With the Conservative government’s privacy reform bill sitting untouched after being introduced about two years ago, New Democratic Party MP Charmaine Borg has introduced a private member's bill that would make it mandatory for organizations to report data breach incidents.
Borg’s proposed amendment to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) echoes what Canadian consumer and privacy advocacy groups have been clamoring for – more teeth to the existing privacy legislation, which only requires voluntary reporting of breaches.
“An organization having personal information under its control shall notify the (Privacy) Commissioner of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the loss or disclosure or unauthorized access,” the proposed bill reads.
The document also includes two determining factors for considering a breach harmful:
- The sensitivity of the personal information
- The number of individuals whose personal information was involved
Bill C-475 also says the commissioner may require organizations to notify affected individuals “to whom there is an appreciable risk of harm” as a result of the breach.
The notification should include:
- A report of the risk of harm
- Instructions about reducing the risk of harm or mitigating the harm
- Any other prescribed information
The proposed bill also empowers the privacy commissioner to order the organization concerned to take actions such as: corrective measures; destruction of data; deleting or adding a record; stopping data collection or disclosure; and publishing a notice of the actions taken.
Should the organization fail to comply within a prescribed limit, it may be subject to a penalty of no more than $500,000 or punitive damages imposed by the court. Individuals affected by the breach also have the right to sue the organization for damages or loss suffered due to the organization's non-compliance with the act.
In his blog post today, privacy advocate and University of Ottawa Internet law professor Michael Geist said Bill C-475 is better than the government's Bill C-12 as it provides clear-cut breach disclosure requirements and comes with an order-making power “backed by significant penalties for compliance failures.”