Firms must try harder to guard personal data: Privacy Commissioner

Consumers may be well-versed in thwarting identity theft,but many Canadian companies have only a modest understanding of what is expected of them when it comes to privacy regulations, Canada's privacy commissioner said Thursday.

Jennifer Stoddart, who tabled her annual report on the Personal Information Protection and Electronics Document Act (PIPEDA) in Parliament, said data breaches are becoming a more common occurrence.

But she noted that a survey Ekos Research conducted earlier this year found that only one-third of surveyed businesses reported training their staff about Canada's privacy laws.

"Businesses must realize the importance of living up to the law's privacy protection principles and the consequences of failing to do so," Stoddart said in a release.

"I am particularly concerned to see that only a third of businesses have provided privacy training for staff.Good training is absolutely essential to prevent privacy breaches."

TJX Cos. and Talvest Mutual Funds investigated

The Office of the Privacy Commissioner conducted two major data breach investigations in 2006 involving TJX Cos. and Talvest Mutual Funds. On Jan. 18, TJX Cos., the parent company of Winners and HomeSense, said that millions of credit card accounts may have been compromised after hackers allegedly stole information from the company's computer systems.

On the same day, CIBC Asset Management said a backup computer file containing information on almost half a million of its Talvest Mutual Funds clients has gone missing. The information may have included client names, addresses, signatures, dates of birth, bank account numbers, beneficiary information and/or social insurance numbers.

Stoddart's report also suggested that the global flow of information is posing new privacy challenges. In one instance, the OPC investigated the Society for Worldwide Interbank Financial Telecommunication, a Europe-based financial co-operative, because it had, under subpoena, provided the U.S. Department of the Treasury with Canadians' personal information.

The office found that the group did not breach PIPEDA but noted that the disclosure process should have been more evident.

The OPC fielded 425 complaints in 2006, up from 400 in 2005.