The Authority for Information Access (CAI) is changing its tune. The private information watchdog has stopped publishing the names of companies and public organizations that have reported “privacy incidents,” as it has done since December. The decision comes after the articles were published in Journalism Based on this information that shocked personal intelligence experts.
Send CAI to Journalism Lists organizations that have reported privacy violations five times since December, following freedom of information requests or a simple communications request. This information was used as the basis for an article indicating that about thirty companies had declared “secret incidents,” as required by the new “Law 25” (Act respectfully to protect personal information in the private sector), which went into effect in September.
The commission had only disclosed the names of the organizations and the date they were announced to the CAI committee, without further details. “Providing more information is not excluded,” however, declared the head of the organization, Dianne Poitras, in an interview with Journalism1.
Instead, the opposite happened. For the first time, the CIA refused us access to this information, on April 21.
The organization has not sent an incomplete or partially redacted list: it has simply refused to send the name of any entity that has made such a declaration since mid-February.
“The Commission does not intend to systematically prevent access to information of the nature of that which has been communicated to you in the past in connection with incidents of confidentiality,” stresses, however, the Director of Communications, Jorge Passalacqua.
Selon son courriel, « l’experience démontre que la divulgation de details au sujet d’un incident and parfois le simple fait de confirmer l’existence d’un incident de confidentialité peut nuire au traitement de l’incident par une entreprise or an organisme audience.”
in December, Journalism He wrote that about thirty companies have submitted classified incident declarations to CAI since Law 25 went into effect, on September 22. Most of the concerned organizations provided information on the reported incidents. But not Royal Bank or McGill University, which have both refused to explain anything2.
In response to our articles, attorney Charles Morgan published a blog post in January that referred to him.
“The precedent set by the CIA in releasing the names of organizations that reported incidents to the media could have a chilling effect on future reporting of confidentiality breaches,” partner McCarthy Tetraault wrote on Jan. 12.3.
According to Charles Morgan, organizations may become more reluctant to make such statements when the risk of harm is not clear to victims of breaches of confidentiality. They may decide to keep some of the less serious violations “for fear of attracting unwanted negative attention or sparking speculation in the press.”
Over the phone, Charles Morgan assures us that he was not aware of any change in policy in the committee about disclosing these lists.
Journalism He wanted to know if he had intervened with the organization to stop her broadcast. He did not answer. “I’m not sure I have anything to add to what’s already been posted,” he says.
CAI refused to arrange an interview with its boss. “Unfortunately, Mr.H According to Jorge Passalaqua, Poitras is not currently available for an interview.
The office of Minister Jean-François Roberge, who is in charge of the commission, assures us that “he was not consulted”.
“CAI is an independent organization and makes its own interpretation of its responsibilities and obligations in accordance with the law,” says Director of Communications Thomas Verville. We are of the opinion that the CAO should inform citizens to give as much information as possible without harming the investigation or the judicial process. »
“Surprise,” says one specialist
The publication of the names of the companies that reported confidential incidents to the Commission appears to have caused some controversy.
“We saw your article in the office and were surprised because it is sensitive information about our clients,” agrees Solika Moner, a lawyer at Fasken who specializes in privacy and cybersecurity. CAI did not necessarily say that it would take this to the media. »
Nothing in Law 25 specifies whether or not the commission is required to identify organizations that have reported privacy incidents to the public, she explains. face demands JournalismThe watchdog on private data initially opted for more transparency before changing its mind.
“They stopped posting after that is surprising too… This whole file is surprising to me, I’d like to tell you,” Solika Meunier says.
Regardless of the committee’s position, Counsel intends in any event to continue to encourage her clients to advocate for “transparency,” no matter how much confidentiality is breached.
“It is best to avoid the element of surprise,” she argues. However, it is important to know that CAI can detect this, specifically to adopt a communication strategy if people start asking questions. »
In association with William Leclerc, Journalism
- Increased number of disclosures of confidentiality incidents to the Access to Information Committee between September 22 and March 31, compared to the same period in the previous year
Source: Information Access Authority
“Music guru. Incurable web practitioner. Thinker. Lifelong zombie junkie. Tv buff. Typical organizer. Evil beer scholar.”