Organizations will have to tell people if their personal information has been lost or stolen and if there is a risk they could be harmed under new legislation tabled Tuesday by the Harper government.
In amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) introduced into the Senate are the first obliging organizations covered by the federal legislation to notify people of data breaches.
Companies that deliberately fail to report a data breach or notify individuals could be fined up to $100,000 for each person not told by a Federal Court judge. That could be considerable because data breaches usually involve significant numbers of people.
In addition to notifiying victims, organizations will also have to keep a database of breaches and report them to the federal Privacy Commissioner, who will have the power to take organizations to Federal Court if it can’t negotiate voluntary compliance agreements.
The commissioner will also have more flexibility to release information about non-compliant organizations.
Organizations that would have to follow the legislation include those covered by federal jurisdiction, plus provinces that say private sector has to follow PIPEDA
Former commissioner Jennifer Stoddart had long called for mandatory data breach notification.
Ottawa privacy lawyer Kris Klein, a former Justice department counsel who has also advised the commissioner, noted in an interview this is not the first time Ottawa has tried to update PIPEDA.
The mandatory breach requirement has been “a long time coming,” he said. But the private sector shouldn’t have trouble adjusting. When Alberta became the first Canadian jurisdiction to make reporting mandatory, privacy commissioners in British Columbia, Alberta and Quebec told businesses there they should voluntarily follow suit as a best practice. Most Canadian organizations today at the very least notify provincial or federal privacy commissioners of a breach, he added, if they don’t also contact victims.
Therefore “it’s not going to be a huge game-changer for organizations,” he said.
Other improvements include clarifying when the commissioner can go public with findings.
The proposed amendments include new requirements for obtaining an individual’s approval to collect, use or share his/her personal information are also being proposed to establish stronger privacy protection for more vulnerable Canadians, such as children.
Organizations will also be required to communicate clearly with their customers when obtaining consent to capture personal information, the government said, and to consider whether their target audience is able to understand the consequences of sharing their personal information.
The government also said the proposed legislation sets limited exceptions to allow personal information to be shared with other businesses to help protect individuals from harm, such as to protect seniors from financial abuse, communicate with the family of an injured or deceased individual, or detect and prevent fraud.
At the same time the government said the legislation will also reduce red tape “by making sure that companies are able to use personal information to support their normal day-to-day business activities without undermining individual privacy.”
It will be easier for businesses to collect, use and share information in order to manage employees, conduct due diligence when buying another company or process insurance claims, for example.
In a news release OpenMedia.ca complained the proposed legislation doesn’t address government surveillance of individuals by Canadian spy agencies. The organization is part of a campaign protesting Ottawa’s cyberbullying legislation that protects telecom carriers that turn over personal information on subscribers under court order.
“There are some positive measures here (in the Digital Privacy Act) but this proposal also serves as a distraction from the government’s reckless surveillance of law-abiding residents of Canada,” OpenMedia.ca executive director Steve Anderson said in a statement.
Klein said that most organizations affected will probably say the proposed legislation goes far enough, despite the “hefty fine” they might have to pay.
However, he added, privacy advocates might be disappointed the amendments don’t give the commissioner the power to levy administrative fines in addition to facing prosecution for obstructing or breaking the law. Prosecution in court won’t be easy, he said — in fact he doubts it will ever be used.