By Jordan Press
Canada’s privacy commissioner is being asked to investigate thousands of data breaches that weren’t reported to her office over the past 10 years.
The opposition New Democrats argue that an investigation of each of the more than 3,000 data and information breaches that occurred over the last 10 years, affecting more than one million Canadians, should be accompanied by new recommendations and a substantive review of the country’s privacy laws.
In a letter to be delivered Monday to Privacy Commissioner Jennifer Stoddart, the NDP’s privacy critic says the review and investigations should take place because the “status quo is unacceptable.” The letter suggests that mandatory reporting of breaches — a recommendation Stoddart made five years ago — should be enacted for federal departments.
“Given what we have learned, we clearly can’t trust government to investigate itself,” NDP privacy critic Charlie Angus said in an email to Postmedia News. “We need to have the privacy commissioner investigate to find out why the breaches are happening and to determine why the ministers of these departments have not put in place effective protocols to protect privacy information.”
Last week, documents tabled in Parliament in response to a written question from Angus showed that since 2002, there had been 3,143 information and data breaches at federal departments that affect at least 1,075,313 individuals. Of those breaches, about 13 per cent were reported to Stoddart’s office.
The numbers were a surprise to Stoddart. In an interview Wednesday, Stoddart told Postmedia News that it wouldn’t surprise her if some of the unreported breaches resulted in serious consequences for Canadians and should have been reported to her office.
Federal privacy laws don’t require departments to report every data breach. Departmental guidelines, such as those enacted at Citizenship and Immigration Canada in 2012, allow departments to not report breaches to the privacy commissioner if there is no serious threat of identity theft to the affected individuals.
“I am deeply concerned about the potential impact of these breaches on the privacy rights of individuals,” Angus writes in the letter to Stoddart. “I am also concerned that the federal government continues to refuse to carry out a substantial review of the Privacy Act.”
The government has said that in many departments, including Human Resources and Skills Development Canada and Veterans Affairs Canada, new rules and protocols have been put in place to better protect the personal information of Canadians.
Still, during the 2012-2013 fiscal year, departments reported more than 100 breaches to Stoddart’s office — an all-time high and a 25 per cent increase over the previous fiscal year. However, Stoddart’s office wasn’t able to say whether the increase was a result of more breaches, or better reporting practices.