In the last two weeks, the out-going Privacy Commissioner of Canada, Jennifer Stoddart, has released three reports that provide insight on the current state of Canada's federal government's protection of personal information of Canadians in the course of departmental and agency operations.
Yesterday, the Privacy Commissioner tabled her Annual Report on the federal Privacy Act. The Privacy Act governs the collection, use and disclosure of personal information by approximately 250 federal government departments and agencies. The Annual Report is Commissioner Stoddart's last report before the end of her mandate as Privacy Commissioner.
The Privacy Commissioner's Annual Report disclosed:
- Cross-border sharing of data between Canada and the US is expanding and being systematized. The Commissioner has raised concerns that this is a departure from previous practice in which information-sharing has occurred on a carefully considered case-by-case basis.
- Record numbers of complaints were received by the Office of the Privacy Commissioner of Canada (OPC) from April 2012 to March 2013.
- In total numbers, the OPC received 2,273 complaints. Even deducting the complaints from two major breaches at what was then known as Human Resources Development Canada and Justice Canada, the total number of complaints would have been a record high.
- Data breaches are being reported in increasing numbers. 109 breaches were reported to the OPC in 2012-2013.
The Annual Report was accompanied by two other reports in recent weeks. Last week, the Office of the Privacy Commissioner (OPC) released a report on the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). Yesterday, the OPC issued a report on an audit of the Canada Revenue Agency (CRA).
The OPC's report on the CRA audit appears to reveal an organization that has made significant strides in enhancing security but remains slow in responding to some of OPC's recommendations. In particular, the OPC's report reveals that:
- There have been more than 50 cases in 2011 and 2012 of inappropriate access to taxpayer information. Some involved thousands of taxpayer files over an extended period of time.
- Although the OPC recommended the appointment of a Chief Privacy Officer following a 2009 audit of the CRA (a position not required by the Privacy Act or Treasury Board guidelines), this position was not filled until April 2013. Moreover, the role of the Chief Privacy Officer still had not been fully defined to the satisfaction of the OPC.
- CRA uses generic User IDs for some functions (that is, User IDs that are used by more than one person).
- CRA does not always complete Privacy Impact Assessments and Threat and Risk Assessments.
- CRA's systems for detecting and preventing inappropriate employee access are inadequate.
- CRA fails to report privacy breaches and inappropriate access to the Access to Information and Privacy Directorate.
In the FINTRAC Report, the OPC noted:
- FINTRAC (which receives financial transaction reports on money laundering and terrorist financing) had holds approximately 165 million records.
- Some of the reports do not clearly demonstrate any reasonable grounds for suspicion. Nevertheless, FINTRAC has retained these reports.
- Although FINTRAC has accepted the OPC's recommendations from a previous 2009 audit, it has made limited progress in addressing five issues. With one exception, all of the issues are related to over collection or failure to purge the retention of unnecessary information. The one exception involves the need to revise a consent form for entry into a dwelling to more clearly and transparently address the authority, purposes and uses of the information to be collected.
Dentons is a global firm driven to provide you with the competitive edge in an increasingly complex and interconnected marketplace. We were formed by the March 2013 combination of international law firm Salans LLP, Canadian law firm Fraser Milner Casgrain LLP (FMC) and international law firm SNR Denton.
Dentons is built on the solid foundations of three highly regarded law firms. Each built its outstanding reputation and valued clientele by responding to the local, regional and national needs of a broad spectrum of clients of all sizes – individuals; entrepreneurs; small businesses and start-ups; local, regional and national governments and government agencies; and mid-sized and larger private and public corporations, including international and global entities.
Now clients benefit from more than 2,500 lawyers and professionals in 79 locations in 52 countries across Africa, Asia Pacific, Canada, Central Asia, Europe, the Middle East, Russia and the CIS, the UK and the US who are committed to challenging the status quo to offer creative, actionable business and legal solutions.
Learn more at www.dentons.com
For more information, visit our Data Governance Law blog at www.datagovernancelaw.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific Questions relating to this article should be addressed directly to the author.