Privacy commissioner Daniel Therrien says there is still much room for improvement to protect personal information – particularly with use of portable memory sticks.Sean Kilpatrick/The Canadian Press
The privacy watchdog is urging the Liberal government to engage in open debate on national-security legislation as Justin Trudeau's cabinet reviews the controversial anti-terrorism law known as Bill C-51.
Privacy commissioner Daniel Therrien expressed hope Thursday that the new government would follow through on its commitment to consult the public and specialists before revamping the bill, suggesting there was insufficient discussion on the Conservative legislation last spring.
"It would be very desirable to have a more complete and exhaustive debate on the issues before legislation is adopted," Therrien said after tabling his annual report.
"I certainly look forward to presenting my views on what amendments should be considered."
Therrien railed against C-51 last March, saying the bill's scope was "clearly excessive" and put personal information at risk.
The legislation gave the Canadian Security Intelligence Service the explicit power to disrupt terror plots, made it easier to limit the movements of a suspect, expanded no-fly list powers and cracked down on terrorist propaganda.
It also alarmed Therrien by removing many barriers to sharing security-related information. Therrien said the bill could make available all federally held data about someone of interest to as many as 17 government departments and agencies with responsibilities for national security.
In his annual report, Therrien said the bill and two other major pieces of security-related legislation ushered in by the former Conservative government amounted to a "sea change for privacy rights in Canada."
"Ensuring government powers under these new acts are exercised in a manner which respects privacy will be an ongoing focus of the (privacy commissioner's) office in the months and years to come."
Therrien also urged federal agencies to put more rigorous safeguards in place to protect sensitive personal information — especially when that data is on an easy-to-lose memory stick.
The commissioner underscored a record-high number of federal government data breaches disclosed to his office.
While many institutions have made strides, there is still much room for improvement — particularly with the use of portable storage devices, Therrien said.
Federal institutions reported 256 data breaches in 2014-2015, up from 228 the year before.
As in previous years, the leading cause of breaches was accidental disclosure, a risk Therrien says can often be lessened by following proper procedures.
Last year marked the first time institutions were required to report data breaches to the privacy commissioner. Previously, reporting was voluntary.
Portable storage devices are convenient because they can hold huge amounts of data and are generally small and highly portable, the commissioner noted. But that creates significant privacy and security risks, since the devices can easily be lost or stolen.
Therrien's office undertook a special audit following concerns over a number of such data breaches, including a 2012 incident in which a portable hard drive containing the personal information of almost 600,000 student loan recipients went astray.
The audit, which examined practices at 17 institutions, identified a number of concerns:
- More than two-thirds of the agencies had not formally assessed the risks surrounding the use of all types of portable storage devices;
- More than 90 per cent did not track all devices throughout their life cycle;
- One-quarter did not enforce the use of encrypted storage devices.
The commissioner says the audited institutions have accepted all of his recommendations.