“Who can keep track of who’s collecting the information, who has access to it and where it’s stored?” she wondered aloud at the two-day event, which is sponsored by IT World Canada. She later added in response to audience questions that while her team deals with specific complaints, it isn’t supporting laws that offer direct guidelines on IT security and privacy standards. The Personal Information Protection and Electronic Documents Act (PIPEDA), for example, which went into effect nine years ago, is supposed to be “technology neutral,” Stoddart said. “It just says you have to keep the data secure.”
Stoddart said Bill C-29, which would require organizations to proactively report when an incident that exposes private citizens’ personal information takes place, is already at the Senate level, while Bill C-28, a proposed law to curb unsolicited commercial e-mail, includes new powers for the Privacy Commissioner’s office to choose which cases it investigates. More pressing, perhaps, is Canada’s Privacy Act, to which all public sector organizations are subject. This law needs to be modernized, Stoddart said, particularly following audits that showed poor security around BlackBerry usage and the disposal of government documents.
“This is an act that was first introduced in 1982 – the same year the Commodore 64 was released and ET was starting to call home,” she observed. Even PIPEDA’s authors, she said, could never have predicted what it would cover today. “Nobody at that time had ever heard of a social network, even (Facebook founder) Mark Zuckerberg.”
Stoddart’s office most recently gained attention for its investigation into Google’s Wi-Fi service. She said hers was the only regulator to have people fly directly to the search engine giant’s offices in Mountain View, California, to review data on site. Although Google has not yet responded to the Privacy Commissioner’s recommendations, she noted the company has recently appointed a chief privacy officer and taken other measures to deal with the potential threat to its users’ information.
“We have proven we can act quickly, decisively and with a great deal of expert depth,” she said, calling on all vendors to make sure privacy is built in from the beginning, and not once a breach has occurred. “We expect enterprises to think of privacy not as an add-on in a drop-down menu but as a default setting.”
Meanwhile, although Stoddart’s office officially ended its Facebook probe in September, Stoddart admitted that a new investigation is underway around the “invitations” feature on the social networking service, as well as the popular “like” button.
The Privacy Commissioner’s office has also tasked two Canadian legal academics with reviewing its largely ombudsman role, and with exploring whether it would make sense to give Stoddart and her team greater order-making powers to deal with the increased privacy risks that the country’s citizens face.
SC World Congress Canada 2010 continues on Wednesday.