Poll: Canadian businesses unconcerned about privacy breach risk

New poll results suggest that Canadian businesses are collecting more personal information than ever but they aren’t worried about privacy breaches.

OTTAWA, May 27, 2010 – Most Canadian companies aren’t concerned about data breaches involving their customers’ personal information — even though these same companies report they are collecting and holding more personal information than ever before, according to the results of a poll released today.

The poll conducted by EKOS for the Office of the Privacy Commissioner of Canada found that 42 per cent of businesses surveyed are not concerned about security breaches.

“Given the severity and number of major data spills that we have seen reported in the headlines over the past few years, it is concerning to see that businesses are not more apprehensive about this issue,” says Assistant Privacy Commissioner of Canada Elizabeth Denham. “There are serious risks involved in collecting and holding personal information, and the stakes for both businesses and customers are high.”

The survey revealed that the collection of personal information by Canadian businesses is a growing trend. Sixty-eight per cent of businesses surveyed indicated they collect personal information from their customers — an increase of five per cent since a previous study conducted by the Office in 2007.

While most companies may be confident that they can protect the personal information they collect, consumers are not nearly so certain. In a previous poll conducted by the Office in 2009, only 12 per cent of Canadians indicated they feel that businesses take the issue of protecting personal information very seriously.

Data breaches are a problem around the globe, and many governments are responding to consumers’ concerns by implementing mandatory breach notification legislation. On May 25, 2010, the Canadian government announced that it is moving ahead with a package of amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law. The amendments include mandatory breach reporting, which would require private-sector organizations to report to the Office of the Privacy Commissioner of Canada any “material breach of security safeguards involving personal information under its control”. Factors in determining whether a breach is reportable include the sensitivity of the information involved, the number of individuals affected, and whether the data breach constitutes a pattern. The affected individuals would also have to be notified if there is a chance the breach poses a “real risk of significant harm” to them.

Although the poll results revealed some issues of concern, there was also some good news. The poll found that the majority of businesses have implemented provisions to protect customer information, and almost half of the businesses surveyed report high awareness of their responsibilities under Canada’s privacy laws.

In fact, the survey suggests that PIPEDA has had a positive impact on Canadian businesses’ handling of customers’ personal information.

Approximately two in three of the companies surveyed indicate they are more concerned about protecting their customers’ personal information (68 per cent), and have increased their awareness of privacy obligations (63 per cent) as a result of PIPEDA. And more than half (57 per cent) said the introduction of PIPEDA has resulted in improved security associated with personal information held by the company on its customers.

The EKOS survey, which was conducted in March 2010 with 1,005 Canadian businesses, examined a number of issues relating to privacy and the implementation of PIPEDA. The results may be considered statistically accurate to within +/- 3.1 percentage points, 19 times out of 20. More detailed information about the poll results and how businesses can secure personal information is available on the Privacy Commissioner’s website, www.priv.gc.ca.

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

To view the final report: Canadian Businesses and Privacy-Related Issues (PDF version)

— 30 —

For more information and/or media interview requests, contact:

Heather Ormerod
Office of the Privacy Commissioner of Canada
Tel: (613) 947-8416
E-mail: heather.ormerod@priv.gc.ca