The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Friday, August 03, 2007
The Federal Privacy Commissioner has just released privacy breach guidelines, which are similar to guidelines produced by the Ontario and British Columbia commissioners. Here is the press release, with links to the guidelines:
News Release: Privacy Commissioner releases privacy breach guidelines (August 1, 2007) - Privacy Commissioner of CanadaPrivacy Commissioner releases privacy breach guidelines
Ottawa, August 1, 2007 – New guidelines will help organizations take the right steps after a privacy breach, including notifying people at risk of harm after their information has been stolen, lost or mistakenly disclosed, says the Privacy Commissioner of Canada, Jennifer Stoddart.
The guidelines outline some of the key steps in responding to a breach, such as containing the breach, evaluating the risks associated with it, notifying the people affected and preventing future breaches.
“It’s clear that most businesses take seriously their responsibilities under Canada’s private-sector privacy law. I want to thank the industry groups, civil societies groups and privacy commissioners' offices that helped my office in developing these,” Commissioner Stoddart says.
The Office of the Privacy Commissioner (OPC) has become increasingly concerned about privacy breaches and breach notification following some major data breaches in recent months. Earlier this year, Commissioner Stoddart urged the federal government to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) to make it mandatory for businesses to notify people when their personal information has been breached.
“Our new voluntary guidelines do not take away from the need for breach notification legislation,” the Commissioner says. “I would once again urge the Minister of Industry and his cabinet colleagues to help better protect Canadians by making breach notification a legal requirement for businesses.” The guidelines call on businesses to notify people that their personal information has been compromised in cases where the breach raises a risk of harm. For example, there may be a risk of identity theft or fraud in cases where sensitive personal information has been lost or stolen.
Organizations are also encouraged to inform the appropriate privacy commissioner(s) of a privacy breach. (In British Columbia, Alberta and Quebec, provincially regulated businesses should speak to their provincial privacy commissioners. In Ontario, breaches involving personal health information must be reported to the provincial commissioner.)
The OPC is currently investigating two high-profile privacy breach cases involving large amounts of personal information.
In one case, the Canadian Imperial Bank of Commerce reported to the OPC the disappearance of a hard drive containing the personal information and financial data of close to half a million clients of its subsidiary, Talvest Mutual Funds.
The other investigation, being conducted jointly with the Information and Privacy Commissioner of Alberta, is looking at a breach at TJX Companies Inc., which affected thousands of Canadians who shopped at TJX’s Winners and HomeSense stores.
The new guidelines as well as a privacy breach checklist and a list of organizations which participated in the consultation process to develop the guidelines are available on the OPC website, http://www.privcom.gc.ca/.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
Labels: alberta, bc, breach notification, british columbia, health information, identity theft, privacy, tjx
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.