Privacy commissioner nominee Daniel Therrien is pictured in Ottawa on June 3, 2014.

Sean Kilpatrick/THE CANADIAN PRESS

Companies that lose personal customer data should be required to directly notify affected people – with limited exceptions – about the nature and date of the lapse along with steps taken to reduce the harm, says the federal privacy watchdog.

The Trudeau government plans to introduce breach-notification regulations in coming months to improve transparency and help consumers.

Several large businesses have been stung by hackers in recent years, causing embarrassment for proprietors and potential headaches for customers whose personal and financial details are suddenly circulating in cyberspace.

Legislation passed last year laid the groundwork for mandatory reporting of private-sector breaches that pose a "real risk of significant harm" to individuals.

The government recently asked the public and interested parties for comment on shaping the regulations and determining what companies and other private organizations will have to do in the event of a lapse.

The office of federal privacy commissioner Daniel Therrien says companies should directly notify those affected by a breach through means such as telephone calls, emails or mailed letters.

The notice should tell people about the circumstances, the date of the breach (or at least an estimate), a description of the personal information, steps taken to control the harm, measures those affected can take and the contact information of someone at the company who can answer questions.

Setting out the requirements in regulation would "provide important clarity and certainty about the type of information that organizations should communicate to individuals," the commissioner's office says in its submission to the government.

It also urges the government to give thought to cases in which affected people live outside Canada.

In its submission, the Canadian Bar Association also recognizes the importance of providing meaningful notice to individuals of data breaches. "The regulations should avoid being overly prescriptive, however, in the form and manner of notifications. Organizations should have flexibility to determine whether direct or indirect notification is most suitable."

The privacy commissioner says organizations should be allowed to notify individuals indirectly only when:

– Direct notification is likely to cause undue further harm, for instance by informing family members of the person's purchase of a confidential product or service;
– Giving direct notification to every affected person on an individual basis would involve prohibitive costs;
– Contact information for affected individuals is out of date, incomplete or inaccurate.

Under the new system, organizations covered by Canada's private-sector privacy law would also have to report significant lapses to the privacy commissioner, which would allow his office to determine whether appropriate actions were indeed being taken.

In addition, organizations that experienced a breach would have to keep a record of the data breach and make these records available to the privacy commissioner upon request.

One of the thornier issues to be decided in the regulatory scheme is whether data breaches in which the information is encrypted – encoded so as to make it indecipherable without a digital key – should be considered "low risk" events.

The privacy commissioner says encryption may indeed play a role in reducing or even eliminating risk of harm.

However, it cautions that as algorithms evolve, encryption standards once deemed strong "may eventually be rendered decipherable." Alternatively, an organization's key management system might be compromised.

"In either case, personal information could then be easily decrypted."
