In front of the IAPP Canada Privacy Symposium, which each year sets a new record as the largest Canadian privacy conference, Interim Privacy Commissioner Chantal Bernier did not shy away from what she euphemistically called “that little enlightening experience”: her office’s recent data breach.
“It was definitely my worst day at the office,” she deadpanned.
However, she said she has chosen to embrace that time-honored Churchill quote: “Never let a good crisis go to waste.”
Her office immediately notified both houses of Parliament, the committee it reports to and, to be safe, even the Treasury Board, and an annual IT audit was already planned. On top of that, Bernier said she has taken the additional step of scheduling a third party to come in and conduct an operational review. “What could we have done differently?” she asked. “How do we make sure this never happens again?”
Bernier admitted that the experience created a much deeper sympathy, too, with those she’s overseeing.
“A few years ago,” she said, “when the draft EU regulation was including 24-hour data breach notice, I thought to myself, ‘Yes! Man, those Europeans know how to get data-holders in line!’ And now I know for a fact that it just doesn’t make sense. You don’t even know yet who you’re supposed to notify!”
She said she also learned how carefully you have to notify those who’ve been affected—in her office’s case, current and former employees. “Notification must be impeccably accurate,” she said, “and you need support.” Some people will need someone to talk to because they’re scared, even if there’s no good reason to be.
The episode has also brought her around to the philosophy that “breaches happen. It’s not like the OPC is not concerned about protecting personal information. If it can happen to us, it can happen to anyone.”
Thus, she now looks at a breach—one attendee even questioned whether “breach” should be the default word, or maybe “incident” instead—in terms of severity of the event, determined by a combination of “how the obligation of means was met and the impact on individuals.”
“And we will not,” she confirmed, “treat all breaches the same … We need to adapt our tools to the variety and types of breaches.”
More broadly, Bernier said the privacy community as a whole needs to bolster its contextual knowledge of privacy. “We can’t just know about privacy law or privacy protections,” she said. “We need to understand the transformation in the national security context, the commercial transformations in the digital economy, the evolution of safe genetics. Need to have great contextual knowledge, because privacy is a contextual right.”
Ultimately, she said, “the challenge is that we need to be flexible enough to be relevant but firm enough to protect the immutable and unchangeable—the fundamental—right of privacy.”