Information Access Commission | Data leaks that will remain secret

The Information Access Commission (CAI) is changing its tune. The private information watchdog stops publishing the names of companies and public organizations that have reported “privacy incidents” to it, as it has done since December. The decision falls after the publication of articles in The Press based on such information, which had shocked the personal intelligence experts.

The CAI sent to The Press lists of organizations that have reported privacy breaches five times since December, following freedom of information requests or a simple communications request. This information served as the basis for an article mentioning that about thirty companies had declared “confidentiality incidents”, as required by the new “Law 25” (Act respecting the protection of personal information in the private sector), which entered into force in September.

The Commission had only revealed the names of the organizations and the date of their declaration to the CAI, without further details. “Giving more information is not excluded,” however, then declared the president of the organization, Diane Poitras, in an interview with The Press¹.

Rather, the reverse has happened. For the first time, the CAI refused to give us access to this information, on April 21.

The organization did not send an incomplete or partially redacted list: it simply refused to send the name of any entity having made such a declaration since mid-February.

“The Commission does not intend to systematically deny access to information of the nature of that which has been transmitted to you in the past concerning incidents of confidentiality”, nevertheless assures the director of communications, Jorge Passalacqua.

According to his email, “experience has shown that disclosing details about an incident and sometimes simply confirming the existence of a confidentiality incident can adversely affect a company or organization’s handling of the incident. audience “.

Variable transparency

In December, The Press wrote that about thirty companies had made declarations of confidentiality incidents to the CAI since the entry into force of law 25, on September 22. Most of the organizations involved had provided information on reported incidents. But not the Royal Bank or McGill University, which had refused to explain anything².

In response to our articles, lawyer Charles Morgan published a blog post in January that referred to it.

“The precedent set by the CAI in releasing the names of organizations reporting incidents to the media could have a chilling effect on future reporting of breaches of confidentiality,” the partner at McCarthy Tétrault wrote on January 12.³.

According to Charles Morgan, organizations may become more reluctant to make such statements when the risk of harm is unclear to victims of breaches of confidentiality. They may decide to keep some less serious breaches quiet “for fear of attracting unwanted negative attention or giving rise to speculation in the press.”

On the phone, Charles Morgan assures us that he was unaware of any change in policy at the Commission on the disclosure of these lists.

The Press wanted to know if he had intervened with the organization to stop broadcasting them. He did not answer. “I’m not sure I have anything to add to what’s already been posted,” he says.

The CAI refused to arrange an interview with its president. “Unfortunately, Mr.^e Poitras is currently unavailable for interview,” according to Jorge Passalacqua.

The office of Minister Jean-François Roberge, responsible for the Commission, assures us that he “was not consulted”.

“The CAI is an independent organization and makes its own interpretation of its responsibilities and obligations according to the law,” says its director of communications, Thomas Verville. We are of the opinion that the CAI must inform citizens by giving as much information as possible without harming the investigation or judicial process. »

“Surprising”, says a specialist

The publication of the names of companies that have reported confidentiality incidents to the Commission seems to have caused some controversy.

“We saw your article at the office and we were surprised because it is sensitive information about our clients, agrees Soleïca Monnier, lawyer at Fasken specializing in privacy and cybersecurity. The CAI had not necessarily mentioned that it was going to transmit this to the media. »

Nothing in Law 25 specifies whether or not the Commission must identify organizations that have reported privacy incidents to the public, she explains. Faced with the demands of The Pressthe watchdog of private data first opted for greater transparency, before changing its mind.

“That they stop publishing afterwards is also surprising… This whole dossier is surprising to me, I would tell you,” says Soleïca Monnier.

Regardless of the attitude of the Commission, the lawyer intends in any case to continue to encourage her clients to advocate “transparency”, regardless of the extent of the breach of confidentiality.

“It is better to avoid the element of surprise,” she argues. However, it is important to know that the CAI can disclose it, precisely to adopt a communication strategy if people start asking questions. »

With the collaboration of William Leclerc, The Press