Privacy Tips
By David J Bilinsky
Photocopiers and Privacy
Most photocopiers sold in the last few years have a built-in hard drive. That hard drive is used to store copies of the images. Problem is, when you trade in that copier for a new one, that hard drive still has all those images stored on it and they are not encrypted or erased when the lease is up. CBS in the USA purchased several used copiers and was able to retrieve “tens of thousands” of documents from those copiers (http://bit.ly/a2ZiKA).
The most secure way of protecting your privacy is to smash that hard drive to pieces. If this is not possible, then call in an expert to erase (not just delete!) those files. You will want his or her written assurance that all the data has been made “non-recoverable.”
Data stored on Servers in the USA or other locations outside Canada
The Office of the Privacy Commissioner of Canada has some interesting findings on their web page that may be of interest to lawyers in Canada (www.priv.gc.ca), particularly with respect to private information when services are outsourced beyond the Canadian borders.
For example, in the Personal Information Protection and Electronic Documents Act (PIPEDA) Case Summary #2008-394, Canada.com outsourced email services to a U.S.-based firm.
“Two complainants expressed doubt that subscribers’ personal information was adequately protected after Canada.com email operations were outsourced to a U.S.-based firm. Moreover, the complainants did not believe that existing subscribers had had an opportunity to consent to the transfer of their information to the U.S. or that new subscribers were properly informed that their information would be used and stored in the U.S.”
The Privacy Commission held that the measures by which personal information is protected must be formalized with the organization by using contractual or other means. (Of course the problem with this is that most companies have standard terms of use and it is very difficult to have those modified or changed to suit individual circumstances.)
The Privacy Commission also held that Canadian organizations must be transparent about their personal information handling practices. In other words, there should be notification to the clients that information may be available to the government of that country or its agencies under lawful order made in that country.
Furthermore, client consent should be sought since the sharing of information with a third-party service provider constitutes a “use” for the purposes of the Act.
Now in B.C. we have PIPA – the Personal Information Protection Act rather than PIPEDA. My colleague Barb Buchanan interviewed David Loukidelis, B.C.’s former Information and Privacy Commissioner (http://bit.ly/9rxGSQ) and this is what he said:
“BB: Any comments on managing outsourcing risks?
DL: If a law firm wants to outsource services involving personal information, whether personal information of clients or employees, it is free to do so. The firm remains responsible, however, for the appropriate use, disclosure and protection of that personal information. So law firms should use diligence in selecting service providers and contractually obligate them to use personal information only for providing the services and to take reasonable security measures. In major cases of outsourcing, law firms might consider following up with the service provider to ensure that these contractual obligations are being respected, including the undertaking of inspections or audits in particularly important cases.”
The views expressed herein are strictly those of the author and may not be shared by the Law Society of B.C. David J. Bilinsky is the Practice Management Advisor for the LSBC. Email: daveb@lsbc.org; Blog: www.thoughtfullaw.com.
This article originally appeared in the June 2010 issue of BarTalk and is reproduced here with permission of both the author and the Canadian Bar Association, British Columbia Branch.