Evidence of meeting #45 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was problem.
A recording is available from Parliament.
10 a.m.
Liberal
Sukh Dhaliwal Liberal Newton—North Delta, BC
In your opinion, should we have something like that? Would the clearing house in the U.S. that you mentioned help?
10 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes, I think that's one of the possibilities. And you don't have to have either a task force or a clearing house. Presumably one of the roles of the task force is to document all this. How does it happen? What are the problems from different perspectives? Who can bring remedies? It's not just a criminal law issue; it's also a civil law issue, it's an issue across Canada enforced by the provinces, and so on.
So I think you need some combination of a study group and somebody who's going to run a central depository of information and analyze the information in order to capture the trends and suggest the solutions.
10 a.m.
Conservative
The Vice-Chair Conservative David Tilson
I have two questions before we proceed to Mr. Stanton.
First, what role can your commission play?
10 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
I've tried to briefly indicate the role that we have. We've done a lot of ongoing education on personal information protection. We do investigation of cases relating to it. I mentioned the cases having to do with unsolicited credit cards arriving in the mail with your name on it. I think that practice has been virtually eliminated because of the problems it obviously posed to one's own personal information. We are concerned with convenience cheques. We have had quite a few discussions with the Canadian Bankers Association about convenience cheques, again arriving in your mailbox, where they can be stolen, in the wrong mailbox, and so on.
All the standards that we enforce through our complaints system—I say “enforce” because we enforce them on a consensus basis—have to do with the more secure storage and protection of personal information. That goes to inadequate shredding, inadequate disposal, updating lists, who has access to your personal information among companies or within the Canadian government.
10 a.m.
Conservative
The Vice-Chair Conservative David Tilson
The second question is perhaps to Ms. Campbell, as to whether she has any jurisdictions that the Canadian government should look at to model either new sections of the Criminal Code or the tightening up of existing sections of the Criminal Code.
10 a.m.
Senior Legal Counsel, Office of the Privacy Commissioner of Canada
That's a good question. We probably should look to Commonwealth countries because of the similarities in our judicial systems. But it's a new problem internationally. I think what we're seeing here is its emergence as a criminal problem because of the value of personal information as a commodity.
There are not a lot of examples out there. It's a good idea to talk with our international counterparts to see what they're doing. Many are establishing task forces, as the U.S. is doing, and developing and considering criminal sanctions, civil sanctions. So it is a good idea to consult with them, to make sure that if we end up doing international agreements we're on the same page.
10 a.m.
Conservative
Bruce Stanton Conservative Simcoe North, ON
Thank you, Mr. Chair.
Thank you to our panel, again, this morning.
I have a whole bunch of different questions. This is obviously the first testimony that we've heard on this topic, so it's a real eye-opener in some ways.
One of the things that I was quite intrigued with early on...and just as a point of background, when we decided to engage in this topic, we initially considered that we wouldn't be that interested in the criminal side of it so much. I see by your presentation here today that in fact it very much encompasses that, because one part of the toolbox is going to be the criminal side, if you will.
Actually, the chair jumped on a question that I wanted to spend a bit of time with as well, and maybe I'll build on that.
In terms of that toolbox, your office will be part of that. We've already spent some time on PIPEDA. I wonder if you could continue on along the same lines. I noticed that in your remarks you talked about some additional measures that could be taken in the Privacy Act. What other things do you see your office providing in terms of leadership and moving this forward?
10 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Thank you for that question.
I think making sure that the information rights of Canadians are up to date is clearly part of that general picture. That's why I'm happy this committee, as I understand, is thinking of moving to the issue of the reform of the Privacy Act, which is the basic law governing the relationship between Canadians and the federal government in terms of the personal information the government holds for them and on their behalf. I've pointed out several times that this is inadequate, so that's certainly one thing that can be done.
As you probably know, my office now has a more extensive audit program of federal government agencies to make sure they are holding personal information appropriately, that the databases are not likely to be hacked into, that there are appropriate safeguards in place to prevent employees, as unfortunately could happen from time to time, selling this information. We regularly investigate, it seems, laptops here or there that are stolen or forgotten. You can read our past annual reports. There's a history of that. I think there have been fewer recently, which is a good sign.
In terms of the federal government, I think our presence and our role helps to maintain a higher standard of information security and confidentiality within the federal government.
10:05 a.m.
Conservative
Bruce Stanton Conservative Simcoe North, ON
I have one other brief question.
On the global picture, you had some references to the task force in which the U.S. is involved. Do you know of anything that's happening at an international level, for example at the UN? Because of digital technology, there's a real flattening there. These issues can crop up not just in North America but on the other side of the world.
Is there any coordination at the international level?
10:05 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
I'll ask Steve Johnston if he can tell you about it, because he coordinates the technological issues. He follows that internationally for us. There's certainly a London action spam plan, but you're asking about international initiatives.
10:05 a.m.
Senior Security and Technology Advisor, Office of the Privacy Commissioner of Canada
I'm not aware of anything dealing specifically with identity theft. I know there are efforts under way under the OECD to deal with cross-border enforcement of privacy law. That is going to be a huge issue, considering how easily personal information can be moved across borders. It involves harmonization of legislation, putting in place agreements between law enforcement agencies to enable mutual assistance, and so on.
The commissioner alluded to the London action plan, which is an international group dealing specifically with the spam problem. It consists of members of the OECD, the European Union, and other groups. Because spam is one mechanism used to deliver phishing attacks, Trojan horses used to collect personal information, etc., it will have an indirect benefit in solving the identity theft problem. It's just one piece of a large puzzle.
May 8th, 2007 / 10:05 a.m.
Bloc
Robert Vincent Bloc Shefford, QC
Thank you, Mr. Chairman.
Welcome, Ms. Stoddart. You talked a little earlier, but I just understood that it was the responsibility of Industry Canada.
What was it? Industry Canada should conduct a study on the measures that we can adopt or not adopt. Is that it? Can you tell me a little more about that? I only understood that passage, because some segments were in French and others in English. What was the Industry Canada study about?
10:05 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
It was in response to the question by your colleague Mr. Dhaliwal. Who could conduct such an initiative to coordinate the fight against identity theft? I talked about Justice Canada, but I'm also suggesting that you start a dialogue with Industry Canada representatives.
Industry Canada had the Personal Information Protection and Electronic Documents Act drafted. Industry Canada has a lot of expertise in the field. Industry Canada heads Canada's delegation to the OECD and to the group working on the implementation of transborder measures on the protection of personal information.
I don't know whether they're appearing before you, but they have a lot of expertise in this field.
10:10 a.m.
Bloc
Robert Vincent Bloc Shefford, QC
That's a happy coincidence, because I'm a member of the Standing Committee on Industry, Science and Technology, and we're preparing the upcoming meetings today. I'll take care of that.
Let's talk about another sector. You also mentioned thefts of unshredded documents from containers. You were pleased that the idea of raising personal protection standards had been talked about in Edmonton. What should we amend in the act or what measures should be taken to prevent people from finding documents containing personal information in garbage cans or elsewhere? I don't want to talk about giving people a little more education or making them more aware of their responsibilities; those are passive measures. We can say that the speed limit on the highway is 100 km/hr and that, if you drive at 150 km/hr, there will be consequences. It's the same thing here. We're saying that documents containing personal information should be shredded, but, if we find them in the garbage can, what do we do? Do we rap the person who is at fault on the knuckles and tell him not to do it again? Is there a more aggressive measure that we can implement to make people aware that the confidentiality of personal information is important. To that end, what measures should be taken with regard to these businesses or these people who lose our personal documents.
10:10 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Various statutes on the protection of personal information apply to businesses. In addition, penalties can generally be imposed, in accordance with those statutes, if we show that harm has been caused. One of the current problems is that there is no statutory system of fines for having done something.
10:10 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
I'm telling you that, for example, the federal act does not provide for a system of fines. You have to prove damage has been caused. That's part of the problem of defining identity theft. Throwing away information without shredding it isn't, in itself, something for which you should be directly punished. If one of the federal or provincial commissioners heard about the incident, he would intervene in order to say that you absolutely have to change the way you do things, or else he will prosecute you, institute proceedings against you.
10:10 a.m.
Bloc
Robert Vincent Bloc Shefford, QC
That's what I just said; it isn't just a little rap on the knuckles. We tell them to stop doing that, to stop throwing away papers because that can hurt someone somewhere. There aren't any tougher measures for these people to make them aware of the fact that this is important.
Would you recommend that there be a fine or something tougher that tells people that this information is invaluable, that they have to be careful with it and not throw it away? Would you recommend that approach?
10:10 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
That's one of the options that a task force should consider. As I mentioned a number of times during our meeting this morning, we need a range of penalties, and not just resort to the Criminal Code. We have to prove intent, which is hard to do.
A system of fines, if you think of it, is a little like the way it is for the environment. For people to be aware, you have to tell them that, if they throw away something toxic, they will be liable to a fine. However, I don't know whether we've got to that point. You should consider that possibility.
10:10 a.m.
Conservative
The Vice-Chair Conservative David Tilson
Thank you.
I'm sorry, we're way over, Monsieur Vincent.
Mr. Wallace.
10:10 a.m.
Conservative
Mike Wallace Conservative Burlington, ON
Thank you, Mr. Chairman.
I have a couple of questions, and they sort of start at the beginning.
I was reading over what you provided—and what you provided us with today is excellent—and you do have information here on how to protect yourself. One of the points was to avoid collecting and using your SIN, your social insurance number. You know, we use it. Service Canada has an ad on the television trying to convince people to get their SIN numbers so that they can get a job. We also have a senior's card. It has come to my attention recently that the number we use on the senior's card is the SIN number. It gets sent through the mail, and so on and so forth, because it's the only number, I think, that the Government of Canada has to identify individuals.
I would like your comment on what the options are, other than using your SIN number for different things. From a privacy perspective, as commissioner, have you had a chance to look at that at all?
10:15 a.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes, that's one of the things we look at, perhaps not in detail.
Can I ask Carman Baggaley to speak to the issue of SIN numbers and the vulnerability that they can cause for Canadians?
10:15 a.m.
Senior Strategic Policy Analyst, Office of the Privacy Commissioner of Canada
One of the points we made is that we need a much clearer idea of what the underlying problems and causes are for identity theft. One of the things we know is that there is a great deal of concern that the social insurance number can be used for identity theft. If we had more information about what's actually causing identity theft, then we'd have a much clearer idea of the extent to which problems with the SIN contribute to it. There have been concerns that there were more SIN numbers out there than there are live Canadians. We're told that's being fixed. But that's one of the many areas where we really need to know what the various factors are that are causing the problem. Then we can decide how we need to proceed in terms of the SIN. Do we need to restrict its use further, or in fact is it not as much of a problem as some people think?
In the online world, of course, there are alternatives to the SIN. That's what the whole secure channel is about, where randomly generated numbers are used to identify people.