Evidence of meeting #27 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pipeda.
A recording is available from Parliament.
9:55 a.m.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
What about the situation where material is just lost? There was no evidence in the story recently that it was stolen or hacked into; it was just lost.
9:55 a.m.
Vice-President, Regulatory Law, Bell Canada
I guess the question is what was lost, how material was--
9:55 a.m.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
Oh, all kinds of things: clients' names, addresses, signatures, dates of birth, bank account numbers, beneficiary information, and social insurance numbers. It was just lost. They don't know where it went.
9:55 a.m.
Vice-President, Regulatory Law, Bell Canada
It's difficult to speak on behalf of all members. But I think when you have a breach where material information has been provided to third parties, including unknown third parties, and there is a risk that the information could be used for criminal purposes--for identity theft, for God knows what--then I think there should be a notification.
9:55 a.m.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
Let's just localize it to chambers of commerce. People go into stores and their names and credit card information are given. I have no idea what they do with it. Hopefully they're all honourable and they don't keep a record of my credit card information, my address, and my name. I'm obviously on mailing lists. I don't know how they get my name and address, and I'm not even suggesting it came from those people, but somehow I get them. What happens? How did we get on those mailing lists, and what other information do they have about us?
9:55 a.m.
Some hon. members
Oh, oh!
9:55 a.m.
Liberal
The Chair Liberal Tom Wappel
Mr. Tilson, I wonder if we could give the insurance industry an opportunity to answer your first question about breach notification, and then we could try to figure out how they get the names. But maybe we could give the insurance industry an opportunity to get in there.
9:55 a.m.
Vice-President and Associate General Counsel, Canadian Life and Health Insurance Association Inc.
Thank you, Mr. Chair.
I might be duplicating some of what my friends with the chamber said, but we believe it has to a risk-based approach. You have to look at whether you're dealing with an incident that has some materiality attached to it. I think you have to have some reasonable grounds to believe that the disclosure has in fact taken place. You're saying something went missing. Well, under what circumstances? Could it still be within the company somewhere and it hasn't gone out of the office? You have to make that determination.
And you have to look at whether there's a significant risk that the individuals whose information you're dealing with could suffer some harm from this. I think you do that by analyzing the sensitivity of the information, whether that information was encrypted and in what form, and by consulting with your regulators to ensure they're aware of the situation and to get some good advice from people who can look at this from perhaps a broader perspective than the company itself. You look at all those factors to determine whether notification should be made.
We discussed this morning that there are a number of guidelines being developed across the country. One of the advantages of not mandating very specific rules in this area is that you can develop guidelines that are similar, apply across the board across Canada, and retain that flexibility to deal with the variety of incidents you could have.
In your introduction to that question, you indicated there were different instances, different possible breaches, etc. They were all different in type, so I think you have to look at all those factors.
10 a.m.
Liberal
The Chair Liberal Tom Wappel
Thank you.
That was eight minutes, so we'll have to leave the interesting question of how we get on various lists to another round.
We'll go to Mr. Pearson, for five minutes.
10 a.m.
Liberal
Glen Pearson Liberal London North Centre, ON
Thank you.
My question is for Mr. Murphy, if you don't mind.
As a follow-up to Mr. Dhaliwal's question, I understood you have a communication challenge with having to communicate these aspects of PIPEDA to all these various businesses. I would like to look at the communication as it comes the other way. I realize you have to communicate, but if I had a business and I had five employees, for example, my head would be swimming with all this stuff. I don't necessarily have the legal background, and I don't have the legal resources to help me to understand it. I realize you're trying to give tool kits and other things.
I am interested, though, because they are important players in the economy and in the Canadian makeup. Did you provide a venue for information to come the other way? How did they feel about PIPEDA? Did they give insights or ideas as to how they thought it might be improved? I guess the second part to my question would be whether you honestly think they will be able to maintain the focus on PIPEDA and apply it properly, given all the other challenges they have to face.
10 a.m.
Executive Vice-President, Policy, Canadian Chamber of Commerce
Yes, it's a very good question, because it is part of the challenge of not only our organization, but all, in terms of dealing with a majority of the members of our group.
One of the good things about being at the chamber and being the policy guy is that I never have to wonder whether I'm going to get feedback from my members on a variety of issues. It's usually coming to me at a rapid rate. It's interesting that this is true regardless of the size of business. That's because of what I said earlier, in terms of the impact--and I'll just deal with the federal level, because that's where we deal at the Canadian Chamber--how much of the day-to-day activity of business government affects in so many ways.
We're not here to discuss the broad principle, but just with respect to this particular legislation--of course, we are just three years in when we're talking about most small companies--we did hear from members on this particular issue as we put information in their hands. We heard it in two ways: not only directly from some of those companies that we get to talk to, direct members of ours, but also through the local chamber network where many of these folks are members.
I won't get into the details of the variety of our communications vehicles, but we initiate feedback ourselves by holding calls with local chambers and others to actually have an opportunity to test the waters on various things that we've done. We put a package together on this particular piece of legislation, and we did that more than once, by the way, because there were different phasings here in terms of implementation. We tried to test the waters.
We don't overburden our members with surveys, the kinds of things where you would mail something out and say, “Could you fill this in, please”, but when we do--we try to do them maybe once or twice a year--we try to capture a bit of an omnibus approach. This is an area that we've tested in the past as well.
The feedback I got, quite frankly, was “You've given us useful tools.” One of the most useful was the contractual clauses that we actually were able to draft with some help from some of the legal members of the chamber, which was very useful stuff. We got very good feedback on that generally.
So is there more to get? There always is, absolutely.
10:05 a.m.
Conservative
Bruce Stanton Conservative Simcoe North, ON
Thank you, Mr. Chair.
Welcome to our panel here this morning. It's great to have you with us.
My question is directed to the Canadian life and health insurers. On this issue of fraud detection that you mentioned in your brief, the section you're referring to is paragraph 3(d) of the act, which talks in terms of your ability to essentially disclose, without knowledge or consent, personal information when you see that there might be a potential for fraud or a breach of covenant or a breach of agreement with an insured, in this case.
You talk in terms of there being a gap currently with PIPEDA. I suspect that pertains to the fact that there isn't the term “investigative body”. Are you saying that there is no investigative body to which you could, in fact, disclose?
I wonder if you could give us a practical example to illustrate what this gap is in terms of being able to investigate fraud.
10:05 a.m.
Assistant Vice-President and Senior Counsel, Sun Life Financial, Canadian Life and Health Insurance Association Inc.
It's a good question, and I'm happy to work through it with you.
If we step back, under PIPEDA we have the ability to collect and use without consent when we have reasonable grounds to believe it would be useful in the investigation of a contravention of law of Canada and the information is used or collected for the purpose of that investigation.
Then we move to subsection 7(3), which is disclosure without knowledge or consent, and in this section there is no ability for an insurance company to disclose to anyone other than to a government institution or an investigative body. And yes, you're correct, the life and health insurance companies do not have an investigative body.
The CBA has an investigative body. The Insurance Bureau of Canada may have an investigative body. But the life and health insurance industry does not.
10:05 a.m.
Conservative
Bruce Stanton Conservative Simcoe North, ON
Just on that point, what about a government institution, or part of a government institution--is there a department or a ministry that is in a position of oversight that could be used in this case?
10:05 a.m.
Assistant Vice-President and Senior Counsel, Sun Life Financial, Canadian Life and Health Insurance Association Inc.
For an investigation relating to fraud under a group members plan, there isn't. We have OSFI and we have the superintendents of insurance across the provinces.
Let me just give you an example of a situation where there might be employee fraud, not insurers' employee fraud but under an employer's benefit plan. The employer may have their health and dental insurance with one insurer and their disability with another insurer, and we have one plan member who defrauds both of these plans. The insurers cannot communicate. They can collect and use the information in their own plans to deal with this fraud, but they can't even communicate with the other insurer to say, “Look, we know we have a common plan sponsor here. Our employer is our client.” They have a rogue employee who's submitting fraudulent claims, and we cannot communicate with them about the identity of that individual. That's where we're stopped, whereas under B.C. and Alberta legislation, we would be allowed to share, for the purposes of investigation and to support and protect our common employer clients.
10:10 a.m.
Conservative
Bruce Stanton Conservative Simcoe North, ON
What do B.C. and Alberta have that specifically addresses that point?
10:10 a.m.
Assistant Vice-President and Senior Counsel, Sun Life Financial, Canadian Life and Health Insurance Association Inc.
Specifically, they have the ability to disclose without consent. I can give you the section numbers. In Alberta, it's paragraph 20(m). They can disclose the information where it's reasonable for the purposes of an investigation or a legal proceeding. The similar section in B.C. is paragraph 18(1)(c). In contrast, in PIPEDA we're restricted; we have to share with an investigative body.
And then I think somebody the other day, in the submissions by the banks, made a submission that even investigative bodies can't communicate with each other. So it's just a clear little gap.
10:10 a.m.
Conservative
10:10 a.m.
Conservative
Bruce Stanton Conservative Simcoe North, ON
That was clear--always very straight to the point. Thank you.
10:10 a.m.
Liberal
The Chair Liberal Tom Wappel
Just on that point, Ms. Philp, if you have a husband and wife, and each of them has a different employee plan, and let's say there's a dental claim, and the husband puts in a dental claim. You know on our form there's a question “Are you covered by some other insurance company, yes or no?” Suppose the husband puts in “No” and the wife puts in the claim for her husband. Same claim, two different insurance companies. There's no way those insurance companies can know--or can there be? I'm asking the question, is there a way for those two separate insurance companies to figure out that the same claim has been put forward and paid twice?
10:10 a.m.
Assistant Vice-President and Senior Counsel, Sun Life Financial, Canadian Life and Health Insurance Association Inc.
That's a great example of a situation where we cannot communicate. We cannot say “We have Joe Smith, and we know that Irene, his wife, has a plan under the insurer across the street, and we think that the same claim is being submitted under both plans.”
Ultimately, it catches up, and we'll work with that person under our plan and say, “Sorry, you're covered under another one.” We'll work through it indirectly.
