Evidence of meeting #33 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session.

Also speaking

Jennifer Stoddart  Privacy Commissioner, Office of the Privacy Commissioner of Canada
Heather Black  Assistant Commissioner (PIPEDA), Office of the Privacy Commissioner of Canada

9:05 a.m.

The Chair Liberal Tom Wappel

I'd like to call the meeting to order, please.

I wish to apologize to our witnesses and to my colleagues for being late. I was misinformed as to the room number, and then when I called the committee room there was no answer to the telephone, so I apologize.

We welcome today, for meeting number 33, from the Office of the Privacy Commissioner, Jennifer Stoddart, Privacy Commissioner, and Heather Black, assistant commissioner, who were kind enough to give us even more reading material before their appearance. Thank you for that.

We'll start with an opening statement, one presumes, from the commissioner.

Welcome.

9:05 a.m.

Jennifer Stoddart Privacy Commissioner, Office of the Privacy Commissioner of Canada

Thank you very much, Mr. Chairman and committee members.

You have met Assistant Commissioner Heather Black, who has been here before and will present part of our position this morning.

We previously sent you the reading material that the chairman just referred to. We did this in an attempt to make reference materials organized and easy for you to consult.

I don't have a prepared opening statement. I'll simply remind you of our position, which we have tried to summarize for you in a way that I hope you found useful. It's on the second, unnumbered page, opposite the table of contents.

The summary is on the page across from the table of contents, right at the beginning, on the right-hand side.

You can see a summary of our position in both English and French. There, we include suggestions on amendments to the legislation, as well as state the points we believe require no recommendation.

Just to summarize very quickly, you've heard many witnesses, from most walks of life in Canadian society. You've seen a wide variety of opinions. Some of them are radically opposite one from the other.

In our presentation, we're going to try to advise you on the reform of the law in a way that is both privacy-protective and takes into account wherever possible any consensus or any reasonable position that we could move to, given some of the diametrically opposed positions on these issues.

Let me begin, at the bottom of the first group of bullets, with the changes we would recommend you make in your report on possible PIPEDA modification.

Cooperation with other enforcement authorities is extremely important in a globalized world. The drafters of PIPEDA did a good job in ensuring my ability to cooperate fully with the provinces. For greater certainty on this, we would suggest that you extend that.

The duty to notify possible victims about data breach has emerged in the last few months in a very critical way. I am suggesting, honourable members, that your committee suggest there be a compulsory duty to notify about any violations in the security within which personal information is kept on behalf of Canadians.

I have some material on that. You'll see that we did a résumé in appendix 6. There's an overview of existing American data breach laws that can inspire you as to what would be the composite elements of a duty to notify.

Another practical issue that has arisen is the omission from PIPEDA of the disclosure of personal information before the transfer of businesses. This is known colloquially as due diligence. This is simply an omission. We suggest that you move to have this modified.

We have given as an example, in appendix 2 in your binder, the Alberta model, which we think is a reasonable model to follow.

Again, on the same level of omissions from PIPEDA, we think you could widen the public interest exceptions to consent in cases of emergency, such things as accident victims, dental records being required to identify after death, humanitarian grounds, and elder abuse, which was brought up by the banks, and so on.

To the notion of attempted collection without consent, we should add the notion of wilfulness. The Federal Court states that if an attempt is made to collect an employee's personal information, but the attempt is not successful, the legislation does not apply. So that notion of wilfulness needs to be included.

Lastly, when it comes to the thorny issue of national security, in section 7(1), our position is and has always been that PIPEDA should keep the form it had before the amendments brought to it in 2004 by the Public Safety Act. PIPEDA should return to its previous provisions, under which companies did not become agents of the state for the purposes of collecting personal information in order to provide it to security authorities.

Heather Black will go on to talk about the other three suggestions we make to you for legal reform.

9:10 a.m.

Heather Black Assistant Commissioner (PIPEDA), Office of the Privacy Commissioner of Canada

Moving right along to the employer-employee relationship, it has become clear to us over the past six years that the consent model doesn't work very well in that context. We would propose that you consider the wording from the Alberta law, which establishes a reasonableness test, and temper it with the added notion of dignity of the person, from the Quebec law.

While we say that the consent model doesn't work very well, we are still concerned about the imbalance of power between employers and employees. We always need to consider that things employers are trying to do may not always sit very well with employees.

Business contact information is a relatively simple fix. There's already an exception to personal information. We would suggest it be broadened somewhat to include all business contact information, but that the exception be limited to the purposes of contacting an individual in their business capacity.

Solicitor-client privilege for us is a huge issue, as a result of decisions by the Federal Court. Individuals under PIPEDA have a right of access to their personal information. There are exceptions to that right of access. One of those exceptions is that the information is privileged.

We are not suggesting that privileged information be turned over to individuals. What we would like to be able to do is see that information, to ensure that the privilege is correctly being invoked. That's a very narrow focus, and it's all we're really asking for.

9:10 a.m.

Jennifer Stoddart Privacy Commissioner, Office of the Privacy Commissioner of Canada

Thank you.

I would then like to move down to the areas where we're not recommending any changes and briefly explain to you why.

On the issue of the commissioner's powers, I maintain my position that this is not the time, given all the upheaval in the Office of the Privacy Commissioner and given the fact that we are one of the agents of Parliament and closely linked to other agents of Parliament legislatively, to do a wholesale change in the office.

The act, as it is presently constituted, has a number of powers. We've not had time to use all of them, so I would recommend the status quo on that.

You heard that the process of designating investigative bodies is seen by many as long and cumbersome. I'm not in a position to deny that it is. But I think the opposite—having no regulation and no approval process for investigative bodies—means that we have an open season for self-appointed detective agencies, spy agencies, and so on. It's a very good thing that the federal government has some process for regulating these: they would be operating until somebody made a complaint or somehow they came to our attention, which is very difficult in a country as large as Canada.

Blanket consent has not really been an issue at all, so we suggest we simply pass on that one.

Heather, could you talk about work product and our position on that?

9:15 a.m.

Heather Black Assistant Commissioner (PIPEDA), Office of the Privacy Commissioner of Canada

You've heard a lot about work product. Our experience indicates that in many cases work product is not essentially personal information. There are some circumstances where something that appears on the face of it to be work product could be personal information, in that it reveals something about the individual.

We are recommending that we continue to operate the way we have in the past, which is to say that we look at these things on a case-by-case basis.

You may have more questions about work product, but that's essentially our position now.

9:15 a.m.

Jennifer Stoddart Privacy Commissioner, Office of the Privacy Commissioner of Canada

Thank you.

Just to conclude, the issue of transborder flows of personal information is an issue that in our opinion we can deal with through the law as it stands and through contractual provisions in the private sector. I refer you to my first request, that we reinforce our ability to cooperate with other entities throughout the world.

Finally, I'd conclude with something that is not in PIPEDA but I think is a huge problem, and I took the liberty of addressing to this committee, Mr. Chairman, a copy of the letter I sent to Mr. Bernier on the issue of spam. I believe this has been distributed to you. I'm taking this opportunity, as you are the committee that deals with privacy matters, to remind you of how serious this problem is, how privacy-invasive it is.

The fact that we are the only G8 country not to have any legislation against spam is very worrying. I would encourage you to focus on the issue.

Mr. Chairman, that concludes our remarks. We would be pleased to answer any questions by committee members.

9:15 a.m.

The Chair Liberal Tom Wappel

Thank you very much.

I'm sure there will be a few.

We'll start with Mr. Peterson for seven minutes.

9:15 a.m.

Jim Peterson Liberal Willowdale, ON

Thank you.

We received a very detailed submission from IMS on the work product issue, with precise wording as to what we should put into it. Could you just tell me why you disagree with what they're suggesting?

9:15 a.m.

Jennifer Stoddart Privacy Commissioner, Office of the Privacy Commissioner of Canada

The law, as it is and as it has been interpreted, already distinguishes work product on the basis that it isn't personal information. So we are concerned that there's no reason to carve out for any particular constituency any type of personal information at this time.

Secondly, we're concerned, as you will see in the appendix that we submitted to this committee, that any kind of carve-out has an indirect effect on surveillance issues.

We're also concerned that if the members think of legislating in terms of work product, they take into account the context in which this particular amendment is requested, the particular industry that this request is involved in, and the legislative initiatives in other provinces that call, for example, in one province, for the consent of those whose work product it is.

That I think is a résumé of why we think it's inappropriate to proceed at this time with that.

9:15 a.m.

Jim Peterson Liberal Willowdale, ON

What is this provincial legislation you're talking about?

9:15 a.m.

Jennifer Stoddart Privacy Commissioner, Office of the Privacy Commissioner of Canada

I'm referring specifically to the Quebec modification of its law in order to accurately capture work product--and this is summarized, honourable member, very briefly in 11 and in our appendix--in Quebec. And because, quite frankly, we're only talking in this case about prescribing habits, those whose prescribing habits would be captured are given, number one, the opportunity to be consulted, and secondly, the opportunity to opt out, neither of which are in this recommendation. I also point to the other provinces' particular experience, for instance, B.C. where there is a ban on collecting this type of information--

9:20 a.m.

Jim Peterson Liberal Willowdale, ON

But that comes through other legislation, doesn't it, as opposed to their access and privacy laws?

9:20 a.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

9:20 a.m.

Jim Peterson Liberal Willowdale, ON

Our role is to deal with access and privacy. If there are other laws in place that say we don't want this information going to drug salespersons, that's not our business, is it?

9:20 a.m.

Jennifer Stoddart Privacy Commissioner, Office of the Privacy Commissioner of Canada

I think it is, honourable member, because you don't have a wide, shall we say, request for this kind of amendment. It doesn't seem to touch a huge variety of sectors. It seems to be focused. So I submit to you that, given that focus, you have to look at the context and the different laws that apply to have a result in various jurisdictions.

9:20 a.m.

Jim Peterson Liberal Willowdale, ON

I don't think we should deal with the distribution of medical information through the privacy laws. Isn't that the responsibility of provinces and not of the federal government?

9:20 a.m.

Jennifer Stoddart Privacy Commissioner, Office of the Privacy Commissioner of Canada

Well, part of PIPEDA regulates de facto the personal information in the hands of doctors. Because part of medical information is in fact commercial information, and increasingly so, PIPEDA does have that effect and has since its inception, as I understand it.

9:20 a.m.

Jim Peterson Liberal Willowdale, ON

I'm not sure I can agree with you, Commissioner.

Let me go on to your duty to notify. You are now proposing to us a compulsory duty to notify of all breaches?

9:20 a.m.

Jennifer Stoddart Privacy Commissioner, Office of the Privacy Commissioner of Canada

Of all significant breaches.

9:20 a.m.

Jim Peterson Liberal Willowdale, ON

And how do we define “significant”?

9:20 a.m.

Jennifer Stoddart Privacy Commissioner, Office of the Privacy Commissioner of Canada

That's something that we tried to provide as much material as possible for you. We did the survey of the American experience, so it's there for you and for eventual drafters of, we hope, this change.

Clearly, we don't want the public alarmed with something that is not significant, something that is lost and found from one person maybe the next day. There has to be, I think, some threshold that it is significant, highly likely to cause harm.

9:20 a.m.

Jim Peterson Liberal Willowdale, ON

You're aware of the fact that a number of groups, particularly one that the Canadian Chamber of Commerce is involved in, are looking at guidelines that would assist us in this area? Are you working with them on these guidelines?

9:20 a.m.

Jennifer Stoddart Privacy Commissioner, Office of the Privacy Commissioner of Canada

Yes, my office is working with them on these guidelines. I've spoken to representatives of the private sector, and I believe we're meeting with them in the month of March.

9:20 a.m.

Jim Peterson Liberal Willowdale, ON

If your amendment went through, these guidelines would be attempting to define what “significant” means?

9:20 a.m.

Jennifer Stoddart Privacy Commissioner, Office of the Privacy Commissioner of Canada

First of all, it would depend on the sequencing of a possible amendment and guidelines. Clearly, we'll work to guidelines as soon as possible, because I think businesses are interested in guidelines. The Canadian public would feel more reassured by guidelines.

If the legislation were to pass rapidly, then I think eventual guidelines would become much more functional and have an interpretive value, depending on what would be adopted as legislation.