The Information Access Commission (CAI) is changing its tune. The private information watchdog stops publishing the names of companies and public organizations that have reported “privacy incidents” to it, as it has done since December. The decision comes after the publication of articles in La Presse based on such information, which had shaken personal intelligence experts.
The CAI has sent La Presse lists of organizations that have reported breaches of confidentiality on five occasions since December, following freedom of information requests or a simple communications request. This information served as the basis for an article mentioning that about 30 companies had declared “confidentiality incidents”, as required by the new “Law 25” (Act respecting the protection of personal information in the private sector) , which entered into force in September.
The Commission had only revealed the names of the organizations and the date of their declaration to the CAI, without further details. “Giving more information is not excluded”, however, the president of the organization, Diane Poitras, then declared in an interview with La Presse1.
The agency did not provide an incomplete or partially redacted list: it simply refused to provide the names of any entities that have made such a statement since mid-February.
“The Commission does not intend to systematically deny access to information of the nature of that which has been transmitted to you in the past concerning confidentiality incidents”, assures however the director of communications, Jorge Passalacqua.
According to his email, “experience has shown that disclosing details about an incident and sometimes simply confirming the existence of a confidentiality incident can adversely affect a company or organization’s handling of the incident. audience “.
In December, La Presse wrote that about thirty companies had made declarations of confidentiality incidents to the CAI since the entry into force of law 25, on September 22. Most of the organizations involved had provided information on reported incidents. But not the Royal Bank or McGill University, which had refused to explain anything.
In response to our articles, lawyer Charles Morgan published a blog post in January that referred to it.
“The precedent the CAI has set in releasing the names of organizations reporting incidents to the media may have a chilling effect on future reporting of breaches of confidentiality,” the partner at McCarthy Tétrault wrote on January 123.
According to Charles Morgan, organizations may become more reluctant to make such statements when the risk of harm is unclear to victims of breaches of confidentiality. They may decide to keep some less serious breaches quiet “for fear of attracting unwanted negative attention or giving rise to speculation in the press.”
On the phone, Charles Morgan assures us that he was unaware of the change in policy at the Commission on the disclosure of these lists.
La Presse wanted to know if he had intervened with the organization to stop broadcasting them. He did not answer. “I’m not sure I have anything to add to what’s already been posted,” he said.
The CAI refused to arrange an interview with its president. “Unfortunately, Me Poitras is not available for an interview at this time,” according to Jorge Passalacqua.
The office of Minister Jean-François Roberge, responsible for the Commission, assures that it “was not consulted”.
“The CAI is an independent organization and makes its own interpretation of its responsibilities and obligations under the law,” says its director of communications, Thomas Verville. We are of the opinion that the CAI must inform citizens by giving as much information as possible without harming the investigation or judicial process. »
The publication of the names of companies that have reported privacy incidents to the Commission seems to have caused some controversy.
“We saw your article at the office and we were surprised because it is sensitive information about our clients, agrees Soleïca Monnier, lawyer at Fasken specializing in privacy and cybersecurity. The CAI had not necessarily mentioned that it was going to transmit this to the media. »
Nothing in Law 25 specifies whether or not the Commission must identify organizations that have reported privacy incidents to the public, she explains. Faced with requests from La Presse, the private data watchdog first opted for greater transparency, before changing its mind.
“That they stop publishing afterwards is also surprising… This whole file is surprising to me, I would tell you,” says Soleïca Monnier.
Regardless of the attitude of the Commission, the lawyer intends to continue to encourage her clients to advocate “transparency”, regardless of the extent of the breach of confidentiality.
“It is better to avoid the element of surprise,” she argues. On the other hand, it is important to know that the CAI can disclose it, precisely to adopt a communication strategy if people start asking questions. »
