The Personal Information Protection and Electronic Documents Act (PIPEDA) was updated on Nov. 1.
Canada’s privacy rules are being updated, but in the wake of recent high-profile data breaches, is your personal and private data any safer?
The Personal Information Protection and Electronic Documents Act (PIPEDA) was updated on Nov. 1 and among the most noticeable changes is the requirement that companies must “notify affected individuals as soon as feasible of any breach that poses a real risk of significant harm,” according to Innovation, Science and Economic Development Canada.
As well, organizations must report these intrusions to the Office of the Privacy Commissioner and “notify any third-party that the organization experiencing the breach believes is in a position to mitigate the risk of harm.”
And businesses must hold a record of this data for up to two years. Penalties as high as $100,000 aim to force companies to take privacy seriously.
But already, there is pushback.
“It is a step in the right direction, but it would be much more meaningful if the agency responsible for analyzing breach reports actually had some resources for the task at hand,” said Privacy Commissioner Daniel Therrien to Canadian Lawyer.
Some are concerned that the new rules are not specific enough.
“The law is also full of imprecise language, such as alerting Canadians that their data has been exposed only ‘as soon as feasible’ after a ‘real risk’ of ‘significant harm’ has been detected, which makes it likely some incidents will be reported too slowly or not at all,” according to a CBC News story.
The commissioner is hoping another $12 million will be added to its annual $24 million budget to address the new reality, but it’s unclear if the money will ever appear.
Even before the new rules come into effect, the commissioner will be investigating another government agency, after Global News found Statistics Canada has requested data from as many as 500,000 Canadians about their banking activity.
“Documents obtained by Global News show the national statistical agency plans to collect ‘individual-level financial transactions data’ and sensitive information, like social insurance numbers (SIN), from Canadian financial institutions to develop a ‘new institutional personal information bank,’” according to Andrew Russell and David Akin.
Understandably, many were perturbed to find this out and the federal Conservatives took the governing Liberals to task during a heated parliamentary session last week.
Statistics Canada has gone “too far” and is acting perilously like Big Brother, said Marcel Latouche, president and CEO of the Institute for Public Sector Accountability in Calgary.
“Canadians should not only be alarmed that their private data will be collected without their consent, but also that they may not be assured that their information may not be used by criminals in case of a breach. In 2018 we have already seen major hacks of data at Cathay Pacific, affecting 9.4 million passengers; at Facebook, affecting 90 million users; and at Uber, affecting 57 million customers, to name just a few. Government computer servers are no more immune from infiltration than are private ones and there is no guarantee that any data collected by government organizations is immune from cyber hacking and theft,” he wrote in The Financial Post.
Even political parties are not immune to data breaches, as we learned in the 2016 U.S. election. In Canada, the Privacy Act should be further amended to force political entities to better safeguard private citizens’ data, according to statements made by Liberal MP Nathaniel Erskine-Smith during an ethics committee hearing.
“The 2019 election will exist without any of the parties having any enforceable rules on how they handle our data and we’re at risk, I believe, because outside energies and forces are looking to affect how Canadians vote,” New Democratic Party MP Nathan Cullen said. “My view, based on the evidence that we have heard today, is that privacy rules should certainly apply to political parties.”