Micahel Geist's take on the results of the PIPEDA review: There Will Be No Privacy Reform. Get Over It.
See also his Toronto Star column on the topic.
I think he's probably right.
Showing posts with label pipeda review. Show all posts
Showing posts with label pipeda review. Show all posts
Michael Geist: There Will Be No Privacy Reform. Get Over It
0
comments
Labels:
pipeda review,
privacy
The Parliamentary Committee on Access to Information, Privacy and Ethics has just released its report following the five year PIEDA review:
ETHI (39-1) — Fourth Report: STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) — Standing Committee on ACCESS TO INFORMATION, PRIVACY AND ETHICS - Committees of the House of CommonsThe Standing Committee onACCESS TO INFORMATION, PRIVACY AND ETHICS
has the honour to present its
Fourth Report
Pursuant to its mandate under Standing Order 108(2), the Committee has studied a Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA) and agreed to the following report:
The HTML version of this report will be available soon. In the meantime, the Committee is pleased to make available the report entitled STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) (.PDF, 262 KB) in printable format.
Here are the recommendations:
47Recommendation 1
The Committee recommends that a definition of “business
contact information” be added to PIPEDA, and that the
definition and relevant restrictive provision found in the
Alberta Personal Information Protection Act be considered for
this purpose.Recommendation 2
The Committee recommends that PIPEDA be amended to
include a definition of “work product” that is explicitly
recognized as not constituting personal information for the
purposes of the Act. In formulating this definition, reference
should be added to the definition of “work product
information” in the British Columbia Personal Information
Protection Act, the definition proposed to this Committee by
IMS Canada, and the approach taken to professional
information in Quebec’s An Act Respecting the Protection of
Personal Information in the Private Sector.Recommendation 3
The Committee recommends that a definition of “destruction”
that would provide guidance to organizations on how to
properly destroy both paper records and electronic media be
added to PIPEDA.Recommendation 4
The Committee recommends that PIPEDA be amended to
clarify the form and adequacy of consent required by it,
distinguishing between express, implied and deemed/opt-out
consent. Reference should be made in this regard to the
Alberta and British Columbia Personal Information Protection
Acts.Recommendation 5
The Committee recommends that the Quebec, Alberta and
British Columbia private sector data protection legislation be
considered for the purposes of developing and incorporating
into PIPEDA an amendment to address the unique context
experienced by federally regulated employers and employees.Recommendation 6
The Committee recommends that PIPEDA be amended to
replace the “investigative bodies” designation process with a
definition of “investigation” similar to that found in the Alberta
and British Columbia Personal Information Protection Acts
thereby allowing for the collection, use and disclosure of
personal information without consent for that purpose .Recommendation 7
The Committee recommends that PIPEDA be amended to
include a provision permitting organizations to collect, use
and disclose personal information without consent, for the
purposes of a business transaction. This amendment should
be modeled on the Alberta Personal Information Protection Act
in conjunction with enhancements recommended by the
Privacy Commissioner of Canada.Recommendation 8
The Committee recommends that an amendment to PIPEDA be
considered to address the issue of principal-agent
relationships. Reference to section 12(2) of the British
Columbia Personal Information Protection Act should be made
with respect to such an amendment.Recommendation 9
The Committee recommends that PIPEDA be amended to
create an exception to the consent requirement for information
legally available to a party to a legal proceeding, in a manner
similar to the provisions of the Alberta and British Columbia
Personal Information Protection Acts.Recommendation 10
The Committee recommends that the government consult with
the Privacy Commissioner of Canada with respect to
determining whether there is a need for further amendments to
PIPEDA to address the issue of witness statements and the
rights of persons whose personal information is contained
therein.Recommendation 11
The Committee recommends that PIPEDA be amended to add
other individual, family or public interest exemptions in order
to harmonize its approach with that taken by the Quebec,
Alberta and British Columbia private sector data protection
Acts.Recommendation 12
The Committee recommends that consideration be given to
clarifying what is meant by “lawful authority” in section
7(3)(c.1) of PIPEDA and that the opening paragraph of section
7(3) be amended to read as follows: “For the purpose of clause
4.3 of Schedule 1, and despite the note that accompanies that
clause, an organization shall disclose personal information
without the knowledge or consent of the individual but only if
the disclosure is […]”Recommendation 13
The Committee recommends that the term “government
institution” in sections 7(3)(c.1) and (d) be clarified in PIPEDA
to specify whether it is intended to encompass municipal,
provincial, territorial, federal and non-Canadian entities.Recommendation 14
The Committee recommends the removal of section 7(1)(e)
from PIPEDA.Recommendation 15
The Committee recommends that the government examine the
issue of consent by minors with respect to the collection, use
and disclosure of their personal information in a commercial
context with a view to amendments to PIPEDA in this regard.Recommendation 16
The Committee recommends that no amendments be made to
PIPEDA with respect to transborder flows of personal
information.Recommendation 17
The Committee recommends that the government consult with
members of the health care sector, as well as the Privacy
Commissioner of Canada, to determine the extent to which
elements contained in the PIPEDA Awareness Raising Tools
document may be set out in legislative form.Recommendation 18
The Committee recommends that the Federal Privacy
Commissioner not be granted order-making powers at this
time.Recommendation 19
The Committee recommends that no amendment be made to
section 20(2) of PIPEDA with respect to the Privacy
Commissioner’s discretionary power to publicly name
organizations in the public interest.Recommendation 20
The Committee recommends that the Federal Privacy
Commissioner be granted the authority under PIPEDA to share
personal information and cooperate in investigations of
mutual interest with provincial counterparts that do not have
substantially similar private sector legislation, as well as
international data protection authorities.
Recommendation 21
The Committee recommends that any extra-jurisdictional
information sharing, particularly to the United States, be
adequately protected from disclosure to a foreign court or
other government authority for purposes other than those for
which it was shared.Recommendation 22
The Committee recommends that PIPEDA be amended to
permit the Privacy Commissioner to apply to the Federal Court
for an expedited review of a claim of solicitor-client privilege in
respect of the denial of access to personal information
(section 9(3)(a)) where the Commissioner has sought, and
been denied, production of the information in the course of an
investigation.Recommendation 23
The Committee recommends that PIPEDA be amended to
include a breach notification provision requiring organizations
to report certain defined breaches of their personal
information holdings to the Privacy Commissioner.Recommendation 24
The Committee recommends that upon being notified of a
breach of an organization’s personal information holdings, the
Privacy Commissioner shall make a determination as to
whether or not affected individuals and others should be
notified and if so, in what manner.Recommendation 25
The Committee recommends that in determining the specifics of an appropriate notification model for PIPEDA, consideration
should be given to questions of timing, manner of notification,
penalties for failure to notify, and the need for a “without
consent” power to notify credit bureaus in order to help
protect consumers from identity theft and fraud.
Feds to leave disclosure of data security breaches to businesses: legislative plan
0
comments
Labels:
breach notification,
pipeda review,
privacy
One thing that was relatively consistent in the submissions at PIPEDA's five year review was to follow in the footsteps of more than half the US states to require notification of security and privacy breaches. Canwest is reporting on leaked draft legislation which will surely disappoint many in the privacy community. In effect, there is no mandatory reporting. Businesses get to determine whether there is a "high risk of significant harm" and only then do they need to report the breach to consumers. Not reporting has no consequences. See: Feds to leave disclosure of data security breaches to businesses: legislative plan.
In case you haven't been consulted enough ...
The Government of Canada issued its response to the PIPEDA review report from the Standing Commitee on Access to Information, Privacy and Ethics, agreeing in parts and disagreeing in others with the committee's recommendations. So the government is now seeking public input on the topics that were relatively well canvassed before the parliaentary commitee.
If you have additional thoughts, you have until January 15 to make them known to Industry Canada.
Canada GazetteDEPARTMENT OF INDUSTRY
IMPLEMENTATION OF THE GOVERNMENT RESPONSE TO THE FOURTH REPORT OF THE STANDING COMMITTEE ON ACCESS TO INFORMATION, PRIVACY AND ETHICS ON THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT
Deadline for submission of views: January 15, 2008
On October 17, 2007, the Government of Canada tabled in Parliament its response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on the statutory review of the Personal Information Protection and Electronic Documents Act (PIPEDA). In support of the Minister of Industry's responsibility for PIPEDA, Industry Canada is seeking the views of Canadians on a number of issues related to the response, including proposals for legislative amendments to PIPEDA.
PIPEDA, which came into force on January 1, 2001, sets rules for the collection, use and disclosure of personal information in the course of commercial activity in Canada. In a modern, information-based economy, an effective and efficient model for the protection of personal information is vitally important to ensure that the privacy of Canadian consumers remains protected. The ETHI Report contains 25 recommendations for how PIPEDA could be fine-tuned to ensure that the Act continues to achieve this objective. The government response expresses agreement with a majority of the Committee's recommendations and reflects the view held by a number of stakeholders that PIPEDA is working well and is not in need of dramatic change at this time. However, a small number of specific amendments may be warranted, and this consultation process provides Canadians with the opportunity to present further information, advice and views regarding the implementation of key proposals for legislative change.
In particular, Industry Canada is seeking views on the implementation of a data breach notification provision in PIPEDA (ETHI recommendations 23, 24 and 25). Such a provision is an important component of a comprehensive strategy to address the growing problem of identity theft. The Government proposes that the Privacy Commissioner be notified of any major breach of personal information, and that affected individuals and organizations be notified when there is a high risk of significant harm resulting from the breach. Ultimately, a requirement for data breach notification should encourage organizations to implement more effective security measures for the protection of personal information, while enabling consumers to better protect themselves from identity theft when a breach does occur. Industry Canada is seeking input in developing the parameters of a data breach notification provision, including, but not limited to, questions of timing, manner of notification, penalties for failure to notify, the need for a "without consent" power to notify credit bureaus, and appropriate "thresholds" for when organizations should be required to notify.
Industry Canada is also seeking further views on the issue of "work product" information (ETHI recommendation 2). The question of whether information created by individuals in their employment or professional capacity should be explicitly excluded from the definition of personal information has been a matter of significant debate. Industry Canada would therefore appreciate a wider range of views on whether an amendment to PIPEDA is needed, and, if so, how this should be implemented.
Furthermore, in order to ensure that PIPEDA is consistent with the needs of Canadian law enforcement agencies, the Government intends to clarify the meaning of lawful authority in PIPEDA as recommended by the Committee (ETHI recommendation 12). Industry Canada is seeking views and specific advice on how the concept of lawful authority could be better defined.
The Committee also recommended a number of issues for further consideration and/or consultation, including witness statements (ETHI recommendation 10), consent by minors (ETHI recommendation 15), and an assessment of the extent to which elements contained in the PIPEDA Awareness Raising Tools (PARTS) document may be set out in legislative form (ETHI recommendation 17). Industry Canada welcomes submissions on these matters.
Finally, Industry Canada is considering alternatives to the current process for the designation of investigative bodies (ETHI recommendation 6) and would appreciate any further views on this issue.
Submissions on the above, or on any other issues related to the government response that you may wish to raise, can be sent by email to PIPEDAconsultation@ic.gc.ca, by fax to 613-941-1164, or by mail to Richard Simpson, Director General, Industry Canada, Electronic Commerce Branch, 300 Slater Street, Ottawa, Ontario K1A 0C8.
The Government's response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics is available electronically on the World Wide Web at the following address: http://ic.gc.ca/specialreports.
For printed copies, please contact Publishing and Depository Services, Public Works and Government Services Canada, Ottawa, Ontario K1A 0S5; 1-800-635-7943 (Canada and U.S. toll-free telephone), 613-941-5995 (telephone), 1-800-465-7735 (TTY), 1-800-565-7757 (Canada and U.S. toll-free fax), 613-954-5779 (fax), publications@pwgsc.gc.ca (email), www. publications.gc.ca.
The government has issued its response to the five year PIPEDA review report, issued earlier this year by the Parliamentary Committee on Access to Information, Privacy and Ethics. No big surprises.
The government proposes even more "consultations".
The PIPEDA Review Hearings have resumed after a recess and Michael Geist continues to link to notes taken at the hearings (see: Michael Geist - PIPEDA Hearings - Days 9 (banking industry) and 10 (Chamber of Commerce, Insurance)). The focus has shifted to discussions of breach notification, a topic that now seems to have strong support on the committee.
Will this be beginning of breach notification in Canada?
0
comments
Labels:
alberta,
breach notification,
identity theft,
pipeda review,
privacy,
tjx
The recent personal information breaches in Canada have prompted a lot of discussion about breach notification.
This may be the upswell of citizen concern that will prompt legislative change in Canada.
From today's Halifax Chronicle Herald:
The ChronicleHerald.ca - Should retailers come clean?
Businesses not obligated to alert consumers when information is stolenBy CLARE MELLOR Business Reporter
Retailers and financial institutions in Canada don’t have to tell customers when thieves have stolen their personal information.
Recent cases of data theft at Winners and the loss of a hard drive at CIBC have made headlines across the country, alerting Canadian consumers to be on guard for identity theft, but these security breaches could be the tip of the iceberg, privacy experts say.
"There are probably a whole lot more incidents out there that we haven’t heard about because the businesses have no legal reason that requires them to tell the consumers involved," Halifax lawyer David Fraser, a privacy specialist, said Friday.
"One of the big questions on law reform in this area is whether a business should have a duty to notify people whose information has been compromised."
CIBC, which was earlier taken to task by federal privacy commissioner Jennifer Stoddart for lapses in security involving misdirected faxes, issued a news release and sent letters to Talvest mutual-fund holders last week. The company said a backup computer file containing their personal information had gone missing in transit.
TJX Cos., American operator of Winners and HomeSense, recently revealed that computer hackers had broken into its system, but the firm has not said how many customers had personal data stolen.
About 30 states have laws requiring businesses to notify their customers when their personal information has been stolen or lost, Mr. Fraser said.
A parliamentary committee has been reviewing Canada’s federal privacy law. Requirements to notify the public when a breach happens are being discussed.
When Ms. Stoddart appears before the committee, she will likely call for changes to the law requiring businesses to inform consumers when their information has been stolen or gone missing, Anne-Marie Hayden, spokeswoman for the privacy commissioner’s office, said Friday.
Under Canada’s privacy law, businesses and banks must keep personal information secure and not share it without client consent.
While Ms. Stoddart’s office can’t fine or penalize businesses that repeatedly break the law, it can pursue legal action through the Federal Court, Ms. Hayden said.
"It would be safe to say that most of the time when the commissioner makes recommendations (to tighten privacy practices), those changes are implemented," she said .
But David Malamed, a forensic accountant, said it is clear many companies are not taking their privacy obligations seriously enough.
"A lot of the reason that it is happening is that the focus for a lot of companies is on the bottom line," said Mr. Malamed, who works at Grant Thornton in Toronto
"As systems advance, people get smarter and the question is how money is being invested into protecting these systems. . . . There are different methods that you can go about to protect your customer information that will help prevent this from happening or at least reduce it to a greater degree."
There have been media reports of fraudulent purchases made with customer information stolen from Winners.
A Canadian law firm, Merchant Law Group, which has offices in Saskatchewan and Alberta, has already launched a class-action suit over the security breach.
But there is some question about whether Canadian consumers can successfully sue for theft or mishandling of their personal information, Mr. Fraser said.
"If you are the subject of fraud, you may be able to successfully sue them," he said. "But if you can’t prove harm, it is much more difficult."
(cmellor@herald.ca)
All the evidence to date in the statutory review of PIPEDA is up on the committee's website. Links are below for your convenience:
Meeting |
|
|
|
Meeting |
|
|
|
Meeting |
|
|
|
Meeting |
|
|
|
Meeting |
|
|
|
Meeting |
|
|
|
Meeting |
|
|
|
Meeting |
|
|
|
Meeting |
|
|
|
Kevin Bousquet, a private investigator with The Corpa Group, has an interesting and long post on PIs, privacy law and pretexting on his blog. It's his view that privacy laws have backfired and that Bill C-299 (the anti-pretexting private member's bill) will have a disastrous effect on the ability of private investigators to deal with fraud, among other things. It's obvious that he put a lot of thought into it and, though I don't agree with many of his conclusions, it is an interesting perspective.
Oddly, there wasn't anyone espousing this perspective who appeared at the PIPEDA review hearings.
Subscribe to:
Comments (Atom)
Popular entries
-
Incident: Sick Kids physician loses portable hard-drive with unencrypted personal health informationA physician from Sick Kids hospital who decided to travel with a portable hard-drive containing unencrypted health information on 3,300 pat...
-
The Securities and Exchange Commission has voted unanimously to introduce amendments designed to strengthen the regulatory framework govern...
-
The Information and Privacy Commissioner of Alberta released a very interesting order today, considering whether the right to freedom of exp...
-
Like many people I suspect, I was concerned to read the recent BBC report about glass ceilings which, the report said, means that "to...
-
Public limited companies in Norway were given until the start of this year to implement rules designed to increase the representation of wom...
-
Note - the Landlord Law Blog has now moved to www.landlordlawblog.co.uk . There is still quite a bit of confusion regarding the recent deci...
-
In Gregson v HAE Trustees Ltd & Ors [2008] EWHC 1006 (Ch) a so-called "dog-leg" claim was brought against the directors of a ...
-
Today, April 6, is an important date for aficionados of the Companies Act 2006 and anyone else interested in the Government's programme...
-
Figures from the DCA show that landlord possession claims were 20% down during the last quarter. Co-incidentally this was the first quarter...
-
The Ontario Information and Privacy Commissioner is investigating after old medical records were found in a dumpster behind a coffee shop by...
