On December 10, 2015, the Annual Report of the Office of the Privacy Commissioner (“OPC”) on the Privacy Act for 2014-2015 was tabled in Parliament.  The Annual Report provides details on privacy trends and investigations involving Canadian federal departments for the past year.

Strategic Privacy Priorities Identified

In his opening message, Privacy Commissioner Daniel Therrien introduced an effort by the OPC to identify key privacy issues that are most significantly affecting Canadians.  The effort has identified four strategic privacy priorities that will guide the OPC for the next five years:

  1. The economics of personal information: The commoditization of personal information and new business models developed around the use of Big Data and the exponential growth of Internet-connected/mobile devices have caused stakeholders to question whether it is realistic to obtain quality consent to the use of personal information, the foundation of Canadian privacy laws. The OPC’s goal is to enhance privacy protection and trust, so individuals may confidently participate in an innovative digital economy.
  2. The body as information: The federal government is expanding its use of genetic material for policing, border control and other uses. The OPC will be engaged on initiatives in which federal institutions seek to make use of such data to ensure the privacy implications raised by such uniquely personal and highly sensitive information are respected.
  3. Reputation and privacy: The federal government has demonstrated a desire to use publicly available information, including information found on social media sites, in the context of security screening. The OPC’s objective is to ensure that people can use the Internet without fear that their digital footprint will lead to unfair treatment.
  4. Government surveillance: Bill C-51, Anti-Terrorism Act, 2015, Bill C-13, Protecting Canadians from Online Crime Act and Bill C-44, Protection of Canada from Terrorists Act, are described as giving federal institutions unprecedented ability to disclose Canadians’ personal information without individual knowledge and consent. The OPC intends to use its review and investigative powers to examine the collection, use and sharing practices of departments and agencies involved in surveillance activities to ensure that they comply with the Privacy Act.

A separate report on the feedback received from stakeholders, as well as how the OPC intends to address the four priorities is available here. 

Risks Posed by Portable Storage Devices Highlighted

Of interest to those concerned with information security, the Annual Report includes a report on an audit conducted by the OPC of the use of portable storage devices (“PSDs”) by federal institutions. PSDs are electronic devices intended to hold digital data, such as smart phones, laptops, portable hard drives and flash memory sticks.  Of the entities selected for review:

  • approximately 70 percent have not formally assessed the risk surrounding the use of all types of PSDs;
  • over 90 percent do not inventory and track all PSDs throughout their lifecycle;
  • over 85 percent do not retain records verifying the secure destruction of data retained on surplus or defective PSDs; and
  • approximately 55 percent have not assessed the risk to personal information resulting from the absence of controls to prevent the use of unauthorized PSDs.

The audit found that although policies, processes and controls are in place, there are significant opportunities for improvement, and noted that federal entities that allow the use of PSDs without proper controls run the risk of:

  • losing or exposing confidential data or personal information, resulting in harm to the government and individuals;
  • eroding public confidence and exposing themselves to significant reputational risks; and
  • incurring substantial costs for data losses and recovery efforts.

These risks are equally applicable to business, highlighting the importance of robust information security policies that include an assessment of risks and implementation of controls relating to the use of all types PSDs.  The details of the audit are found at pages 25 to 40 of the report.

In 2014-2015 there were 256 data breaches reported under the new mandatory reporting scheme, which came into force in May 2014.  This represents an increase from 228 the year before, which itself was double the number reported the year before that.

Many Data Breaches are Preventable

The report includes a summary of data breach incidents, which demonstrate that in many cases the breaches have been preventable: Canada Revenue Agency (accidental disclosure of taxpayer information, heartbleed vulnerability, unauthorized access to taxpayer files), Health Canada (unintended disclosure through mailing labels), Public Prosecution Service of Canada (unintended disclosure through envelope windows), Citizen and Immigration Canada (cross-border data breach) and National Research Council of Canada (network intrusion).

The OPC reports that the number of investigations it completed in the last year increased from 1,214 to 1,234, while the number of complaints rose by 123 percent.  It is noteworthy that 3,154 of the nearly 4,000 complaints came from a small number of people.