Since the amendments to the laws on the protection of personal information (“Law 25”) came into force, any “confidentiality incident” that presents a “risk of serious prejudice” must be reported to the Commission d’accès à l’information (CAI). The result: the number of reports has jumped. But the organization’s resources have not kept pace, its president laments in an interview with The Press.
“Since September 22, we have received more than 70 statements,” said Diane Poitras. That is almost one every day. At this rate, 346 reports will have reached the Commission in one year, four times more than in 2021. It is a huge workload for an organization that celebrated its 40th anniversary this year.
“It’s boring to say, but there is a resource issue,” notes the president.
Despite the new requirements of the law that it must enforce, Quebec granted the Commission only a quarter of what it asked for to properly cope with the increase in its workload. “For the current year, the increase is 1.5 million, to reach 8.2 million,” says Diane Poitras.
Too little, she says, because the anticipated surge could intensify further, according to the president, a veteran of the CAI who began working as a lawyer for the organization in 1986, when it was only four years old.
Diane Poitras expects the rate of increase within a year to be comparable to that experienced by the Office of the Information and Privacy Commissioner of Alberta. In 2018, that province began requiring the reporting of any health privacy breach. “They saw a 400% increase in declarations,” the president notes. With its new Personal Information Protection and Electronic Documents Act, the Office of the Privacy Commissioner of Canada saw a 500% increase in reports.
According to the CAI, it would have needed 5.9 million more this year, four times the additional funding that Quebec granted it.
Starting in 2024-2025, when all the new provisions of the privacy laws are in force, the Commission is asking for an additional 9 million per year.
In fact, the organization would need to double its staff compared to last year, to a total of 156 employees, according to figures communicated during the study of the 2022-2023 appropriations. To date, it has only 98.
Choosing priorities
Under the circumstances, the CAI must choose what it puts on top of the stack. “Our main challenge is to limit the harm suffered by citizens,” explains Diane Poitras.
What is at risk are the Commission’s special initiatives, such as the investigation it conducted in 2020 into the massive leak of personal information at Desjardins.
This is all the more pressing because new provisions come into force in 2023. Companies and public organizations will then have to adopt stricter frameworks to control the collection, storage and use of personal information. The Commission will have to produce guides to help them follow the rules and monitor their compliance.
Companies that don’t take risks
With reports of confidentiality breaches soaring, are the organizations reporting incidents to the Commission being overly cautious?
In an article published Thursday on the declarations that companies have made to the CAI since September 22, The Press presented the case of an IT company that reported sending a single email about a supplier to the wrong person. A pharmacy also reported a torn-open medicine box, which theoretically could have allowed the delivery person to see confidential medical information about customers.
“The reporting threshold is the risk of serious harm. The first person who must assess it is the organization concerned. It is certain that there are some who do not take a chance, so it is possible that some make the declaration even if the threshold is not really reached,” says Diane Poitras.
Better too many than too few, she says. “The Commission’s primary expectation is that organizations do everything they can to prevent incidents and, if an incident does occur, do everything to protect the public.”
More transparency?
When The Press obtained the list of companies reporting privacy incidents, it did not contain any description of the reported events.
For example, the grocer Sobeys, which for a month has refused to give any details about the cyberattack it suffered, is listed, but without any details that could help the public understand what happened.
“When we are dealing with the incident, it can be a risk to reveal information,” Diane Poitras explains.
She is not, however, closed to the idea of saying more in the future, once the investigations into the cases brought to her attention are completed. “Giving more information is not excluded.”
Ideally, the law should perhaps have specified what information about privacy breaches must be made public, the president adds. “As things stand, there is no public record of all incidents.”
54: the number of reports received by the Commission d’accès à l’information for the whole of 2021. That is 25% fewer than the number received since the amendments to the laws on the protection of personal information (“Law 25”) came into force.
Source: Commission d’accès à l’information