Hot on the heels of the Ontario report yesterday, the Federal Privacy Commissioner has released her annual report on PIPEDA. It really should be a must read for anyone interested in PIPEDA, as it discusses many of the notable cases of the last year and some of the issues in the Office of the Privacy Commissioner of Canada. For example, the average resolution time from initial complaint to final finding has moved to sixteen months, five more months than in 2005.

Here's the media release with links to the report.

News Release: Privacy Commissioner calls for stronger data protection: Tabling of Privacy Commissioner of Canada's 2006 Annual Report on the Personal Information Protection and Electronic Documents Act (May 31, 2007)

Privacy Commissioner calls for stronger data protection: Tabling of Privacy Commissioner of Canada's 2006 Annual Report on the Personal Information Protection and Electronic Documents Act

Ottawa, May 31, 2007 — There has never been a greater need to take data protection seriously as new data breaches reinforce concerns about both security issues and trans-border data flows, according to the Privacy Commissioner of Canada, Jennifer Stoddart. Her 2006 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA) was tabled today in Parliament.

High-profile data breaches among a few well-known banking and retail organizations during 2006 reinforce the very serious nature of privacy breaches and the need to better protect personal information held by private sector companies.

Despite these cases, complaints against some of the major sectors covered by PIPEDA since 2001 (financial institutions, insurance companies and the transportation sector) have declined slightly. This is in contrast, however, to those industries which have been subject to PIPEDA only since 2004, such as the retail and accommodation sectors. These sectors have been the subject of substantially more complaints than in previous years. Overall, there were 424 complaints in 2006, compared with 400 in 2005.

“We are pleased to see fewer complaints related to sectors more familiar with PIPEDA; I believe it stems from a stronger understanding of the Act. It would appear that compliance is improving with time and we look forward to seeing this trend continue,” says Commissioner Stoddart.

“Sectors with less experience with PIPEDA have more work to do. As they gain a better understanding of what the law requires, we expect to see a decrease in complaints involving them,” she says.

“Research we are releasing today shows a majority of businesses covered by the Act appreciate their role in protecting consumer information, although there are still too many firms that need to take their role more seriously.”

That research, a survey of Canadian businesses on a number of issues relating to privacy, was conducted by Ekos Research Associates earlier this year. The results raise important questions about whether some businesses are doing enough to fulfill their PIPEDA obligations.

The survey found:

• While the majority of businesses that collect personal customer information have fully implemented PIPEDA provisions (67 per cent), there are a small but not insignificant number that are only in the process of implementing (16 per cent) and others that are not in the process of doing so (15 per cent).
• Only a third of all businesses report having staff that has been trained about their responsibilities under Canada’s privacy laws.
• Less than one in five has sought clarification of their role, although this is also much higher among larger businesses.

“Almost half of the businesses studied tend to rate their company’s awareness of its responsibilities under the privacy laws favourably. However, a similar number report either low or moderate awareness. PIPEDA and its provincial counterparts regulate commercial activity in Canada. All businesses that handle personal information need a good understanding of what the law requires,” says Commissioner Stoddart. “Businesses must realize the importance of living up to the law’s privacy protection principles and the consequences of failing to do so.

“I am particularly concerned to see that only a third of businesses have provided privacy training for staff. Good training is absolutely essential to prevent privacy breaches.”

Going forward, these companies will need to take steps to ensure greater compliance with the Act. Canadians expect private sector organizations to safeguard their personal information, particularly given the proliferation of identity theft.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

In the fall of 2007, the Office of the Privacy Commissioner will be hosting the who’s who of the privacy world at the 29th International Conference of Data Protection and Privacy Commissioners in Montreal. Details are available at http://www.privacyconference2007.gc.ca/.

To view the reports:

• Annual Report to Parliament 2006 – Report on the Personal Information Protection and Electronic Documents Act (Adobe format)
• Backgrounder: Findings of a 2007 poll commissioned by the Office of the Privacy Commissioner of Canada
• 2007 EKOS Research Associates survey: Canadian Businesses and Privacy-Related Issues

Labels: identity theft, privacy