Canada’s chief privacy czar wants to put more funding into hiring technological experts to conduct research on new and emerging technologies such as radio frequency identification devices and ubiquitous computing.
The Office of the Privacy Commissioner (OPC) expects a 40 per cent increase in funding over two years from what it has been since 2000.
“We had asked for a substantial increase in our budget,” Jennifer Stoddart, the Privacy Commissioner of Canada, said in an interview Tuesday following the release of her 2005 report on the Personal Information Protection and Electronic Documents Act (PIPEDA). “We have now been assured that this is in the government’s main estimates for this year.”
Parliament is set to review PIPEDA later this year. In a few weeks, the Commissioner will publish a paper on her Web site that will cover key issues related to the legislation, which started to come effect in 2001. These include employee information, product information and notice requirement when a data breach has occurred. The Office is also pressuring the government to consider a similar review of the Privacy Act, which governs the federal public sector. Stoddart will release her annual report on the Privacy Act at the end of next month.
Stoddart said she expects to hire a half a dozen more auditors in the coming year. The money will also help the office deal with complaints faster, launch complaints on its own initiatives, beef up its auditing and review section, review privacy impact assessments and conduct research, she added.
“This is an increasingly complex area,” said Stoddart. “It’s in an area that to many citizens is invisible. It’s a virtual world we’re in now. Unlike some other worlds, we can’t depend on citizens coming to us because it’s hard for them to know or see.”
Philippa Lawson, executive director and general counsel of the Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the University of Ottawa Faculty of Law, said it’s a good sign that the Commissioner is looking to get tough on businesses that don’t comply with PIPEDA.
“She’s recognizing that she’s got to step up on the enforcement side of things,” said Lawson. “That means following through when companies do not follow through on recommendations, taking cases to court where that’s warranted and naming companies who are not complying. Hopefully we’re going to see more of that.”
In the back of her report, Stoddart listed all of the current companies that are before the federal courts and those that are no longer proceeding.
CIPPIC recently released a study that was funded by the OPC, which found that retailers, online in particular, were not compliant with PIPEDA.
“Our study shows quite clearly that there’s a very high level of non-compliance out there particularly when it comes to the kinds of things that consumers aren’t aware of,” said Lawson. “That is the sharing and use of their personal data behind the scenes. Companies are not being as forthright about that and are not giving consumers meaningful choice.”
In her defense, Stoddart said the OPC consulted with the Canadian Federation of Business in 2003 to make sure it understood what the members’ needs were.
“It’s one of our education objectives this year is to get more information out to small businesses in an interactive exercise on our Web site,” said Stoddart, adding the information should be available by this winter.
Three pages of the 67-page report were devoted solely to the Commissioner’s findings on RFIDs and their impact on privacy rights. One of the threats RFID poses is the ability of tags to track an individual’s movement “. . . identifying items people wear or carry could associate them with particular events – for example political rallies or protests.”
While it would be possible to do this, Bartek Muszynski, president of Richmond, B.C.-based RFID system integrator NJE Consulting Inc., said it would cost billions of dollars.
“It’s not something you can do behind a person’s back,” he said, adding that GPS technology is not compatible with RFID.
Stoddart also said the technology could be used to create a profile of an individual’s spending habits. Muszynski pointed out that this capability already exists with barcode technology.
“That I would consider an error in her report because she’s suggesting that somehow RFID would make this easier,” he said. “Today you have your loyalty card and the store keeps a record of what you’re buying. There’s absolutely no difference if that’s RFID or not. Having the unique ID of a product wouldn’t help them because they don’t care which bottle of water you buy.”
Stoddart’s report also included the findings of the Audit and Review Branch’s study of RFID, which she describes as “a technology that is causing considerable concern from a privacy perspective.” The study began in early 2005 when the Office wrote to 14 corporations, which were not publicly disclosed, asking them to help it understand the use of RFID in Canada.
Out of the 12 respondents, one organization was using RFID to track employees but stated it was not collecting personal information, according to the report. Out of the 10 organizations that were considering RFIDs, testing RFID use and using RFID already, six responded to privacy issues mentioned in the letter. One third of that group said a privacy impact assessment was not required because their RFID application did not identify individuals and/or link with personal information.
Based on the information in the study, the OPC will develop guidelines to ensure that as the use of RFID becomes more common, citizens’ privacy rights will be protected.
“RFID is covered by the principles of PIPEDA,” said Stoddart. “We are going to do like we did for video surveillance and see how the applicable law would be interpreted in particular situations involving that technology.”