
    Why the Digital Privacy Act Undermines Our Privacy: Bill S-4 Risks Widespread Warrantless Disclosure

    Thursday April 10, 2014
    Earlier this week, the government introduced the Digital Privacy Act (Bill S-4), the latest attempt to update Canada's private sector privacy law. The bill is the third try at privacy reform stemming from the 2006 PIPEDA review, with the prior two bills languishing for months before dying due to elections or prorogation. 

    The initial focus has unsurprisingly centered on the new security breach disclosure requirements that would require organizations to disclose breaches that put Canadians at risk for identity theft. Security breach disclosure rules are well-established in other countries and long overdue for Canada. The bill fixes an obvious shortcoming from the earlier bills by adding some teeth to the disclosure requirements with the addition of penalties for violations of the law. Moreover, Bill S-4 stops short of granting the Privacy Commissioner full order-making power as is found at the provincial level, but the creation of compliance orders has some promise of holding organizations to account where violations occur.

    Despite those positive proposed changes to Canadian privacy law, the bill also includes a provision that could massively expand warrantless disclosure of personal information.




    The Canadian Government's Embarrassing Opposition to Security Breach Disclosure Legislation

    Monday May 27, 2013
    Last week, the Privacy Commissioner of Canada released her vision of privacy reform, including the need for security breach disclosure legislation, order-making power, and greater transparency of warrantless disclosure. On the same day as Commissioner Stoddart released her position paper, the government was embarrassing itself in the House of Commons by formally opposing security breach disclosure legislation on the weakest of grounds. The opposition to meaningful privacy reform is particularly discouraging given the thousands of breaches that have occurred in recent years from within the government itself and its claims to be concerned with the privacy of Canadians.

    The government introduced legislation featuring security breach disclosure requirements in Bill C-12 in September 2011 (itself a reintroduction of the former C-29 that was first introduced in 2010).  Since first reading, the bill has not moved. It would take very little for the government to complete second reading and send the bill for study to committee, yet more than a year and a half later, the bill languishes, certain to die this summer when the government hits the parliamentary reset button. Frustrated by the inexplicable delays, NDP MP Charmaine Borg introduced a private member's bill in February (C-475) that includes a mandatory security breach requirement roughly similar to the government's own bill. 



    Your Information is Not Secure: Thousands of Government Privacy Breaches Point to Need for Reform

    Tuesday April 30, 2013
    As Canadians focused last week on the aftermath of the Boston Marathon bombing and the RCMP arrests of two men accused of plotting to attack Via Rail, the largest sustained series of privacy breaches in Canadian history was uncovered but attracted only limited attention.  Canadians have faced high profile data breaches in the past - Winners/HomeSense and the CIBC were both at the centre of serious breaches several years ago - but last week, the federal government revealed that it may represent the biggest risk to the privacy of millions of Canadians as some government departments have suffered breaches virtually every 48 hours.

    The revelations came as a result of questions from NDP MP Charlie Angus, who sought information on data, information or privacy breaches in all government departments from 2002 to 2012.  The resulting documentation is stunning in its breadth.

    My weekly technology column (Toronto Star version, homepage version) notes that virtually every major government department has sustained breaches, with the majority occurring over the past five years (many did not retain records dating back to 2002). In numerous instances, the Privacy Commissioner of Canada was not advised of the breach.




    Your Information is Not Secure: Thousands of Government Privacy Breaches Point to Need for Reform

    Monday April 29, 2013
    Appeared in the Toronto Star on April 27, 2013 as Your Information is Not Secure in Ottawa

    As Canadians focused last week on the aftermath of the Boston Marathon bombing and the RCMP arrests of two men accused of plotting to attack Via Rail, the largest sustained series of privacy breaches in Canadian history was uncovered but attracted only limited attention.  Canadians have faced high profile data breaches in the past - Winners/HomeSense and the CIBC were both at the centre of serious breaches several years ago - but last week, the federal government revealed that it may represent the biggest risk to the privacy of millions of Canadians as some government departments have suffered breaches virtually every 48 hours.

    The revelations came as a result of questions from NDP MP Charlie Angus, who sought information on data, information or privacy breaches in all government departments from 2002 to 2012.  The resulting documentation is stunning in its breadth.

    Virtually every major government department has sustained breaches, with the majority occurring over the past five years (many did not retain records dating back to 2002). In numerous instances, the Privacy Commissioner of Canada was not advised of the breach.

    Some of the most vulnerable departments are those that host the most sensitive information. For example, Citizenship and Immigration Canada suffered 161 breaches in 2012 - more than three per week - affecting hundreds of people. The department only disclosed the breaches to the Privacy Commissioner of Canada on five occasions.

    Human Resources and Skills Development Canada famously suffered a massive breach last year - 588,384 individuals were affected - but less well known is that the department has had thousands of other breaches over the past few years. In 2007, a breach affected 28,651 people, yet the Privacy Commissioner of Canada was not informed and the department is unsure of whether the breach resulted in criminal activity.

    Virtually no department has been immune to security breaches with nearly 100,000 individuals affected by breaches at Agriculture and Agri-Food Canada since 2008, almost 5,000 individuals hit at Fisheries Canada with no reporting to the Privacy Commissioner of Canada, and just under 200 breaches at the RCMP affecting an unknown number of people.

    If a similar situation occurred involving a major Canadian bank, retailer, or telecom company, there would be an immediate outcry for tougher rules on mandatory disclosure of security breaches. Yet the federal government plays by different rules, with no liability and no legal requirements to disclose the breaches.

    Successive federal privacy commissioners have urged the government to reform the badly outdated Privacy Act to at least hold government to the same privacy standard that it expects from the private sector. But those calls for reform have been repeatedly ignored.

    Most recently, Privacy Commissioner of Canada Jennifer Stoddart identified twelve seemingly uncontroversial reforms, including strengthening annual reporting requirements by government departments, introducing a provision for proper security safeguards for the protection of personal information, and creating legislated security breach notification requirements. None of the recommendations have been implemented.

    In fact, Canadian privacy failures dot the legislative landscape. Bill C-12, the Canadian private sector privacy bill intended to implement reforms that date back to hearings conducted in 2006, lies dormant in the House of Commons. A review of the private sector privacy law that was required by law in 2011 has seemingly been forgotten. Anti-spam legislation passed in 2010 and touted as a key part of the government's cybercrime strategy is stuck as Industry Minister Christian Paradis dithers on the applicable regulations.

    No institution has greater access to the personal information of Canadians than the federal government. The public entrusts it to keep their information secure and to take all appropriate action should a security breach occur. The latest revelations indicate that the failure to live up to that trust is spread across virtually all government departments and to the political leaders that have failed to introduce much-needed legislative privacy safeguards. 
      
    Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

