Late last week, the office of the Privacy Commissioner of Canada
announced a major breach within its own office with the loss of an
unencrypted hard drive containing sensitive personal information
relating to over 800 of its current and past employees. The
loss provides a test to Interim Privacy Commissioner Chantal
Bernier, who recently took over the top job on an interim basis
from departing Commissioner Jennifer Stoddart.
The Privacy Commissioner's office announced that the
information first went missing in mid-February during an office
move, and that the breach was discovered in mid-March. It was
not until early April that it was determined that the hard drive
contained sensitive financial information, including
salaries. Adding insult to injury, some of the missing
personal information dated back 12 years. It is not clear what
retention period should have applied to the data. Under Privacy
Act regulations, the Commissioner would be required to retain
the personal information for at least 2 years. Indefinite retention
would be contrary to best practices; however, the Privacy
Commissioner may be constrained by the provisions of the
Library and Archives of Canada Act from destruction of the
information without permission of the Librarian and Archivist
depending on the exact nature of the records. Likewise,
the Office of the Information and Privacy Commissioner of Ontario
has different obligations. In any event, this lengthy
retention raises questions about appropriate retention periods and
whether the information ought to have been securely destroyed after
an applicable retention period expired.
In fairness to the Commissioner's office, it is believed
that the missing information is not accessible without specialized
software and technical knowledge, and that the information taken
cannot result in identity theft. But it may be a concern to
Canadian entities bound by the Personal Information Protection
and Electronic Documents Act as well as the Privacy
Act to know that not only did the breach occur, but the
Commissioner's office did not notify employees or the media
immediately, and did not file a police report. On the good
news front, Commissioner Bernier has stated that the breach gives
her better insight as to what amount of time is reasonable for an
organization to investigate a possible breach prior to taking
Dentons is a global firm driven to provide you with the
competitive edge in an increasingly complex and interconnected
marketplace. We were formed by the March 2013 combination of
international law firm Salans LLP, Canadian law firm Fraser Milner
Casgrain LLP (FMC) and international law firm SNR Denton.
Dentons is built on the solid foundations of three highly
regarded law firms. Each built its outstanding reputation and
valued clientele by responding to the local, regional and national
needs of a broad spectrum of clients of all sizes –
individuals; entrepreneurs; small businesses and start-ups; local,
regional and national governments and government agencies; and
mid-sized and larger private and public corporations, including
international and global entities.
Now clients benefit from more than 2,500 lawyers and
professionals in 79 locations in 52 countries across Africa, Asia
Pacific, Canada, Central Asia, Europe, the Middle East, Russia and
the CIS, the UK and the US who are committed to challenging the
status quo to offer creative, actionable business and legal
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances. Specific Questions relating to
this article should be addressed directly to the author.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
On Thursday, September 22, 2016, Dentons hosted a panel discussion about the management of liabilities and risks associated with environmental crises, including potential liabilities for directors and officers and provided insight into risk and liability techniques associated with environmental crisis management.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).