Evidence of meeting #33 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Jennifer Stoddart  Privacy Commissioner, Office of the Privacy Commissioner of Canada
Heather Black  Assistant Commissioner (PIPEDA), Office of the Privacy Commissioner of Canada

9:40 a.m.

NDP

Paul Dewar NDP Ottawa Centre, ON

It was not with her.

9:40 a.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Thank you, Mr. Chairman.

Of course anything dealing with personal information, its circulation, and the permission for it to circulate according to the laws of Canada is an important part of privacy. I refer the honourable member, Mr. Dewar, to the letter I wrote him trying to explain this.

To clarify my position, I'll say that in general we have to consider that the birthdate of somebody is key identifying information. In our society it is used in a way that unlocks the door to a lot of important personal information, so it should only be used very sparingly and when absolutely necessary. That's my position, and that's the philosophy that inspires my position on PIPEDA and any other advice that I would give the committee.

9:40 a.m.

Liberal

The Chair Liberal Tom Wappel

Can we get to PIPEDA, then, Mr. Dewar?

9:40 a.m.

NDP

Paul Dewar NDP Ottawa Centre, ON

I think we did, and thank you to our witness for doing that.

I just want to get back to the duty to notify. In terms of your point 12, you talk about duty to notify and say, “We strongly encourage the Committee to recommend amending the Act to include a breach notification provision.” Our party supports that very strongly. We know that this provision and what you're recommending here exist in 32 states. We know that approximately three million Canadians have had their credit cards compromised--I'll use that word--with no financial loss in some cases, but with no notification. I'm hearing from constituents, and I hear generally from my colleague Mr. Martin, who's been following this, that it's a real issue when people find out something happened and they weren't aware of it because of the failure to notify.

Could you expand a little bit on why this is important, and why you say you're strongly encouraged? I would say we should have it, but just give us a little bit more on the importance of having this provision and this change.

9:40 a.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

The events of the last few months, which I think most of the honourable members would have followed, suggest very strongly that this would be an important addition to the law, so that there is no hesitation on the part of companies and organizations holding personal information on behalf of Canadians that when this happens, they do have to take positive steps to notify them and to make them aware and to take action to prevent identity theft.

There was a reputable study done in the United States about the link between data breach and identity theft, because that's always the question: how do we know that data breaches are linked eventually to some harm, because many of them aren't? The study suggested that 5% of those people whose personal information has been obtained because of a data breach would be subject to identity theft. I find that very interesting. If people say that a data breach does not necessarily mean that something is going to happen to you, it would seem from this study that it will happen to 5% of the people. So if you have a breach of the personal information of 100,000 Canadians, then this would suggest that 5,000 of them are going to have serious issues with fraud, identity theft, or the same.

That's a very recent study and that finding is significant. That's why I'm asking this committee to move to make this mandatory, so that we'll have increased attention on the part of organizations to the security in which they keep personal information and then to their duty to act swiftly and appropriately to help people take the right steps to monitor their personal information and their credit cards and even in some cases their mortgages, their land holdings, so that they'll at least be aware. If you don't know that you've been a victim of a data breach, you may not be paying special attention. How many of us have time to read all our credit card statements in detail and so on? I think that's true of many Canadians in their busy lives.

I think this is an important public measure. I have more suggestions for the contents of data breach notification, given our research, and I'd be very happy to help the committee if you were to decide to move in this direction.

9:45 a.m.

Liberal

The Chair Liberal Tom Wappel

Thank you, Mr. Dewar.

Thank you, Madam Commissioner.

Mr. Wallace.

9:45 a.m.

Conservative

Mike Wallace Conservative Burlington, ON

Thank you, Commissioner, for being here today.

I just want to say, on behalf of the whole committee, we appreciate the book you provided us with and the list.

I have a couple of really quick questions first and then I want to focus in on the duty to notify.

Are these things that you've provided us listed by priority?

9:45 a.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Not necessarily, honourable member. We've tried to put them in an order that is compatible to the order in which we presented them, for easy reading and reference.

9:45 a.m.

Conservative

Mike Wallace Conservative Burlington, ON

Okay, thank you.

Have you done a financial analysis of how much this would cost us if you get everything you want?

9:45 a.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Cost the taxpayers?

9:45 a.m.

Conservative

Mike Wallace Conservative Burlington, ON

Yes, because you'd probably ask for more money, would you not?

9:45 a.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Possibly the only area that would be affected would be the duty to notify because--

9:45 a.m.

Conservative

Mike Wallace Conservative Burlington, ON

Okay. Could you provide us with that information, based on any analysis you've done, within the next couple of weeks?

9:45 a.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

We certainly could.

9:45 a.m.

Conservative

Mike Wallace Conservative Burlington, ON

Thank you.

Before I make some comments that I want to make to the whole committee in my time, I have a question on the duty to notify. You actually have that power in a sense now with the current legislation. Can you force an organization to publicize?

I got a letter from my company recently that one of my mutual funds got lost or something, and I saw the letter and I threw it out. Where does your power lie now on the duty-to-notify issue?

9:45 a.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

We consider that it's part of the duty to provide security for the safeguard of personal information, and then our powers are the normal powers that we have.

9:45 a.m.

Conservative

Mike Wallace Conservative Burlington, ON

Of the recent episodes that we've had in the newspaper, whether it was a local retail facility or a credit card, or in my case with my mutual fund, was your office involved in encouraging those individual organizations to notify their customers?

9:45 a.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Yes, it was. The organizations got in touch with us, and this has been the practice over the years. Major organizations have a close relationship with the office, and when there is a problem, as far as we know, they usually notify us. We don't know about situations when they don't notify us.

9:45 a.m.

Conservative

Mike Wallace Conservative Burlington, ON

So in practice it's been a pretty good process, as far as you know.

9:45 a.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Yes. What we don't know and what I can't provide you any hard facts on is what we're notified about and what we're not notified about and how quickly we're notified.

9:45 a.m.

Conservative

Mike Wallace Conservative Burlington, ON

I'm sorry I'm rushing, but I only have seven minutes and I have lots of questions.

Do you have an opinion on how you define what is notification? Is that a newspaper article or a direct letter to customers? Do you have that?

9:45 a.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

9:45 a.m.

Conservative

Mike Wallace Conservative Burlington, ON

You've provided an overview on each page, and I've read it. It's very good. I didn't actually agree with everything.

Is there a reason you didn't provide actual wording changes to the act?

9:45 a.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Yes, because we think that is the job of drafters.

9:45 a.m.

Conservative

Mike Wallace Conservative Burlington, ON

Okay, I appreciate that.

What my suggestion to committee will be at the end of this.... We've heard from you right from the beginning, and at first you came and said basically the legislation is working. We heard from a number of private sector groups. It's only been around for the private sector for a couple of years. I personally think we're a little bit premature in reviewing this, so I'll give you a chance to comment on that. The other thing is we've not heard about a lot of changes from you, and then you provided these, some changes, based probably on testimony and issues.

The other piece is I'm interested in giving the minister an opportunity to have a look at what's been before us. So I'm going to be recommending to the committee that we ask the staff, the researchers, to do an interim report that we're able to provide to the minister before he appears before us--it happens to be a he--so that he can respond to issues, similar to what you've basically done here.

One, do you think that's an appropriate approach? And two, the legislation is only two years old and it may take a little longer for us to be able to review it properly. I want to know how you feel about the two-year issue.