Skip Navigation

Canada Privacy Commissioner Endorses Notification

Bookmark and Share

Canada's privacy commissioner wants financial institutions and corporations to be required by law to notify their customers when a security breach takes place.

The federal privacy act, in effect since 2001, doesn't require companies to notify individuals or the privacy commissioner's office when a breach occurs.

Jennifer Stoddart, who's been federal privacy commissioner since 2003, is scheduled to make her case in February when she appears before a parliamentary committee conducting a mandatory five-year review of federal privacy legislation, according to commission spokeswoman Anne-Marie Hayden.

Amending privacy laws "will ensure we are able to help the companies deal with the problem and also that individuals can take the proper steps they need to take to protect their personal information," said Hayden. "A lot of the time companies do notify our office. It is just that they don't have to."

Besides being an important mechanism to protect those whose personal information has been breached, notification provisions also act as an effective impetus for data protection compliance.

NAID-Canada, which tomorrow will address the same parliamentary committee as the privacy commissioner, will recommend that casual disposal of hard copy data that may have put personal information at risk constitutes a notification event.

It is significant that the announcement of support for this requirement comes at this time, since up to now the commissioner has opposed mandatory notification. The announcement comes only one week after NAID-Canada addressed the privacy commissioner and her staff in Ottawa.