First Reference Talks

Amendments to PIPEDA disappoint privacy watchdogs

Author: Colin Braithwaite

Posted on Thursday, June 17th, 2010 at 09:30

Image taken from: www.cba.org

On May 29, the federal government introduced Bill C-29, the Safeguarding Canadians’ Personal Information Act, which makes substantial changes to the Personal Information Protection and Electronic Documents Act (PIPEDA). The Bill had been in development for several years, and one of its primary objectives was to address a significant gap in PIPEDA, the issue of mandatory disclosure of “material” breaches of personal information by the companies or organizations responsible.

Although Bill C-29 does address this issue, it’s the way that disclosures are classified as material, and the lack of penalties for non-disclosure that have critics unhappy, like Michael Geist and Janet Lo, counsel with the Public Interest Advocacy Centre. Under the new legislation, the organizations responsible for the breaches get to decide if they are material and must be reported to the Privacy Commissioner (based on a number of criteria, such as the sensitivity of the information, the number of customers affected and an assessment by the company that concludes the cause of the breach indicates a systemic problem).

Companies also have the discretion to decide if they must inform the individuals whose personal information has been breached, based on whether the breach poses a real risk of significant harm (e.g., identity theft, fraud or damage to reputation). And there are no monetary penalties for sweeping significant data breaches under the rug. This is in contrast to laws in several United States jurisdictions that define the responsibility to report breaches with more precision, and either impose hefty fines for breaches or grant the right of those affected to sue the company responsible.

Confidentiality and Privacy policies are featured in all of First Reference’s Internal Control Library publications. See policy IT 8.04 in Information Technology PolicyPro, policy NP 1.08 in Not-for-Profit PolicyPro, and policy GV 1.11 in Finance and Accounting PolicyPro.

Colin Braithwaite
First Reference Internal Controls Managing Editor

Tags: disclosure of personal information, employee personal information, employment law, Finance and Accounting PolicyPro, Human Resources, information breaches, Information Technology PolicyPro, Janet Lo, Michael Geist, not-for-profit policypro, personal information, personal information protection, Personal Information Protection and Electronic Documents Act, PIPEDA, privacy, privacy breach, privacy legislation, Safeguarding Canadians' Personal Information Act

This entry was posted on Thursday, June 17th, 2010 at 09:30 and is filed under Human Resources, Internal Controls, IT, Privacy and Security, Privacy and Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Note that some comments may be moderated. If you have not had an approved comment here before, your comment will be held for approval. We are glad to publish comments that address issues raised in the post or other comments on it and that contribute to a fruitful discussion. We do not publish comments that seek to promote commercial products or that seek personal legal advice. Although we do not require it, we ask that in making a comment you use your full name. You must supply a valid email address, which will not appear with your comment.

Name (required)

Mail (will not be published) (required)

Website

I have 5 apples. How many apples do I have?

Spam Protection by WP-SpamFree

Amendments to PIPEDA disappoint privacy watchdogs

Leave a Reply

Get Free Updates

Categories

Recent Comments

Like us on Facebook!

Links

Blogroll

Post Archives

Questions?