The deadline for Industry Canada's PIPEDA consultation is January 15th.
In particular, Industry Canada is seeking views on the implementation of a data breach notification provision in PIPEDA (ETHI recommendations 23, 24 and 25). Such a provision is an important component of a comprehensive strategy to address the growing problem of identity theft. The Government proposes that the Privacy Commissioner be notified of any major breach of personal information, and that affected individuals and organizations be notified when there is a high risk of significant harm resulting from the breach. Ultimately, a requirement for data breach notification should encourage organizations to implement more effective security measures for the protection of personal information, while enabling consumers to better protect themselves from identity theft when a breach does occur. Industry Canada is seeking input in developing the parameters of a data breach notification provision, including, but not limited to, questions of timing, manner of notification, penalties for failure to notify, the need for a "without consent" power to notify credit bureaus, and appropriate "thresholds" for when organizations should be required to notify.