year. [The Guardian] and [Warning of rise in microchips in council bins]




WW – Three Arrested in Huge Botnet Case

Spanish authorities have arrested three people in connection with a botnet that comprised as many as 12.7 million PCs worldwide. The Mariposa botnet included PCs at Fortune 1,000 companies and at 40 major banks. Its main focus was stealing login credentials for online bank accounts, email services and similar information. Following the arrests, police recovered personal information of more than 800,000 people. Mariposa was first detected in December 2008 and was shut down in December 2009. It was defeated with the help of the Mariposa Working Group, a coalition of security experts, academics and law enforcement, which monitored communication between the compromised machines and the cyber criminals. The three people arrested in Spain are allegedly Mariposa’s administrators. Arrests in other countries are said to be imminent. [CNN] [Mercury News] [The Register] [The Register] [BBC] [ComputerWorld] [eWeek] [Fox News]


US – Napolitano Announces Cybersecurity Awareness Competition

Speaking at the RSA Conference in San Francisco, Department of Homeland Security Secretary Janet Napolitano described steps the government is taking to develop a strategic approach to cyber security. Napolitano spoke of the urgent need to improve cyber security to protect the country from attacks, highlighted by the recent attacks on Google and other US companies. Napolitano also announced the National Cybersecurity Awareness Campaign Challenge Competition created to gather ideas for “raising public awareness of cyber security.” The winners of the competition will be invited to Washington to attend a DHS event and will help plan the National Cybersecurity Awareness Campaign. [BBC] [Top Tech News] [Information Week] [DHS]


WW – Average Users Have Difficulty keeping Up With Security Patches

If home users were to apply every security patch available for applications on their Windows PCs, they would be facing roughly 75 instances of patching every year, or one every five days, according to Secunia. In addition to the large number of patches, users would also have to interact with an average of 22 different patching mechanisms. Faced with the frequency and variety of required patching, it is no surprise that many users are not up to date for patches on all programs on their computers. Last year at the RSA Conference, Secunia made a call for a unified patching standard, but the idea did not go over well. [ComputerWorld] See also: [Chertoff Says Average Users Struggle With Security] and [Microsoft Releases New Versions of Update That Caused Crashes] [Reasonable Data Security? The Curious Case of EMI v. Comerica]




EU – Crown Prosecution Service Considering Legal Action Over BT’s Secret Phorm Trial

The UK’s Crown Prosecution Service is considering taking legal action against British Internet service provider BT regarding trials of Phorm targeted advertising in which BT customers were not informed their browsing was being tracked. The secret Phorm trial, conducted in 2006, monitored the online behavior of 18,000 broadband lines without informing or obtaining consent from customers. [The Register] [Media Post News]


NZ – Commission Recommends Law to Prohibit Tracking

In its latest report in a series on privacy issues, the Law Commission recommends a new law that would prohibit certain types of tracking. “Surveillance is not well regulated by current law,” says Law Commissioner Sir Geoffrey Palmer, SC. “Technology is developing rapidly and continually creating new ways of invading our privacy.” The commission says that the installation of tracking devices on cell phones or vehicles and the use of visual surveillance devices without consent should be outlawed via a Surveillance Devices Act. “It is important to put boundaries in place to control [technology’s] harmful use before it is too late,” the commission says in its report. [New Zealand Herald]


UAE - CCTV Will Cover 90% of Abu Dhabi Within 18 Months

Crime-fighting in the capital is increasingly widening its scope with sophisticated closed-circuit television cameras. And while privacy is a concern, officials are focusing on their ability to deter lawbreakers. As much as 90% of Abu Dhabi island is expected to fall under the public eye within the next 18 months, according to security analysts. Abu Dhabi Municipality already has 153 outdoor closed-circuit (CCTV) cameras in the city centre, with 83 at junctions feeding live footage to traffic and police authorities. The rapid expansion of surveillance networks is expected to surpass even Dubai’s systems by 2012. “I expect nearly 100 per cent of the city is going to be covered soon, but it will be in phases,” said Amr Mustafa, the accounts manager for City-Tec, one of the country’s largest surveillance providers. [Source]


EU – Google May Not Renew Street View in Europe

Google may not map the continent again if European Union data-protection regulators decide to cut the image storage time for the company’s Street View service from one year to six months. “I think we would consider whether we want to drive through Europe again, because it would make the expense so draining,” said Michael Jones, founder of Google Earth, noting the need for longer storage time due to software constraints. “I think that privacy is more important than technology but for privacy people it is only about privacy,” Jones said, while, “for us it is also about technology. We have to be actually able to do what they want us to do. What we want is to have enough time.” [BusinessWeek]


Telecom / TV


CY – Cyprus: Cyta Clients Sue Over Privacy Violations

TWO CYTA (Cyprus Telecommunication Authority) subscribers have filed separate lawsuits in the Limassol District Court yesterday, alleging the company has been secretly monitoring their mobile phone calls and text messages. They are seeking compensation of up to EUR100,000. [Source]


US Government Programs


US – White House Outlines Secret Cybersecurity Plan

Ever since President Bush signed a secret cybersecurity directive two years ago, executive branch officials have been dropping hints about what might be in the highly classified document known as NSPD54. Former Homeland Security Secretary Michael Chertoff once likened it to a new “Manhattan Project,” and The Washington Post reported that the multibillion Comprehensive National Cybersecurity Initiative represented the “single largest request for funds“ in last year’s classified intelligence budget. A Homeland Security assistant secretary previously acknowledged there were “plans to expand“ a network monitoring component, named Einstein, which has prompted protests by privacy advocates. On Tuesday afternoon, the White House let slip a few more tidbits. It has not released the text of NSPD54, also known as National Security Presidential Directive 54, but a five-page PDF posted on does feature a summary. There’s not much in the way of details, but those that are included are likely to raise questions about the role of the National Security Agency in network surveillance and how intent President Obama is on continuing some of the more controversial cybersecurity policies of his predecessor. After the Bush-era warrantless surveillance controversy, many politicians and civil libertarians have become wary of greater NSA involvement in network monitoring. One portion of the summary talks about “extending cybersecurity into critical infrastructure” used by the federal government, a category that appears to include the Internet as well as electrical power and telephone links. Another dealing with intrusion prevention says that a Homeland Security program called Einstein 3 will involve the NSA receiving “alerts” involving “detected network intrusion attempts.” While the initial purpose of Einstein was to monitor (and eventually prevent) electronic attacks on federal government networks, the parallel goal of protecting critical infrastructure operated by the private sector could blur that line. The White House’s summary takes pains to reassure Americans that their privacy is being protected, saying “government civil liberties and privacy officials are working closely with DHS and US-CERT to build appropriate and necessary privacy protections into the design and operational deployment of Einstein 3.” CATO’s Jim Harper says this glimpse of Bush’s cybersecurity plan, which includes an endorsement by Obama, shows that not much has changed between administrations in this area. “The bureaucrats run everything: the policies of the Bush administration are the policies of the Obama administration,” he said. “I don’t think there’s much of a change of tone in cyberspace policy areas.” Homeland Security has published a privacy impact assessment for a less capable system called Einstein 2--which aimed to do intrusion detection and not prevention--but has not done so for Einstein 3. The Bush Justice Department wrote a memo saying Einstein 2 “complies with“ the U.S. Constitution and federal wiretap laws. Members of Congress have raised questions before about the Comprehensive National Cybersecurity Initiative, including a secretive National Cyber Security Center created by NSPD54. And the House Intelligence Committee, which tends to be hawkish on secrecy, has complained that details about NSPD54 “remain vague“ because of “excessive classification” and said the 2009 budget request was “excessive.” [CNET] See also: [US White House Cyber Czar: ‘There Is No Cyberwar’] and [White House Declassifies parts of Cybersecurity Initiative] And also: [Senate Cyber Security Bill Aims to Establish Cohesive Emergency Response Plan] and [RSA: Experts Say U.S. Cyber Threat Is Real] [WIRED: Cyberwar Hype Intended to Destroy the Open Internet] and [Declan McCullagh: Feds May Extend Communications Monitoring into Private Networks], [Obama, Congress Wink at Massive Surveillance Abuses], [Forbes: The Birth of a new knee-jerk “War On”: This time its Cyber Threats],