Evidence of meeting #31 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Corinne Pohlmann  Director, National Affairs, Canadian Federation of Independent Business
Margaret Anne Ireland  Director, Consumers' Association of Canada

February 15th, 2007 / 9:20 a.m.

Bloc

Robert Vincent Bloc Shefford, QC

Thank you, Mr. Chairman.

My question is for Ms. Pohlmann. Mention was made earlier of business products. I see that you mention personal information such as age, weight, marital status, disciplinary measures and credit history.

In your opinion, could personal information of the nature stated in your document be considered a business product?

Do you not have that document?

9:20 a.m.

Director, National Affairs, Canadian Federation of Independent Business

Corinne Pohlmann

I don't. I had turned everything over to the clerk. I'm sorry.

9:25 a.m.

Bloc

Robert Vincent Bloc Shefford, QC

I understand. However, what do you consider to be a business product?

9:25 a.m.

Director, National Affairs, Canadian Federation of Independent Business

Corinne Pohlmann

To my mind, a business product is primarily a person's work address, the employee's e-mail address that is given to the employer. This is information that the company has about the employee, details that are part of his work.

Most SMEs do not use a great deal of information. Occasionally, retailers use information about credit cards, but systems already have ways of protecting this information.

I'm not very familiar with work-related information. I'm not clear as to what details are important in terms of the regulations.

9:25 a.m.

Bloc

Robert Vincent Bloc Shefford, QC

You mentioned retailers. That surprises me, because according to a fact-finding report released in 2006, out of a total of 64 retailers working via the Internet, virtually none was aware of the requirements under the act.

Would you care to venture an opinion on the subject? You said that you had given a short course. What did this involve in terms of training members of your association?

9:25 a.m.

Director, National Affairs, Canadian Federation of Independent Business

Corinne Pohlmann

It would be easier for me to answer that question in English.

The course itself is really just an overview of PIPEDA and what their responsibilities are under PIPEDA. So it would essentially take the rules and regulations under PIPEDA, what they need to do to build a template, and what they need to understand in order to protect their clients' information.

It doesn't really get into much more detail than that. It's meant to be a way for them to get an introduction to privacy information and what they need to do to protect it. It's also meant to give them an idea of whether they're holding information that's considered very personal, versus what's not as personal. Also if they have personal information of a more important stature, then perhaps they need to get some help on how to protect it.

So we're not telling them how to do this. We're basically showing them the guidelines and what they need to do to take the next steps.

9:25 a.m.

Bloc

Robert Vincent Bloc Shefford, QC

When these people want to destroy personal information that has been in their possession for several years, do they proceed in any particular way? Do the companies with whom you are involved have a specific way of destroying these documents, or do they simply throw them out with the trash, or some such thing? Are special steps taken to destroy this type of document?

Businesses also trade lists of members or employees as well as personal information. Are you aware of any businesses that do this?

9:25 a.m.

Director, National Affairs, Canadian Federation of Independent Business

Corinne Pohlmann

Within our own organization?

9:25 a.m.

Bloc

Robert Vincent Bloc Shefford, QC

Yes.

9:25 a.m.

Director, National Affairs, Canadian Federation of Independent Business

Corinne Pohlmann

Yes. Our organization has a privacy policy. It's on our website. When we no longer need business information in records and databases, it is destroyed.

We give our policy to our members who ask how to build a privacy policy. This is the type of information we collect as an organization and this is what we do to protect information. We use it as an example for our members.

9:25 a.m.

Bloc

Robert Vincent Bloc Shefford, QC

How do you go about destroying these documents?

9:25 a.m.

Director, National Affairs, Canadian Federation of Independent Business

Corinne Pohlmann

It would be shredding the files. If anything is in the database, it would basically be cleared and destroyed.

9:25 a.m.

Bloc

Robert Vincent Bloc Shefford, QC

I see, because we've seen where people have placed documents like this in boxes that have then been thrown in trash bins. It is quite common for small businesses not to give much thought to protecting people's personal information.

You're not aware of similar things happening? You know what happens in your organization, but you're not aware of what other members of your association might be doing.

Do you have any recommendations to make to us today concerning the protection of personal information?

9:30 a.m.

Director, National Affairs, Canadian Federation of Independent Business

Corinne Pohlmann

We believe the current regulation, as it exists, hasn't had the time to really be implemented. We would like to see it fully take effect so that SMEs are complying with it 100%. I think it has taken some time to get off the ground.

I believe SMEs don't like prescriptive regulations, because generally speaking it's difficult for them to comply. The more restrictive a rule becomes, the more difficult it is to get them to comply. Giving a principle approach allows them to decide for themselves the best way to deal with consumer information.

I'd like to remind you once more that our members are also consumers. They believe it's important to have national privacy legislation. They will try to do the best they can to protect that information. I think the approach you're taking now is a more effective approach in helping them comply with protecting personal information. Trying to be more restrictive will just cause more confusion and fear.

9:30 a.m.

Liberal

The Chair Liberal Tom Wappel

We'll go to Mr. Tilson, followed by round two, beginning with Mr. Pearson.

9:30 a.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

Thank you, Mr. Chairman.

I'd like to ask a question. It has been suggested by some witnesses that there should be an amendment that would require you to notify your public of a breach. Either last year or the year before, a whole bunch of information was found in some scrap yard in the southern states. Then we had the Winners situation a number of weeks ago. CIBC lost the data of 470,000 people, which included client names, addresses, signatures, dates of birth, bank account numbers, beneficiary information, and/or social insurance numbers.

A story came out this morning on the news. I don't know what's in the press, but it was on the television. It said that CIBC--I think it was CIBC, one of the banks--was sending out new credit cards to everyone, but they weren't saying why. Why was that? Was that as a result of the loss of all this information?

I understand business. Whether it be the big banks or individual businesses, the cost of notification would be unbelievable. On the one side, I understand that dilemma. On the other side of the coin, people want to know. They want to know whether someone has their social insurance number, or their names even.

Could both sets of witnesses comment on that? My specific question is whether notification of a breach should be a requirement.

9:30 a.m.

Director, Consumers' Association of Canada

Margaret Anne Ireland

Actually, I believe the incident you're referring to involves the Bank of Montreal. We've been receiving phone calls over the last few days. For instance, some people got a letter, were told to phone, and weren't able to get through on the phone. Some showed up someplace to use their credit card and were told the credit card was no longer valid. Or because so many people had received cards in the mail, when they tried to phone in to activate their cards, the lines were busy.

So we've received a number of phone calls over the last few days about this. It is something we're very concerned about. It's very difficult for consumers now to keep track of who has what information and where it might be.

If a security breach happens and someone gets your credit card number or your social security number, you may not know for months and months. By then untold damage can be done. In the case of identity theft, you're looking at a destroyed credit rating or an inability to get a mortgage. In some cases, a credit rating can affect employment, because some employers do check your credit rating before they hire you.

9:35 a.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

Should the bill be amended to make it mandatory for customers or the public to be notified of any form of breach, whether it be--

9:35 a.m.

Director, Consumers' Association of Canada

9:35 a.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

The banks, or I think at least the banking people--I hope I'm not misquoting people--have come across and said, you know, if there's a suggestion of fraud, we'll notify.

Now, that's a pretty vague statement, but that's what they've said.

9:35 a.m.

Director, Consumers' Association of Canada

Margaret Anne Ireland

We absolutely believe that notification should be mandatory. It would be nice if they would also explain to these people why they're changing their credit cards. No one has been told why; it has just been, here you go, you're getting a new card. And of course this raises all kinds of suspicion in people's minds, which is part of the reason we're getting the phone calls.

Speaking personally, two years ago the Bank of Montreal did the same thing to me. They phoned and told me they were sending me a new card, and not to use the one I had. When I asked why, they said they couldn't tell me. Even when I said again that I wanted to know, they said they couldn't tell me.

9:35 a.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

Okay. I want to hear what the CFIB thinks about this.

9:35 a.m.

Director, National Affairs, Canadian Federation of Independent Business

Corinne Pohlmann

I do believe that actually having people report when there is a breach is important when there's a risk associated with the information that's been breached. I think businesses should be required to let their customers know if there has been a major breach in terms of the information that has gone out--for instance, if it includes credit card information, SIN numbers, medical records, all those types of thing. But I would think that there are probably different levels of breaches, and I would suspect that sometimes a breach can be fairly minor, and won't have a huge impact on the public.

The other side of this, and one where I can see the business community and I think our members having some concerns, is the fact that they may not even be aware of why the breach occurred. It could have been something that was stolen from them, for instance, or wasn't really their fault.

Those are the situations where it becomes difficult and where perhaps there is a responsibility, I believe, to notify those that have been affected by it. At the same time--

9:35 a.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

Should there be an amendment to the legislation?

9:35 a.m.

Director, National Affairs, Canadian Federation of Independent Business

Corinne Pohlmann

I think it would depend on the level of breach. If it's a breach where there's a risk to the consumer, then yes, I think they should be required to report--