Wednesday, June 26, 2013

Privacy Commissioner stresses significance of online reputation and business accountability in digital age.

Annual report tells tales of rental laptops that spied on users, the response to a teen smeared by a social network imposter and a dating site that left sensitive health data vulnerable.
Ottawa, June 6, 2013 — Privacy Commissioner Jennifer Stoddart today released the Office of the Privacy Commissioner’s (OPC) annual report on the Personal Information Protection and Electronic Documents Act (PIPEDA) for 2012, which details investigations affecting individual online reputation and the growing importance of organizational accountability.  This is the Commissioner’s last PIPEDA annual report before the end of her mandate and it underlines the need for changes to the law to bring it up to speed with today’s rapidly changing, digitally driven times.
“As in previous years, our annual report outlines some significant achievements as investigations led to improved privacy practices among businesses,” said Commissioner Stoddart. “Such changes, however, often came only after long investigative and follow-up processes, and therefore at significant costs. Canadians would be better served by a law that motivates organizations to put privacy considerations up front, rather than the current situation where we’re left to trigger a mop-up after privacy is violated.”

Leering laptops

The report details the outcome of a Commissioner-initiated complaint against a Canadian franchisee of rent-to-own company Aaron’s Inc. “Detective Mode” software was installed on its rented laptops, enabling the collection of data, including keystrokes, screenshots and webcam photos, without user knowledge.
While the software was installed to help recover lost or stolen laptops, the OPC found that the extreme measure wasn’t justified, given the egregious and disproportionate loss of privacy for its clients. The franchisee agreed to delete what the software collected, and the company committed to never again using this type of tool.

Facebook fakery

This year’s report also includes the story of a teen whose reputation was imperiled by a fake Facebook account being set up in her name. She was not a Facebook member, but many of her real life friends were. They “friended” the impostor account and then received a barrage of inappropriate comments.
The teen’s mother complained to the OPC and demanded Facebook delete the account. Upon determining the account was indeed a fake, the company promptly deleted it. The teen’s reputation, though, remained at risk, as those who had been “friended” by the account were not notified that it was a fake. As a result, following negotiations with the OPC, Facebook agreed to implement a new process moving forward to help non-users notify individuals “friended” by imposter accounts.

Information on singles with STDs unprotected

The report also details our investigation into complaints by members of a dating web site for people with sexually transmitted diseases called PositiveSingles.com.  They alleged that, unbeknownst to them, their profiles, including personal information detailing their individual health status, were stored in a database accessible by a wider network of affiliated sites.
The investigation concluded that PositiveSingles and its parent company, SuccessfulMatch, failed to openly and clearly explain to prospective members how and to whom their personal information would be visible and disclosed. SuccessfulMatch then made changes to the web site to make its information handling practices more transparent, including informing prospective members of the broad visibility of profiles at the point of registration.
Overall, 2012 saw 220 complaints accepted by the OPC, down from 281 the previous year. The OPC also completed 145 formal investigations in 2012, marking a 21-percent increase from the year before, while also realising a 12-percent reduction in the time it took to resolve formal investigations.

About the OPC

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two federal laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to organizations engaged in commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta and British Columbia each has its own law covering the private sector. Even in these provinces, PIPEDA continues to apply to the federally regulated private sector and to personal information in interprovincial and international transactions.
- 30 -
For more information (media only), please contact:
Scott Hutchinson
Office of the Privacy Commissioner of Canada