Data Spills, Not Oil Spills Threaten Businesses in Canada

By: Lee Rickwood

July 9, 2010

Most Canadian companies say they aren’t concerned about data breaches involving their customers’ personal information.

Despite the fact those same companies are collecting and holding more personal information than ever before, a recent survey conducted for the Privacy Commissioner of Canada found that 42 per cent of businesses surveyed are not concerned about security breaches.

That finding also runs counter to other reports of increased data breaches from privacy and security agencies in Canada.

In fact, in an attempt to conduct privacy and data breach investigations in the country’s business centre, the Privacy Commissioner is planning to open a new office in the Greater Toronto Area.

It’s a first for the Ottawa-based agency, part of its stated desire to conduct more outreach and investigation work on the ground in Toronto.

Privacy Commissioner of Canada

Canada’s Privacy Commissioner, Jennifer Stoddart, (at right) with Robin Gould-Soil

Based on the results of that business risk assessment survey, the Office will have a busy summer and fall ahead of it.

“Given the severity and number of major data spills that we have seen reported in the headlines over the past few years, it is concerning to see that businesses are not more apprehensive about this issue,” Assistant Privacy Commissioner of Canada Elizabeth Denham explains. “There are serious risks involved in collecting and holding personal information, and the stakes for both businesses and customers are high.”

In the survey, conducted by the EKOS research firm, 68 per cent of businesses indicated they collect personal information from their customers — and that’s an increase of five per cent since a previous 2007 study.

And while most companies may be confident that they can protect the personal information they collect, consumers are not nearly so certain. Only 12 per cent of Canadians indicated they feel that businesses take the issue of protecting personal information very seriously.

The survey also revealed that only about one-third of companies have formal guidelines to deal with a data breach where the personal information of their customers is compromised; the majority (63 per cent) do not have any such guidelines in place.

Data breaches are a problem around the globe, and many governments are responding to consumers’ concerns by implementing mandatory breach notification legislation.

Canada recently changed the existing Personal Information Protection and Electronic Documents Act (PIPEDA) so that now, data breach must be reported and affected individuals must be notified if a data breach poses a “real risk of significant harm” to them.

It is breaches or reports of breaches under PIPEDA that has triggered the Commissioner to open a Toronto office.

“Over the past two years, almost half of respondent organizations for PIPEDA complaints have had addresses in the GTA,” Commissioner Jennifer Stoddart adds. “I believe our Office could be doing more to conduct outreach and some PIPEDA investigation work on the ground in the Toronto area. And so, not too many months ago, we began looking at how to develop a more effective presence in the Toronto region, where much of Canada’s business takes place.”

Stoddart also noted that the new officers will be under the responsibility of Director, PIPEDA, would be Robin Gould-Soil, currently the Commissioner’s Director for PIPIEDA related issues.

She comes to the office from TD Bank Financial Group, where she was Chief Privacy Officer.

The Toronto Office will be up and running by September.

In the meantime, other initiatives are underway at the Office of the Privacy Commissioner.

For example, it is hosting public consultations with Canadians on the topic of cloud computing, and its impact on consumer privacy and data security.

As well, it is funding a number of research and education initiatives, looking specifically at personal privacy and data protection as it relates to.

  • Targeted online advertising
  • Data-sharing between governments and commercial organizations through national security programs at the border and at airports
  • Video surveillance in public spaces by commercial organizations
  • The privacy implications of patient websites, online health record databases and other “Health 2.0” tools

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

submitted by Lee Rickwood

# # #

More detailed information about the poll results and how businesses can secure personal information is available on the Privacy Commissioner’s website.

To see the final report: Canadian Businesses and Privacy-Related Issues (PDF version)

More Security coverage

More Privacy coverage

Leave a Reply

Your email address will not be published. Required fields are marked *