#CyberFLASH: Privacy watchdog wants to see new office enforcement muscle

Canada’s privacy watchdog says “the time has come” to change his role under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) from that of an ombudsman, who can only make non-binding recommendations, to a regulator with authority to make binding orders, and even impose fines on recalcitrant organizations.

In an exclusive interview, federal Privacy Commissioner Daniel Therrien contrasted his limited enforcement powers (“naming and shaming” privacy transgressors and, on occasion, taking them to court) with those of EU and U.S. regulators.

“In many other jurisdictions, privacy regulators have order-making powers and they can impose fines for organizations that violate privacy laws,” Therrien said. “We’ve done well in Canada without these powers, but we think that the time has come to align our laws to those of other western democracies where privacy regulators do have order-making and fine powers. We’re dealing with organizations that are extremely wealthy. To recommend that they change a practice has some effect. But to be able to make an order, and to impose fines, when warranted, I think is necessary.”

The commissioner did not disclose what level of fines he considers appropriate (“we’re not there yet,” he said).

But his endorsement of adding beefed-up enforcement powers to the federal privacy regime — which he considers “an important enhancement” and “not a revolution” — will spark debate.

“I would be quite against…giving the commissioner order-making powers,” privacy law expert David Fraser of McInnes Cooper in Halifax told The Lawyers Weekly. “That would be a revolutionary thing in Canadian privacy law, and actually would require, I think, kind of essentially burning [the office of the privacy commissioner] to the ground and starting again because…if it’s going to have the ability to levy fines, or anything else like that, you have to build in all the procedural fairness requirements. You can’t have a kind of ‘judge-jury-executioner-prosecutor’ all in one office and all in one person, particularly in light of the advocacy-for-privacy role that the commissioner takes.”

Fraser called PIPEDA, as it stands, “a made-in-Canada solution that, in fact, is a complete solution. You have a privacy commissioner whose job…not to an insignificant degree, is framed as a champion of privacy, [who] investigates. The objective is principally to resolve [privacy complaints] and because the commissioner isn’t the cops, and isn’t the judge, at least in my experience, the businesses are inclined to sit down at the table with the commissioner and the commissioner’s investigators, lay all their cards on the table, and look towards building a solution, rather than something that is more adversarial. And so in fact I think all that goodwill would pretty well go out the window, and people would kind of ‘lawyer-up’ in the classic sense. It would get very defensive and it would get very adversarial.”


#CyberFLASH: Bid to boost spy agency’s powers raises privacy concerns: watchdog

The Conservative government’s bid to boost the power of Canada’s spy service to work with agencies that operate outside the existing oversight regime has raised a yellow flag for the federal privacy watchdog.

“The sharing of information does directly affect privacy, so that’s where my concerns would lie,” Daniel Therrien told the House privacy committee on Thursday afternoon.

He noted that, while the Canadian Security Intelligence Service (CSIS) is subject to independent oversight through the Security Intelligence Review Committee, that isn’t the case for all of the federal organizations with which it would be authorized to share information under the proposed changes to the law.

“Judge O’Connor in the Arar affair pointed out that there are shortcomings in independent oversight, and recommendations were put forward to the effect that government agencies involved in intelligence should be the subject of oversight in the same way as CSIS is.”

Practically speaking, he said, the bill before the House right now deals with CSIS’s mandate, and “indirectly,” the sharing of information by the same.


#CyberFLASH: Lost hard drive with student loan data lacked password protection


A portable computer hard drive containing the personal information of more than 500,000 student loan recipients was left unsecured for extended periods of time by government employees and was not protected by a password or encryption, Canada’s top privacy watchdog says.

In a report tabled in Parliament on Tuesday, interim federal privacy commissioner Chantal Bernier detailed the various security procedures Employment and Social Development Canada failed to follow when dealing with the confidential information — failures she said should serve as a lesson for every public sector department and agency.

The report says the ESDC hard drive went missing in 2012. It contained the personal information — including social insurance number, name, date of birth, home address, telephone number, loan amounts and balances — of 583,000 Canada Student Loans Program borrowers from 2000 to 2006. 


Privacy watchdog says more Ontario gas plant emails found


Newly discovered emails relating to the costly cancellation of two Ontario gas plants have turned up and the province’s privacy commissioner isn’t pleased that she had wrongly been informed that they couldn’t be found.

Information and Privacy Commissioner Ann Cavoukian issued a statement Wednesday, confirming that an official from the Ministry of Government Services informed her that “a number of emails” had been recovered that relate to the gas plant cancellations in Oakville and Mississauga.

Earlier this year, Cavoukian had been informed that the emails could not be found.

“I am appalled that we were provided with incorrect information during the course of my investigation, that was misleading,” Cavoukian said in her statement. “I am, however, very pleased that these records have now been found.”


Proposed data breach measures trail other countries: privacy watchdog

OTTAWA – Canada would have one of the weakest data breach laws in the western world even if proposed revisions currently before Parliament are passed, according to an analysis by the federal privacy watchdog.

The United States, Australia, Britain, France, Germany, Ireland and Spain either have — or are planning — stiffer enforcement measures to penalize organizations for breaches resulting in exposure of personal information, says the comparison released under the Access to Information Act.

The newly disclosed documents show the office of Privacy Commissioner Jennifer Stoddart prepared the analysis last June for deputy Industry minister Richard Dicerni.


Websites leaking users’ personal information: Privacy Commissioner

Canada’s privacy watchdog has issued a warning to 11 of Canada’s leading websites to stop handing over their users’ personal information to third parties without permission — or risk public exposure.

The Office of the Privacy Commissioner of Canada published the results Tuesday of a study it conducted in the summer that found “significant privacy concerns” with six out of 25 popular Canadian sites — they included media, shopping and travel sites all operated by large, profitable organizations — and questioned the practices of five other sites.


© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.