On May 29, the federal government introduced Bill C-29, the Safeguarding Canadians’ Personal Information Act, which makes substantial changes to the Personal Information Protection and Electronic Documents Act (PIPEDA). The Bill had been in development for several years, and one of its primary objectives was to address a significant gap in PIPEDA, the issue of mandatory disclosure of “material” breaches of personal information by the companies or organizations responsible.
Although Bill C-29 does address this issue, it's the way that breaches are classified as material, and the lack of penalties for non-disclosure, that have critics such as Michael Geist and Janet Lo, counsel with the Public Interest Advocacy Centre, unhappy. Under the new legislation, the organizations responsible for the breaches get to decide whether a breach is material and must be reported to the Privacy Commissioner (based on a number of criteria, such as the sensitivity of the information, the number of customers affected and an assessment by the company that concludes the cause of the breach indicates a systemic problem).
Companies also have the discretion to decide whether they must inform the individuals whose personal information has been breached, based on whether the breach poses a real risk of significant harm (e.g., identity theft, fraud or damage to reputation). And there are no monetary penalties for sweeping significant data breaches under the rug. This is in contrast to laws in several United States jurisdictions that define the responsibility to report breaches with more precision, and either impose hefty fines for breaches or grant those affected the right to sue the company responsible.
Confidentiality and Privacy policies are featured in all of First Reference’s Internal Control Library publications. See policy IT 8.04 in Information Technology PolicyPro, policy NP 1.08 in Not-for-Profit PolicyPro, and policy GV 1.11 in Finance and Accounting PolicyPro.
First Reference Internal Controls Managing Editor