The Privacy Commissioner's
annual report to Parliament
was released today to little fanfare:
In her annual report to Parliament on Tuesday, Privacy Commissioner Jennifer Stoddart promised her office will be "more assertive ensuring all businesses are complying" with the five-year-old federal act protecting personal information.
"We are considering seeking amendments that would give the privacy commissioner the discretion to visit private sector entities and review their privacy management framework and practices," said the report, adding this power could be used "even when a privacy breach has not become public."...
(T)he privacy commissioner says her office needs stable, longterm funding and an increased budget - as well as more broadly defined powers - to carry out more privacy audits.
While it would certainly be a plus to see those types of changes, what seems more interesting to me in the report itself is that Stoddart appears mostly satisfied with the current enforcement mechanisms, under which the Privacy Commissioner is only able to make recommendations rather than binding orders:
As familiarity with privacy standards increases, so does the expectation that they will be observed. It is no longer acceptable that violations of personal information protection norms do not lead to direct remedial action. In 2005, I began asking organizations that are the subject of well-founded complaints to state the corrective measures they would take. I would then decide whether to seek a remedy for the complainant in Federal Court. To date, in the few situations where I have used this approach, almost all organizations have rapidly committed to providing redress and making systemic changes.
We continue to monitor whether the systemic changes we recommended have occurred in response to complaints made in previous years. Again, the overall compliance rate is high and, once we intervene following a complaint, the level of cooperation by organizations is generally commendable.
It's understandable to some extent that Stoddart's current priority is to secure enough funding and government support for the Privacy Commissioner to be able to exercise the office's current powers. But in the longer term, one has to figure that the current lack of "direct remedial action" will give rise to a need to extend the Commissioner's powers beyond merely making recommendations. And it's a shame that such a goal seems distant enough that Stoddart's current report doesn't make any significant push in that direction.
No comments:
Post a Comment