Is Your Data Safe in Canada?

Two changes to the proposed Digital Privacy Act would bring data breach law in step with other nations.

By Michael Geist 10 Jun 2014 | TheTyee.ca

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

Thousands of new moms who gave birth at a Toronto-area hospital had their names, addresses and phone numbers turned over to private companies last week. The breach points to weaknesses in Canada's proposed Digital Privacy Act. Stethoscope photo via Shutterstock.

News last week of a stunning data breach at a Toronto-area hospital involving information on thousands of mothers places the proposed Digital Privacy Act squarely in the spotlight.

Bill S-4, which was introduced two months ago by Industry Minister James Moore, features long-overdue data breach disclosure rules. The new rules would require organizations to notify individuals when their personal information is lost or stolen through a data or security breach.

Most other leading economies established similar rules years ago, recognizing that they create much-needed incentives for organizations to better protect our information and allow individuals to take action to avoid harms such as identity theft when their information has been placed at risk.

While the mandatory data breach rules can be an effective legislative privacy tool, they only work if organizations actually disclose breaches in a timely manner. Bill S-4 establishes tough penalties for failure to notify affected individuals, but unfortunately undermines its effectiveness by setting a high notification standard such that Canadians will still be kept in the dark about many breaches, security vulnerabilities, or systemic security problems.

High bar for disclosure

There are two major problems with the government's proposal, which appears to have been placed on a legislative fast track.

First, the standard for disclosing a data breach is set at "a real risk of significant harm to the individual." This standard is considerably higher than that found in some other jurisdictions.

For example, the California breach notification law requires disclosure of any breach of unencrypted personal information that is reasonably believed to have been acquired by an unauthorized person. In other words, the threshold is whether an unauthorized person acquired the information, not whether there is real risk of significant harm.

In Europe, telecom breaches must be reported based on an "adverse affect to personal data or privacy" standard, which is also a lower threshold than the Canadian plan.

Privacy commish not always notified

Second, earlier versions of the privacy bill envisioned a two-stage approach in which organizations would be required to notify the privacy commissioner of Canada of material data breaches (a far lower standard), who would then work with the organization to assess whether a wider notification to all affected Canadians was warranted. The two-stage approach is increasingly common, with New Zealand announcing plans for a similar approach late last month.

The Digital Privacy Act removes the notification of material breaches to the privacy commissioner altogether. The bill requires organizations to maintain a record of all breaches, but only to disclose them if the commissioner asks, and no one seriously expects the commissioner to regularly ask every organization whether they have experienced any data breaches.

The elimination of notifications of material breaches is likely to result in significant under-reporting since organizations will invariably err on the side of non-reporting in borderline cases and the commissioner will be unaware of the situation.

Rather than providing Canadians with the necessary information to take steps to mitigate against identity theft and misuse of their personal information, the bill will often leave them unaware of data breaches or security risks.

Canada's 'weak approach'

While there are other serious concerns with the Digital Privacy Act -- notably the massive expansion of warrantless voluntary disclosures of personal information -- the government promoted the data breach rules as the centrepiece of its effort to better protect Canadians against the misuse of their personal information. Yet the core requirements of that system actually provide less protection than earlier proposals and would be one of the weaker approaches in the developed world.

Privacy has emerged as a dominant issue on Parliament Hill in recent weeks, with the focus on surveillance, lawful access, and the new privacy commissioner. The Digital Privacy Act has received less attention; however, its failure to keep Canadians informed about many data breaches should be added to the list of privacy disappointments. [Tyee]
