Canada’s Privacy Commissioner is calling for a reform of the Privacy Act that would require public institutions to report data breaches and to make the collection of personal information possible only when it’s explicitly necessary, according to the office.
Canada’s Privacy Act regulates how the federal government and its institutions handle the personal information of Canadians. It was introduced July 1, 1983 – a year that the Commodore 64 and the Apple II were top-selling computers – and hasn’t received a substantial update since then. Last year, Parliament passed the Digital Privacy Act, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA), the law that regulates how the private sector handles personal information. Now Daniel Therrien, the Privacy Commissioner of Canada, is turning his attention to the public sector.
“Technological change has allowed government information sharing to increase exponentially. Existing legal rules are not sufficient to regulate this kind of massive data sharing,” reads Therrien’s opening statement given to the Standing Committee on Access to Information, Privacy, and Ethics on Reform of the Privacy Act on Thursday. “We recommend creating an explicit requirement for institutions to safeguard personal information under their control as well as a legal requirement to report breaches to my Office.”
Such an update would mean that the federal government would have the same requirements to report data breaches as private companies as legislated by the Digital Privacy Act. Passed into law, the act contains a clause requiring notification of affected individuals and the Privacy Commissioner when a breach occurs. But those laws won’t be enforced until regulations are issued around them.
Therrien also wants to put in place an “explicit necessity requirement” for the collection of personal information by the government in order to prevent “excessive collection” of personal data. Again, this provision is similar to the Digital Privacy Act update that requires organizations to prove consent of a person to collect their data.
Therrien is also looking to upgrade the powers of his office. While he’s not seeking order making power, which is the model for Ontario’s Privacy and Information Commissioner and allows for issuing of punitive financial measures, he is looking to expand the scope of court intervention his office is allowed. Currently, the Privacy Commissioner can only pursue a matter in the Federal Court when it’s a case of denial of access to personal information. That could be extended to include cases involving collection, use and disclosure of personal data.
The new model would be similar to the one recently put in place in Newfoundland and Labrador, Therrien said. There, if a public body in the order receives recommendations from the Commissioner, they are obligated to enact them, or seek a court exemption from doing so.
Therrien is also recommending that the office be allowed to report on matters of privacy to Canadians proactively instead of doing so just once or twice a year and that the Privacy Act should be applied to the officers of Ministers, including the Prime Minister of Canada.