Information & Ethics Committee on Dec. 4th, 2006

Thank you, Mr. Chairman. It's a pleasure to be here today.

I might just add to the introduction you made a moment ago that Barbara Robins is also chair of our ethics and privacy committee. Her responsibilities as vice-president, legal and regulatory affairs, extend not just to Canada but to Latin America and the Asia-Pacific region as well. So she has some international perspective that might be of interest to the committee.

I also want to take a quick moment to thank the committee for its indulgence. We were asked to appear next week, but that appearance conflicted with our board of directors meeting to consider our annual plan and budget. Given the fact that we have 37 people on our board, that would have been a little difficult to move.

In 1995, this association was the first national business association to call on the federal government to pass privacy legislation to govern the private sector. CMA believed that a well-balanced privacy law would result in benefits for consumers and for information-based marketers, an increasingly important sector of the Canadian economy.

Marketers know that respect for personal information is good for business. They advocated a law that would provide clear direction on how personal information could be collected, used, and disclosed, and a law that would be sufficiently flexible to enable businesses to grow the economy and take advantage of our new and emerging technologies. And to a great extent, PIPEDA has fulfilled these high expectations, although we remain in the early stages of implementing this new privacy framework. It should be kept in mind that for the vast majority of the private sector, this law only came into effect on January 1, 2004.

CMA is the largest marketing association in the country, with more than 800 corporate members representing a wide variety of marketing sectors, and we do have a code of ethics and standards of practice that is mandatory for our members. It is the self-regulatory code that provides our members and other marketers with a comprehensive set of best practices. We've provided committee members with a copy of that code for your future reference in your deliberations.

Privacy provisions of the code are structured to reflect PIPEDA's 10 privacy principles but are supplemented with additional rules for marketers. For example, for marketing to children, our code requires the express consent of a parent or guardian before a child's personal information can be collected, used, or disclosed for marketing purposes. CMA members are required to offer an opt-out opportunity with every e-mail marketing communication that's made. CMA members are banned from using unsolicited email, or spam, to acquire new customers. And CMA members must use our do-not-contact program, the only service of its kind in Canada, and it is offered free to consumers. All these provisions and the rest of the code are supported by detailed compliance guidelines.

With respect to PIPEDA, CMA takes the position that it's still too early to consider substantial changes, especially given the fact that the act has only been in effect, for most of the private sector, since January 1, 2004. The law does appear to be working well, as demonstrated by the noticeable downward trend in the number of complaints directed to the Privacy Commissioner and the increasing proportion of these complaints that are resolved or settled. At the same time, CMA's research, conducted for the Privacy Commissioner, shows the need for improvement, particularly among small and medium-sized enterprises in terms of both awareness and compliance. We have provided the committee clerk with a copy of that research.

In her own presentation to this committee, the Privacy Commissioner observed that this is not the time to make major changes in the framework of PIPEDA. CMA supports the Privacy Commissioner's view in that respect, and were Parliament to consider changes in the near future, we would strongly advise that these early adjustments be limited to technical amendments for purposes of clarifying meaning and intent.

The commissioner raised some issues that we'd like to comment on. First, I'll go to the question of the commissioner's powers and whether the existing ombudsman model has been effective. The evidence of the past few years clearly indicates that the ombudsman model has worked very well in promoting and protecting the privacy rights of Canadians. In response to complaints, organizations have invariably demonstrated a willingness to follow the direction of the Privacy Commissioner. We also feel that the commissioner's role as a privacy advocate is one that inherently contains positional bias and is therefore more compatible with an ombudsman's role.

Most importantly, however, the reality is that the commissioner's powers of influence are well supported by the discretionary power to publicize privacy breaches and by the ability to seek binding orders through the Federal Court. The last thing any marketer wants to see is their name on the front page of the Ottawa Citizen, being identified as being in breach of the privacy provisions, in the opinion of the Privacy Commissioner.

Another subject that has been the topic of much discussion over the past year or so is notification to consumers where there has been a breach of security or accidental disclosure of personal information. The question is, under what circumstances should organizations report a loss or theft of personal information to consumers? CMA believes that organizations do have a responsibility to notify consumers where the loss or theft of personal information poses a reasonable risk of harm to the individual. The challenge is to establish the correct threshold for triggering that notification. For example, how would we best define a risk of harm to the affected individuals?

We do not want to unduly alarm individuals with interminable notices of inadvertent disclosures of information that are totally innocuous. Our proposed approach to this issue is to request that the Privacy Commissioner of Canada consult with all stakeholders to develop and publicize national privacy breach response and notification guidelines. Those national guidelines can then be easily adjusted as we come to better understand the impacts of breaches and the impacts of notification, and they could subsequently form the basis of some legislative action by Parliament.

The Privacy Commissioner, on another issue, has also indicated that she is satisfied that her office can also deal with the matter of cross-border information flows by providing guidance to organizations. In our experience, that has worked very well and we agree with her assessment.

I have a couple of concluding remarks, Mr. Chairman.

Today's information-based economy continues to present new and innovative ways for business to interact with existing customers and potential customers and grow their customer base. Indeed, consumers expect more, demanding more tailored offers, convenience, and better service, requiring business to become more sophisticated in its ability to anticipate and meet these needs. Central to that marketing relationship is the collection, use, and disclosure of personal information.

Canadian marketers have long recognized that consumer confidence, privacy protection, and transparent information practices are critical for continued success. Good marketers know that respect for personal information is good business. PIPEDA is a privacy framework designed to achieve that delicate balance. In the words of a former Attorney General of this country, it is “a remarkable national consensus based on a series of delicate compromises”, one that all stakeholders believe would provide effective privacy protection while allowing businesses and not-for-profit organizations to responsibly use personal information to grow our information-based economy.

And there is much at stake. In 2001, through information-based channels, marketers generated over $107 billion in annual sales. That supported over 850,000 jobs in the Canadian economy.

PIPEDA has been working well, although there's work to be done in improving its performance and making small and mid-sized enterprises aware of its provisions. That being the case, CMA fully supports the existing act, and we urge the committee to resist making any fundamental changes to PIPEDA until we've had a few more years' experience with the legislation in its current form.

Mr. Chairman, thank you very much. We look forward to your questions and your committee's questions.

Thank you very much, Mr. Chairman.

First of all, I should just clarify the titles of my colleagues here. FETCO can't afford a senior counsel. Edith Cody-Rice, here with me, is senior legal counsel with the Canadian Broadcasting Corporation.

I just wanted to make sure everybody understood, for the record.

Also with me is Barbara Mittleman, who is responsible for privacy issues at the Canadian Pacific Railway Company. Her title is director of employee relations.

Since we're rather tight on time in terms of the time we're given for introductory comments, I'm not going to go into much background about our organization. I'm not going to spend a lot of time going through any details about FETCO. We've been around for 25 years. We're involved in all aspects of labour relations and employee relations issues at the federal level. Our brief does not include a list of our members, but I did e-mail the clerk a list of our members and he may have circulated it. I'm not going to spend time going through it, but the list is available for anybody who would like to know that information.

Unlike many organizations, the ones that are basically considered to be provincial jurisdiction, with the exception of Canada Post, which is a FETCO member and is covered by the Privacy Act, all our members are covered by PIPEDA—if that's the proper pronunciation, but we're not really sure—and have been since 2001.

We therefore have the five-year perspective rather than the shorter period that other organizations have.

We are going to talk about employee issues, and we're going to be exclusively talking about it because it's the only thing we talk about.

From FETCO's perspective, PIPEDA is one of many pieces of labour legislation regulating our businesses. Others include the three parts to the Canada Labour Code, the Canadian Human Rights Act, and the Employment Equity Act. It is our belief that Parliament intended these various statutes to be applied in such a way as to minimize conflict. Through their application, the other statutory obligations placed on employers would be given cognizance, minimizing interference with normal business operations.

I'll reiterate the comment we made five or six years ago to the committee at the time, which I think was the industry committee, that this looks very much like a piece of commercial legislation. Canadians were told about it in the consultation process. It really wasn't until we saw the bill that we realized the larger labour implications. We think perhaps the bill has suffered and the act is suffering from the fact that not enough thought went into the actual provisions dealing with labour issues.

In the brief I circulated, which hopefully was sent to members—I think I sent it about 10 days ago—we cover a number of areas. Quite frankly, we've collectively run into a number of problems with the act.

We make numerous recommendations in the area of employee relations. However, I'm only going to spend time on two of them, because we think they're two of the most important: information consent and the formal dispute resolution process.

There is clearly a need to distinguish between truly personal information related to the employee and information that is used for legitimate business activities or business identifiers. It has been a cause of concern in terms of the application of the act. We understand the Privacy Commissioner is perhaps cognizant of this.

For example, identifiers such as a fax number, which is a phone number, and an e-mail address, which is a business address, are provided for the express purpose of running the business. These in fact belong to the employer, not the employee. When the employee leaves the business, the identifiers stay with the business and don't go with the employee. It's therefore very difficult for us to determine why this would be considered personal information.

When I left the Canadian Pacific Railway a few years ago, I didn't take my e-mail address with me. On the day I left the company, they cancelled it.

We believe it's an example of a situation where a little more thought was needed. The act should have been drafted a little differently to capture what is clearly business information rather than personal information.

Given the increased tension among the various pieces of employment-related legislation in PIPEDA and the importance of maintaining a balance in the employment relationship, consideration may need to be given to whether employee consent should be treated differently.

Different options exist for dealing with employee consent, including reliance on implied or deemed consent or even eliminating the requirement for employee consent for the collection, use, or disclosure of personal information related to managing reasonable requests of the employment relationship. I would say, and I'll probably repeat this at the end, we are favourably disposed to the approach taken in B.C. and Alberta.

It is recommended that issues surrounding employee consent be considered and addressed during the review process. We have a couple of specific recommendations in this area.

We recommend that e-mail addresses and fax numbers should be excluded from the existing definition of personal information and that a new definition of personal information should be developed.

We also recommend that the act be changed to permit employers to collect, use, and disclose personal employee information, either without consent or when there is deemed consent in the conduct of routine and reasonable business in the managing of the employment relationship. That's how we think the acts in B.C. and Alberta work.

The second issue is probably more problematic in the context of the day-to-day operation of the business. It is the informal dispute resolution process. And for the record, Mr. Chairman and members of Parliament, the original bill that was introduced into the House of Commons by the Minister of Industry, way back when, didn't have this provision in it. We foresaw all sorts of difficulties in a whole pile of different areas unless there was something to deal with our ability to manage the employment relationship and fulfil our responsibilities under other statutes.

For example, part 1 of the Canada Labour Code requires that there be a process for dealing with disputes without stoppage of work. Investigations are required under part 2 of the Canada Labour Code. According to part 3 of the Canada Labour Code, you have to have a sexual harassment provision. And if Harry Arthurs has his way, there will be a lot of other obligations on employers, given the kinds of things he'll put in his report on the review of part 3. Of course, we are also obligated under the Canadian Human Rights Act to conduct investigations when there is a complaint lodged.

While PIPEDA provides that personal information generated in the course of a formal dispute resolution process not be provided when an access request is received--that's what we requested six or seven years ago when that was put into the legislation--FETCO believes that the definition of what constitutes a formal dispute resolution process and the stipulation that the information can be withheld in the course of a formal dispute resolution process are restrictive and erode confidence in the process.

Employers are required to investigate employee complaints, often on a confidential basis and without the assistance of an outside body. All investigations of complaints or disputes begin with the differing of opinions, which leads to an information-gathering process. It is impossible to resolve a dispute until the facts identifying the dispute have been determined. Doing so is often undertaken by those having knowledge of the incident and providing information about it, often on a confidential basis, in some form, to those in the business of handling the complaint. This fact-finding process is an integral part of the formal dispute resolution process, whether to determine the need for discipline or to investigate grievances, sexual or other harassment, or other workplace complaints. The fact that an employee being investigated can have access to any confidential information provided by complainants and witnesses results in complainants' being reluctant to have their issues addressed through appropriate internal redress systems, and witnesses' being reluctant to give evidence. We think that the definition is too restrictive. We think it has to cover all aspects of the dispute resolution process, including the information-gathering aspects, which would naturally be the early workings of any dispute resolution process. For anything you do, you collect data and you collect information.

At the present time, the integrity of the fact-finding process is very likely compromised by the fact that it is not protected by exceptions to access. In cases like these, the OPC has taken the position that such information is not, in fact, being generated in the course of a formal dispute resolution process, and therefore is subject to access under PIPEDA. It is FETCO's experience that the OPC's current position--that information gathered in the course of internal investigations is subject to access--has an adverse effect on the ability of employers to collect pertinent information and resolve workplace disputes without complication.

We have a couple of recommendations here, specifically the following:

The term “formal dispute resolution process” should be broadly defined to include all established mechanisms used to conduct an investigation, or otherwise resolve an employee complaint.

In all phases of a dispute resolution process, the employer should not be required to provide access to personal employee information.

Information collected while investigating a breach of a law or contract, regardless of whether the information was collected with or without the knowledge and the consent of the individual, should be also exempt from the requirement to provide access.

It is also inappropriate for employees to be able to access opinions and recommendations made by industrial relations or human resources personnel with regard to employee relations matters, including recommendations as to appropriate discipline or suitability for continued employment.

If I might conclude, Mr. Chair, FETCO strongly encourages that the recommendations contained in our brief be carefully examined in this review of PIPEDA. We've been around a long time, and we don't expect you to pick up every recommendation in your report. But we do ask that you give serious consideration to them. It is imperative that this review take into account the implications of this legislation on employers, their workplaces, and their business activities.

We are aware that subsequent to the implementation of PIPEDA, some provinces have passed substantially similar legislation. They have benefited from the experience gained under PIPEDA and have brought more clarity to the treatment of employee issues. The definition of personal employee information--including confirmation that the definition does not include work product--the concept of a formal dispute resolution process, and the reasonable use of employee information without consent are cases in point. We would recommend that in reviewing PIPEDA, examination be made of the developments in privacy legislation provincially. We would specifically direct your attention to Alberta and B.C.

Thank you very much.

My colleagues here, being lawyers, will be able to find it more quickly than I can.

In terms of access, it's in paragraph 9(3)(d).

In terms of access, yes, I believe so.

Don has asked me to speak to that, if that's all right.

In essence, the difference would be that where the personal information is employment-related there would be no requirement for consent, provided the information is being used, collected, and disclosed for reasonable business purposes. I'm not using the exact or appropriate terms of that legislation, but in essence, that's the case.

That's one piece of it. With regard to having to obtain consent for collection, use, and disclosure, that would alleviate some of the pressure on employers, yes.

There's a judgment issue here. In the course, obviously, of any business operation, especially with the types of things we deal with here--grievances, sexual harassment complaints, human rights complaints--often the individual is identified as a potential culprit. So you have to balance between having people come forward, which we're urged to do by law, by the Canadian Human Rights Act or part III of the Canada Labour Code. We urge employees to come forward when they have a complaint. If we can't deal with them in some measure of confidentiality, they're not going to come forward.

Now, in answer to your question, let's say Barbara gets a complaint from an employee saying she's been sexually harassed, and after the investigation it becomes clear that perhaps some action needs to be taken, then obviously we have to provide the appropriate level of evidence in order to take the action. In the process of collecting the data, in the process of doing the investigation, and in the process of talking to other people, with respect, we believe that information should be protected within that context, You're right, of course, that when it comes to actually taking action, we clearly have to provide the evidence to sustain it.

FETCO employers, not entirely but for the most part, tend to be unionized operations, and many, as you know, in the federal sector especially, have a long history of unionization. My previous employer, Canadian Pacific Railway, had its first collective agreement in 1896. So we're talking about long-established bargaining relationships that have built right into the collective agreements these kinds of protections--investigations, how they're held--to ensure that an employee cannot be disciplined without the appropriate procedures. We recognize that, and nobody is suggesting that it should be otherwise.

However, we believe that unless you can provide in the fact-finding process some measure of confidentiality, we're not sure how the thing can work properly. If an employee knows that if she comes in with a sexual harassment complaint and can't deal with a company on a confidential basis, that anything she's likely to say is immediately going to go to the alleged perpetrator, we think that would have a chilling effect on people coming forward.