Thank you, Jean.
I will limit my opening remarks to just two areas regarding the breach notification regime. The first one is thresholds for reporting to the Privacy Commissioner, and then the second area will be record-keeping.
As you may know, unlike its predecessor, Bill C-12, clause 10 of Bill S-4 sets out a single test or threshold for both notifying individuals of a breach and reporting to the Privacy Commissioner. In effect, every breach that is notifiable to an individual will now also be reportable to the OPC, requiring businesses to change their current practices. The objective of reporting to the commissioner in essence is to track the volume and nature of breaches to see if there are any trends and to allow the commissioner to work with organizations, small and medium-sized organizations, who may need assistance.
This objective is very different—very different—from the objective of notifying individuals so that they can mitigate harm that may result from the breach. This distinction is actually very well understood both by industry and by the Privacy Commissioner's office. In fact, industry players have been following for years the guidelines “Key Steps in Responding to Privacy Breaches”, which were jointly issued by the Privacy Commissioner with their B.C. and Alberta counterparts. These guidelines have existed for several years and have been followed by the industry very successfully. While the threshold for notifying individuals should be based on the existence of a real risk of significant harm, which is what Bill S-4 does today, reporting to the OPC should be premised on the existence of a material breach.
Second, regarding record-keeping, we are of the view that the mandatory record-keeping for all breaches of security safeguards regardless of significance is unworkable, extremely impractical, and places too great a burden on all organizations regardless of size or industry, with no commensurate benefit for the protection of Canadians. In fact, this is really our overarching concern when these new record-keeping obligations are considered in light of the new proposed offences which, in our view, strip away the delicate balance in PIPEDA. In no event should a deficiency in logging be an offence.
As currently drafted, and due to the lack of a specific materiality threshold for reporting breaches to the OPC that I just referred to, every single breach of security safeguards, once again regardless of how trivial, must be diligently logged because it will be an offence to do so improperly or imperfectly.
In closing, we should be focusing on those breaches of security safeguards that might have the most impact on Canadians.
Once again, on behalf of my colleague and me, thank you for the opportunity to meet with you here today, and we welcome your questions.