Mandatory data breach reporting proposed

Bill needs close look due to inclusion of 'real dangers', privacy advocate says

Proposed changes to Canadian privacy laws reintroduced by the government Thursday would force companies to report breaches of personal information to the privacy commissioner and affected individuals. But they also contain 'real dangers,' a privacy advocate says.

Mandatory reporting of data breaches was among proposed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) introduced Thursday by Industry Minister Christian Paradis in the House of Commons. The bill is identical to one introduced in May 2010 during the last session of Parliament, C-29, which died when the election was called this past May.

"Ensuring trust and confidence through the protection of personal information is essential to the growth of the digital economy," Paradis said in a statement. "Our government will continue to help protect consumers and businesses from the misuse of their personal information, thereby increasing confidence in the online marketplace."

Organizations would be required to report breaches where there is a risk of "significant harm" such as identity theft, fraud or risk to a person's reputation. In that way, the government said, those affected could take steps to mitigate the damage that might arise from the breach.

Privacy rule exceptions

Other proposed changes to the law introduce exceptions to rules for handling personal information:

• They would clarify that organizations can disclose personal information requested by government institutions and law enforcement and security agencies without a warrant, subpoena or court order. They would also prohibit such organizations from notifying those affected by the disclosure of their personal information if the law enforcement or government institution requesting the information objects to the disclosure.
• They would allow for the release of personal information to help protect victims of financial abuse, locate missing persons or identify people who might be injured, ill or deceased.
• Disclosure of personal information without consent would be allowed for private sector investigations and fraud prevention.
• Consent would no longer be required for the collection, use and disclosure of information needed for managing employment relationships, information produced for work purposes, information used for due diligence in business transactions, or business contact information for day-to-day business.

In addition, the rules concerning consent to disclosure of personal information would require organizations to consider the ability of their target audience, such as children, to understand the consequences of sharing their information. continue

1 | 2