“The intent and principles of PIPEDA line up almost perfectly with genealogical emphasis about privacy protection and the ethics surrounding that, but the genealogical societies do not seem to be aware that it could be a fantastic tool in ensuring those ethics are followed and are caught up instead in determining whether or not they are bound by the legislation. In my opinion PIPEDA needs to be embraced and it's principles entrenched into genealogical societies' policies and practices.”

September 7, 2013
G. Alvin Murray, Certified Saskatchewan Instructor, CCSG

*************

The following was taken from R. v. Dyment, [1988] 2 SCR 417, as reproduced at http://canlii.ca/t/1ftc6:

“22. Finally, there is privacy in relation to information. This too is based on the notion of the dignity and integrity of the individual. As the Task Force put it (p. 13): "This notion of privacy derives from the assumption that all information about a person is in a fundamental way his own, for him to communicate or retain for himself as he sees fit." In modern society, especially, retention of information about oneself is extremely important. We may, for one reason or another, wish or be compelled to reveal such information, but situations abound where the reasonable expectations of the individual that the information shall remain confidential to the persons to whom, and restricted to the purposes for which it is divulged, must be protected. Governments at all levels have in recent years recognized this and have devised rules and regulations to restrict the uses of information collected by them to those for which it was obtained; see, for example, the Privacy Act, S.C. 1980-81-82-83, c. 111.

23. One further general point must be made, and that is that if the privacy of the individual is to be protected, we cannot afford to wait to vindicate it only after it has been violated. . . . Invasions of privacy must be prevented, and where privacy is outweighed by other societal claims, there must be clear rules setting forth the conditions in which it can be violated.” (Emphasis added)

From http://www.canlii.org/en/ca/scc/doc/1997/1997canlii358/1997canlii358.html, at paragraph 67, in the case of Dagg v. Canada (Minister of Finance), [1997] 2 SCR 403, we learn that the Supreme Court of Canada also invites us to consider R. v. Duarte, 1990 CanLII 150 (SCC), [1990] 1 S.C.R. 30, at p. 46 (“privacy may be defined as the right of the individual to determine for himself when, how, and to what extent he will release personal information about himself”); (and) R. v. Osolin, 1993 CanLII 54 (SCC), [1993] 4 S.C.R. 595, at pp. 613-15 (per L’Heureux-DubĂ© J., dissenting); Westin, supra, at p. 7 (“[p]rivacy is the claim of individuals . . . to determine for themselves when, how, and to what extent information about them is communicated to others”); (and) Charles Fried, “Privacy” (1968), 77 Yale L.J. 475, at p. 483 (“[p]rivacy . . . is control over knowledge about oneself”).

***********

The design of this site is to readily afford access to ‘research tools’ that may be used to answer the question which asks if the Saskatchewan Genealogical Society (SGS), and certain other genealogical societies, are or are not limited by the terms and provisions of The Personal Information Protection and Electronic Documents Act (PIPEDA) when indiscriminately collecting and selling personal information about those “in the land of the living.”

Wednesday, September 11, 2013

A "similar fact" PIPEDA Case Summary

PIPEDA Case Summary #2009-013 — Publisher collected and used e-mail addresses for marketing without consent — [Section 2; Principles 4.3 and 4.3.1; Paragraphs 7(1)(d) and 7(2)(c.1); Regulations 1(e)] — Issued June 2, 2009 — found at https://www.priv.gc.ca/cf-dc/2009/2009_013_0602_e.asp — “The company contended that (certain) e-mail addresses were publicly available.” // “The Assistant Privacy Commissioner established that business e-mails are personal information as defined by the Act, and as determined in an earlier complaint, and, furthermore, that all but one of the e-mail addresses in question could not be considered publicly available as defined in the Regulations.” // “The company contended that even if the complainant’s e-mail addresses could be considered personal information, paragraphs 7(1)(d) and 7(2)(c.1) of the Act would then apply. These paragraphs permit the collection or use of personal information without knowledge or consent if the information is publicly available and is specified in the Regulations. Subsection 1(e) provides that personal information can be considered publicly available when it appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, and where the individual has provided the information. The organization believed that the e-mail addresses in question were provided by the complainant on a publicly available source, and a web site. In the organization’s view, it could therefore collect and use the addresses without the complainant’s knowledge or consent.” // “The Assistant Commissioner . . . examined the argument that the complainant’s e-mail addresses were publicly available, as specified by Regulation 1(e).   She determined that the complainant’s various e-mail addresses were not captured under the Regulations and could not, therefore, be considered publicly available information. However, she noted one exception: an e-mail address that appeared on a web site devoted to a publication of which the complainant had been the editor.

Thursday, September 5, 2013

One summary of PIPEDA

“ . . . The PIPEDA Guide, prepared by the Federal Department of Justice, explains as follows:

The PIPEDA gives you the right to:

    know why an organization collects, uses, or discloses your personal information;
    expect an organization to collect, use, or disclose your personal information reasonably and appropriately, and not use the information for any purpose other than that to which you have consented;
    know who in the organization is responsible for protecting your personal information;
    expect an organization to protect your personal information by taking appropriate security measures;
    expect the personal information an organization holds about you to be accurate, complete, and up-to-date;
    obtain access to your personal information and ask for corrections if necessary; and
    complain about how an organization handles your personal information if you feel your privacy rights have not been respected.

This law requires organizations to:

    obtain your consent when they collect, use , or disclose your personal information;
    supply you with a product or a service even if you refuse consent for the collection, use, or disclosure of your personal information unless that information is essential to the transaction;
    collect information by fair and lawful means; and
    have personal information policies that are clear, understandable , and readily available.

. . .

Wednesday, September 4, 2013

Are genealogical societies required to protect personal information in their possession or control in a way that is compliant with PIPEDA?

Our provincial Privacy Commissioner has just issued a report in response to concerns over how personal information collected from a skills survey conducted by the Saskatchewan Government would be stored and could be used in the United States.  I am so very thankful that I was advised, this morning, that CBC’s Stefani Langenegger, via twitter, under the title Latest from SK privacy commissioner on outsourcing personal info of govt workers, provides access to that report.

A suggestion from our first Privacy Commissioner of Canada

"A reasonable person will not take every business to task for collecting personal information.  A reasonable person will welcome the collection of personal information in some situations, since it will serve the person in his or her dealings with that business.  However, a reasonable person will challenge the excessive and persistent collection of information about them, the indiscriminate or careless sharing of that information with others and the shrouding of that information-handling process in secrecy." (Emphasis added)  [See Privacy Commissioner Bruce Phillips, The Privacy Commissioner of Canada's approach to implementing the Act, Speaking Notes prepared for the CENTRUM Conference (Dec. 10, 1999), found at http://www rivcomn gc.c: speechiarchi-ei02 05 a 99121.]

Could this argument challenge the view that, properly applied, PIPEDA limits collection, use and distribution of personal information by genealogical societies?


The purpose of Part 1 (of PIPEDA) is to establish "rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances." (See Section 3)

I want this page to be balanced and fair with respect to all matters, especially that of answering the question which asks if, technically and lawfully, PIPEDA applies or does not apply to genealogical societies in provinces that have not passed similar legislation.  I’m afraid that, at the moment, it will be up to others to provide ‘the balance’ with respect to that matter, however, given my firmly held view that Parliament intended that PIPEDA would apply, in every respect, to our genealogical organizations. But do know that I will be very able and very willing to change my mind about that, ‘if and when I’m persuaded otherwise.’  In fact, I’m able and willing to invent and publish the following as one argument that, when perfected, just might lay my heartfelt and certain opinion to rest.

Monday, September 2, 2013

Re: Aggregation of personal information

I think it will be interesting and useful to list all of the practical reasons we can think of that suggest why forbidding republication of our personal information is a wise thing to do.  Today’s CBC news broadcast reveals one that I never would have thought about, except for the publicly expressed concerns of two sisters in BC.

Pharmacies, doctors fail to stop narcotic shopping spree
Identity theft victims impersonated for years want accountability
By Kathy Tomlinson, CBC News
Posted: Sep 2, 2013 2:03 AM PT

“Two sisters in B.C. are going public to expose what they see as a big hole in the health system after a drug addict was able use their identities to get thousands of taxpayer-funded prescription narcotic pills.   . . .   The sisters realized their old friend knew their information — enough to get their personal health numbers (PHN) from any pharmacist willing to look it up.   . . .   “All she had to do was use my full name, my date of birth and my address and say, ‘Oh I misplaced my care card’ (said one of the sisters). Because you are already in the system, they just type it in and OK, yup, no problem,” said Lisa.  . . .   The imposter could then give that PHN at any doctor’s office or pharmacy to access services, claiming she lost her ID.   . . .    “There’s so many ways that people actually steal people’s identities and people’s health cards,” said Calder (who was interviewed after the sisters filed their complaint). “People are dying from this. People are dying from doctors being duped or conned. People are dying from abusing these drugs and there has to be a solution.”

More can be found by using the link that is indicated above.

The end of Groklaw and our online privacy?

The end of Groklaw and our online privacy?
By Monica Goyal
Published: August 28th, 2013

“In Canada, we are governed by the Personal Information Protection and Electronic Documents Act. PIPEDA applies to every organization that collects, uses or discloses personal information in the course of commercial activity. So if your business collects any information about clients including their names, addresses and phone numbers – or say, their purchase records, ages, buying preferences, and possibly even their IP addresses – then you are governed by this act. Under PIPEDA you can only disclose personal information without consent in very limited circumstances such as:  in the case of a subpoena, if the individual has been dead for 20 years, or if the information is regarding certain acts related to the Canadian government collecting information about money laundering or terrorism.” More can be found here.

Data theft or loss: ten things your lawyer must tell you about handling information

Six years ago Craig Bavis, a labour and employment lawyer with the Victory Square Law Office LLP, Vancouver BC, and Michael Parent, an Associate Professor, Segal Graduate School of Business, Simon Fraser University, Vancouver BC, and Visiting Professor, The University of Queensland, Australia, wrote an article titled Data theft or loss: ten things your lawyer must tell you about handling information.  That was published in the Ivey Business Journal Online, in the July/August publication, in 2007.

This website is dedicated to providing tools that folks may wish to use in an effort to certainly answer that question which asks whether or not genealogical societies in some provinces are subject to the terms and provisions of PIPEDA.

Mr. Bavis and Mr. Parent do not directly address that question.  Nevertheless, I do believe a careful study of the advice provided by these gentlemen will assist all who will be willing to join our discussion and debate.

Whatever the case may be, you will enjoy this read.  There is much to be learned from it.