Evidence of meeting #31 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was business.
A recording is available from Parliament.
9:35 a.m.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
And what if they don't? Any ideas?
Siberia, someone says.
Do I still have time, Mr. Chairman?
9:35 a.m.
Liberal
The Chair Liberal Tom Wappel
You have one minute, but Ms. Ireland may want to say something. In her opening remarks, she said there should be meaningful penalties.
9:35 a.m.
Director, Consumers' Association of Canada
We would like to see significant penalties in the case of a major breach. I'm thinking in terms of something like the Winners incident. I would go as high as saying that they must notify each individual customer, with penalties up to $100,000, escalating for each incident. Make it serious.
9:35 a.m.
Conservative
9:35 a.m.
Director, National Affairs, Canadian Federation of Independent Business
It would depend on how the breach occurred. I do believe that sometimes businesses are not aware of it, or may not have been the cause of it.
Imposing a $100,000 penalty on a small business--versus a large bank--would put them out of business. When you talk about levels of breaches, and the impacts on the business community, I think you have to be very careful when you start going down that road.
9:35 a.m.
Liberal
February 15th, 2007 / 9:35 a.m.
Liberal
Glen Pearson Liberal London North Centre, ON
Good morning, everyone.
My question relates to something in your presentation. In the business area, you asked whether the federal government should introduce national privacy legislation, and you have Alberta with 52% saying yes.
In the area below, you have the awareness of the need to protect personal information in Alberta. In 2005 it was 80%, and in 2006 it's 70%. It seems to me to be going the wrong way. Could you explain why that is, because we have heard often about the Alberta model. I'd just like to know that.
9:35 a.m.
Director, National Affairs, Canadian Federation of Independent Business
Yes. Part of it is that the question slightly changed. The question in 2005 was whether they were aware of their obligation to protect personal information. In 2006 it was whether they were aware of the Personal Information Protection Act, PIPA.
So I think the first instance is really that they know they have protected information. They may not know that there's an act related to it. I would suggest to you that it probably continues to be around the 80% mark in Alberta. So it's the slight difference in the wording of the question that we believe caused that blip-down.
9:35 a.m.
Liberal
Glen Pearson Liberal London North Centre, ON
All right, thank you.
When chambers of commerce were in here and we discussed with them earlier, they had done a lot on their website to make members aware of what was required under PIPEDA. I asked them what was happening in return, how they got the information in return from businesses as to how they felt about this. Do you know what I mean? It's not just your trying to provide direction and make people aware. Have they found it too onerous? What kind of mechanisms have you set up so that they can return information to you on how they feel about this?
9:40 a.m.
Director, National Affairs, Canadian Federation of Independent Business
We're a heavily survey-based organization. Really the only place we've surveyed is Alberta, but our other avenue is that we have counsellors across the country who deal with member inquiries on a daily basis. We have had probably thousands of calls over the course of the last three years from small businesses on this issue. I did go through a lot of those logs in preparation for this, and I would say, as I mentioned in my opening remarks, that the bulk of the calls came in 2004, with its implementation, when people were trying to understand what they had to do.
We continue to get calls, though, on a fairly regular basis. Now I would say 90% of those calls are about compliance and about how to write a privacy policy, essentially. They just want to understand what they need to do to put it down on paper and to make sure they're compliant with the law.
This is why I hesitate to put in prescriptive information, because then instead of thinking about what they need to do to really protect personal information--which is what the principle approach, I think, does--they'll just make sure that the privacy policy adheres to the specific rules that are put into the legislation and not necessarily think what they can do best in their firm. The principle approach allows them to think about how they can best deal with the information, and so we try to guide them through that process. When it becomes clear to us they have lots of personal information to protect, we suggest they see a consultant to help them put it together.
9:40 a.m.
Liberal
Glen Pearson Liberal London North Centre, ON
My final question is this. Mr. Dhaliwal asked you a question, and you responded to him by saying that you would prefer to see it handled on a case-by-case basis. We've had witnesses come before us and say that deciding everything on a case-by-case basis provides real uncertainty for future planning and other things. Can you make a comment on that?
9:40 a.m.
Director, National Affairs, Canadian Federation of Independent Business
I think it relates back to the fact that privacy policy is going to be different for every firm because every firm has a different amount of information that it's protecting. So to expect one size to fit all in this particular scenario, I think, is incorrect.
Our fear is that the bar is always put at the highest. So you create rules that'll fit the banks, but they ain't going to be fitting the small businesses. The flexibility of this particular legislation is what we like about it--the fact that it's a principle approach and it allows businesses to do what they think is best to reach the end goal, which is to protect personal information. We would like to see that continue going forward, because once it becomes more prescriptive, we fear that our members will be lost when it comes to doing it correctly.
9:40 a.m.
Liberal
Glen Pearson Liberal London North Centre, ON
Some of the contention we've seen at this committee is that small businesses would rather have it that way. Larger ones would rather have it--
9:40 a.m.
Director, National Affairs, Canadian Federation of Independent Business
Be more prescriptive.
9:40 a.m.
Liberal
9:40 a.m.
Conservative
Dave Van Kesteren Conservative Chatham-Kent—Essex, ON
Thank you all for coming. I'm so glad to see you. I've been a member of your organization since 1987 and still am. I can testify that you do a great service to small businesses.
I have to say that when I read what the act covers, it conjures up images of exactly what you talked about when I was running my dealership. We saw this sort of stuff. We said, oh gee, it's exactly like you said; that's all we need.
I'm looking at accountability, the access. We must appoint an internal privacy expert commissioner with knowledge. You're absolutely right, a small business is totally hampered by those things.
As we begin to examine this whole privacy commissioner issue, there appears to be—and I want you to make a comment on this—a dividing line. I'm speaking to the consumers as well. Many of the problems, and much of the seriousness of privacy, seem to concern the larger firms more. When I look at your chart and see the incredible numbers--and I am familiar with those numbers, but every time I see them again, I am astounded by them--that this is the engine of our country....
Am I right in assuming this, or can you make a comment? Is this something that has more to do with larger businesses, larger corporations, that would possibly abuse it? Is there the same danger for a small or medium-sized business?
Could both sides make a quick comment? Ms. Ireland, could you please comment as well?
9:40 a.m.
Director, National Affairs, Canadian Federation of Independent Business
My initial reaction is simply that a lot of small businesses know their customers personally. I think that makes a huge difference in terms of making sure they are protecting the people they know. This is their livelihood.
As you grow as a company, you may lose a bit of that. Therefore systems have to be put into place, and those sorts of potentials for abuse can happen. I think that's a big part of why you don't see breaches among smaller firms, because they're more aware of making sure they are protecting the people they know and rely on.
9:45 a.m.
Conservative
Dave Van Kesteren Conservative Chatham-Kent—Essex, ON
Ms. Ireland, are you as worried about small businesses as you are about larger ones? Am I right on this?
9:45 a.m.
Director, Consumers' Association of Canada
We agree with the general direction you're going in here. Usually the smaller businesses don't collect as much information. They don't have it as accessible to a computer hacker. Frequently they do know their customers.
As far as privacy breaches of small businesses are concerned, what we tend to see is one person's information being inadvertently let out in an inappropriate way, as opposed to some kind of massive thing, where credit cards are going all over the place, and so on.
So definitely small business is different. We are not seeing the same kinds of problems.
9:45 a.m.
Conservative
Dave Van Kesteren Conservative Chatham-Kent—Essex, ON
Obviously we're getting different testimony. There are two sides to this argument. There are those who say we should leave it the way it is. I'm wondering, can we make some adjustments that would allow consumers to feel a bit more comfortable, so that smaller businesses, the very engine of our industry, won't be hampered by that, and subsequently we won't suffer? As Bruce said a minute ago, all the things we ask business get passed down to the consumers, and so it results in higher costs.
9:45 a.m.
Director, Consumers' Association of Canada
We have not done any kind of survey, but what we are finding from the phone calls we receive is that very few consumers know anything about the act--that there is an act, that they can complain, and that there is an ombudsman they can go to. They have no idea, and this is an issue.
It's possible that if things were more widely known.... As the member over here said, surveys have suggested that many small businesses don't realize how the act applies to them or that there is an act, especially very tiny mom-and-pop outfits. This is an issue, and it's possible that more education may help toward solving this.
9:45 a.m.
Liberal
The Chair Liberal Tom Wappel
I don't know if it's a help or a hindrance, but I don't know how many legislators are fully aware of the impact of this legislation. I was around when we passed this, and boy, have I learned a lot about the implications of what we passed since I've been on this committee. So we're all in the same boat in trying to protect consumers, while at the same time recognizing there are so many problems.
Monsieur Ouellet, followed by Mr. Stanton.
9:45 a.m.
Bloc
Christian Ouellet Bloc Brome—Missisquoi, QC
Thank you.
Ms. Pohlmann, my question is directed to you because, if I understand correctly, you maintain that all of your information is based on a code of ethics, more or less. You say that people, particularly those working in small firms, pay attention to what they're doing.
On looking at your table, we see that 56 of the businesses that belong to your federation are one-person operations with no employees. That's a fairly large number. This means that they do not necessarily have help destroying their documents. It also means that they may dispose of these documents in bulk.
Even if we assume that small firms face a lower risk than large firms because many people can be affected by errors that occur in large firms, the fact remains that in small businesses -- and I know something about this area -- information is often passed on from one person to another.
Do you have some way of preventing information from getting passed along from person to person within small businesses? What happens is that people know and call one another, requesting information about a particular individual. Ultimately, information ends up in the hands of someone other than the person requesting it.
How would your code of ethics and the voluntary compliance measures you mention limit this transfer of information?
9:50 a.m.
Director, National Affairs, Canadian Federation of Independent Business
I don't think I talked about a code of ethics in terms of--