Bill calls for mandatory data breach reporting

With the Conservative government’s privacy reform bill sitting untouched after being introduced about two years ago, New Democratic Party MP Charmaine Borg has introduced a private member’s bill that would make it mandatory for organizations to report data breach incidents.

Bill C-475, Borg’s proposed amendment to the federal Personal Information Protection and Electronic Documents Act (PIPEDA), echoes what Canadian consumer and privacy advocacy groups have been clamoring for – more teeth to the existing privacy legislation that only requires voluntary reporting of breaches.

“An organization having personal information under its control shall notify the (Privacy) Commissioner of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exist a possible risk or harm to an individual as a result of the loss or disclosure or unauthorized access,” the proposed bill reads.

The document also includes two determining factors for considering a breach harmful:

- The sensitivity of the personal information
- The number of individuals whose personal information was involved

Bill C-475 also says the commissioner may require organizations to notify affected individuals “to whom there is an appreciable risk of harm” as a result of the breach.

The notification should include:

- A report of the risk of harm
- Instructions about reducing the risk of harm or mitigating the harm
- Any other prescribed information

The proposed bill also empowers the privacy commissioner to order the organization concerned to take actions such as: implementing corrective measures; destroying data; deleting or adding a record; stopping data collection or disclosure; and publishing a notice of actions taken.



Should the organization fail to comply within a prescribed limit, it may be subject to a penalty of no more than $500,000 or punitive damages imposed by the court. Individuals affected by the breach also have the right to sue the organization for damages or loss suffered due to the organization's non-compliance with the act.

In his blog post today, privacy advocate and University of Ottawa Internet law professor Michael Geist said Bill C-475 is better than the government’s Bill C-12 as it provides clear-cut breach disclosure requirements and comes with an order-making power “backed by significant penalties for compliance failures.”

He said the bill “kickstarts” the stalled privacy reform initiative but Bill C-475 failed to address some important issues.

“What the bill does not do, however, is address the other side of the privacy coin, namely the failure of government to hold itself accountable for the personal information it collects and now regularly seems to fail to safeguard,” he wrote.

In recent years, dozens of government departments and offices have been hit by data breach scandals.

Among the latest fiascos is the loss of no less than 585,000 personal records contained on a USB key that was misplaced by a staffer at Human Resources and Skills Development Canada.
