Annual report tells tales of rental laptops that spied on users, the
response to a teen smeared by a social network imposter and a dating
site that left sensitive health data vulnerable.
OTTAWA, June 6, 2013 /CNW/ - Privacy Commissioner Jennifer Stoddart
today released the Office of the Privacy Commissioner's (OPC) annual
report on the Personal Information Protection and Electronic Documents
Act (PIPEDA) for 2012, which details investigations affecting
individual online reputation and the growing importance of
organizational accountability. This is the Commissioner's last PIPEDA
annual report before the end of her mandate and it underlines the need
for changes to the law to bring it up to speed with today's rapidly
changing, digitally driven times.
"As in previous years, our annual report outlines some significant
achievements as investigations led to improved privacy practices among
businesses," said Commissioner Stoddart. "Such changes, however, often
came only after long investigative and follow-up processes, and
therefore at significant costs. Canadians would be better served by a
law that motivates organizations to put privacy considerations up
front, rather than the current situation where we're left to trigger a
mop-up after privacy is violated."
The report details the outcome of a Commissioner-initiated complaint
against a Canadian franchisee of rent-to-own company Aaron's Inc.
"Detective Mode" software was installed onto its rented laptops,
enabling the collection of data, including key strokes, screen shots
and web cam photos without user knowledge.
While installing the software was intended to recover lost or stolen
laptops, the OPC found that the extreme measure wasn't justified, given
the egregious and disproportionate loss of privacy for its clients. The
franchisee agreed to delete what the software collected, and the
company committed to never again using this type of tool.
This year's report also includes the story of a teen whose reputation
was imperiled by a fake Facebook account being set up in her name. She
was not a Facebook member, but many of her real life friends were. They
"friended" the impostor account and then received a barrage of
The teen's mother complained to the OPC and demanded Facebook delete the
account. Upon determining the account was indeed a fake, the company
promptly deleted it. The teen's reputation, though, remained at risk as
those who had been "friended" by the account were not notified that it
was a fake. As a result, following negotiations with the OPC,
Facebook agreed to implement a new process moving forward to help
non-users notify individuals "friended" by impostor accounts.
Information on singles with STDs unprotected
The report also details our investigation into complaints by members of
a dating web site for people with sexually transmitted diseases called
PositiveSingles.com. They alleged that, unbeknownst to them, their
profiles, including personal information detailing their individual
health status, were stored in a database accessible by a wider network
of affiliated sites.
The investigation concluded that PositiveSingles and its parent company,
SuccessfulMatch, failed to openly and clearly explain to prospective
members how and to whom their personal information would be visible and
disclosed. SuccessfulMatch then made changes to the web site to make
its information handling practices more transparent, including
informing prospective members of the broad visibility of profiles at
the point of registration.
Overall, 2012 saw 220 complaints accepted by the OPC, down from 281 the
previous year. The OPC also completed 145 formal investigations in
2012, marking a 21-percent increase from the year before, while also
realising a 12-percent reduction in the time it took to resolve formal
About the OPC
The Privacy Commissioner of Canada is mandated by Parliament to act as
an ombudsman and guardian of privacy in Canada. The Commissioner
enforces two federal laws for the protection of personal information:
the Privacy Act, which applies to the federal public sector; and the
Personal Information Protection and Electronic Documents Act (PIPEDA),
which applies to organizations engaged in commercial
activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan
and the Territories. Quebec, Alberta and British Columbia each has its
own law covering the private sector. Even in these provinces, PIPEDA
continues to apply to the federally regulated private sector and to
personal information in interprovincial and international transactions.
SOURCE: Office of the Privacy Commissioner of Canada