Site icon IT World Canada

Enshrine data breach guidelines in law: Stoddart

Upon learning that various government departments have failed to report thousands of incidents of data and privacy breaches to her office, Canadian Privacy Commissioner Jennifer Stoddart said it is high time guidelines on how government organizations handle such situations be turned into law.

“Departments have Treasury Board guidelines to follow in order to determine when they should notify our office of breaches, it is generally based on the magnitude of the breach and the sensitivity of data,” Stoddart said in an email to ITWorld Canada. “Our office feels federal organizations and Canadians would benefit from an instrument of greater weight to provide increased certainty such as enshrining such direction into law.”

On Monday, the Federal government reported that there have been more than 3,000 data and privacy breaches in various departments over the past 10 years. The breaches affected more than 725,350 Canadians.
“Our office learned about the information Tuesday afternoon,” said Stoddart. “While we haven’t had a chance to go through and evaluate each breach to see if we should have been notified, the sheer number leads us to think that there certainly should be at least some that really should have been reported to our office.
 
Of the 3,134 breaches that occurred between 2002 and 2012, only 399 were reported to the Office of the Privacy Commissioner, according to documents released by the federal government in the House of Commons.
 
Privacy Commissioner Jennifer Stoddart

“It’s really disturbing to learn of the extent this attempt to keep the OPC and the people in the dark,” said NDP MP Charlie Angus. His original  question about how many instances Canadian’s private information held by government departments were lost, stolen or accessed by unauthorized third parties prompted the government to reveal its lapses. “There is clearly a culture of putting the interest of the department ministers ahead of those of the people they are supposed to serve.”

“I think the threshold for determining when government breaches should be reported is extremely high,” he said “Private organizations handling sensitive personal information are being pushed towards mandatory privacy breach reporting, the government should be subjected to the same.”

Under federal legislation, the government is not required to tell Canadians if their personal information has been breached, according to David Fraser, a privacy law expert and part at the McInnes Cooper law firm in Atlantic Canada. 
“As the law stands, departments are also not obliged to inform the OPC if personal data they are holding is stolen or lost,” he said. “This is very ironic because if any organization holds truly sensitive and personal information, it would be government bodies. They have your medical records, your financial records, your immigration records and even criminal records.”

The Treasury Board of Canada however has a privacy breach guideline which advices government organizations on what actions to take in case of a data or privacy breach. The guideline for instance says “it is strongly recommended” that institutions notify the OPC if the breach:

Stoddart said that in 2009, her office had recommended a reform of the Privacy Act that called for the Treasury Board guidelines to be enshrined in law.

“We also called for the law to include a provision stipulating that requirements for adequate information security safeguards,” Stoddart said. “These recommendations have not been followed and given events such as the HRDC student loans breach and the news this week, it may be high time for them to be acted upon.”

In January this year, The Human Resources and Skill Development Canada minister Diane Finley that her department lost a portable hand drive with 585 personal records of student loan borrowers between 2000 and 2005. In December of 2012, an HRSDC employee lost a USB key containing the information of 5,000 people.

The OPC will release its annual report on the Privacy Act this fall, according to Stoddart. The report’s theme will be information security. In the coming months, the OPC also intends to undertake an audit of the use of portable storage devices by some federal organizations.

 

Exit mobile version