Online privacy is a source of constant tension in our wired world: is online banking actually safe? Should I add my phone number to Facebook? Are my smartphone apps tracking my location? In light of the recent revelations about the extent of the National Security Agency’s wiretapping and wire splitting operations in the US, I thought it would be interesting to see what Ontario’s Office of the Information and Privacy Commissioner (IPC) might have to say about online privacy issues. Jason Papadimos, a Communications Officer at the IPC, responded to my questions on behalf of the organization.
Q. How is the Office of the Information and Privacy Commissioner (IPC) involved in online privacy?
A. As part of our mandate to build public awareness about Ontario’s access to information and privacy laws, the IPC develops tools and resources to educate members of the public, including website users, operators and other stakeholders, about their shared responsibility to protect personal information online.
Q. What are some of the most common online privacy concerns that the IPC deals with?
A. Some common online privacy concerns include identity theft, online reputation management and privacy management on social networks. Our message is that all participants must educate themselves and think proactively about protecting their privacy in the online environment.
Q. Social media is often mentioned as being a privacy concern. What precautions does the IPC suggest people take?
A. Users of social media sites such as Facebook should post information with their eyes wide open. It is crucial to remember that anything posted online may stay there forever, in one form or another.
[The] uncertainty regarding the privacy and confidentiality of potentially sensitive information is a major downside to social networking sites, despite their many positive aspects. Users should…carefully review the privacy settings for each social network they are using. Additionally, consumers must be proactive by carefully protecting their passwords and creating passwords that are difficult to break.
Q. Does the IPC have any new areas of concern regarding online privacy that people might not know about yet?
A. Mobile applications can be a concern if people do not take the time to understand what they are agreeing to when accepting terms and conditions. For example, it [is] common for many applications to add time and geo-location data to photos, thereby allowing anyone to track your location.
Consumers need to be vigilant with their personal information and should not routinely agree to privacy policies and terms and conditions without reading them first. Users should take the time to review the settings on their mobile devices and understand who they are sharing their information with.
Q. Website servers are often located in the US. Should Canadians be concerned about their privacy under the US Patriot Act?
A. With respect to the storage of personal information in the US, the Commissioner [Dr. Ann Cavoukian] has always taken the position that you can outsource services, but you cannot outsource accountability. This means that where a provincial institution outsources its operations across provincial or international borders, it remains responsible for the protection of personal information in its custody and control.
In Ontario, there is no legislative prohibition against the storing of personal information outside the province or outside Canada. FIPPA [the Freedom of Information and Privacy Act] requires, however, that provincial institutions ensure that reasonable measures are in place to protect the privacy and security of their records containing personal information, regardless of where the records are located, and makes them accountable for the actions of their agents or service providers, whether located in Ontario or in other jurisdictions.
Q. How does the alleged online/telephone spying in the US fit into the online privacy picture?
A. The recent revelations about the US National Security Agency’s surveillance programs raise different issues altogether, although the question of accountability remains crucial. President Obama has said that “people understand that there are some trade-offs involved” to ensure public security. The IPC has always advocated against this type of zero-sum thinking—it is possible to achieve both privacy and security, and to do so in an accountable and transparent manner… The need for operational secrecy must not stand in the way of public accountability.
Q. What advice would the IPC give lawyers who want to advise their clients about online privacy issues?
A. Privacy is increasingly critical to achieving success in the new economy. While our office cannot provide any legal advice, we encourage all businesses to follow the principles of Privacy by Design (PbD) to help ensure that privacy is protected online. PbD is a principled, flexible, and technology-neutral approach to engaging with privacy issues that calls for privacy to be built right up front, directly into the design specifications and architecture of business systems and processes.
Q. Does the IPC have public resources (brochures, etc.) about online privacy that you can share?
So there you have it, some tips and advice from the IPC to keep in mind the next time you’re online.
(The Q&A has been edited for clarity and length.)