First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Amendments to PIPEDA disappoint privacy watchdogs


Image taken from:

On May 29, the federal government introduced Bill C-29, the Safeguarding Canadians’ Personal Information Act, which makes substantial changes to the Personal Information Protection and Electronic Documents Act (PIPEDA). The Bill had been in development for several years, and one of its primary objectives was to address a significant gap in PIPEDA, the issue of mandatory disclosure of “material” breaches of personal information by the companies or organizations responsible.

Although Bill C-29 does address this issue, it’s the way that disclosures are classified as material, and the lack of penalties for non-disclosure that have critics unhappy, like Michael Geist and Janet Lo, counsel with the Public Interest Advocacy Centre. Under the new legislation, the organizations responsible for the breaches get to decide if they are material and must be reported to the Privacy Commissioner (based on a number of criteria, such as the sensitivity of the information, the number of customers affected and an assessment by the company that concludes the cause of the breach indicates a systemic problem).

Companies also have the discretion to decide if they must inform the individuals whose personal information has been breached, based on whether the breach poses a real risk of significant harm (e.g., identity theft, fraud or damage to reputation). And there are no monetary penalties for sweeping significant data breaches under the rug. This is in contrast to laws in several United States jurisdictions that define the responsibility to report breaches with more precision, and either impose hefty fines for breaches or grant the right of those affected to sue the company responsible.

Confidentiality and Privacy policies are featured in all of First Reference’s Internal Control Library publications. See policy IT 8.04 in Information Technology PolicyPro, policy NP 1.08 in Not-for-Profit PolicyPro, and policy GV 1.11 in Finance and Accounting PolicyPro.

Colin Braithwaite
First Reference Internal Controls Managing Editor

Follow me

Colin Braithwaite

Freelance writer at Colin Braithwaite Editorial Services
Colin Braithwaite has more than 20 years experience in writing and publishing. From 2004–2010, Colin was the Managing Editor responsible for the products in the Internal Control Library at First Reference Inc.Read more
Follow me

, , , , , , , , , , , , , , , , ,

Comments are currently closed.