The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Wednesday, June 04, 2008
The Privacy Commissioner of Canada tabled her annual report to Parliament on the Personal Information Protection and Electronic Documents Act for 2007 on June 3, 2008.
Here is the accompanying media release:
Lack of basic privacy and security measures causing major data breaches, Privacy Commissioner says
Tabling of Privacy Commissioner of Canada's 2007 Annual Report on the Personal Information Protection and Electronic Documents Act
Ottawa, June 3, 2008 — Too many data breaches are occurring because companies have ignored some of the most basic steps to protect personal information, says the Privacy Commissioner of Canada, Jennifer Stoddart.
The Commissioner’s 2007 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA) was tabled today in Parliament.
“Many companies need to do more to prevent inexcusable security breaches,” Commissioner Stoddart says. “Too often, we see personal information compromised because a company has failed to implement elementary security measures such as using encryption on laptops.”
Voluntary privacy breach guidelines which the Office of the Privacy Commissioner (OPC) developed with business and consumer groups, and published last summer, appear to be prompting more organizations to report breaches.
The OPC has received 21 voluntary breach reports in the first five months of 2008. Last year, there were 34 voluntary reports of breaches to the OPC – up from a total of 20 reports in 2006.
Over the last few years, hundreds of thousands of Canadians have been affected by data breaches.
“Many organizations want to be good corporate citizens and do the right thing,” says Commissioner Stoddart. “While the increased number of reports is a positive sign, it’s clear we still aren’t hearing about every breach which could have a harmful impact on people.”
Financial institutions are reporting the largest number of breaches to the OPC. Some telecommunications, insurance and retail companies have also reported breaches.
The OPC is concerned that few small- and medium-sized enterprises are reporting breaches.
Examples of reported breaches include the theft of laptops containing unencrypted personal information, data tapes lost in transit, improperly discarded paper records, and misdirected faxes.
Information the OPC is collecting from the voluntary reports is helping to shed light on some of the common problems which are leading to breaches.
It is clear, for example, that unprotected laptops remain a huge issue which companies must address. Many breaches related to electronically stored data, often customer information stored on stolen laptop computers. Almost nine in 10 people whose data was compromised by a self-reported breach in 2007 were put at risk because their personal information was held in an electronic format that was either not secured or lacked adequate protection mechanisms such as firewalls and encryption.
Other breaches occurred because employees had not followed established company practices. Companies can address this problem by providing ongoing privacy training, yet a poll commissioned by the OPC last year found only a third of all businesses had trained staff about their responsibilities under Canada’s privacy laws.
The OPC strongly supports a plan by Industry Canada to introduce mandatory breach notification. Reporting requirements will encourage businesses to do more to reduce the risk of a data breach and ensure all organizations are playing by the same rules. They will also ensure Canadians are notified about serious breaches.
Industry Canada has prepared draft breach notification reporting rules and is now fine-tuning this model based on stakeholder input.
The current proposals suggest the federal government is generally headed in the right direction and that Canada will have a breach reporting regime which is both reasonable and flexible.
As the federal government completes its work on reporting requirements, the OPC continues to investigate a wide range of privacy complaints.
The OPC received 350 new PIPEDA complaints during 2007. Almost one third of complaints involved financial institutions. As in past years, other major sectors for complaints were telecommunications, insurance, sales and transportation. The annual report is available on the OPC website.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
To view the report:
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.