Information of interest to specialists in Records ManagementStudy ranks Canada’s freedom-of-information laws dead last
A new study ranks Canada dead last in an international comparison of freedom-of-information laws — a hard fall after many years being judged a global model in openness.
The study by a pair of British academics looked at the effectiveness of freedom-of-information laws in five parliamentary democracies: Australia, New Zealand , Ireland , the United Kingdom and Canada. New Zealand placed first and Canada last.
Canada’s Information Retention Gap
Symantec recently released the results of its 2010 Information Management Health Check Survey. The survey reached the legal and IT management departments of 1680 enterprises in 26 countries. It sought to identify the best (and worst) practices in the field. One hundred Canadian companies took part in the exercise.
Unfortunately, the results reveal that Canadian companies suffer a serious gap. On a worldwide basis, 87% of the participants were aware that a proper information retention plan will help them delete unnecessary information, but only 46% do have such a retention plan. Costs and responsibility attribution are cited by both IT and legal departments as the main reasons why no plan is put in place. Further reasons identified, by IT, are the lack of a need for a plan and, by legal, the lack of expertise.
This gap is even wider – one of the largest, according to the study – in Canada. Although a similar proportion of the companies (80%) recognized the utility of an information retention plan, only 15% had a plan in place (yep, in bold and italics!). While the first figure is, in a sense, reassuring, the gap between those who took action and those who haven’t yet means only one thing: the next step is stepping in. The other findings of the study (PDF) relating to over-retention, improper legal hold, backup, recovery and archive practices all point in the direction of a set of consequences:
“First, high storage costs. Studies show that storage costs continue to skyrocket as over retention has created an environment where it is now 1,500 times more expensive to review data than it is to store it. And it is not just the raw cost of tape stock and hard disks, but the higher costs of managing such massive stores.
Second, backup windows are bursting at the seams. It is becoming increasingly common to hear of weekend backups taking more than a single weekend. Recovery times are even worse. The time it takes to restore such massive backups will bring any disaster recovery program to its knees. Finally, with the massive amounts of information stored on difficult-to-access backup tapes, eDiscovery has become a lengthy, inefficient and costly exercise.”
While these consequences are serious, so are the short-to-middle-terms benefits of the remedy.
Privacy Takes Big Step Toward Global Enforcement
The talk of the privacy world was recent news that 10 privacy and data protection commissioners – led by Canadian Privacy Commissioner Jennifer Stoddart – had released a public letter to Google CEO Eric Schmidt to express concern that the Internet giant was forgetting its privacy responsibilities.
The letter, also signed by the heads of privacy agencies from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, focused on the recent introduction of Google Buzz, a service that offered new social media capabilities. It attracted the wrath of users and privacy advocates after Google automatically assigned users a network of “followers” from among people with whom they corresponded most often on Gmail. Google quickly altered the offending features, but the damage was clearly done, as privacy commissioners from around the world used the incident as the basis for a shot across the company’s bow.
Stoddart’s role in the letter is instructive. Fresh off last year’s successful showdown with Facebook, in which the popular social media site agreed to alter some of its policies for its more than 400 million users based on a single Canadian complaint, her office has jumped on the technology bandwagon, actively blogging, twittering, and engaging on Internet-related issues.
Business reaction to the letter was decidedly mixed, however. Some argued that it foreshadowed potential regulatory action against Google and other major Internet companies. Others were more skeptical, noting that a closer reading of the letter revealed that the commissioners had few specific complaints remaining about Google Buzz, given the changes implemented by the company weeks earlier. Moreover, when asked about the status of the case, Stoddart admitted that there had not been a formal investigation into the matter.
As experts debated the importance of the letter, the longer-term impact may come not from specific actions against a company such as Google (there does not appear to be much likelihood of imminent action) but rather from the realization that the joint effort may represent a major step toward the globalization of privacy enforcement.
The difficulties associated with cross-border privacy enforcement has long been viewed as a particularly thorny issue in a world where data moves effortlessly across borders, and private companies retain massive databases containing myriad personal information.
The European Union has attempted to address the issue by establishing restrictions on the export of data, requiring that data transfers be limited to those countries with “adequate” privacy protections. Canada has adopted a different approach, eschewing restrictions on data exports but holding organizations accountable for the data they collect, regardless of its location.
Despite efforts to assure the public that these regulatory systems offered effective privacy protections, the reality has been that privacy rules are purely domestic creatures that end at the border. Indeed, only a few years ago, Stoddart’s office maintained that it could not even investigate a case involving a foreign-based company.
The joint letter signals a new approach to privacy enforcement, one based on greater cooperation and mutual recognition of common privacy principles. While the specifics of privacy laws may vary, the underlying principles are remarkably similar across jurisdictions. As privacy and data protection commissioners work together on issues with a global impact, they create a new layer of enforcement that could lead to joint investigations and parallel enforcement actions.
ARMA International Canadian Policy Brief, May 2010
Laptops can be seized at the U.S. border
Travelers beware: U.S. agents now have the authority to seize and retain laptops indefinitely, according to a new policy detailed in documents issued by the U.S. Department of Homeland Security.
As part of border search policy, government agents are now authorized to seize electronic devices and inspect documents in them, the document states. The electronic devices might include laptops, cell phones, portable music players or storage devices such as portable hard drives. Agents with U.S. Customs and Border Protection will also be allowed to translate and share documents with other government agencies.
The DHS document, issued July 16, appears to state publicly a policy that has already existed. Laptops and electronic devices have been subject to search in the past, and travelers have reported not getting their devices back. The policy has drawn strong criticism from lawmakers and nonprofit groups, who charged that the searches were invasive and a violation of an individual’s privacy rights. Computers contain a vast amount of private information about family, finances and health, which could be easily copied and stored in government databases, the Electronic Frontier Foundation has complained.
The policy document states that being able to examine documents and electronic devices is crucial for “detecting information concerning terrorism, narcotics smuggling … contraband including child pornography, and … other import or export control laws.”
The new DHS policies allow customs agents to analyze the contents of laptops without any suspicion of wrongdoing, U.S. Senator Russ Feingold said in a statement. “The policies that have been disclosed are truly alarming,” Feingold wrote. The policy could blur the distinction between “search” and “seizure,” which could also allow DHS officials to steal personal documents from laptops it has retained, Feingold wrote.