32 NAIDnews Summer 2017
criminals, capitalizing on this ready source of personal information. These rings were found to have divisions of labour, where
lower ranks start by harvesting the information from dumpsters, which is then handed over to others of higher rank who
have been trained to best exploit it.
That has led to a new generation of legislation in the U.S., exemplified by the Fair and Accurate Credit Transactions Act
(FACTA) and a host of state laws, which are designed not only to protect privacy rights, but also to stem the tide of identity
theft and fraud. As a result, there is a marked difference in the regulatory language regarding information disposal and the
penalties for non-compliance.
Where in the past a regulatory reference to information disposal would require limiting unauthorized access, improved
regulations now require that steps be taken to destroy personal information prior to its disposal. Further to the point, the
newer generation of legislation requires that such security measures be documented in the organization’s policies. We have
recommended in other provinces that organizations be required to publicly post their destruction policy.
Recommendation #2: Add a definition of “destruction” to FIPPA. In addition, the Government should consider whether
organizations covered by FIPPA should have to post their destruction policy.
In addition to the two legislative changes above, the third priority is to ensure organizations respect the law, and closely
linked to that, to ensure that employees understand and abide by it. NAID-Canada has found that just having a policy does
not necessarily translate into compliance if an organization’s employees are not aware of it and/or do not adhere to it.
The keys to the latter are awareness, proper and ongoing training and, where necessary, fines and penalties for violations of
the law. The first two are outside the scope of the legislation, but should be a priority for the Government once the review is
To that end, privacy compliance needs to be easy to understand, both for organizations and employees. Therefore, we
recommend ensuring organizations have clear and easy-to-understand instructions on how to comply with FIPPA. In addition,
once such instructions are developed, the Government should evaluate whether these materials are reaching their target
audience, most particularly rank-and-file employees.
Recommendation #3: Develop materials to help organizations understand their FIPPA compliance obligations and assess
whether those materials are reaching their target audience.
As for penalties, the solution in the private sector is fines, though we assume the Government is not going to fine itself for
similar violations in the public sector. That said, a failure to respect the law must still have consequences. Depending on the
severity of the violation and the intent, these could range from mandatory training to outright dismissal. This may seem
harsh, but NAID’s experience internationally has found that the degree of compliance with privacy legislation is closely tied
to the risk of sanction.
Recommendation #4: Consider increasing penalties for violations of FIPPA in cases where negligence is clear.
Breach notification laws are also becoming standard in Canada and around the world. NAID-Canada is strongly supportive
of such laws. Historically, such notification has been focused on incidents involving sensational electronic data breaches, of
which there have been many in recent years. It is important to note, however, that a breach resulting from casual disposal of
paper records can be just as damaging for those impacted and must not be overlooked.
Mandatory breach notification is becoming the norm globally and we recommend Manitoba adopt the same provision.
Recommendation #5: Adopt a mandatory breach notification requirement in FIPPA.
Finally, there are two additional issues NAID-Canada puts forth for consideration. First, we support stronger contracting
requirements between information custodians and third parties to whom destruction is outsourced. NAID-Canada, for example, is a professional association whose members must abide by certain standards. We also have a rigorous certification
program for members who want to be recognized as the top of the class in the information destruction industry. When such
professional standards exist, we believe they should be recognized when contracting with government entities.
Recommendation #6: Encourage organizations to consider professional standards when outsourcing information