41st Parliament · Session 2
Bill C-580: An Act to amend the Privacy Act (personal information — loss or unauthorized access or disclosure)
Taking the Privacy of Canadians Seriously Act
Introduced: March 25, 2014
Current Stage: OutsideOrderPrecedence
Last Updated: March 25, 2014
Sponsor: Charmaine Borg
House of Commons
First reading: Completed on March 25, 2014
Second reading: Not yet started
Consideration in committee: Not yet started
Report stage: Not yet started
Third reading: Not yet started
Senate
First reading: Not yet started
Second reading: Not yet started
Third reading: Not yet started
Summary
This enactment amends the Privacy Act to require government institutions to inform the Privacy Commissioner of the loss or unauthorized disclosure of, or unauthorized access to, personal information if there is a risk of harm to an individual because of that loss, access or disclosure. The enactment also gives the Privacy Commissioner the power to make compliance orders and requires that a comprehensive review of the Act be conducted at least once every five years.
Full Text
C-580

Second Session, Forty-first Parliament, 62-63 Elizabeth II, 2013-2014

HOUSE OF COMMONS OF CANADA

BILL C-580

An Act to amend the Privacy Act (personal information — loss or unauthorized access or disclosure)

first reading, March 25, 2014

Ms. Borg

412094

SUMMARY

This enactment amends the Privacy Act to require government institutions to inform the Privacy Commissioner of the loss or unauthorized disclosure of, or unauthorized access to, personal information if there is a risk of harm to an individual because of that loss, access or disclosure. The enactment also gives the Privacy Commissioner the power to make compliance orders and requires that a comprehensive review of the Act be conducted at least once every five years.

Available on the Parliament of Canada Web Site at the following address: http://www.parl.gc.ca

2nd Session, 41st Parliament, 62-63 Elizabeth II, 2013-2014

HOUSE OF COMMONS OF CANADA

BILL C-580

An Act to amend the Privacy Act (personal information — loss or unauthorized access or disclosure)

Her Majesty, by and with the advice and consent of the Senate and House of Commons of Canada, enacts as follows:

SHORT TITLE

Short title
1. This Act may be cited as the Taking the Privacy of Canadians Seriously Act.

R.S., c. P-21
PRIVACY ACT

2. The Privacy Act is amended by adding the following after section 11:

LOSS, UNAUTHORIZED DISCLOSURE OR UNAUTHORIZED ACCESS

Definition of “harm”
11.1 (1) For the purposes of this section and section 11.2, “harm” includes bodily harm, humiliation, embarrassment, injury to reputation or relationships, loss of employment or of business or professional opportunities, financial loss, identity theft, identity fraud, negative effects on credit rating and damage to or loss of property.

Notification of Privacy Commissioner
(2) A government institution having personal information under its control shall notify the Privacy Commissioner of any incident involving the loss or unauthorized disclosure of, or unauthorized access to, that information, if a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the loss, unauthorized disclosure or unauthorized access.

Relevant factors
(3) The factors that are relevant in determining whether a reasonable person would conclude that the loss or unauthorized disclosure of, or unauthorized access to, personal information would create a risk of harm include
    (a) the sensitivity of the personal information; and
    (b) the number of individuals whose personal information was involved.

Notification to be made without unreasonable delay
(4) The notification must be made without unreasonable delay after the discovery of the loss or unauthorized disclosure of, or unauthorized access to, personal information.

Notification requirements
(5) The notification must contain the information, and be made in the form, prescribed in the regulations or otherwise specified by the Privacy Commissioner.

Notification of affected individuals
11.2 (1) Upon receipt of the notification referred to in subsection 11.1(2), the Privacy Commissioner may require the government institution to notify affected individuals to whom there is an appreciable risk of harm as a result of the loss or unauthorized disclosure of, or unauthorized access to, personal information.

Obligation to notify affected individuals
(2) Subject to subsection (3), if the Privacy Commissioner determines that the loss or unauthorized disclosure of, or unauthorized access to, personal information is likely to result in an appreciable risk of harm to the affected individuals, the Privacy Commissioner shall, as soon as feasible, order the government institution to notify the affected individuals without unreasonable delay.

Previous notification
(3) The Privacy Commissioner is not required to make an order under subsection (2) if the government institution has already notified the affected individuals to the satisfaction of the Privacy Commissioner.

Notification requirements
(4) The notification referred to in subsection (2) shall include
    (a) a report of the risk of harm as it pertains to the affected individuals;
    (b) instructions for reducing the risk of harm or mitigating that harm; and
    (c) any other prescribed information.

Form and manner of notification
(5) The notification shall be clear and delivered directly to the affected individual in the prescribed form and manner.

Notification of compliance
(6) Once the government institution has complied with the notification order referred to in subsection (2), it shall notify the Privacy Commissioner of that fact.

3. Paragraph 35(1)(a) of the Act is replaced by the following:
    (a) the findings of the investigation, any recommendations that the Privacy Commissioner considers appropriate and any order made under section 35.1; and

4. The Act is amended by adding the following after section 35:

Compliance order
35.1 Despite any other provision of this Act, upon completion of an investigation of a complaint or after an investigation on his or her own initiative, the Privacy Commissioner may order the government institution that is the object of the complaint or investigation to take the necessary actions to comply with this Act, which may include
    (a) correcting its practices in order to comply with sections 4 to 8, including by
        (i) fulfilling any obligation under this Act,
        (ii) disposing of data,
        (iii) ceasing to collect, use or disclose personal information, and
        (iv) deleting or adding a record; and
    (b) publishing a notice of any action taken or proposed to be taken to correct its practices, whether or not ordered to correct them under paragraph (a).

Time limit
35.2 The Privacy Commissioner shall establish a time limit for the implementation of any order made under section 35.1.

Extension of time limit
35.3 (1) Upon a request by the government institution that is the object of an order made under section 35.1, the Privacy Commissioner may extend the time limit for the implementation of the order at any time throughout the implementation period established by the Privacy Commissioner.

Extension of time limit only granted once
(2) The extension of the time limit may only be granted once.

Publication of orders
35.4 If a government institution fails, within the time limit set under section 35.2 or 35.3, as the case may be, to comply with an order made under section 35.1, the Privacy Commissioner shall, within 60 days after the expiration of the relevant time limit, publish the following information on the website of the Office of the Privacy Commissioner of Canada:
    (a) the date and identification number of the order;
    (b) the time limit for implementation of the order, including any extensions;
    (c) the name of the government institution that is the subject of the order;
    (d) the provision of the Act with which the government institution failed to comply; and
    (e) any additional information that the Privacy Commissioner considers necessary and relevant.

5. Section 75 of the Act is replaced by the following:

Review by parliamentary committee
75. (1) A comprehensive review of the provisions and operation of this Act shall be undertaken, every five years after this section comes into force, by the committee of the House of Commons, or of both Houses of Parliament, that may be designated or established by Parliament for that purpose.

Report
(2) The committee referred to in subsection (1) shall, within a year after the review is undertaken or within such further time as the House of Commons or both Houses of Parliament, as the case may be, may authorize, submit a report on the review to Parliament that includes a statement of any changes to this Act or its operation that the committee recommends.

Published under authority of the Speaker of the House of Commons
Version History
March 25, 2014 at 05:28 PM
Doc ID: 6479445
Votes on this bill
No recorded votes
There are no vote records for this bill yet.