Information & Ethics Committee on Feb. 15th, 2007

Good morning. As mentioned, my name is Corinne Pohlmann. I am the director of national affairs for the Canadian Federation of Independent Business. With me today is our policy analyst, Lucie Charron, who will be supporting me through the question and answer period.

I have been in this position for about a year, and for the six years prior to that I was in Alberta as CFIB's director of provincial affairs. In my experience there I was involved in the implementation of the Personal Information Protection Act and saw its impacts on Alberta's small and medium-sized companies. In fact, until my departure about a year ago, I was a member of the ministerial advisory committee on Alberta's privacy act, providing feedback on how well SMEs were adapting to the legislation in that province.

First I'd like to share just a little bit about CFIB. We're a non-partisan, not-for-profit organization that's 100% funded by our 108,000 members, who are independently owned and operated small and medium-sized businesses from across the country. Our members come from all sectors of the economy, and they're found in all regions of the country.

You should have in front of you a slide deck. The first slide shows the profile of our members. You'll notice that our membership is a pretty good reflection of the general business population, which as you know is dominated by small and medium-sized companies.

The chart at the top of the next page illustrates the fact that more than 97% of Canadian businesses have fewer than 50 employees. These businesses represent approximately 45% of Canada's GDP and employ almost 60% of all Canadians. They also continue to create the bulk of new jobs in our economy.

As you can see on the next chart on that page, using Industry Canada findings, of the almost one million jobs that were created between 1993 and 2003, close to 80% were created by small firms, which they define as those with fewer than 100 employees.

Why do I show these to you? It's to emphasize the growing importance of SMEs and to encourage you to always think about how government decisions can impact this integral part of Canada's economy. What may seem trivial to a larger firm can be of great significance to a smaller firm. It can add more cost, confusion, and paperwork, thereby adding more stress for the average small business owner.

So what is top of mind for SMEs? The chart on the next page shows you the issues of highest priority for our members, which we collect on an ongoing basis, face-to-face, through a survey process. We then aggregate those results every six months. This information provides us with direction on which issues we need to take on as an organization.

I'd like to highlight the second highest issue of concern for Canada's SMEs: government regulations and paper burden. This really comes as no surprise when you realize that the cost of regulations tends to be much higher for smaller firms. As you'll notice in the smaller chart, this is illustrated quite well using both CFIB and OECD data. It has been supported by data out of Quebec and the United States that the smaller the firm, the higher the cost per employee to deal with regulations.

That is why we have been so pleased to see commitments being made by provincial governments such as British Columbia, Quebec, and Newfoundland and Labrador to tackle this issue and commit to measuring and reducing the regulatory and paperwork burden on business. More recently we were very pleased to see the federal government also make a commitment to a 20% reduction in the paperwork burden on business.

This leads me to the issue of PIPEDA. Our members in all provinces and territories without their own provincial law are expected to comply with PIPEDA when it comes to dealing with public and consumer information. You should know that we are not legal experts on the technical aspects of the law. Rather, we are here to provide you with some feedback on what we have learned about how SMEs have dealt with this legislation.

First, our members are consumers as well as business owners, so they're concerned about making sure their own personal information is protected. As a result, they are also conscious of protecting the privacy of their clients, customers, and employees.

As far back as 1996, we asked our members about the need for the federal government to introduce a national privacy legislation. Based on more than 10,000 responses, you will see on the top slide on the last page that our members supported the notion of a national law protecting personal information right across Canada. As a result of this finding, CFIB has never argued against the national law. In fact, we believe that for this law to be truly effective it must be adopted by SMEs across Canada. In order for that to happen, it cannot be complicated or onerous to comply with. So the focus of our work has been to ensure that the legislation is simple to understand and does not impose a significant burden on small businesses.

We do actually view PIPEDA as workable legislation from a small business perspective because it avoids prescriptive solutions and allows for flexibility in how businesses can respond to its requirements. The act understands that not every business manages huge amounts of personal information, and that the types of information can vary substantially from sector to sector, and from business to business.

We also like the balance it achieves between protecting consumers' interests while understanding that businesses need information to provide products and services. As mentioned, our members support national privacy legislation--after all, they are consumers too--but they're also business owners who may sometimes need to ask for personal information to be able to offer the public or its employees what they demand.

We also support the fact that it is a complaints-driven process. Regulations and paper burden can be stressful for small business owners, who tend to wear several hats in their business, from human resources to sales to marketing--you name it. It's usually the owner who's responsible for protecting personal information as well. We do believe that most are already doing what they can to protect personal information in their possession as a matter of good business practice. They may simply have not yet put it down on paper and formalized it.

Keeping the process complaints driven removes the level of stress for the SME owner who may otherwise fear being inspected or even fined if they've not complied to the exact letter of the law.

We also believe the ombudsman model works well. It is less intimidating for a small business owner to approach the commissioner's office to ask questions about their own privacy compliance issues.

Since its implementation on the broader private sector three years ago, CFIB has handled hundreds of calls from small business members across the country looking for direction on how to comply. To handle the questions, we've created a dedicated page on our website with links to where they can get more information. We've put together a handout summarizing their obligations, of which you have a sample in front of you. We also offer our members an online course for free on how to manage private information under PIPEDA.

While most calls came during the first phases of implementation in 2004, we continue to get inquiries on a regular basis. By far the most common calls we receive are questions on how to comply--specifically, how to put together a privacy policy for customers and for employees, and whether or not a template is available for them to use. We know a template was developed in Alberta and British Columbia specifically for SMEs, so we've been encouraging and we will continue to encourage the commissioner to consider producing something similar for PIPEDA.

Finally, you may be curious to know how well SMEs are complying with PIPEDA. While we do not have specific information for PIPEDA, we do have...members in Alberta who were asked this question in relation to the provincial legislation introduced at the same time.

On the last page you'll find a table of our findings, which were that most business members in that province, between 70% and 80%, were aware of the legislation, but far fewer had developed a formal privacy policy. The good news is that compliance is increasing, with 40% saying that they had a formal written policy in 2006, which is substantially higher than the 31% who said they had such a policy in 2005.

So what does all this mean? Well, at this point we do not see any need for substantial change to the act and request that PIPEDA be given more time so that SMEs can gain more experience with the law in its current form. Making changes at this early juncture could needlessly complicate the process and make it even more difficult for SMEs to comply. In other words, we believe more time is needed to really understand the full effect of this law on SMEs and consumers.

In the meantime, CFIB will continue to do what it can to help our members and the general small business population understand their obligations under the law.

Thank you.

Yes, it is the most recent, but we actually have a website we refer our members to that has more up-to-date information. We also refer them to the online course, which has also been updated.

Before I begin, I have to offer Mr. Cran's regrets. He was a victim of our snowstorm yesterday and was unable to get out of Vancouver.

My name is Margaret Ireland. I'm a member of the board of directors of the Consumers' Association of Canada.

We would like to thank you for inviting us to speak to your committee this morning.

The Consumers' Association of Canada is a 60-year-old, independent, not-for-profit, volunteer-based organization with a national office here in Ottawa and with provincial-territorial representatives. Our mandate is to inform and educate consumers on marketplace issues and to advocate for consumers with government and industry, and to work with government and industry to solve marketplace problems in beneficial ways.

At the time PIPEDA was enacted, we were only beginning to see the various ways that personal information could be mishandled or misused. Sufficient time has now passed to show us which types of improvements need to be made to the act. It's become quite obvious that theft of personal information from corporate data banks, specifically, is out of control. Voluntary guidelines have proven worse than useless, and the time has come to put some strict protection in place for Canadians, with some serious consequences for those who place consumers at risk. We believe the Office of the Privacy Commissioner should be given some real teeth. Regulations and penalties that are meaningful and rigorously implemented could make an enormous difference in the everyday lives of Canadian consumers.

It is time to move from voluntary guidelines for the protection of personal information to actual regulation designed to ensure that those entities collecting information have clear rules about what information they can ask for, what they can do with it, how long they can keep it, and what measures they must take to protect this information. This, together with stiff penalties for breaching these regulations and rules on notification of citizens when their information is compromised, will help reduce the disastrous consequences of identity theft.

Limiting the type of collectable information to the bare necessities is the first step. We have specific concerns about what type of information is collected from consumers and how this information is handled. We would also like to see limits on the length of time that corporations can keep this information and restrictions on sending it outside the country. There is very little reason for a company to keep, for example, a consumer's credit or debit card number in their computer system for extended periods of time unless they have an ongoing relationship that requires this.

In addition, we would like to be assured that the process, which is now ongoing, where all automated debit and credit card transaction records are obscured, is completed by the end of the year. We oppose sending Canadians' personal information, either financial or health information, outside this country. Removing this data from Canadian jurisdiction puts each of us at unnecessary risk, with no actual benefit to consumers.

In conclusion, I will be absolutely blunt. We do not believe that some commercial enterprises' right to collect a consumer's personal data for marketing purposes can be allowed to outweigh the rights of the consumer to be safe and secure in this day and age of international computer hacking, fraud, and identify theft. The only way to ensure that data are not hacked is not to have them available in the first place.

Thank you.

When it comes to PIPEDA, I think the biggest challenge they're facing is understanding what their obligations are. Most small businesses in Canada are not going to be handling huge amounts of personal information. Many of them don't necessarily always deal directly with the public, and so I think it gets a little complicated to understand what it is they need to do to comply.

The biggest question we always get is that they want to comply but they don't understand what they need to do. The irony is that most of them are probably doing it already. It just hasn't been formalized on a piece of paper, and that's the big challenge they face. So having some sort of tool that can help them understand how to put it down on that piece of paper to say, this is what you need to do to make sure you're protecting the public's information and your employee information.... Many of them are also calling on that, even though under PIPEDA most of them are not required to do so. I would say that's probably the biggest challenge they face.

No, we're not aware of any breaches. I would suggest that if a breach did occur, it would likely be because they weren't aware of what they were supposed to be doing in the first place to make sure. But I am not aware of any serious breaches at a small business.

That's a difficult question for me to answer. I don't have a legal or technical background in that respect. A lot of small business owners looking at how to protect personal information would probably think about it from the perspective of what they would want protected if it were their own information. I think that is how they would probably look at what they would decide to protect and what could probably not be protected as much. I think medical records and loan records and so forth need to be protected.

The other thing is that we had to build it so that it was national in scope; we had to make sure that it also underlined the fact that in some provinces there are medical information laws they have to comply with, and in other ones there aren't. We tried to make it a little more holistic in that respect as well--that it wasn't just PIPEDA, and there were responsibilities under other laws that might also implicate them with some provinces.

It think it would probably be best to keep it to a case-by-case situation. Defining a work product--I'm not 100% sure exactly what that means, to be honest with you, and I'm not so sure a business owner would know what it means. I think that would be part of the issue. Perhaps defining it a little bit better is not a bad thing to do, so that they can be more clear on the differentiation, but it gets complicated, because when you're a federally regulated company or a company in Alberta or B.C., you're dealing with different rules again.

Regarding the employee relationship and so on, we don't delve into that area. Our sole focus is consumers; we have a focus on the types of issues that affect consumers directly in their personal and private information.

I think I see what you're getting at. The health field in particular is a little different, because many people probably do disclose more information in that area than in any other aspect of their lives.

To a large extent I have enough faith in my own doctor that I still have a good view of the medical system. I have been comfortable personally with disclosing a fair amount of information, even though it may become part of his work product. I am relying on their ability to keep it confidential.

To this point we haven't seen a great number of difficulties with consumer information being breached in a medical situation. It hasn't been a huge issue related to the type of thing you see when a data bank is hacked and everybody's credit card numbers are stolen, or something like that; it seems to be a difficult type of scale.

Our only concern was the one specific instance in which medical information was sent out of the country from British Columbia. It was not properly handled.

Yes, and that is part of the reason we object to having personal information sent out of the country. As long as it is held within the country, it's subject to PIPEDA and other regulations, and we feel it's much easier to control the access.