The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Saturday, June 11, 2005
On Friday, the Canadian Bar Association's Access and Privacy Law Section executive had a unique opportunity to meet with the Federal and Provincial Access and Privacy Commissioners in Ottawa. It was a very interesting and useful session, but off the record.
The issue of notification of data breaches was raised and I was asked at the lunch by one of the Commissioners whether there has been serious research on the topic. Because there is no law (other than PHIPA in Ontario) that requires notification, any business dealing with an incident will need to consider what information, if compromised, will result in actual loss or harm to the individual(s) in question. The Commissioners are increasingly being contacted by businesses who want to know whether they should contact affected individuals, but they don't have all the information to fully assess the risk.
Though the media is full of information related to identity theft, I couldn't point to any substantive research of what information is useful to identity thieves. I know anecdotally that name, address, social insurance number (or SSN in the US), date of birth are the "keys to the kingdom". If anyone can point to anything authoritative that can provide insight, please e-mail it to me at david.fraser@privacylawyer.ca. I'll post links to anything I get.
Thanks.
Labels: breach notification, identity theft, information breaches, phipa
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.