Information & Ethics Committee on Feb. 1st, 2007

No. We have made a change. It will be Mr. Zinatelli.

Thank you, Mr. Chairman and members of the committee.

I would like to thank the committee very much for giving us this opportunity to contribute to your review of the Personal Information Protection and Electronic Documents Act.

My name is, as indicated, Frank Zinatelli, and I am vice-president and associate general counsel of the Canadian Life and Health Insurance Association Inc., CLHIA.

I'd like to begin by saying a word or two about my colleagues who are seated with me at the table.

Dale Philp is assistant vice-president and senior counsel with Sun Life Financial, where she focuses on products and distribution group insurance issues. She is deeply involved with privacy issues in the life and health insurance industry, both within her own company and as chair of the CLHIA's privacy committee, where industry issues of common interest relating to the protection of personal information are discussed.

Yves Millette is the CLHIA's senior vice-president, Quebec affairs. Mr. Millette's lengthy experience in Quebec matters affecting our industry has given him a good familiarity with Quebec's privacy legislation. And of course, as you know, Quebec was the first Canadian jurisdiction to introduce private sector privacy legislation.

We welcome this opportunity to make constructive contributions to the committee as you seek to develop your report to Parliament on this sensitive, complex, and vitally important area.

With your permission, Chairman, we would like to make a few introductory comments. Together with Ms. Philp and Mr. Millette, we will provide the committee with the industry's views pertaining to the PIPEDA review.

By way of background, the CLHIA represents life and health insurance companies accounting for 99% of the life and health insurance in force across Canada. The industry protects about 24 million Canadians and some 20 million people internationally.

For over 100 years, Canada's life and health insurers have been handling the personal information of Canadians. The very nature of the insurance product requires that a large portion of the information exchanged between companies and their clients is personal in nature, and protecting its confidentiality has long been recognized by the industry as an absolute necessity for maintaining access to such information.

Indeed, our industry would not have survived if it were not able to have the trust placed in it by Canadians. Correspondingly, chairman, life and health insurers have taken a leadership role in developing standards and practices for the proper stewardship of personal information.

In 1980 we adopted right-to-privacy guidelines which represented, as far as I know, the first privacy code to be adopted by any industry group in Canada. Those guidelines served the industry and its customers well for 23 years, until they were superseded by personal information protection statutes across Canada in 2004.

In 1991 the industry included a provision in its consumer code of ethics which requires members to respect the privacy of individuals by using personal information only for the purposes authorized, and not revealing it to any unauthorized person.

And a commitment to this provision, by the way, is one of the requirements for membership in the CLHIA.

The committee should also be aware that the life and health insurance industry participated actively in the development of personal information protection rules across Canada such as, for example, Quebec's private sector privacy legislation in 1994.

The CSA model code is now schedule 1 of PIPEDA. The development of PIPEDA itself.... We worked also on the personal information protection acts of Alberta and B.C. and of course on the health information legislation in Alberta, Saskatchewan, Manitoba, and Ontario.

I will now turn it over to my colleague, Dale Philp, to continue our remarks.

Thank you, Frank.

Thank you, Mr. Chairman and members of the committee. I would like to provide you with a brief background in the next few minutes to the various issues that we have discussed in part IV of the CLHIA's written submission.

Life and health insurers operate on a national basis and deal with a very large number of Canadians, as Frank indicated. In addition, Canadian insurers also carry on their business operations internationally in locations including the U.S., China, India, and the U.K. The operations of life and health insurers cover a variety of personal situations, including financial planning for a potential death, the processing of a disability claim, reimbursing the costs of prescription drugs and other health care expenses, and administration of savings plans or employer pension plans.

These insurance, pension, group benefit operations involve thousands of transactions each day. As these transactions vary in nature, so do the insurers' needs for personal information. We believe a brief description of the parties and individuals involved in our life and health insurance industry might be helpful as context for our issues.

In the group environment, the insurer may insure the benefit plan or only administer an employer's group benefit plan or group pension plan. That's where the employer self-insures its plan.

As well in the group environment, the players then involve the employer, the employee, the employee's dependants, which would be spouse or children, and of course the insurer. It also involves a possible third-party administrator who's retained by the employer to help administer premium payments, etc., and also likely a consultant or advisor to help the employer decide on what should go in their benefit plan.

In the individual insurance world, the players would include the individual policyholder; perhaps a life insured, different from the policy holder; an adviser; and the insurer. In all types of life insurance--individual, group, or pensions--there are also beneficiaries. So you can appreciate the different types of information that would be required to be collected from each of those individual players in the insurance world.

As for the type of information we collect and use under an individual life insurance policy, detailed medical and financial information may be collected when the individual applies for insurance. This is then used to assess the applicant's eligibility for coverage. That file, then, may be relatively dormant for several decades until a death occurs and then a claim is made. In contrast, under most group employee benefit plans, whether insured or just administered by insurers, the insurer is required to collect a small amount of personal information initially, such as name, date of birth, beneficiary designation, and dependents' names. Additional information is collected when a claim actually occurs for the cost of a prescription drug or at the time of a disability, for example. At that time, sufficient additional information must be collected and used to process the claim.

In contrast to the banks, national or international organizations that are provincially regulated are required to contend with an array of privacy legislation across Canada. A transaction that involves the transfer of information from an individual or organization subject to one protective regime--for example, a physician complying with Alberta's Health Information Act--to an individual or organization subject to a different regime, such as an insurer subject to Quebec's private sector legislation or to PIPEDA, will have to meet the requirements of both regimes with respect to consent to disclose under one and consent to collect and use under the other. An employee resident in B.C. may expect that B.C. privacy legislation will apply, but if her employer is located in Ottawa and the insurer processes claims in Toronto, PIPEDA will apply.

In this environment a lack of clarity, gaps, overlaps, or inconsistencies in the legislation can create confusion and unnecessary administrative complexity for life and health insurers, and confusion for their customers. We believe that the coordination or harmonization of the provisions of PIPEDA with privacy legislation at the provincial level would help to avoid such confusion for consumers, organizations, and regulators alike. To appropriately balance the need to protect information privacy with the need to conduct efficient commercial activities, such as providing life and insurance products to Canadians, it is essential that harmonization be given high priority.

While the life and health insurance industry's experience during the three years it has been subject to PIPEDA has been that the current rules are generally workable, a large portion of our specific comments in part 4 of our submission fall under the category of harmonization, with a view to making the provisions under PIPEDA “more practical and more predictable”, to use the words of the Privacy Commissioner.

One of those specific comments relates to the detection and deterrence of fraud. The impact of fraudulent and deceptive conduct on insurance and other financial services can be extremely costly and damaging. Efforts to minimize them are essential. Fraudulent and deceptive conduct can involve a small number of consumers, service providers, and other parties not directly involved with the contract.

Our efforts to control the incidence of fraud in our industry are not in conflict with our protection of personal information, but the current provisions need to be adjusted to make our efforts work better. Specifically, there is a gap in PIPEDA that restricts our ability to disclose information without the consent of an individual for the purpose of conducting an investigation into a breach of an agreement or a law of Canada.

It is the industry's view that instead of, or in addition to, a system of investigative bodies, PIPEDA should be amended to adopt the model used in both Alberta and B.C.'s PIPAs, which allow collection, use, and disclosure of personal information without consent for the purpose of an investigation. In this way, the range of acceptable circumstances as to when personal information can be collected, used, and disclosed during an investigation can be more clearly set out and understood by all parties.

Thank you, Mr. Chairman. I was in fact about to close and hand over the reins, so I'm sorry.

No. My intervention will be quite short. I will develop only one point, concerning the situation in Quebec.

Thank you very much.

Another topic of importance, for the industry, relates to the provisions on individuals’ right to access information that concerns them. It is clear that they must have the right to access it, to determine the use being made of it and, if necessary, to correct any inaccurate information.

However, experience shows us more and more cases where access rights are used for purposes that the legislature could never have thought of when the Act was promulgated. Increasingly, companies are receiving detailed, identical access requests, most likely prepared by lawyers, that seem to be “fishing expeditions” to obtain information that would not otherwise be available except through the process of discovery, as it should be.

At present, Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector includes a provision covering this type of situation. The second paragraph of section 39 of the Quebec act stipulates that:

39. A person carrying on an enterprise may refuse to communicate personal information to the person it concerns where disclosure of the information would be likely to: (2) affect judicial proceedings in which either person has an interest.

Under this provision, it must be clear that the legal proceeding would be instituted in light of the facts at issue. The industry recommends that the Quebec precedent be used to amend the Canadian act in a similar fashion.

Thank you.

It's section 39, the second paragraph.

Thank you, Mr. Chairman and honourable members. It's a pleasure to be here.

My name is Michael Murphy, and I'm executive vice-president, policy, with the Canadian Chamber. Also appearing with me today is Chris Gray, who's a policy analyst with us at the chamber, along with David Elder, who's vice-president, regulatory law, with Bell Canada--a chamber member. Importantly, Mr. Elder is also Bell's privacy ombudsman.

As an advocate for Canadian businesses, the Canadian Chamber of Commerce speaks on behalf of a network of 350 chambers of commerce and other business associations representing over 170,000 member businesses.

The chamber is pleased to provide its input on the five-year statutory review of the act. Since PIPEDA was enacted, we have worked closely with our members, local chambers, and boards of trade to ensure that businesses of all sizes understand their roles and responsibilities under the act.

The majority of our members have been subjected to complying with the act since only 2004. We communicate with our members regarding their obligations through a variety of vehicles, and we are always considering how we can continue to better educate all businesses, particularly small and medium enterprises.

To assist our members with PIPEDA, the chamber developed a privacy policy template, modelled contractual clauses, and informed them on how to conduct a privacy audit.

My remarks today will be based on our submission to the commissioner's consultation on the act last fall. We've met with the Privacy Commissioner's office on a number of occasions since the legislation came into force, and we've brought additional copies of that particular submission for your reference today.

In general, the Canadian Chamber of Commerce’s position on the review of the PIPEDA, the Personal Information Protection and Electronic Documents Act, is similar to the one that other business organizations, such as ITAC and the CMA, expressed to you during previous meetings. The protection of privacy and personal information is a primordial issue for consumers and companies. It is particularly important nowadays because of new technologies that increase the risk that personal information will be compromised.

The adoption of best practices for the protection of personal information is an element of sound business management. A company that uses effective practices in this area increases consumer confidence, and both benefit. From the trade and industry perspective, the Act functions well and requires no amendments at this time. Moreover, most of the industrial sectors and individual companies have just started working within the current framework.

Both business and the Privacy Commissioner's office have demonstrated a solid cooperative working relationship. The structure of the act allows for an effective and workable balance between the interests of protecting an individual's personal information and allowing for business to operate effectively.

In addition, there is a flexibility built into the act that is an important factor in allowing industry to efficiently respond to any privacy issues. PIPEDA, as it currently exists, also has relatively low associated costs and a very efficient complaint mechanism. By maintaining technological neutrality, this legislation also transcends technology change.

I'd now like to turn it over to Mr. Elder to get into some more specific comments from the chamber's perspective that we believe members should consider when discussing the principles of the act.

David.

Thank you, Mike.

The Canadian Chamber and its members believe that Canadian privacy legislation should continue to strike the correct balance between the privacy rights of individuals and the legitimate needs of business to collect and disclose customer information. The flexibility built into PIPEDA has been very beneficial to consumers and business alike during the five years since its implementation.

With regard to the Privacy Commissioner's order-making powers, the current ombudsman model provides an effective manner, in our view, in which to best protect an individual's need for privacy and at the same time address the interests of businesses. This mechanism for resolving privacy issues is critical for consumers, and it is cost-effective. Implementation of an order-making process would require a complete review and overhaul of the role of the Office of the Privacy Commissioner and the Federal Court. Since any such orders would be subject to appeals, this could potentially result in a less timely resolution of issues.

In 2004, under the existing ombudsman model, the OPC increased its emphasis on settling complaints, settling 45% of them without a formal investigation. Changes to the current ombudsman model could significantly adversely impact the ability of the OPC to effect such early settlement. The current model provides the commissioner with a wide range of powers, including complaint investigation and audit powers.

Turning now to the issue of duty to notify, in the Canadian Chamber's view, the current model, again, is operating successfully. I would note that there already exist significant reputational, financial, and legal incentives for businesses to notify customers when there have been serious breaches. Moreover, we believe that the OPC already has the tools to require notification where circumstances warrant it.

Instituting a duty to notify could create a more adversarial relationship between business and the OPC. In addition, imposing a duty to notify on every potential breach could well do a disservice to the very consumers it is meant to protect. This kind of requirement could result in a flood of notices being sent to consumers, desensitizing them to the gravity of a truly serious privacy breach. I believe we've seen this occurring in the U.S.

Given this, the Canadian Chamber does not believe that mandatory breach notification is necessary in the legislation. We would encourage businesses to continue to work closely with the Privacy Commissioner's office in order to identify breaches and to notify those who could be affected by a possible breach in privacy. This flexibility enables notice where appropriate in the circumstances, with no adverse impact on consumers.

I'd also like to note that it would be beneficial for the Canadian Chamber and other business associations to develop a best practices set of guidelines that could be used when breaches in privacy occur. To that end, business groups, including the Canadian Chamber, ITAC, the CMA, and others, are currently developing breach notification guidelines in conjunction with the Office of the Privacy Commissioner. Details on these best practices guidelines should be available later this spring.

With regard to the power to name names, the Canadian Chamber believes that reputation is key for business, and therefore the naming power that currently exists with PIPEDA should not be used lightly. Any proposed changes to the Privacy Commissioner's powers in this regard would represent a fundamental shift in the structure of PIPEDA and would be opposed by the Canadian Chamber.

Take the retail sector, for instance. It is extremely competitive, which is good for consumers, but the naming of names could do serious damage to a company's brand, damage that would possibly be wholly disproportionate to the severity of the breach. Therefore, this power should be reserved for those parties who demonstrate a clear pattern of non-compliance.

If there were to be a routine naming of names, it would not help the relationship between business and the OPC. The Privacy Commissioner herself has stated that she does not require naming powers nor desire them. Most cases can be adequately mediated between business and the OPC.

Given this, it is essential that businesses in all sectors are educated about PIPEDA and their responsibilities as businesses in handling personal information. There needs to be a good balance between enforcement of the law and ensuring businesses, especially small and medium-sized businesses, have a good understanding of PIPEDA so that inadvertent infractions are minimized.

On the issue of transborder data flow, international data flow is an economic reality, and any restrictions on this flow could hinder Canada's competitiveness in the global economy. Companies understand that their business reputations are on the line, and they do not take that responsibility lightly. They remain accountable when information is transferred to a third party for processing.

Policy consistency is essential for efficient transborder data flow, as was illustrated in the APEC privacy framework and the security and prosperity partnership initiatives. The accountability principle that is built into PIPEDA is an effective means of ensuring that Canadian businesses communicate their privacy practices to the public in an open and transparent manner. The accountability principle also requires businesses to enter into contractual agreements with any third-party providers, regardless of where the third party is located. This provides an added level of protection to consumers.

Mike.

Thanks, David.

I'll just wrap up, Mr. Chair, with a quick overview of our conclusions today.

The first one is that there be no changes made to the act at this time and that the commissioner be given the additional time—she talked about five years—she has requested to work with the current act.

Ensure a proper balance is maintained so that the interests of both consumers and businesses are considered.

Maintain the current ombudsman model to effectively protect privacy. With this model in place, mandatory privacy breach notification is not required.

Make no changes to the commissioner's powers with regard to naming power.

Do not place restrictions on transborder data flow that could impede trade and competitiveness.

And we recommend that the Privacy Commissioner's office and other business groups continue to play a strong leadership role in educating and informing firms—and particularly here, small and medium-sized enterprises—and individuals of their rights and obligations under the act.

Thank you, Mr. Chair, for the opportunity to be here today.

Thank you, Chairman.

With respect to breach notification, our position is that there should be a risk-based approach to when notification should be made. In that regard, one looks at the circumstances of the particular breach to determine whether a breach has in fact occurred and whether the event requires notification. In doing that, certainly in the financial services industry, one notifies the Privacy Commissioner; one also notifies our financial regulators to bring them into the picture; and one looks at the particular circumstances of the information that may be exposed.

For example, you do a risk assessment. You determine whether that information can be accessed. If it's in a disk and it's encrypted in such a way that your forensic consultants tell you that the risk is really, really minute, then in consultation with the Privacy Commissioner and in consultation with the financial regulator, you can determine, you can assess whether you should reach out or not.

So we believe that's an approach that works.

I'll just comment briefly, and I'll ask Mr. Elder to jump in if he would like.

We mention in our brief that we and some other groups are working with the Privacy Commissioner on guidelines in this particular area, and I think, importantly, there are going to be lots of sources of input for that. Clearly, the work that's already going on elsewhere in Canada, in particular with other agencies, the ones you mentioned in B.C. and Ontario, can be one of those inputs.

David, I don't know if you want to add to that.

First of all, I'd confess that I'm not personally familiar with the breach notification tools that you have. There are certainly things that are being looked at within organizations.

It is, and we'll certainly take that into account.

With respect to your question about uniformity, certainly I think we are in favour of a generally harmonized approach. Obviously this doesn't mean that anything that any province does we want to see rolled out across the country.

It reminds me a bit of what my mother used to say: If they jumped off a bridge, would you want to too? So I think we will certainly have a hard look at the guidelines put out by those provinces as part of our ongoing efforts with the Privacy Commissioner of Canada to develop federal level privacy breach guidelines.

Thank you.

In fact, if you look at our submission, a number of the changes we recommend are aimed at bringing PIPEDA in line with what has been put in place, if you like, in the third generation privacy legislation that is in place in B.C. and Alberta. As I indicated earlier, Quebec was the first one, in 1994, then PIPEDA in 2001. For our sector, though, it started in 2004. That's when the act began applying to us. But since then Alberta and B.C. have developed what PIPEDA had put in place. So our suggestion is that you look at those newer provisions where perhaps more thought has gone into it, given time and given the experience that they saw from PIPEDA.

One of the areas Dale spoke about is adjusting the provisions dealing with fraud and defining investigation in such a way so that it brings clarity to what the rules are for everybody, because I must confess, I looked at section 7 of PIPEDA, and it's pretty complicated stuff to get your head around. So that's one area.

Another area where the provinces are third generation again is in the area of access. They've gone on to clarify some of the rules in that area, and we have those again in our submission.

Another area that has been talked about and I know this committee has heard about before is when there is a sale of assets or of a business and the purchaser, in doing the due diligence, needs to look at personal information contained by the buyer. So there are provisions in B.C. and Alberta in this regard that may be useful for this committee to look at to determine whether they should be included in PIPEDA, for the purpose of making that area clear.

Another area, and again you've heard about this one, is looking at the B.C. model for their definition of work product and considering whether that should be included in PIPEDA as well.