Insights from the Canadian Privacy Commissioner’s Annual Report

A Useful Summary for Businesses

Last week, the Office of the Privacy Commissioner of Canada (the ‘Office’) issued its 2021-2022 Annual Report to Parliament on the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), the first annual report under Commissioner Philippe Dufresne.

The report provides a useful summary of the Office’s activities for organizations to learn from. This article focuses on the private sector sections of the report. The report highlights that the Office’s work under PIPEDA involved a significant focus on breaches resulting from cyber incidents involving compromised credentials. It is worth noting that the Office participated in developing a guidance document with international data protection and privacy authorities in June 2022 on the risk of credential stuffing attacks (attackers replaying username and password pairs leaked from other breaches against your login page) and how to prevent them.
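Because the report singles out compromised credentials as the leading driver of reported breaches, here is an added example (written for this article, not taken from the Office’s guidance or from any reporting organization) of the simplest detection heuristic for credential stuffing: one source address trying many distinct usernames with a high failure rate, as opposed to one user mistyping their own password. The log format and the IP addresses and usernames are constructed for the example; the thresholds are assumptions you would tune to your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not from the report). The first source
# tries six different accounts in a few seconds and gets one hit; the second
# is a single user retrying their own password.
SAMPLE_LOG = """\
2022-06-01T10:00:01Z login user=alice src=203.0.113.5 result=FAIL
2022-06-01T10:00:02Z login user=bob src=203.0.113.5 result=FAIL
2022-06-01T10:00:02Z login user=carol src=203.0.113.5 result=FAIL
2022-06-01T10:00:03Z login user=dave src=203.0.113.5 result=SUCCESS
2022-06-01T10:00:04Z login user=erin src=203.0.113.5 result=FAIL
2022-06-01T10:00:05Z login user=frank src=203.0.113.5 result=FAIL
2022-06-01T10:00:06Z login user=alice src=198.51.100.7 result=FAIL
2022-06-01T10:00:07Z login user=alice src=198.51.100.7 result=FAIL
2022-06-01T10:00:08Z login user=alice src=198.51.100.7 result=SUCCESS
"""

# Hypothetical log layout: ISO timestamp, "login", then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_credential_stuffing(lines, min_distinct_users=5, min_fail_ratio=0.6):
    """Group login attempts by source address and flag sources that try many
    different accounts and mostly fail. Returns {src: stats} for flagged
    sources; stats['suspect_accounts'] lists accounts that succeeded from a
    flagged source, which are the ones to force a password reset on."""
    per_src = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                   "users": set(), "successes": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not login events
        s = per_src[rec["src"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        if rec["result"] == "SUCCESS":
            s["successes"].append(rec["user"])
        else:
            s["failures"] += 1

    flagged = {}
    for src, s in per_src.items():
        fail_ratio = s["failures"] / s["attempts"]
        # Many distinct usernames from one source plus a high failure rate is
        # the stuffing signature; a single user retrying is left alone.
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[src] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "failures": s["failures"],
                "fail_ratio": round(fail_ratio, 2),
                "suspect_accounts": sorted(set(s["successes"])),
            }
    return flagged


if __name__ == "__main__":
    for src, stats in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(src, stats)
```

The assumption baked into this check is that the attacker uses one source address; real campaigns rotate through proxy pools, so in production you would also bucket by ASN, device fingerprint or user agent and add a time window. The accounts that succeed from a flagged source are the ones that matter for breach reporting, since those are the credentials an attacker now holds.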

The annual report also confirms that we can expect to soon see the Commissioner’s comments and advice to Parliament on Bill C-27, The Digital Charter Implementation Act, 2022, which replaced an earlier attempt at private-sector privacy law reform (Bill C-11) that died on the order paper last year.

A number of important cases are also summarized in the annual report. For example, mention is made of the Tim Hortons app decision (PIPEDA Findings #2022-001), a joint investigation by the Office with the B.C., Alberta and Quebec commissioners into location tracking. This decision is worth reviewing, particularly as it relates to transparency and consent. The investigation found that people who downloaded the Tim Hortons app had their movements tracked and recorded every few minutes of every day, even when the app was not open. The app asked for permission to access the mobile device’s geolocation functions, but misled many users into believing location information would only be accessed while the app was in use. The app also used location data to infer where users lived, where they worked, and whether they were travelling. It generated an “event” every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace. Investigators also looked at the contract Tim Hortons had in place with its American third-party location services supplier and found it contained language that would have allowed the supplier to use “de-identified”, but potentially re-identifiable, location data for its own purposes.

The annual report always provides a useful look at the Office’s statistics. Here is a summary of some of the figures the Office reported:

  • 85% of PIPEDA files were closed strictly through early resolution (303 PIPEDA complaints were closed through early resolution and 55 were closed through standard investigation). Greater use of early resolution and other efficiencies led to significantly shorter treatment times for complaint investigations – 7.8 months compared to 12.2 months the previous year.
  • Of the 427 PIPEDA complaints received, 58% were considered well-founded. The Office received the greatest proportion of complaints against businesses in the financial (24%), telecommunications (12%), Internet (10%) and accommodations (10%) industries. Use and disclosure of personal information was the top complaint category from individuals, followed by access, collection of personal information and retention of personal information.
  • The leading cause of breaches involved unauthorized access, with 419 reported incidents (65%). These incidents often involved external actors gaining access to systems. Among the unauthorized access reports, 69% were cyber incidents involving malware, ransomware, hacking and phishing. But the unauthorized access cases also include scenarios where employees viewed information without authorization and used the information for inappropriate purposes.
  • A quarter of breaches were caused by unauthorized disclosures, including employee errors involving misdirected communications and disclosures resulting from a failure of technical safeguards and system vulnerabilities.

These numbers clearly point to the importance of reducing the human and hygiene factors behind these incidents – ensuring critical security updates are applied quickly, providing ongoing cybersecurity training to employees, and reviewing access privileges regularly so that staff cannot view records they have no business reason to see. These points are in line with Blakes’ excellent Canadian Cybersecurity Trends Study 2022. I highly recommend downloading it.

Organizations subject to PIPEDA are required to report to the Office any and all breaches of security safeguards involving personal information that pose a real risk of significant harm (RROSH) to individuals. Just as privacy compliance software (from sweeping through systems to create data maps to automating privacy impact assessments) is taking off across industries, the Office is also leaning on technology and AI. It has developed and implemented a pioneering new tool to assess harm in breaches. The tool considers factors such as the sensitivity of the personal information involved and the probability that the information has been, is being, or will be misused. The tool is being used in-house by the Office, and a version is scheduled for public launch by the end of the 2022 calendar year. The goal is to more quickly and consistently identify breaches where there is a likelihood of RROSH, triggering mandatory reporting, and to offer guidance to help reporting organizations subject to PIPEDA better assess risks, manage incidents and mitigate harms. Note that the breach reporting framework will stay intact when Bill C-27 comes into force, giving this tool long-term usefulness.

I hope this article was useful for businesses in understanding the Federal Privacy Commissioner’s activities and focus on digital technologies. For assistance with your Canadian privacy compliance needs, contact PRIVATECH.

The privacy and data protection fields continue to offer complex challenges and growth opportunities for privacy professionals. CLICK HERE to learn about PRIVATECH’s certification courses that help advance your career!