The Public Interest Advocacy Centre (PIAC) today released a report entitled “Data Breaches: Worth Noticing?”. The report examines data breach notification in Canada in the private sector in general and in particular whether the proposed federal data breach notification law (Bill C-12) is adequate to protect Canadian consumers.
“Data breaches affect consumer confidence in the new economy,” said John Lawford, PIAC legal counsel and co-author of the report. “Government must require business to report all data breaches to the Privacy Commissioner of Canada or their provincial privacy commissioner.”
The report recommends that Bill C-12, An Act to amend the Personal Information Protection and Electronic Documents Act, be significantly toughened to require all data breaches be reported promptly to the Federal Privacy Commissioner, who in turn should have the power to order companies to notify individual consumers when there is a real risk of significant harm to them. The report also recommends Bill C-12 be amended to give the Privacy Commissioner of Canada order-making power to enforce the requirements and a fining power for non-compliance.
PIAC’s study is based in part on focus groups of Canadian consumers regarding their attitudes to data breaches.
“Consumers clearly think that they should always be notified when a company has lost their personal information unless the Privacy Commissioner says there’s no real risk of harm to them” said Lawford. “Bill C-12 is too weak to assure them that will happen,” he noted.
PIAC called for other amendments to Bill C-12, including increased audit powers for and a special data breach division at the Office of the Privacy Commissioner of Canada.
The Public Interest Advocacy Centre received funding from Industry Canada’s Contributions Program for Non-profit Consumer and Voluntary Organizations. The views expressed in this report are not necessarily those of Industry Canada or of the Government of Canada.
Data Breaches: Worth Noticing?”
Download File: data_breaches_worth_noticing_publication_version_final_final.pdf [size: 0.92 mb]
Executive Summary
Download File: executive_summary_data_breaches.pdf [size: 0.11 mb]
Sommaire: Ce rapport examine la notification des atteintes à la protection des données au Canada dans le secteur privé en général et, plus particulièrement, si le projet de loi fédéral sur la notification des atteintes à la protection des données (Projet de loi C‐12, Loi modifiant la Loi sur la protection des renseignements personnels et les documents électroniques) permet de protéger de façon adéquate les consommateurs canadiens.
Download File: sommaire_data_breaches.pdf [size: 0.14 mb]
Appendix 1: Focus groups
Download File: databreachesappendix_1_focus_groups_1.zip [size: 0.17 mb]
Data breaches: Appendix 2: Environics Report
Download File: appendix_2_environics_report_2.pdf [size: 0.32 mb]