In a recently released report, titled Data Breaches: Worth Noticing?, PIAC recommends that the data breach notification bill include a requirement that all data breaches be reported promptly to the Privacy Commissioner of Canada, who should be given the authority to order companies to notify consumers when there is a risk of significant harm from a breach.
The report also recommends that Bill C-12, an Act to amend the Personal Information Protection and Electronic Documents Act, should give the Privacy Commissioner order-making power to enforce the requirements and fining power for non-compliance.
In addition, PIAC recommends increased audit powers for the Privacy Commissioner, as well as establishment of a special data breach division within the commissioner’s office.
“Consumers clearly think that they should always be notified when a company has lost their personal information unless the Privacy Commissioner says there’s no real risk of harm to them”, said John Lawford, PIAC legal counsel and co-author of the report. “Bill C-12 is too weak to assure them that will happen”, he noted.