Well, we are now a full day into the data breach reporting regime under PIPEDA. I wonder how many breaches have been reported? My personal take on this is that the new regime is actually not all that new. We’ve been operating with voluntary breach notification for a number of years; it has been mandatory in Alberta, and it has been years since the law was amended, so it’s pretty difficult to say that this new regime is going to catch anyone off guard.
Apart from the data breach notification news, the big story this week surrounds, once again, Statistics Canada. It appears they have a program in place to capture, annually, the detailed banking records of 500,000 Canadians. It won’t take long, at that pace, for this to become a very large and very detailed database containing sensitive information.
Also in the news is the fact that the privacy commissioner of Canada is looking into the Stats Can program. The OPC only has jurisdiction to review the program to determine if it complies with the Privacy Act. It seems to me that the answer is going to be pretty easily arrived at: The Privacy Act allows these programs if other laws allow them. The Statistics Canada Act allows it. Plain and simple. Parliament, in all its wisdom, has endowed Stats Can with tremendous powers to collect, use and disclose personal information. Have they gone too far? Considering the outcry by some privacy advocates this week, it sounds like Parliament should review the tremendous power afforded to Stats Can.
Another angle to all this is whether the program meets scrutiny if it is evaluated pursuant to the Charter of Rights and Freedoms. Clearly, all Canadians enjoy a reasonable expectation of privacy in their banking records. The next question is whether or not the government interference with that expectation of privacy is justified via lawful authority that is reasonable. Again, we end up concluding that the Statistics Canada Act does provide lawful authority, but would a judge conclude that it is reasonable? The more Canadians have a privacy interest in something, the more the law has to be reasonable. I’m just not sure if this standard has been met here. To this end, I hope Stats Can is transparent in the program and releases its privacy impact assessment so we can see how these issues have been addressed. After all, I think one of the big issues with Canadians is the secrecy surrounding the program. Being more transparent might help. It’s a basic tenet of privacy law in Canada for good reason.