With the Conservative government’s privacy reform bill sitting untouched after being introduced about two years ago, New Democractic Party MP Charmain Borg has introduced a private member’s bill that that would make it mandatory for organizations to report data breach incidents.
“An organization having personal information under its control shall notify the (Privacy) Commissioner of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exist a possible risk or harm to an individual as a result of the loss or disclosure or unauthorized access,” the proposed bill reads.
The document also includes two determining factors for considering a breach harmful:
-The sensitivity of the personal information
-The number of individuals whose personal information was involved
Bill C-475 also says the commissioner may require organizations to notify affected individuals “to whom there is an appreciable risk of harm” as a result of the breach.
The notification should include:
-A report of the risk of harm
-Instructions about reducing the risk of harm or mitigating the harm
-Any other prescribed information
The proposed bill also empowers the privacy commissioner to order the organization concerned to conduct actions such as: corrective measures; destruction of data; deleting or adding a record; stop data collection or disclosure; and publishing a notice of actions taken.
Should the organization fail to comply within a prescribed limit, they may subject to penalty of no more than $500,000 or punitive damages imposed by the court. Individuals affected by the breach also have the right to sue the organization for damages or loss suffered due to non-compliance to the act by the organization.
In a his blog post today, privacy advocate and University of Ottawa Internet law professor Michael Geist said Bill C-475 is a better than the government’s Bill C-12 as it provides clear cut breach disclosure requirements, comes and comes with an order making power “backed by significant penalties for compliance failures.”
He said the bill “kickstarts” the stalled privacy reform initiative but Bill C-475 failed to addressed some important issues.
“What the bill does not do, however, is address the other side of the privacy coin, namely the failure of government to hold itself accountable for the personal information it collects and now regularly seems to fail to safeguard,” he wrote.
In recent years, dozens of government departments and offices have been hit by data breach scandals.
Among the latest fiasco is the loss of no less than 585,000 personal records contained in a USB key that was misplaced by a staffer at Human Resources and Skills development Canada.