The number of material data breaches suffered by federal government departments increased 16 per cent to 298 for the 12-month period ending March 2016, compared to 256 the previous year, according to the federal privacy commissioner’s annual report.
“As in years before, ‘accidental disclosure’ was the most common cause cited for breaches,” says the report, “highlighting the need for institutions to ensure proper procedures are in place to protect Canadians’ personal information.
“Our office has received hundreds of reports of data breaches from federal institutions, pointing to a lack of adequate safeguards. With advances in technology, government departments are collecting and using ever-greater amounts of personal information without necessarily having the adequate safeguards in place, increasing the risk and potential consequences of privacy breaches.”
The report, issued Tuesday morning, says new technologies and business models are putting ever-greater pressures on privacy and demand a more modern approach to protecting personal information.
“We’re trying to use 20th Century tools to deal with 21st Century privacy problems and it’s clear those tools are increasingly insufficient,” commissioner Daniel Therrien said in a statement.
“The government should give greater priority to the modernization of laws and policies and it should invest more resources in building robust privacy protection frameworks. This is essential to maintaining public confidence in government and the digital economy.”
The data breach numbers for the last fiscal year were the second year government departments were obliged under Treasury Board rules to report to the privacy commissioner’s office “material” data breaches. In the years before 2012-2013 reporting was voluntary.
But, the report adds, there is still inconsistency in reporting. For example, there were more than 5,800 breaches recorded across all departments in 2015-2016, but just over five per cent of those were reported to Therrien. Admittedly, many of the breaches did not necessarily involve personal information, or would not likely have included data sensitive enough to be considered “material” breaches, and so wouldn’t have to be reported under Treasury Board policy.
Still the report says it’s time for breach notification to be elevated from a policy directive to a legal requirement, likely in the Privacy Act. “Placing a specific legal obligation on federal institutions to report such privacy breaches to our Office would ensure we have a better picture of the current scope of the problem, and that we are consulted in the process of responding to the breach and mitigating its impact on individuals,” the report says.
The privacy commissioner enforces two pieces of legislation that protect the privacy of personal information: the Privacy Act, which covers the federal government, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to private sector organizations covered by federal legislation.
The report also notes a sharp increase in voluntary data breach reports submitted by organizations covered by PIPEDA. For calendar year 2015, there were 98 reports, more than double the 44 received in 2014. That is expected to increase even more when mandatory data breach reporting comes into effect, perhaps next year, when regulations are proclaimed under the Digital Privacy Act.
The largest share of complaints under PIPEDA concerned the handling of personal data by Internet providers (22 per cent of complaints).
Among the federal departments that have suffered data breaches is Therrien’s own. In 2014 a portable hard drive that backed up the office’s financial system, used to manage and forecast the salaries of 800 current and former staff, went missing. During the fiscal year covered by the report, former commissioner John Simms looked into the matter and found that the portable hard drive wasn’t properly recorded and tracked as an asset, that the information on it was retained longer than recommended, and that certain department and Treasury Board policies weren’t followed. There was no evidence that any of the personal information contained on the missing hard drive had been disclosed or used improperly.
The report also notes differences between the privacy commissioner and the federal government on how much personal information departments can collect. The Privacy Act states that “no personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.” Therrien has interpreted this to mean that the collection of information must be necessary for the operating program or activity — which, the report says, is consistent with the Treasury Board Directive on Privacy Practices.
However, the report adds, this interpretation is not consistently followed across the Government of Canada. In a recent court submission, the Attorney General of Canada explicitly rejected necessity as a standard for the collection of personal information under the Act, arguing instead for a broader interpretation of the term “unless it relates directly,” which would allow greater collection of personal information, the report says. The question is now before the Federal Court of Canada.
Furthermore, the federal Standard on Security Screening, set by Treasury Board, has recently been amended to allow for much broader collection than in the past. That issue is also before the courts, in a challenge to the new standard launched by the Union of Correctional Officers of Canada.
Finally, the commissioner’s office looked at the first six months of the new Security of Canada Information Sharing Act (SCISA), aimed at facilitating the sharing of residents’ personal information between federal departments and institutions to protect against “activities that undermine the security of Canada.” So far there appears to have been limited use of the act: Canada Border Services Agency, Immigration, Refugees and Citizenship Canada and Global Affairs Canada made a total of 58 disclosures during the period.
Still, the report warns that “the potential for sharing on a much larger scale combined with advances in technology allow for personal information to be analyzed algorithmically to spot trends, predict behaviour and potentially profile ordinary Canadians with a view to identifying security threats among them. Our intent in future reviews will be to examine whether law-abiding citizens are indeed subject to these broad sharing powers, and if so, under what circumstances.”