Privacy rules to get tougher

April 9, 2014 | Last updated on April 9, 2014

Firms need to bolster data protection efforts.

Last November, we reported the Privacy Commissioner of Canada and her office (OPCC) were pushing for an overhaul of national privacy legislation.


And now, the government has introduced Digital Canada 150, a plan that aims to offer all Canadians safe and secure access to Internet services. Part of that strategy is to pass the new Digital Privacy Act, or Bill S-4, which, among other measures, requires companies to:

  • officially report all data breaches to OPCC and clients;
  • keep records of all security incidents; and
  • pay a fine of up to $100,000 for failing to do so.

These changes would affect advisory firms since they’re investigated by national officials, rather than by financial regulators, if data breaches occur.


It’s not yet clear how long records of security incidents would have to be kept, but Industry Minister James Moore has outlined how fines would be administered. A government release says the Act will “give complainants, including the Commissioner, up to a year after an investigation has been completed to ask the Federal Court of Canada to order an organization to comply with the law or to award damages to an individual who has been harmed as the result of a privacy violation.”

It adds, “This allows enough time for an organization to voluntarily take corrective action or negotiate a compliance agreement, while maintaining the ability to take the matter to court.”

As a result, says Moore, the OPCC will continue to play an ombudsman role, rather than act as prosecutor. But, as former Privacy Commissioner Jennifer Stoddart wanted, businesses across Canada will now have more incentive to protect clients.


The Act was tabled yesterday and now awaits second reading. If passed, it will also update the Personal Information Protection and Electronic Documents Act (PIPEDA) and clarify how companies can collect and use people’s information.

Moore says, “Canadians need to have confidence that their online transactions are secure, [that] their privacy is protected and [that] their families are safe from online threats. These changes will inform Canadians when their personal information has been lost, stolen or put at risk, and they will ensure companies that break these rules are punished.”


Interim privacy commissioner Chantal Bernier says she received a copy of the Act yesterday and OPCC will analyze its measures. She adds, “At first glance…there are some very positive developments for the privacy rights of Canadians.

“I welcome proposals with respect to mandatory breach notification, new penalties, and provisions that will make it easier for [OPCC] to ensure…companies carry through on commitments…made during investigations” when data is lost or complaints received.


OPCC would also have “greater discretion [when it comes] to publicly shar[ing] more information with Canadians about…investigations,” says Bernier.

Senior protection also prioritized

The Digital Privacy Act also aims to protect seniors from fraud and financial abuse.

In particular, it lets banks and other organizations notify officials or a client’s next of kin if they suspect an elderly client is the victim of financial abuse.


Currently, financial institutions must obtain consent before disclosing such information. Under the pending legislation, banks and firms would be allowed to make a report if they determine there’s reason to believe fraud or abuse is taking place.


This will let advisors notify relevant authorities such as the Office of the Public Guardian and Trustee, which is connected to Ontario’s Attorney General.

Officials at Industry Canada, Employment and Social Development Canada and OPCC say they’ll help banks and companies understand new laws and create best practices.

Canadians critical

Throughout the week, critics have slammed both the Digital Privacy Act and Digital Canada 150.

NDP MP Charmaine Borg says the government is simply offering “a dial-up strategy for a broadband world,” reports CTV News. She anticipates the changes won’t take effect for years and that “Canada is continuously falling behind in terms of being a digital leader.”

It doesn’t help that in the last year alone, reports The Ottawa Citizen, “The federal government’s reported more data breaches…than [have been] reported in the previous 10 years. Between April 1, 2013 and Jan. 29, 2014…federal departments and agencies reported 3,763 breaches of data,” compared to fewer than 3,000 over the last decade altogether.

The outlet adds there have been several situations where people’s information, including that of taxpayers, has been incorrectly released, lost or compromised.

