The federal Privacy Commissioner says the laws protecting access to the personal information of Canadians need serious revision to bring them into step with the dramatic changes that have taken place in the online world.
In her final report before the end of her second mandate, Jennifer Stoddart highlights alarming examples of ways in which privacy has been breached – sometimes deliberately – by corporations and others who have taken liberties with the information provided to them wittingly or unwittingly.
"As in previous years, our annual report outlines some significant achievements as investigations led to improved privacy practices among businesses," Ms. Stoddart said in a release issued to accompany her report.
"Such changes, however, often came only after long investigative and follow-up processes, and therefore at significant costs," she said. "Canadians would be better served by a law that motivates organizations to put privacy considerations up front, rather than the current situation where we're left to trigger a mop-up after privacy is violated."
The number of complaints accepted by the Privacy Commissioner's office was down to 220 in 2012 compared to 281 the previous year but the office completed 145 formal investigations which marked a 21-per cent increase from 2011.
Among the more egregious examples of privacy breaches recounted in the report are tales of the deliberate retrieval and storage of the personal information of Canadians who had no knowledge that their data had been compromised.
As part of a cautionary tale, Ms. Stoddart outlines three of the cases that crossed her desk:
- The Canadian franchisee of a rent-to-own company called Aaron’s Inc. installed “Detective Mode” software onto its rented laptops, enabling the collection of data, including key strokes, screen shots and web-cam photos without user knowledge. The company did this to help it recover stolen computers but the commissioner found the practice resulted in a disproportionate loss of privacy for clients;
- A fake Facebook account was set up for a teenager that was then “friended” by some of the teen’s real-life friends who received a barrage of inappropriate comments from the imposter. Facebook deleted the account after receiving complaints from the teen and her mother but did not notify the people who had “friended” the account that it was a fake. As a result of the intervention of the Privacy Commissioner, Facebook agreed to notify non-users people who have been “friended” by imposter accounts.
- Personal information including the health status of people who signed up for a dating web site for people with sexually transmitted diseases called PositiveSingles.com. was stored in a database that could be accessed by a network of affiliated sites. The Privacy Commission concluded that PositiveSingles and its parent company, SuccessfulMatch, failed to openly and clearly explain how and to whom the personal information would be disclosed and changes have been made to make the practices more transparent.