PIPEDA

Security Insights on The PEI Pass: From a Security Professional and Islander

We’re closer and closer to the end of Covid-19 restrictions and we’re heading to point in this pandemic that privacy and security experts have been fearing for quite some time. It was only a matter of time before Covid-19 vaccination became everyone’s answer for getting back to a normal(-ish) life. The challenge was always going to be in creating a process whereby everyone can provide evidence of vaccination, without breaching anyone’s right to privacy.

I was reading this article this morning on CBC, “Cybersecurity expert warns P.E.I. Pass website is ‘hotspot’ for hackers”, and was expecting to read something substantial about the security of the platform, and was honestly pretty disappointed. In my opinion, this article does nothing but erode more trust in our institutions. It lacks the details necessary for an article with such a title, and could stoke a decrease in use and trust of other online government platforms.

What Is The PEI Pass?

The PEI Pass is a document given by the Government of Prince Edward Island that verifies an individual has been either fully or partially vaccinated, plus an additional 21 days. If you have this document then you are not required to self-isolate for 14-days when entering P.E.I. The PEI Pass is available to almost anyone given they meet one of the 4 requirement categories. Each category has a different set of requirements including differing documentation needs. Categories:

  • Permanent P.E.I. residents
  • Permanent residents of N.S., N.B., N.L, or Magdalen Islands
  • Other Individuals who have been in an Atlantic province for a minimum of 14-consecutive days, not including Magdalen Islands.
  • Non-P.E.I. residents who came to P.E.I. through a Pre-Travel Approval and are currently in PEI

Security Vs Privacy

There are two different concepts being discussed here. Security and privacy are not the same thing. The privacy of the data may depend on factors that include, security.

Privacy Concerns

Although it’s easiest as a Permanent P.E.I. resident, all four requirement categories require you to upload documents or enter information that may not be relevant to the PEI Pass application.

As a Prince Edward Island resident, the government already knows this information about me, which is why they’ve made it easier by being able to lookup my records in the PEI COVID Immunization Registry. For me, I’m not concerned about uploading my driver’s license either, as the government has that too.

Non-permanent residents will be experiencing the most risk to privacy. Especially, with a data breach in P.E.I.’s not too distant past. Any time you give your information and data to an organization or government that didn’t previously have it, you’re increasing the risk of that information being stolen. That’s a risk calculation that you’ll need to make yourself.

Security Concerns

I wasn’t able to find any information on how the Government of Prince Edward Island is securing the transmission and the storage of information being supplied.

The PEI Pass application itself is protected by a valid SSL Certificate, which tells us that the data is being transmitted (data in transit) from your browser to the website server securely.

The unknowns don’t come into play until we attempt to identify what security controls are put into place to protect the data in storage (data at rest), nor do we know if the data is stored on the same server as the website. Unfortunately, outside of the privacy commissioner giving her go ahead, I can’t find any reports on it.

Conclusion

The PEI Pass application process asks not just for personal information, but also for personal documentation. This can lead to you releasing much more personal information then you may have wanted to. Photocopy your documents and use a dark marker to eliminate any information on them that isn’t relevant to the request. Then send the modified photocopy. The Government of Prince Edward Island provides a similar note on their website:

Will Applying To The PEI Pass Be a Risk To My Privacy?

Any time that you provide personal information to a third-party that didn’t have information before, you are compromising your privacy. Sometimes it’s good, sometimes it’s bad. That’s where laws like PIPEDA come in.

Will Applying To The PEI Pass Be a Risk To My Data Security?

Without knowing what security controls are in place, there is simply no way of knowing if applying for the PEI Pass will compromise your data security.

Is The PEI Pass Website a Hotspot for hackers?

No.

Privacy Policy Resources, Template Generators, and PIPEDA

Cameras

Did you know that, as a business, you may be required to abide by both provincial and federal privacy laws? Many provinces, such as Alberta, British Columbia, and Quebec have already introduced their own legislation for the collection, use, and disclosure of personal information that occurs while doing business in those provinces. For the rest of us, the Personal Information Protection and Electronic Documents Act (PIPEDA), probably applies.

PIPEDA applies to private-sector organizations across Canada that collect, use, or disclose personal information in the course of doing business. This information might include personally identifiable information (PII), such as names, telephone numbers, ethnicity, blood type, employee records, loan records, and even opinions, evaluations, and comments.

Is a Privacy Policy Important?

A privacy policy is a very important document if your website interacts with its visitors in any way shape or form. This includes not just contact forms, but also more indirect forms of interaction such as website analytics tracking.

As mentioned, a privacy policy is a simple document that is available on your website that outlines your organisation’s policies and procedures as they relate to the collection, use, storage and disclosure of personal information. A privacy policy is intended to advise the users of your website of the steps that your organisation takes in order to meet provincial or federal privacy regulations and outlines several key principles:

Although PIPEDA doesn’t include many details on what it considers, “against policy”, the Office of the Privacy Commissioner of Canada (OPC) has outlined several examples of what would be considered generally innappropriate.

  • Collecting, using or disclosing personal information in ways that are otherwise unlawful;
  • Profiling or categorizing individuals in a way that leads to unfair, unethical or discriminatory treatment contrary to human rights law;
  • Collecting, using or disclosing personal information for purposes that are known or likely to cause significant harm to the individual;
  • Publishing personal information with the intent of charging people for its removal;
  • Requiring passwords to social media accounts for the purpose of employee screening; and
  • Conducting surveillance on an individual using their own device’s audio or video functions.

Source: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/

PIPEDA Resources

The OPC website is probably the single best resource as it relates to PIPEDA. We’ve included some of the more relevant links here.

Privacy Policy Generators

Without further ado, let’s take a look at how we can quickly and easily get a privacy policy setup for your website.

These tools were designed to take basic inputs and generate a complete privacy policy for your website. I’ve only include links to tools that offer a free tier or are completely free.