Mandatory data breach reporting proposed

Proposed changes to Canadian privacy laws reintroduced by the government Thursdaywould force companies to report breaches of personal information to the privacy commissioner and affected individuals. But they also contain 'real dangers,' a privacy advocate says.

Mandatory reporting ofdata breaches was among proposed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) introduced Thursday by Industry Minister Christian Paradis in the House of Commons. The bill is identical to one introducedin May 2010during the last session of Parliament, C-29, which died when the election was called this past May.

"Ensuring trust and confidence through the protection of personal information is essential to the growth of the digital economy," Paradis said in a statement. "Our government will continue to help protect consumers and businesses from the misuse of their personal information, thereby increasing confidence in the online marketplace."

Organizations would be required to report breaches where there is a risk of "significant harm" such as identity theft, fraud or risk to a person's reputation. In that way, the government said, those affectedcould take steps to mitigate the damage that might arise from the breach.

Privacy rule exceptions

Other proposed changes to the law introduce exceptions to rules for handling personal information:

• They would clarify that organizations can disclose personal information requested by government institutions and law enforcement and security agencies without a warrant, subpoena or court order. They would also prohibit such organizations from notifying those affected by the disclosure of their personal information if the law enforcement or government institution requesting the information objects to the disclosure.
• They would allow for the release of personal information to help protect victims of financial abuse, locate missing persons or identify people who might be injured, ill or deceased.
• Disclosure of personal information without consent would be allowed for private sector investigations and fraud prevention.
• Consent would no longer be required for the collection, use and disclosure of information needed for managing employment relationships, information produced for work purposes, information used for due diligence in business transactions, or business contact information for day-to-day business.

In addition, the rules concerning consent to disclosure of personal information would require organizations to consider the ability of their target audience, such as children, to understand the consequences of sharing their information.

The amendments are based on recommendations made by the standing committee on access to information, privacy and ethics, following consultations with stakeholders, the government says.The committee's 2007 report was the result of the first review of PIPEDA, legislation that came into force in 2001 and must be reviewed by Parliament every five years.

Lack of oversight: privacy advocate

Vincent Gogolek, executive director of the B.C. Freedom of Information and Privacy Association, said the data breach notification requirements are a positive change.

'This particular amendment appears to create a provision similar to those in the U.S.A. Patriot Act.' Vincent Gogolek, B.C. Freedom of Information and Privacy Association

But he added that the bill overall needs to be given a very careful look.

"Because amidst the good stuff, there's some real dangers here," he said.

He was particularly concerned about the clause that bars people from being notified that their personal information has been disclosed to police or the government if the latter object to that notification.

"This particular amendment appears to create a provision similar to those in the U.S.A. Patriot Act," he said.

The U.S. provisionsrestricting the circumstances in whichpeople may be informed that the government has requested the disclosure of personal information were struck down in 2004.

Gogolekadded that theCanadian provision doesn't require the disclosure of personal information to be related to an authorized investigation, unlike the U.S. provision.

"There seems to be an absence of judicial oversight here," he said.

It's ironic, he added, that such a proposal was introduced during "Right to Know" week, a celebration the rights of Canadians to a transparent and open government, which runs Sept. 27 to Oct. 1.

With respect to data breach notification, legislation in the U.S. already requires it, and sometimes Canadian consumers affected by the same breaches have been notified as a result.

Following a high-profile data breach affecting more than 100 million customers of the Sony PlayStation Network and other Sony services this past spring, Privacy Commissioner Jennifer Stoddart said she was "very disappointed" that Sony did not proactively notify her office. At the time, she said that before the election, the government had been intending to introduce legislation requiring the data breaches to be reported.