Thursday May 23, 2013
Privacy Commissioner of Canada Jennifer Stoddart this morning set out her office's goals for PIPEDA reform.
The last attempt to reform the private sector privacy law stalled in
the House of Commons with Bill C-12 still technically alive (having been sitting at
second reading for months) but destined to die once the government hits
the legislative reset button in the summer. The five-year mandatory
review of PIPEDA is now years behind schedule, so Stoddart's attempt to
kick-start the process is a welcome development.
The PIPEDA report focuses on four areas of reform: stronger enforcement
powers, mandatory security breach disclosure, increased transparency on
personal information disclosures, and heightened accountability. In
particular, the OPC is calling for:
- Reform PIPEDA to provide for stronger enforcement powers. These
could include statutory damages (administered by the Federal Court); or
giving the Commissioner the power to make orders; or affording the
Commissioner with the power to impose administrative monetary penalties;
or a combination of the above;
- Require organizations to report breaches of personal
information to the Commissioner and to notify affected individuals,
where warranted, so that appropriate mitigating measures can be taken in
a timely manner;
- Require organizations to publicly report on the number of
disclosures they make to law enforcement under paragraph 7(3)(c.1),
without knowledge or consent, and without judicial warrant, in order to
shed light on the frequency and use of this extraordinary exception; and
- Modify the accountability principle in Schedule 1 to include a
requirement for organizations to demonstrate accountability upon
request; to incorporate the concept of “enforceable agreements”; and to
make certain accountability provisions subject to review by the Federal
Court.
The report is a great start, but will require leadership from the Minister of Industry that has to date been absent.
Tuesday April 30, 2013
As Canadians focused last week on the aftermath of the Boston Marathon
bombing and the RCMP arrests of two men accused of plotting to attack
Via Rail, the largest sustained series of privacy breaches in Canadian
history was uncovered but attracted only limited attention. Canadians
have faced high profile data breaches in the past - Winners/HomeSense
and the CIBC were both at the centre of serious breaches several years
ago - but last week, the federal government revealed that it may
represent the biggest risk to the privacy of millions of Canadians as
some government departments have suffered breaches virtually every 48
hours.
The revelations came as a result of questions from NDP MP Charlie Angus,
who sought information on data, information or privacy breaches in all
government departments from 2002 to 2012. The resulting documentation
is stunning in its breadth.
My weekly technology column (Toronto Star version, homepage version) notes that virtually every major government department has sustained breaches, with
the majority occurring over the past five years (many did not retain
records dating back to 2002). In numerous instances, the Privacy
Commissioner of Canada was not advised of the breach.
Monday April 29, 2013
Appeared in the Toronto Star on April 27, 2013 as Your Information is Not Secure in Ottawa
As Canadians focused last week on the aftermath of the Boston Marathon
bombing and the RCMP arrests of two men accused of plotting to attack
Via Rail, the largest sustained series of privacy breaches in Canadian
history was uncovered but attracted only limited attention. Canadians
have faced high profile data breaches in the past - Winners/HomeSense
and the CIBC were both at the centre of serious breaches several years
ago - but last week, the federal government revealed that it may
represent the biggest risk to the privacy of millions of Canadians as
some government departments have suffered breaches virtually every 48
hours.
The revelations came as a result of questions from NDP MP Charlie Angus,
who sought information on data, information or privacy breaches in all
government departments from 2002 to 2012. The resulting documentation
is stunning in its breadth.
Virtually every major government department has sustained breaches, with
the majority occurring over the past five years (many did not retain
records dating back to 2002). In numerous instances, the Privacy
Commissioner of Canada was not advised of the breach.
Some of the most vulnerable departments are those that host the most
sensitive information. For example, Citizenship and Immigration Canada
suffered 161 breaches in 2012 - more than three per week - affecting
hundreds of people. The department only disclosed the breaches to the
Privacy Commissioner of Canada on five occasions.
Human Resources and Skills Development Canada famously suffered a
massive breach last year - 588,384 individuals were affected - but less
well known is that the department has had thousands of other breaches
over the past few years. In 2007, a breach affected 28,651 people, yet
the Privacy Commissioner of Canada was not informed and the department
is unsure of whether the breach resulted in criminal activity.
Virtually no department has been immune to security breaches with nearly
100,000 individuals affected by breaches at Agriculture and Agri-Food
Canada since 2008, almost 5,000 individuals hit at Fisheries Canada with
no reporting to the Privacy Commissioner of Canada, and just under 200
breaches at the RCMP affecting an unknown number of people.
If a similar situation occurred involving a major Canadian bank,
retailer, or telecom company, there would be an immediate outcry for
tougher rules on mandatory disclosure of security breaches. Yet the
federal government plays by different rules, with no liability and no
legal requirements to disclose the breaches.
Successive federal privacy commissioners have urged the government to
reform the badly outdated Privacy Act to at least hold government to the
same privacy standard that it expects from the private sector. But
those calls for reform have been repeatedly ignored.
Most recently, Privacy Commissioner of Canada Jennifer Stoddart
identified twelve seemingly uncontroversial reforms, including
strengthening annual reporting requirements by government departments,
introducing a provision for proper security safeguards for the
protection of personal information, and creating legislated security
breach notification requirements. None of the recommendations have been
implemented.
In fact, Canadian privacy failures dot the legislative landscape. Bill
C-12, the Canadian private sector privacy bill intended to implement
reforms that date back to hearings conducted in 2006, lies dormant in the
House of Commons. A review of the private sector privacy law that was
required by law in 2011 has seemingly been forgotten. Anti-spam
legislation passed in 2010 and touted as a key part of the government's
cybercrime strategy is stuck as Industry Minister Christian Paradis
dithers on the applicable regulations.
No institution has greater access to the personal information of
Canadians than the federal government. The public entrusts it to keep
their information secure and to take all appropriate action should a
security breach occur. The latest revelations indicate that the failure
to live up to that trust is spread across virtually all government
departments and to the political leaders that have failed to introduce
much-needed legislative privacy safeguards.
Michael Geist holds the Canada Research Chair in Internet and
E-commerce Law at the University of Ottawa, Faculty of Law. He can be
reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.
Tuesday April 23, 2013
The Standing Committee on Access to Information, Privacy, and Ethics has released its study on privacy and social media.
The report includes recommendations for new Privacy Commissioner
guidelines. The NDP supplemented those recommendations with nine
additional legislative proposals that include mandatory security breach
disclosure, order making power for the Privacy Commissioner of Canada,
and the inclusion of privacy issues as part of a national digital
economy strategy.