Meeting Your Privacy Obligations
Protecting Against Breaches, Liability and Reputational Risks


Wednesday, May 12, 2010

9:00 am
Announcements and Opening Remarks from the Co-Chair

David Fraser

Chair, Privacy Practice Group
McInnes Cooper, Halifax

9:10 am
The Privacy Commissions: A Year in Review

David Elder

Elder Communications & Privacy Law, Ottawa
Frank Work, Q.C.

Information & Privacy Commissioner, Alberta

  • Top privacy commissioner findings and court decisions of the past year
  • An update on revival of the E-Commerce/anti-spam bill
  • The status of PIPEDA review
    • breach notification
  • Will Ontario respond to the OHA’s invitation to expand access to information legislation to hospitals?
    • how has it worked in other provinces?
  • How has Alberta’s privacy enforcement stood up on judicial review?
  • Quebec’s recent guideline on breach notification
  • When will the new legislation in New Brunswick come into force?
  • What’s happening in Manitoba?

10:15 am

Alberta’s PIPA Reform: What will it Mean to Alberta and the Rest of Canada?
Frank Work, Q.C.

Information & Privacy Commissioner
Alberta
  • Mandatory breach notification
    • what will the real effects be?
  • Implications for organizations that outsource data
  • What does “significant harm” mean?
  • Complying with information destruction requirements
  • What was excluded from the amending legislation?

11:15 am

Working with the New Generally Accepted Privacy Principles (GAPP)
Robin Gould-Soil

Chief Privacy Officer
TD Financial Group

  • What are the elements of the new GAPP, adopted recently in Canada and the U.S.?
    • standards and benchmarks
  • What tools and controls do they offer for evaluating the effectiveness of your privacy program?
    • policies
    • training
    • testing
  • How does it fit into your existing program?
  • What members of your team need to be aware of the GAPP?

12:15 pm
Lunch Break

1:30 pm
The Police are Knocking at the Door. Now What?
David Fraser
Chair, Privacy Practice Group
McInnes Cooper, Halifax

  • How to deal with requests from law enforcement for personal information
  • What are your obligations?
    • with a warrant
    • without a warrant
    • under PIPEDA
  • Recent case law and legislative reforms
  • Intelligence gathering vs. specific investigations
  • Dealing with requests from CSIS for national-security investigations
  • How to reduce the institutional burden of such requests
  • Police investigations in the healthcare context
    • how recent Alberta legislative initiatives may influence healthcare practices elsewhere
    • documents vs. real evidence
  • The consequences of getting it wrong

2:30 pm
Refreshment Break

2:45 pm
Understanding Obligations for Employee Privacy
Dan Michaluk

Partner
Hicks Morley Hamilton Stewart Storie LLP

  • Employee computer monitoring
    • recent cases at the Ontario CA and US Supreme Court
    • how private are “personal” folders on work computers?
  • Social networking
    • to what applications should employers allow access, and why or why not? Web mail? Facebook? Twitter? IM?
    • use in disability claims
    • applicability of privacy legislation to monitoring of the social networking activities of current or potential employees
    • could the use of information gleaned from social-networking sites form the basis of a human rights complaint or grievance?
  • What employees can and can’t say on profiles and blogs
    • the employee duty of loyalty
    • defamation
    • deliberate or inadvertent leaking of confidential information
    • inappropriate statements
    • personal vs. company time
  • Access requests to employee records
  • Workplace surveillance
  • Employee background checks
    • the privacy risks involved in not doing them
    • issues surrounding criminal background checks
    • the risks of using internet information as a background check
  • The blurring line between private and business
    • employee smart phones: who owns the data?
  • Developing and effectively communicating policies
    • essential elements of a policy
  • How much can you disclose to colleagues about the reasons for someone’s termination?
  • Managing privacy for off-site workers
    • integrating privacy protection into pandemic preparedness

3:45 pm
Understanding the Significance of International Developments

Ariane Siegel

Partner
Aird & Berlis LLP

  • New International Standards on the Protection of Personal Data and Privacy, also called ‘The Madrid Resolution’
  • Transferring data from the EU to the US
    • increased FTC enforcement of representations made under the Safe Harbor program
    • use of Binding Corporate Rules
  • New EU law requiring prior express consent to use cookies: what will it mean when enacted by 2011 in member countries?
    • only countries with EU-based websites or any traffic passing through?
    • only EU citizens?
    • how do you get consent?
    • do browser settings count as express consent?
    • administrative consequences
    • best practices for global companies and branch operations
  • The US model privacy form, used in lieu of safe harbor
  • The status of the proposed US Data Accountability and Trust Act (DATA)
  • US restrictions on ADADs without prior express consent
  • The US requirement to report US citizens with foreign accounts in Canada and deny service if they refuse

4:30 pm
Conference Adjourns


Thursday, May 13, 2010

9:00 am
Announcements and Remarks from the Co-Chair

Terry McQuay

President
Nymity Inc.

9:05 am
Improving Your Data Governance

Moderator and Speaker:
Pamela Snively
Managing Director
AccessPrivacyHB
Panelists:
Mimi Lepage
Chief Privacy Officer and General Counsel
Canadian Institute of Health Information
Karen Jackson
Partner
Stikeman Elliott LLP

  • Why is governance vital to maintaining privacy?
  • Is governance superseding consent as the cornerstone of privacy management?
  • Structuring accountability
  • Managing outsourced functions
    • controlling data transmission
    • anticipating future disclosure requirements
    • protecting data no matter where it is located
    • myth vs. reality
    • outsourcing by subcontractors
  • What healthcare organizations and private enterprise can learn from each other about data governance
  • Records management
  • Keeping data from walking out the door in a period of economic dislocation
  • Increasing the status of privacy, security and data governance within the organization
  • Building partnerships between privacy and IT departments
    • why is an integrated, holistic approach necessary?
    • how to achieve this crucial relationship
  • The role of data stewards
  • Maintaining controls during and following a merger
  • Data retention and secure destruction
  • Special considerations for umbrella organizations with more than one entity
    • controls when conveying information from one site or entity to another

10:15 am
Refreshment Break

10:30 am
Reconciling Privacy with Current Trends in Marketing
Kathleen Brown
Vice President, General Counsel
Omnicom Canada
Shelley Samel
Partner
Gowling Lafleur Henderson LLP

  • An update on telemarketing and Do Not Call Lists
    • managing customer expectations about internal and regulatory DNC lists
    • an update on the initial fines levied
  • Using social networking tools and contests as part of your marketing efforts
    • choosing the right applications
    • the role of the CPO
    • mitigating risks
  • Requirements under the proposed Electronic Commerce Protection Act, if revived and passed
    • requirements for commercial emails
    • data mining
    • avoiding fines of up to $1 million
  • Recent cases
    • are business email addresses personal information?
  • Privacy concerns in online marketing
    • youth privacy
    • U.S. and Quebec legislation

11:30 am
Enterprise Risks and Opportunities in Location-Based Services

Richard Pearse

Richard Pearse Technology Law

  • What’s possible today, and what will be possible in the future?
  • Monitoring mobile employees
  • Consent and opt-in design
  • Privacy and physical security
  • Non-internet-based LBS
  • Implications of the integration of social media and GPS

12:15 pm
Lunch Break

1:30 pm
Online Behavioural Advertising: Understanding the Privacy Implications

Michael A. Signorelli

Venable LLP, Washington DC

  • How it works
    • flash cookies and re-spawning
  • US developments
    • the FTC position: are legally binding guidelines coming?
    • industry initiatives
    • how successful has compliance proved?
  • The status of the CMA’s self-regulatory guidelines
  • Communicating your tracking to users
    • alternatives to the privacy-policy route
  • Opt-outs
    • technical tools

2:15 pm
The View Ahead: Emerging Technological Challenges

Moderator and Speaker:
Gail Magnuson
Director, Emerging Issues
Nymity Inc.
Panelists:
Wendy Gross
Partner
McCarthy Tétrault LLP
Tracy Ann Kosa
Privacy Impact Assessment Specialist
Enterprise Information Management Implementation & Business Services
Government of Ontario

  • Cloud computing
    • is it conceptually any different from outsourcing?
    • pros and cons from a privacy perspective
    • evaluating and qualifying providers and contracts
    • protecting security audit rights
    • can it make your own systems vulnerable?
    • dealing with the jurisdictional issues arising from cross-border data flow
    • data preservation and securing litigation holds
    • ensuring data destruction where required by law or policy
  • Wireless sensor networks
    • smart meters: new privacy concerns for utilities
    • tracking devices for an aging population
  • Ubiquitous computing environments
    • implications in health-care environments
    • communication between network devices

3:15 pm
Conference Concludes