A new bill known as the Safeguarding Canadians’ Personal Information Act, currently passing through Parliamentary approvals, is set to extend Canada’s existing privacy legislation. The bill will force organizations to both report any data breach to the Privacy Commissioner and to notify individuals affected by the breach, “if the organization believes that the breach creates a real risk of significant harm to the individual.”
But while the sentiment behind this bill – increased transparency when data breaches occur – is sound, the bill lacks teeth.
Individuals will only be notified if the organization believes there is a need – the risk is that businesses simply won’t want to come clean and face losing not just one angry customer, but potentially hundreds should the news spread through social and traditional media channels.
In addition, the threat of financial penalties is notably absent from the bill, so where is the business incentive to comply?
This bill’s focus on additional transparency around data security should be welcomed by businesses and consumers alike. But while increased safeguards around data protection make sense for all concerned, there must be an element of enforcement if organizations are to improve the way they handle and store customer data.
With 2010 marking the tenth anniversary since the introduction of PIPEDA (the act states that businesses must destroy, erase or make anonymous personal data that is no longer needed), businesses are still failing to comply and it is inevitably only a matter of time before international leaders including Canada’s Privacy Commissioner Ms. Jennifer Stoddart crack down on businesses that continue to disregard the law.
According to Shred-it client research, only 50 per cent of Canadian companies use document destruction services as a direct result of government regulation, and only 68 per cent of organizations have official guidelines for document destruction. Plus according to a recent poll conducted by EKOS for the Office of the Privacy Commissioner of Canada, 42 per cent of businesses surveyed are not concerned about security breaches.
While doubts remain on whether the government will be able to enforce its new privacy measures, business should prepare themselves to answer the following questions:
What is the state of my organization’s data security program? Are we meeting current government regulations? Are we prepared to meet new measures being prepared by the government?
For some tips on keeping data safe read: G20 Summit: Business data security in the ‘Zone’
For more on privacy issues read:
Michael Collins is the vice president for sales at Shred-it Canada. If you are interested in a full Data Security Audit from Shred-it, please call 905-465-4288.