Evidence of meeting #17 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament's site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Michael Binder, Assistant Deputy Minister, Spectrum, Information Technologies and Telecommunications, Department of Industry
Richard Simpson, Director General, Electronic Commerce, Department of Industry
Alexia Taschereau, Senior Counsel, Industry Canada, Department of Justice
Danièle Chatelois, Privacy Policy Analyst, E-Commerce Policy Directorate, Electronic Commerce Branch, Department of Industry
Clerk of the Committee: Mr. Richard Rumas

4:20 p.m.

Director General, Electronic Commerce, Department of Industry

Richard Simpson

We have an agreement with the Europeans. An international standard has been set based on OECD-approved guidelines. This standard provides us with a level of privacy protection comparable to that of European countries.

I'm not familiar with all of the studies that have been carried out, such as the one done by Privacy International. According to that study, we currently measure up very well to other countries.

4:20 p.m.

Bloc

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

We rank in the top percentile.

In the comparative studies that you have seen—perhaps you haven't done one yourself—did you identify areas in which some improvements could be made?

4:20 p.m.

Director General, Electronic Commerce, Department of Industry

Richard Simpson

Not really, because the standards that we have adopted are based on the CSA Model Code and they are the same as the ones adopted by European countries. We are almost at the same level.

4:20 p.m.

Bloc

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Nevertheless, are there any components that could be improved upon?

4:20 p.m.

Assistant Deputy Minister, Spectrum, Information Technologies and Telecommunications, Department of Industry

Michael Binder

Comparisons are always being drawn between ourselves, the Europeans and the Americans. The latter take a different approach to privacy protection. They have passed legislation for each sector, whether the financial sector or the health sector. Their approach is completely different. We feel that ours is the best method, because the economy as a whole is treated the same way. It's interesting, because Mr. Gates, for example—

4:20 p.m.

Bloc

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Are you talking about Bill Gates?

4:20 p.m.

Assistant Deputy Minister, Spectrum, Information Technologies and Telecommunications, Department of Industry

Michael Binder

Yes. The time has come for the United States to adopt an approach similar to ours, that is to pass legislation that applies to all sectors of the economy.

4:20 p.m.

Bloc

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

I see. Thank you very much.

4:20 p.m.

Liberal

The Chair Liberal Tom Wappel

November 20th, 2006 / 4:20 p.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

Thank you, Mr. Chair.

Thank you, witnesses.

I've been looking over the excellent research done by Nancy Holmes, our research staff member. I wasn't going to ask any questions, but I became alarmed about some things later on in her research paper, at some of the things that she has recommended we ask you for your input on.

One is dealing with the duty to notify people in the event of a breach, especially in light of high-profile privacy breaches in data companies in the United States, etc. State laws are being enacted now such that in the event of a breach, there would be an obligation to inform the person that their personal information has been compromised in this way. This is interesting to me, because somebody came to me recently and said that Visa has three million breaches per year in Canada alone, and they don't inform Visa card clients that their personal information has been compromised. This is an alarming thing.

Would you recommend, in this first statutory review, that PIPEDA be amended to require that kind of duty to notify individuals in the event of a breach?

4:25 p.m.

Assistant Deputy Minister, Spectrum, Information Technologies and Telecommunications, Department of Industry

Michael Binder

If I may, we've heard a lot about that particular topic. There are those who are absolutely recommending strongly—and you will hear them in front of you—that the Privacy Commissioner name names. They may also make the suggestion to amend this legislation to force the disclosure of breaches of privacy.

4:25 p.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

Not just the organizations that breach privacy; for instance, if it is Visa, then Visa would be obliged to tell me, if my card had been compromised, even if they fixed it and it didn't cost me anything.

Are we talking about the same thing?

4:25 p.m.

Assistant Deputy Minister, Spectrum, Information Technologies and Telecommunications, Department of Industry

Michael Binder

That's correct. That's the recommendation you'll hear a lot about. In fact, I think the Privacy Commissioner will be here, so you can ask her. She is deemed to have no power right now in the legislation to actually name names, so to speak, and to force the particular issue. This would probably require a legislative amendment.

4:25 p.m.

Liberal

The Chair Liberal Tom Wappel

Not to take any time away from you, sir, but Mr. Binder, I want you to listen carefully. Mr. Martin asked the question. He asked for your recommendation about whether there should be any amendments to the act. He didn't ask about what kind of evidence we were about to hear, or from whom we were going to hear it. You seem to think it quite natural that the Privacy Commissioner is going to give us her recommendations about how she thinks the act should be amended. I think it's fair to say we think it quite natural that the department should give us recommendations about the things they agree should be recommended. It isn't just me; you've just heard it from Mr. Martin.

Mr. Martin, that takes no time from you. Go ahead.

4:25 p.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

Thank you. That actually helps.

Further to that, if you could respond to the chair's input, I was wondering what it would look like if we embraced this as something we should do to PIPEDA. The question put here by our researcher is, would non-notification be a breach that you could file a complaint to the Privacy Commissioner about—for instance, if my Visa had been compromised, even if the company fixed it and it didn't cost me a penny, but they didn't inform me. Do you think that is something I should be able to complain to the Privacy Commissioner about, either as a class action or as an individual?

4:25 p.m.

Director General, Electronic Commerce, Department of Industry

Richard Simpson

I can jump in.

You probably can complain right now to the Privacy Commissioner if you have reason to believe your personal information was somehow accessed by someone without your knowledge or consent, even if it was purely accidental or an act of someone with deliberate intention to subvert an information system. The reason you can do it is due to the ten principles of the CSA code, which the Privacy Commissioner is responsible for enforcing and companies and organizations are responsible for administering. It requires organizations to take proper security, proper steps to secure the personal information that is in their hands. Negligence, or an inability to protect that information, is really no justification or excuse for not complying with the act.

The issue you're raising is one that I think the committee is going to hear about from other people. It has risen in the United States, as your researcher has pointed out. There are a number of states in the U.S. that have adopted duties to notify, or breach notifications. There are various terms for it, I think quite a few—over 30. They have different approaches. One of the difficulties is that it is state by state, and therefore quite fragmented, across the U.S.

That's an issue that has come up in our consultations and that I think will come up before the committee. But it's not black and white that there is nothing there versus a duty to notify. In fact, there are a number of obligations under PIPEDA that organizations should comply with. In your case, to take that example, you would be able to go to the Privacy Commissioner. The difference is, as Michael Binder pointed out, that there is no obligation to notify everybody in a public way, which is what most of the laws in the U.S. do require.

4:30 p.m.

Liberal

The Chair Liberal Tom Wappel

You have one minute.

4:30 p.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

Very quickly, another serious concern raised by our researchers has to do with the effect of the Public Safety Act when it was passed into law and the necessary amendments to PIPEDA. It's a real concern that you could have the state getting the private sector to collect personal information for the sole purpose of telling government what that information is—in other words, contracting that out.

In what context does this come up? I guess one of the contexts—to preface that, even though there's not much time—is that in the province of Manitoba they contracted out health information to Manitoba Data Services Inc. They did it so well that it became interesting to an American company, so an American firm bought it because it had a guaranteed anchor tenant. So now my personal health records are held in Dallas, Texas, by some company.... I have no idea how many times it's been flipped from owner to owner to owner, and I don't know what they're doing with that information.

Maybe I can change the angle of my question. Is there any way for the duty to follow the money, as it were, out of the country in the same way as we do with child sex laws or mining laws—Canadian activity operating outside the borders? Can anybody help me with my personal private information that's being held in Dallas by a private company?

4:30 p.m.

Director General, Electronic Commerce, Department of Industry

Richard Simpson

The way PIPEDA works now under an accountability arrangement, as they call it, is that the Privacy Commissioner will investigate that situation from the point of view of the Canadian organization that first allowed your information to leave the country. So what—

4:30 p.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

So there's still some obligation on the part of the government who sold it to the private firm? No. The private firm that sold it to the Americans would still have an obligation to me?

4:30 p.m.

Director General, Electronic Commerce, Department of Industry

Richard Simpson

The organization that provided your personal information—

4:30 p.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

Manitoba Data Services, I think it is.

4:30 p.m.

Director General, Electronic Commerce, Department of Industry

Richard Simpson

Well, if you're talking about Manitoba Data Services, that's a little more difficult as an example because that's governed by a provincial privacy act. If we can take a private sector organization, though, that would have personal information that it collected from you, with your consent, for a particular purpose, the obligation on that organization, no matter how it decides to process that information and use it in the conduct of its business, which you have consented that it could do, is to protect that information in contractual form with any other organization that has access to it.

4:30 p.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

So it does follow—

4:30 p.m.

Liberal

The Chair Liberal Tom Wappel

Mr. Martin, your time is up. I can't allow you to interrupt again.

Just finish off your answer, Mr. Simpson, and we'll go to the next questioner.