Skip to main content
The Globe and Mail
Support Quality Journalism
The Globe and Mail
First Access to Latest
Investment News
Collection of curated
e-books and guides
Inform your decisions via
Globe Investor Tools
Just$1.99
per week
for first 24 weeks

Enjoy unlimited digital access
Enjoy Unlimited Digital Access
Get full access to globeandmail.com
Just $1.99 per week for the first 24 weeks
Just $1.99 per week for the first 24 weeks
var select={root:".js-sub-pencil",control:".js-sub-pencil-control",open:"o-sub-pencil--open",closed:"o-sub-pencil--closed"},dom={},allowExpand=!0;function pencilInit(o){var e=arguments.length>1&&void 0!==arguments[1]&&arguments[1];select.root=o,dom.root=document.querySelector(select.root),dom.root&&(dom.control=document.querySelector(select.control),dom.control.addEventListener("click",onToggleClicked),setPanelState(e),window.addEventListener("scroll",onWindowScroll),dom.root.removeAttribute("hidden"))}function isPanelOpen(){return dom.root.classList.contains(select.open)}function setPanelState(o){dom.root.classList[o?"add":"remove"](select.open),dom.root.classList[o?"remove":"add"](select.closed),dom.control.setAttribute("aria-expanded",o)}function onToggleClicked(){var l=!isPanelOpen();setPanelState(l)}function onWindowScroll(){window.requestAnimationFrame(function() {var l=isPanelOpen(),n=0===(document.body.scrollTop||document.documentElement.scrollTop);n||l||!allowExpand?n&&l&&(allowExpand=!0,setPanelState(!1)):(allowExpand=!1,setPanelState(!0))});}pencilInit(".js-sub-pencil",!1); // via darwin-bg var slideIndex = 0; carousel(); function carousel() { var i; var x = document.getElementsByClassName("subs_valueprop"); for (i = 0; i < x.length; i++) { x[i].style.display = "none"; } slideIndex++; if (slideIndex> x.length) { slideIndex = 1; } x[slideIndex - 1].style.display = "block"; setTimeout(carousel, 2500); }

Federal Privacy Commissioner Jennifer Stoddart

CHRIS WATTIE/REUTERS

Privacy commissioner Jennifer Stoddart's office has compiled a preliminary list of federal agencies with potentially worrisome patterns when it comes to the loss of Canadians' personal information.

The analysis is based on departmental figures tabled in Parliament in April in response to a question from New Democrat MP Charlie Angus. The response indicated there were more than 3,000 data breaches over a 10-year period affecting about 725,000 Canadians.

Upon crunching the numbers, the privacy commissioner identified nine departments and agencies that may lack adequate reporting mechanisms, have faulty security procedures or require improved tracking protocols.

Story continues below advertisement

Ms. Stoddart's staff cautions that the figures paint a statistical picture but do not shed full light on the kind of data involved in the breaches.

Still, the office says two departments – Fisheries and Oceans and Public Safety – "may lack adequate reporting mechanisms" for alerting the privacy commissioner of a data loss.

Fisheries reported three breaches affecting 73 people between 2002 and 2012. However, for the same period there were actually 12 lapses affecting 4,690 individuals.

None of the 28 breaches that occurred at Public Safety after 2009 were reported, says the privacy commissioner.

"A cursory comparison between institutions indicates that they do not seem to have a consistent method for reporting breaches," say notes prepared by Ms. Stoddart's office. "Some systematically report breaches, others almost never."

Institutions that "may have systematic issues in safeguard and security protocols" are Citizenship and Immigration, Passport Canada, the Correctional Service, the RCMP, the Parole Board and Veterans Affairs.

Citizenship and Immigration had 161 breaches in 2012 alone, while the passport office had 131 incidents in 2011-12, said the commissioner.

Story continues below advertisement

Finally, the Canada Revenue Agency was not able to present any data, suggesting a "deficiency in tracking and auditing."

The difficulty with federal data breaches is not new, Ms. Stoddart said in an interview.

"We know it's a systemic problem. We've seen it for years," she said. "So I think a positive action on the part of the government to strengthen education about it, prevention, followup and so on, would be the way to go."

The commissioner's office points out that while the federal Treasury Board has published guidelines for privacy breaches, they simply recommend – not require – that institutions notify the commissioner of certain kinds of breaches. They include ones that involve sensitive personal data such as financial or medical information, can result in identity theft, or might otherwise harm or embarrass a person, damaging their career, reputation or well-being.

"Conversely, this means that there are a number of breaches that are not deemed to be serious enough to warrant notification to our office," say the notes. "We can presume that this may partially explain the vast number of unreported breaches."

During a recent meeting, Ms. Stoddart urged Treasury Board President Tony Clement to amend the privacy law to make reporting of federal data losses mandatory.

Story continues below advertisement

"It was a very positive meeting," Ms. Stoddart said. "Minister Clement seemed very concerned about the question of data and very interested in ways of strengthening data-breach awareness, I'd say, and proactive work to minimize data breaches."

However, she said Mr. Clement "made no commitments" about enshrining mandatory reporting.

Andrea Mandel-Campbell, a spokeswoman for Mr. Clement, said Monday that the minister is taking Ms. Stoddart's comments "under consideration."

Mr. Angus says a "complete overhaul" of reporting procedures is needed. "Every breach must be reported to the privacy commissioner," he said Monday.

Government must also ensure Ms. Stoddart's office has the resources to investigate lapses and powers to effectively police both federal agencies and private companies that lose data, he said.

"She has to have the tools that she needs to protect privacy."

Story continues below advertisement

After Human Resources and Skills Development lost the personal information of more than half a million people who took out student loans, Mr. Angus's NDP colleague, digital-issues critic Charmaine Borg, tabled a motion in February requesting a House of Commons committee study mandatory breach notification. It was defeated.

Report an error
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

Read our community guidelines here

Discussion loading ...

To view this site properly, enable cookies in your browser. Read our privacy policy to learn more.
How to enable cookies