Nova Scotia should require all firms in the province to notify affected individuals and the provincial privacy commissioner of all privacy breaches involving a real risk of significant harm, says its privacy czar.

It was one of 34 recommendations Catherine Tully made Tuesday in her annual report to update the provincial Freedom of Information and Protection of Privacy Act (FOIPOP). The breach notification requirements would essentially mirror the upcoming changes to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) covering federally regulated organizations. Those changes are expected to come into effect next year once regulations are proclaimed.

Nova Scotia organizations would be required to keep a record of all data breaches, with specified details available to the provincial commissioner upon request, Tully said.

In the last fiscal year her office received only three breach reports from public bodies in the province. No one ever complained because the breach notification they did get came from her office, Tully added. “It is simply impossible that privacy breaches are not happening in Nova Scotia,” she wrote.

She also recommended the breach notification to potential victims should include details about the cause of the breach, a list of the type of data lost or stolen, an explanation of the risks of harm affected individuals may experience as a result of the breach, and information about the right to complain to the provincial commissioner.

Finally, she said the province should authorize the commissioner to order notification to an individual affected by a breach.

“Nova Scotia’s access and privacy laws are simply no longer up to the task,” Tully said in the report, noting FOIPOP hadn’t had significant updates since it was passed in 1993.

She said there are four core areas of weakness in Nova Scotia’s access and privacy laws:

– there is a confusing array of four laws governing public sector access and privacy rights in Nova Scotia. There should be one streamlined, consistent law for all government bodies;

– they fail to enshrine a right to receive information in an electronic format so that the data is open, reusable and accessible. So citizens should have a right to access records in a format that is open, reusable, and accessible. There should be an open government obligation on departments, which should have a statutory duty to document activities;

– they lack virtually all of the essential modern data privacy protections found in other Canadian jurisdictions. Core privacy standards should be added to provincial laws, the report says. In addition, the laws should require that government entities use personal information only when necessary, use the least amount of personal information possible, and limit internal sharing to a need-to-know basis.

Privacy impact assessments, information sharing agreements, and breach notification should all be mandatory in prescribed circumstances. Public bodies and municipalities should be required to have a privacy management program that includes policies, practices, and training.

In addition, the standards of sharing personal information should be updated to allow for big data projects and common or integrated programs or activities – subject to mandatory privacy impact assessment requirements and appropriate notification to the Information and Privacy Commissioner;

– and there is a lack of oversight over the laws, compounded by the fact that the commissioner is not an independent officer of the legislature and that public bodies can simply choose to ignore the commissioner’s recommendations. So provincial and municipal public bodies should have to obtain the court’s permission if they wish to decline to follow a recommendation of the commissioner. In addition, the provincial privacy commissioner should have the same authority with respect to all public bodies and municipal bodies, whether the issue is information access or privacy.

The Centre for Law and Democracy has developed a rating system that evaluates the strength of access to information legislation around the world. Tully noted that, according to the centre, Mexico currently has the highest mark of 136 and Austria currently has the lowest mark of 32. Nova Scotia’s access law earned a mark of 85, making it 7th in Canada and 56th in the world. Newfoundland and Prince Edward Island’s laws both rank higher than Nova Scotia’s. New Brunswick’s law earned a mark of 79, the lowest mark given for a Canadian jurisdiction.