Information & Ethics Committee on Dec. 4th, 2006

If you obey the law, you would not keep that information on file once you had determined there was no reasonable reason to keep it on file. You're not allowed to keep that information on a file.

Even now, if you know that someone has been convicted of an offence, for example, and if you have an absolute need to know that--for example, someone has been convicted of impaired driving and you're hiring that person as a driver for your company--you could collect that information because you need to know it. You would not be allowed to collect that information just because you're interested in it, unless you needed to know it for the purposes of your company.

The two issues we raised in our introductory comments, from Barbara and Edith I think, were the ones we certainly looked at. We felt the B.C. model was more workable.

We can only assume that because B.C. and Alberta came after the federal legislation, they had the opportunity to look at PIPEDA and discuss the matter with the Privacy Commissioner. It is my understanding--and I realize this is hearsay, but you would know--that when the Privacy Commissioner appeared, she indicated there were some problems with the employee aspects of the act. I don't know what she said in terms of specifics, but I think that was known by those who deal with the Privacy Commissioner's office. It may well be that those concerns were identified and passed on to the authorities in B.C. and Alberta, and as a result of that, the legislation is somewhat different.

Could I take one example? The definition of personal information in PIPEDA is very broad. It's basically any information that can be identified with an individual, except name, business telephone number, and business address. That means, in some cases, a person may claim that a memo they signed in the course of their work is their personal information because it's information about them; they prepared the memo. Theoretically, that is possible under PIPEDA.

If you look at personal information in some of the other definitions, for example in B.C., there is a definition of work product information in section 1 that says:

“work product information” means information prepared or collected by an individual or group of individuals as a part of the individual's or group's responsibilities or activities related to the individual's or group's employment or business but does not include personal information about an individual who did not prepare or collect the personal information.

If you then look at the definition of personal information in the B.C. act, it does not include work product information. That solves that problem.

Another potential problem under PIPEDA is if a person gives an opinion about a second person. Under PIPEDA, that information is the personal information of both people--the person about whom an evaluation or opinion was given, and the person who gave the opinion. There is no direction as to whose information it is.

In the Alberta act, and also in the federal Privacy Act, by the way, there is a provision that a personal opinion about a third party is the third party's information. That is, if I give an opinion about someone's work performance, for example, I can't try to prevent that opinion from being given to that person by saying it's my personal information. Both the federal Privacy Act and the Alberta act say that an opinion about a third party is the third party's information. It settles the question.

There are breaches and there are breaches. Just last week, somebody e-mailed me and asked for somebody else's e-mail address, and I sent it to them. Technically I'm in violation of PIPEDA, but it's hardly a major infraction. It's something we all agree shouldn't have been personal information in the first place. I didn't really feel I was a felon.

There is going to be a lot of this type of thing on whether so-and-so got a piece of information he was entitled to. That might even be routine. I don't know what is achieved by disclosing that.

If you get into a major issue that might affect the public—and everybody remembers the personal banking information that got faxed to a junkyard in West Virginia—that is an egregious situation where disclosure might be justified, but I don't think it is a black and white thing. Employers have to live with millions of statutes. I mentioned some of them. I already mentioned the ones in the labour area. As you know, there are many other statutes in non-labour areas and there may be some situations—my colleagues, being lawyers, might know—where disclosure is required, but I don't think it's the normal practice.

My sense, in answer to your question, Mr. Laforest, would be this: is the public facing some harm? If there is some harm, the public should know there is a breach of the law that impacts them. Maybe there should be some public disclosure, but in routine breaches of the act, I wouldn't see any particular purpose being achieved by doing it.

Let me—

Could I answer that, because some information might be of use?

The Privacy Commissioner currently has a set of standards or policies with respect to disclosure of the name of a company that's breached the act. First of all, she does not normally disclose the name immediately because she wants to use that power with discretion and ask the company to correct what it's doing, change the way they're doing things, do better. If they comply with what they're being asked to do, fine, she will be satisfied, but if they don't, she has the authority to release their name publicly. I can tell you that is a huge power, because no one wants to shake the confidence of their customers in how they protect private information.

As you've suggested, if a company keeps breaching the act, the commissioner could certainly release it. The other time she has said she will release it, as her predecessor said as well, is if there were ongoing harm. If something were happening and the public needed to know right away so they could protect themselves, then she would release the name. There is a process in place as to when the name is released and under what circumstances.

I would like to answer. It is not a privilege, it is left to the discretion of the privacy commissioner. It is a process that she established, but it is up to her to decide if she will disclose or not. Most privacy commissioners do not publicize the names for the time being, but they can change their practise from one day to the next. It is their choice. These decisions are not good only for the company which is the subject of a complaint, but for all of us. For example, we chose those examples or decisions in order to provide guidance. These matters are rather indistinct.

Yes. These decisions guide us, they help us to know how to act. For example, until the commissioner made its ruling on e-mails and faxes, we believed, in our company, that e-mails were part of the addresses and faxes were part of the phone numbers. However, following this ruling, we changed our practice. This is left to her full discretion, it is not specified in the act.

You would have to put that question to her because it is her practice.