Privacy Story of the Week (PSotW) - January 27

by John Wunderlich

Happy International Data Privacy Day

What with a busy weekend, and data privacy day today, I’m a little delayed in identifying and posting last week’s privacy story of the week, which is:

Canada’s privacy watchdog wants answers over NETFILE web-service change

Canada’s privacy watchdog would like some answers from the government’s tax collector after it eliminated the need for a web-access code to file personal-income tax returns online.

I choose this for the privacy story of the week partially because when I got the mail from the Canada Revenue Agency, my first thought was to file a Freedom of Information Request for any copies of a Threat/Risk Assessment or Privacy Impact Assessment relating to the change. On the face of it it appears to be a reduction in the security of the NETFILE system. Before this change, each participant would receive a code through the mail. In essence this created a type of two factor authentication system. Going forward, people who want to NETFILE only need to provide their Social Insurance Number and their date of birth.

The CRA spokesman said in the coverage of this story that since the NETFILE system does not allow users to change their address or direct deposit information no confidential information is ever revealed. Those kind of changes required the “My Account" service which does require a separate security code..

What seems to me to be the most disturbing piece about this is that the CRA proceeded with planning and announcing this change without engaging the Privacy Commissioner’s office. In organizations to whom I provide advice I usually recommend that their needs to be a privacy impact policy that sets out when a privacy impact assessment (PIA) or a threat & risk assessment (TRA) should be carried out. While the goals of the two assessments are not the same, the triggers for that assessments should be similar: If there is a change proposed to a system that collects, uses, discloses, retains, or disposes of personally identifiable information, then the organization should assess the proposed change or new system to ensure a continuity of privacy (PIA) or security (TRA) protection.

According to iPolitics, the CRA says these changes will be safe, making filing returns easier and improve service. It seems only fair to point out in passing that this change is also likely to save the government money. While it’s good to save money, this shouldn’t be at the expense of citizens or their data. The determination about whether citizen data is at risk is the purpose of doing a PIA or a TRA. Let us all hope that this has all been done, and that the controversy has arisen simply as a result of the bad communications strategy on the part of the CRA.

Other privacy stories of note

Not just for modern warfare: RCMP to expand use of drone mini-helicopters

Unmanned surveillance drones with live-streaming video and thermal-imaging technology. What could possibly go wrong? Other than maybe a whole new You Tube channel…

WhatsApp violated Canadian law, says privacy commissioner

The Canadian and Dutch privacy commissioners jointly investigate a California based mobile chat app.

Privacy visor blocks facial recognition software

Wraparound plastic glasses designed to foil surveillance cameras.

Report finds B.C. Government’s $182 million Integrated Case Management system plagued with “fundamental deficiencies”

"The B.C. Ministry of Child and Family Development has issued an interim report by a consultant hired to review the problem-plagued Integrated Case Management System, and the results are damning." 

Prof offers $100 to any Canadian who can find a ‘privacy-compliant’ surveillance camera

"After two years of offering the $100 reward to his students for educational purposes, he’s now opening it up to the entire country."

ICT and human rights: A roundup of 2012 and challenges for 2013

"Freedom of expression and privacy, two rights intertwined with the information and communication technology (ICT) sector, were very much in the spotlight in 2012. Balancing the two is not easy, and companies in the sector continue to face many difficult choices."

Fitbit To Give Employers Your Fitness Report?

According to this piece,

According to a recent report, Fitbit is working with an insurance company to “determine whether individuals who use the mobile devices visit their physicians less than those who do not use the devices." Fitbit’s Chief Revenue Officer claims, that if Fitbit can make a direct connection to reduction in medical care costs, then the floodgates would be open."