
Inside Internal Controls

News and discussion on implementing risk management


personal information

Defending a lawsuit is not a “commercial activity” under privacy legislation

In a case dating back to 2016 but just recently published, the Office of the Privacy Commissioner of Canada has ruled that the collection and use of a plaintiff’s personal information for the purpose of defending against a civil lawsuit is not a “commercial activity” and, as such, the Personal Information Protection and Electronic Documents Act does not apply.

 


Former employee steals personal information to purchase smart phones

The Office of the Information and Privacy Commissioner of Alberta has required a payment processing organization to notify individuals pursuant to section 37.1 of the province’s Personal Information Protection Act because there was a real risk of significant harm to those individuals affected by an incident that involved unauthorized access and theft of information of 60 Alberta residents.

 


Lawful access: The Privacy Commissioner reiterates its position

Patricia Kosseim, Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis for the Office of the Privacy Commissioner of Canada, was asked, at the request of the Commission’s counsel, to provide an overview of the legislation for protecting privacy in Canada and to answer questions about lawful access issues from a federal perspective.

 


Privacy law: The Supreme Court of Canada’s Royal Bank of Canada v. Trang

The Supreme Court of Canada released a landmark decision giving important guidance on when personal financial information may be disclosed under Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act.

 


Adequacy of Canadian privacy law

Potential amendments could mean Canadian businesses receiving personal information from Europe will have more exposure to the differences in the data protection laws and enforcement regimes in the EU member states.

 


IP address as personal information: Canadian and EU positions

The Office of the Privacy Commissioner’s findings do not mean that consent to the collection of an IP address is always required. There may be a number of legitimate reasons for collecting this information, including those relating to security of the site. These reasons would not necessarily extend, however, to collection and use of IP addresses for advertising purposes without some form of consent.

 


Pension and benefit plan provider breaches privacy law causing employee to lose life insurance coverage

Many of us have called service providers to change basic information, such as a mailing address. You pick up the phone, speak to a representative, and the change is made; no big deal, right? This seamless scenario may not always be the case. Any little misstep on an organization’s part can cause grief not only for the customer, but also for the organization itself. This proved to be true when an employee complained to the Office of the Privacy Commissioner of Canada that her employment pension and benefit provider disclosed her personal information to a third party without her consent.

 


Attempt to fix email issue causes privacy issue

A recent privacy complaint was filed against a telecommunications company under PIPEDA regarding frequent email problems.

 


New PIPEDA data breach regulations proposed

On March 9, 2016 the Department of Innovation, Science and Economic Development Canada released a discussion paper on the new data breach regulations being proposed. The Ministry is accepting public submissions until May 31, 2016 on the proposed Data Breach Notification and Reporting Regulations.

 


Businesses should re-evaluate approach to privacy with passage of Digital Privacy Act

The Digital Privacy Act (Bill S-4) passed into law, introducing (among other things) significant fines and mandatory breach notification (not yet in force) into the Personal Information Protection and Electronic Documents Act (PIPEDA). Organizations which handle personal information in the course of their commercial activities will want to undertake a review of their privacy policies […]

 


Office of the Information and Privacy Commissioners bring your own device program guidelines


Using personal devices at work to conduct business (BYOD or “bring your own device”) has become commonplace in the last couple of years. Employers are implementing BYOD policies left, right and centre to try to control the privacy challenges this practice can bring about when employers access these devices to protect their data contained on them.

 


Lessons from the Saanich spyware fiasco and new privacy laws to be aware of

In our current information age, security over electronic information and protection against unauthorized access is foundational to employers’ businesses. To guard against endlessly multiplying electronic threats, employers must resort to electronic means and, understandably, often resort to broad and comprehensive software to protect their operations. However, the situation involving the District of Saanich earlier this year is a good reminder to all B.C. employers that cyber-protection cannot be used at the expense of employees’ privacy.

 


First international standard on cloud services and personal information protection

The International Standards Organization has released a standard for privacy aimed at cloud computing service providers.

 


Business guidelines on how to destroy personal information

Organizations collect more and more personal data these days—from customers and employees. With all of this new data in their hands, organizations may be tempted to hold onto it without an express purpose, or they may be unsure what to do with it once it has served its original purpose.

 


Arbitrators should apply ‘privacy spectrum’ to personal information

The names of people involved in labour arbitration should be disclosed with the arbitrator’s decisions, unless there are compelling reasons not to do so, according to the open-court principle and the public’s interest.

 

