Evidence of meeting #27 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Yves Millette  Senior Vice-President, Quebec Affairs, Canadian Life and Health Insurance Association Inc.
Frank Zinatelli  Vice-President and Associate General Counsel, Canadian Life and Health Insurance Association Inc.
Dale Philp  Assistant Vice-President and Senior Counsel, Sun Life Financial, Canadian Life and Health Insurance Association Inc.
Michael Murphy  Executive Vice-President, Policy, Canadian Chamber of Commerce
David Elder  Vice-President, Regulatory Law, Bell Canada
Chris Gray  Policy Analyst, Canadian Chamber of Commerce

9:35 a.m.

Liberal

Sukh Dhaliwal Liberal Newton—North Delta, BC

So in your industry, the life insurance or the general insurance, what would you call a work-related product and what would you call personal information? How can we distinguish between personal and work-related information? Because everything that you collect probably falls into the work-related information then.

9:35 a.m.

Vice-President and Associate General Counsel, Canadian Life and Health Insurance Association Inc.

Frank Zinatelli

Actually, I am going to turn to my colleague Dale to talk about that point.

9:35 a.m.

Assistant Vice-President and Senior Counsel, Sun Life Financial, Canadian Life and Health Insurance Association Inc.

Dale Philp

It's in the group insurance world, and I'm going to refer to that frequently, unfortunately, but we collect claims information relating to individuals. The claims are processed and adjudicated internally. Insurers have quality assurance programs in place and review the internal audits of their employees to ensure that claims are being adjudicated properly and processes are being followed. For instance, the SOX audits might involve looking at personal information. I don't think they incorporate personal information into their work product, but there are other processes going on in the business that do not constitute or create a source of information that is not about that individual. It's about the employee who's adjudicating and processing the claim.

Another example might be succession planning in a business. Employees of insurance companies specifically are not caught by PIPEDA. I think generally across the industry the privacy rules are implemented for their employees as well. So employees might say this is personal information about themselves, but I would suggest that succession planning is more business information. It's not information about that individual employee, it's about business continuity. If that individual is not around, someone else will be there to step in.

So those are two examples.

9:40 a.m.

Liberal

Sukh Dhaliwal Liberal Newton—North Delta, BC

So every piece of information you collect is a work-related product--there's nothing personal?

9:40 a.m.

Assistant Vice-President and Senior Counsel, Sun Life Financial, Canadian Life and Health Insurance Association Inc.

Dale Philp

Every information--

9:40 a.m.

Liberal

Sukh Dhaliwal Liberal Newton—North Delta, BC

Yes, because you say it's not about that person, it's about that employee, right? It even comes down to group insurance.

9:40 a.m.

Assistant Vice-President and Senior Counsel, Sun Life Financial, Canadian Life and Health Insurance Association Inc.

Dale Philp

No, but the information, when it first comes in the door, is about the.... I guess I'm confusing the employee of the insurer and the employee of a group plan. It's all about that employee in a group plan. It's his name and the name of his dependants, his salary, the nature of the drug he's claiming for--that's his personal information.

On the insurer's side, there might be a review of how that claim information is processed, and it forms another source of information, but it's not about that. I was mixing up the two employees for you. I'm sorry.

All the information we collect in the first instance is definitely personal information.

9:40 a.m.

Liberal

Sukh Dhaliwal Liberal Newton—North Delta, BC

Okay.

My question is to the Chamber of Commerce. I've been a member of the Chamber of Commerce for many years. In the riding I represent, Newton—North Delta, all the businesses are either small or medium-sized businesses. I have never seen a letter or a seminar from the local chamber on PIPEDA or anything to do with the privacy legislation. Can you tell me what steps you are taking to inform businesses?

9:40 a.m.

Executive Vice-President, Policy, Canadian Chamber of Commerce

Michael Murphy

Sure. As I mentioned in my remarks, we have somewhere in the order of about 350 local chambers across the country that are our members, and they're everywhere in all the provinces and territories. As you can appreciate, when you get into the size of an organization like that, you have some pretty significant differences in the size of chambers as well. Some of them have a lot more capability than others.

One of the reasons we focused on this area is that in terms of some of the practical things we tried to do, we actually put information together for our members directly. We did a couple of rounds on this with respect to our members, both corporate and principally chamber, and through them our small business network across the country, to provide them with tools they could use to deal with the act.

We actually put model clauses, contractual clauses, together that we could have inserted into contractual arrangements they may have had with suppliers or customers. We also told them how to go about doing an audit of their own organizations. We also tried to give some basic information.

One of the great strengths of the organization is having access not only to companies like Mr. Elder's in our membership but to Sun Life and many other companies that are very actively engaged. We use some of our bigger members to help in the educational process with smaller members.

The only other thing I'd add is this, and this is not only true of this particular piece of legislation. There's never enough to do or there's never enough that's been done, and there's always more to do in terms of dealing with the small-business community. They have so many challenges, and they form the heart of our economy. You all know the numbers: 95% plus of businesses in Canada are small. They all have lots of challenges in terms of meeting day-to-day requirements. Our goal was to try to tell them through our network what they needed to know about this.

One of the great opportunities about coming here today, quite frankly, is that in the recent weeks we alerted our network that we were coming here. It will give us another chance to put another package together for our members, and we're going to do that.

It's been an effort. We'll never get all the way there.

We're also working with the Privacy Commissioner. She says there's a wonderful need here to keep educating on that side. We agree with that, and working with SMEs is going to continue to be a priority for us.

9:40 a.m.

Liberal

The Chair Liberal Tom Wappel

Thank you.

Monsieur Vincent.

9:40 a.m.

Bloc

Robert Vincent Bloc Shefford, QC

Thank you, Mr. Chairman.

You said earlier, Ms. Philp, that frauds and omissions are detected and that the identity of the organization or company at fault should not be revealed. What do you think of that? Should they be published, so that people across Canada can know that these people have not respected the Personal Information Protection and Electronic Documents Act?

9:45 a.m.

Assistant Vice-President and Senior Counsel, Sun Life Financial, Canadian Life and Health Insurance Association Inc.

Dale Philp

I've listened to the translation. I caught on to it late, unfortunately.

I think your question was this: Shouldn't people hear about companies that breach the Privacy Act and shouldn't they be named? Is that the gist of your question? I'm sorry.

9:45 a.m.

Bloc

Robert Vincent Bloc Shefford, QC

That’s it, yes.

9:45 a.m.

Assistant Vice-President and Senior Counsel, Sun Life Financial, Canadian Life and Health Insurance Association Inc.

Dale Philp

Okay.

I think there is a provision in PIPEDA that provides for the publication of a name. When it's in the public interest, that name would be disclosed.

I think that's an appropriate provision when it's found by the Privacy Commissioner—because I don't think she will act outside the limits of her discretion under that provision—that a company is flagrantly abusing the privacy provisions under PIPEDA and the public interest is threatened. Individual consumers are threatened by the breaches that continue by such a company.

I think the provisions in PIPEDA adequately cover the situation where she might make that name public. I don't think we're opposing that provision.

9:45 a.m.

Bloc

Robert Vincent Bloc Shefford, QC

What training are your employees given on protecting personal information?

In the case of group insurance, for example, in a factory with 1000 employees on whom you have personal information, how are your employees trained to keep the names of these people confidential?

9:45 a.m.

Assistant Vice-President and Senior Counsel, Sun Life Financial, Canadian Life and Health Insurance Association Inc.

Dale Philp

In the insurance area of the industry—and I'm speaking for all of the insurers—there are training programs in place in each of the institutions. I know that at least one member institution of the CLHIA has training in place on a yearly basis for all new employees. They go through a rigorous privacy module, a Breeze module training program. They're scored on how they do on that test, which is given yearly. Frequently privacy tips are left on the Intranet site. There's a business code of conduct that all employees are required to sign every year, which says they have to comply with privacy regulations and only use the personal information they need to do their jobs.

The insurers each have a privacy policy that their employees are bound to comply with. There are individual supplemental privacy processes in place for each area of the company in disability claims, health claims, underwriting, finance, and IT. They all have differing needs to see information and use it for their jobs. There is restricted access to help prevent unauthorized access to information they don't need across the company.

The employees who are adjudicating claims for those thousand group insurance employees are bound by this business code of conduct. They have regular training and their team leads are monitored. Their quality assurance involves continued inspecting or auditing of their compliance with privacy as well.

9:45 a.m.

Bloc

Robert Vincent Bloc Shefford, QC

Mr. Murphy, you are the president of the Canadian Chamber of Commerce. Do you think that in the case of companies with five or ten employees, the Government of Canada should provide the training, to ensure these people are aware of the Act? There are clients, individuals who deal with these people.

9:50 a.m.

Executive Vice-President, Policy, Canadian Chamber of Commerce

Michael Murphy

Mr. Chair, I'll answer the question this way. In terms of the importance of the issue and dealing with small and medium enterprises in Canada, particularly companies—as Mr. Vincent's question points out and I mentioned earlier—as small as five employees, they have lots of challenges.

Regarding the funding of training for companies across the country, I would say not. Through the Office of the Privacy Commissioner, what we have is an opportunity to think about doing a better job. We agree with her that together we can do a better job of getting useful information into the hands of small companies, and there are lots of ways we can do that.

Technology, for us.... Remembering that these companies are all over the country, not just in the big cities.... From our standpoint, we're only three years into a very difficult area with these enterprises that's not unique in terms of the only thing they're thinking about, as I said earlier.

So I wouldn't go so far as to say let's think about a major federal program to start sending people out into companies. I don't know whether you were going that far, but I would say that using the office of the commissioner to think about more outreach for SMEs would be constructive.

9:50 a.m.

Bloc

Robert Vincent Bloc Shefford, QC

Does your organization give information to the groups that it represents, that is, that there is an act concerning the protection of personal information and that they are subject to it? When they join your organization, do you talk to them about it? When they become employers, people do not receive a basic kit telling them all the acts they have to respect. Are you in a position to offer some training to members of the Canadian Chamber of Commerce?

9:50 a.m.

Executive Vice-President, Policy, Canadian Chamber of Commerce

Michael Murphy

Maybe it's just the use of the term “training” here in terms of how we would go about what we do. We have, I think, tools at our disposal, and one of them, as I mentioned earlier, is technology. Our members use our website quite a bit.

We were just talking about this the other day. We were talking about making sure that we continue on so many different files, because the federal government--where I spend my time--touches on all of our members in so many different ways. We're always thinking about the right way to convey important information to our members who are trying to cope with the day-to-day reality of running their business. And what we talk to them about is part of the overhead of running that business. So how do you get useful information into their hands? It's really a question of telling them that we have an office here, nationally, that we can work with, and we're not only happy to do it, we think it's the right vehicle. They should continue to work there and use our technology, including our website, to communicate directly. And, quite frankly, they should use our network, because we have this chamber network that makes us a bit unique in terms of being able to communicate at the grassroots level.

9:50 a.m.

Liberal

The Chair Liberal Tom Wappel

Merci, Monsieur Vincent.

The last questioner of the first round is Mr. Tilson, and then we'll go into the second round, starting with Mr. Pearson, followed by Mr. Stanton.

9:50 a.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

Thank you.

I'd like you to talk more about the international aspect the chamber had referred to. I think you didn't want to hinder the economy and transborder transactions, and I couldn't agree more. But there are an awful lot of international transactions that go on with the United States, and other countries around the world, all over the world with computers and outsourcing of information. It's quite remarkable how it's expanded, actually. I quite concur with your observation. We have international insurance companies, companies whose head offices are in other countries. I'm not knowledgeable about that, but there's no question that there are insurance companies that cross borderlines.

On the issue of notification, of course different countries have different laws. Many of the states have different laws about notification. We had some witnesses here on Monday or Tuesday, the bank people. They said that unless there was some reasonable evidence of fraudulent activity, there didn't need to be any notification. There was a story a couple of years ago or a year ago, about some faxes from a bank ending up in a scrapyard in West Virginia. You may recall that story. There were social insurance numbers, home addresses, phone numbers, etc., and detailed banking information. We had a story just a few days ago about a whole bunch of information that just got lost. There's no evidence that it was stolen or used. But again, it included the same detailed information. Then we had the case of HomeSense and Winners--and I'm not criticizing those people--in which information was stolen. Hackers got in.

So my question to you is whether you agree with that philosophy of the banks who say that unless there's evidence of fraudulent activity, people don't need to be notified, or whether you think we need to go further than that. I appreciate that to notify a million people, the postage alone would drive a company crazy. Could both groups comment on that issue?

9:55 a.m.

Vice-President, Regulatory Law, Bell Canada

David Elder

The banks are maybe in a slightly different position. Perhaps that's why they focused on fraud--because they're looking at people getting access to bank account information and then using that information.

9:55 a.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

No, we've got international companies, as in the story of Winners and HomeSense.

9:55 a.m.

Vice-President, Regulatory Law, Bell Canada

David Elder

Right. But again, that was a story about access to credit card information largely, that people's credit card information was exposed. So maybe that's the focus on fraud.

I would say that, for the purposes of a lot of businesses, that may be too narrow a definition. Part of the problem with having a mandatory breach notification is determining in which circumstances that notification has to occur. And one of the great strengths of the existing privacy framework in the legislation is its flexibility. I think that flexibility needs to be brought to bear in cases of material breaches of information. So first of all, I think the breach has to be material, in some way.