Canada's Privacy Commissioner Daniel Therrien released his
Privacy Act Annual Report to Parliament on December 10.
The report highlighted the results of an audit of the management of
portable storage devices and reported data breaches by 17 federal
Federal institutions reported a record-high number of data
breaches – 256 incidents were reported in 2014-2015, up from
228 reported the year before. The main cause of the data breaches
was accidental disclosure. Examples include incidents in which
Health Canada mailed letters to over 41,000 people showing their
names in conjunction with the medical marijuana access program, and
the Canada Revenue Agency accidentally sent the personal financial
information of over 1,000 people to a journalist.
The Commissioner urged the agencies to increase their vigilance
and implement more effective safeguard and control measures to
protect the personal information of Canadians. The
Commissioner's recommendations, which the federal agencies
agreed to accept and address, included:
- Ensure that the issuance of all portable storage devices is recorded for identification and tracking purposes;
- Retain documentary evidence as verification that all data on surplus or defective portable storage devices has been destroyed in a secure manner;
- Assess the current disposal process to ensure appropriate controls are in place to mitigate the risk of a data exposure;
- Assess the risk to personal information resulting from the lack of controls on the connection of unauthorized USB storage devices, or from the use of CDs/DVDs to store data, and implement appropriate controls to address identified gaps and
- Ensure that encryption is deployed on all portable storage devices that may contain personal information;
- Ensure that all employees, including contract personnel, are aware of the policies governing the use of portable storage devices, and provide guidance to mitigate the risks inherent to the use of the devices.
This was the first year in which federal institutions were
required to report data breaches, as compared to the previous
voluntary reporting regime. It is important to note that the
mandatory breach notification regime will soon be coming to the
private sector. The relevant Digital Privacy Act
amendments to the Personal Information Protection and
Electronic Documents Act (PIPEDA) are expected to come into
effect as soon as the government issues corresponding regulations
that are currently being drafted.