Tabling of Privacy Commissioner of Canada's 2007 Annual Report on the
Personal Information Protection and Electronic Documents Act
OTTAWA, June 3 /CNW Telbec/ - Too many data breaches are occurring
because companies have ignored some of the most basic steps to protect
personal information, says the Privacy Commissioner of Canada, Jennifer
The Commissioner's 2007 Annual Report on the Personal Information
Protection and Electronic Documents Act (PIPEDA) was tabled today in
"Many companies need to do more to prevent inexcusable security
breaches," Commissioner Stoddart says. "Too often, we see personal information
compromised because a company has failed to implement elementary security
measures such as using encryption on laptops."
Voluntary privacy breach guidelines which the Office of the Privacy
Commissioner (OPC) developed with business and consumer groups, and published
last summer, appear to be prompting more organizations to report breaches.
The OPC has received 21 voluntary breach reports in the first five months
of 2008. Last year, there were 34 voluntary reports of breaches to the OPC -
up from a total of 20 reports in 2006.
Over the last few years, hundreds of thousands of Canadians have been
affected by data breaches.
"Many organizations want to be good corporate citizens and do the right
thing," says Commissioner Stoddart. "While the increased number of reports is
a positive sign, it's clear we still aren't hearing about every breach which
could have a harmful impact on people."
Financial institutions are reporting the largest number of breaches to
the OPC. Some telecommunications, insurance and retail companies have also
The OPC is concerned that few small and medium-sized enterprises are
Examples of reported breaches include the theft of laptops containing
unencrypted personal information, data tapes lost in transit, improperly
discarded paper records, and misdirected faxes.
Information the OPC is collecting from the voluntary reports is helping
to shed light on some of the common problems which are leading to breaches.
It is clear, for example, that unprotected laptops remain a huge issue
which companies must address. Many breaches related to electronically stored
data, often customer information stored on stolen laptop computers. Almost
nine in 10 people whose data was compromised by a self-reported breach in 2007
were put at risk because their personal information was held in an electronic
format that was either not secured or lacked adequate protection mechanisms
such as firewalls and encryption.
Other breaches occurred because employees had not followed established
company practices. Companies can address this problem by providing ongoing
privacy training, yet a poll commissioned by the OPC last year found only a
third of all businesses had trained staff about their responsibilities under
Canada's privacy laws.
The OPC strongly supports a plan by Industry Canada to introduce
mandatory breach notification. Reporting requirements will encourage
businesses to do more to reduce the risk of a data breach and ensure all
organizations are playing by the same rules. They will also ensure Canadians
are notified about serious breaches.
Industry Canada has prepared draft breach notification reporting rules
and is now fine-tuning this model based on stakeholder input.
The current proposals suggest the federal government is generally headed
in the right direction and that Canada will have a breach reporting regime
which is both reasonable and flexible.
As the federal government completes its work on reporting requirements,
the OPC continues to investigate a wide range of privacy complaints.
The OPC received 350 new PIPEDA complaints during 2007. Almost one third
of complaints involved financial institutions. As in past years, other major
sectors for complaints were telecommunications, insurance, sales and
transportation. The annual report is available on the OPC website.
The Privacy Commissioner of Canada is mandated by Parliament to act as an
ombudsman, advocate and guardian of privacy and the protection of personal
information rights of Canadians.
For further information:
For further information: Anne-Marie Hayden, Office of the Privacy
Commissioner of Canada, (613) 995-0103, firstname.lastname@example.org