Privacy Commissioner Jennifer Stoddart released the Office of the Privacy Commissioner’s (OPC) annual report on the Personal Information Protection and Electronic Documents Act (PIPEDA) for 2012, which details investigations affecting individual online reputation and the growing importance of organizational accountability. This is the Commissioner’s last PIPEDA annual report before the end of her mandate and it underlines the need for changes to the law to bring it up to speed with today’s rapidly changing, digitally driven times.
“As in previous years, our annual report outlines some significant achievements as investigations led to improved privacy practices among businesses,” said Commissioner Stoddart. “Such changes, however, often came only after long investigative and follow-up processes, and therefore at significant costs. Canadians would be better served by a law that motivates organizations to put privacy considerations up front, rather than the current situation where we’re left to trigger a mop-up after privacy is violated.”
The report details the outcome of a Commissioner-initiated complaint against a Canadian franchisee of rent-to-own company Aaron’s Inc. “Detective Mode” software was installed onto its rented laptops, enabling the collection of data, including keystrokes, screenshots and webcam photos, without user knowledge.
While installing the software was intended to recover lost or stolen laptops, the OPC found that the extreme measure wasn’t justified, given the egregious and disproportionate loss of privacy for its clients. The franchisee agreed to delete what the software collected, and the company committed to never again using this type of tool.
This year’s report also includes the story of a teen whose reputation was imperiled by a fake Facebook account being set up in her name. She was not a Facebook member, but many of her real-life friends were. They “friended” the impostor account and then received a barrage of inappropriate comments.
The teen’s mother complained to the OPC and demanded Facebook delete the account. Upon determining the account was indeed a fake, the company promptly deleted it. The teen’s reputation, though, remained at risk, as those who had been “friended” by the account were not notified that it was a fake. As a result, following negotiations with the OPC, Facebook agreed to implement a new process moving forward to help non-users notify individuals “friended” by impostor accounts.
Information on singles with STDs unprotected
The report also details our investigation into complaints by members of PositiveSingles.com, a dating web site for people with sexually transmitted diseases. They alleged that, unbeknownst to them, their profiles, including personal information detailing their individual health status, were stored in a database accessible by a wider network of affiliated sites.
The investigation concluded that PositiveSingles and its parent company, SuccessfulMatch, failed to openly and clearly explain to prospective members how and to whom their personal information would be visible and disclosed. SuccessfulMatch then made changes to the web site to make its information handling practices more transparent, including informing prospective members of the broad visibility of profiles at the point of registration.
Overall, 2012 saw 220 complaints accepted by the OPC, down from 281 the previous year. The OPC also completed 145 formal investigations in 2012, marking a 21-percent increase from the year before, while also realising a 12-percent reduction in the time it took to resolve formal investigations.
SOURCE: Office of the Privacy Commissioner