Make federal data protection and breach reporting the law, MPs say
Government policy directs agencies to report data breaches, federal privacy watchdog says many don't
Federal agencies should be required by law to properly protect the private information of Canadians and to report breaches when sensitive data goes astray, says a group of MPs.
The Commons committee on ethics, information and privacy's recommendations for updating the 33-year-old Privacy Act — which covers the collection, use and disclosure of information by federal departments — come as data losses and thefts in the new digital universe make many people nervous about sharing personal details.
This week Yahoo revealed it only just discovered a breach affecting more than one billion user accounts that took place more than three years ago.
Hundreds of notable lapses involving personal information occur in federal agencies every year.
A government policy directs federal agencies to report these significant data breaches, but privacy commissioner Daniel Therrien says many do not.
For instance, Health Canada didn't tell the privacy commissioner it slipped up by sending letters to more than 41,000 people across the country in 2013 in windowed envelopes that clearly indicated they were from the department's medical marijuana program.
The Commons committee report, tabled this week, says there should be an explicit requirement in the Privacy Act for government institutions to report significant breaches in a timely manner, along with clear consequences for failing to safeguard personal information.
Two years ago the commissioner's office concluded that a missing portable hard drive with details about hundreds of thousands of people who took out student loans had been left unsecured for extended periods and lacked password protection and encryption.
Human Resources and Skills Development Canada, as the department was known when the drive disappeared, said the files included student names, social insurance numbers, dates of birth, contact information and loan balances, as well as the personal contact information of 250 department employees.
Time for modernization
Legislation passed last year laid the groundwork for mandatory reporting of private-sector breaches that pose a substantial risk of harm to individuals.
The government has asked the public and interested parties for comment on shaping regulations and determining what companies and other private organizations will have to do in the event of a lapse.
Many have long said the public-sector Privacy Act needs to be modernized.
The Commons committee also recommends:
- Defining metadata — the digital trails associated with a message, but not the content itself — in the Privacy Act, with an emphasis on the information it can reveal about someone;
- More transparency about the information-sharing agreements departments have with one another or other governments;
- Clear rules governing the collection and protection of personal information that federal agencies gather through the Internet and social media.