Industry Committee on Feb. 5th, 2015

Basically, the act and amendments impose obligations of that nature on organizations. Bill S-4 sets out new obligations.

For those specific provisions, currently under PIPEDA there's a regime called the investigative body regime. It lists a number of entities that are allowed to do these activities now. The range of entities that are there are, for example, the bank crime prevention organization that works for the bank association. They share information back and forth among banks around people who have been robbing ATMs. They have videos at ATMs. They use and share that information without the thieves' consent so they can identify and do an investigation into the crimes. I've visited them. They share information across the country from different banks on people who are stealing from ATMs or robbing right inside the location. It's that kind of sharing we're talking about in that context.

Under the current investigative body regime there are those kinds of sector organizations. Then there are professional associations, such as professional engineers associations, colleges of physicians and surgeons, and the Law Society of Upper Canada, that do investigations into their own members in assuring that their own members are following the code of conduct for their organizations.

You have a third grouping such as forensic auditors who do that kind of activity on behalf of somebody else.

They share information without consent in the course of investigations. These investigations are generally for other public policy purposes in protecting Canadians from crimes, as in the bank example. That kind of information gets flowed back and forth.

What Parliament recommended in the first review of the act was to take an approach of regulating the activity rather than regulating the specific entities, which is the approach that B.C. and Alberta have taken. Rather than having the prescribed list of organizations that has to be updated—if you change your name, you have to go through regulation to have your name changed in the regulation—they said regulate the type of activities rather than regulate the individual entities and put them all on a list in the back.

That's what S-4 has done. It's taken that investigative bodies regime and split it into these two other sections to go and regulate the type of activity rather than the bodies themselves. That's what Parliament recommended and that's what B.C. and Alberta do now.

They are completely separate pieces and not related. The anti-terror law is about exchange of information within government. This is about private sector privacy rules. They're quite separate pieces.

To answer your question I think the first step is always to ask if there is a warrant. The next step is to ask if there are any limited areas where consent is not required, and there are some very specific areas where that applies. That's the way the digital privacy act works.

I should be clear that this law does not apply to the police. This is a law that applies to the exchange of information from businesses to citizens.

Yes, that assurance is there. I will explain again. The act already sets out exceptions. Amendments are being made, but the exceptions are already there.

As we go through this, there are lots of things that have to be established through regulation. We're quite conscious of the fact that these data breach provisions apply, from the local dry cleaner down the street all the way up to a big bank or a telecommunications provider. We're looking for the most simplistic ways we can have in terms of reporting, in giving out clear guidance. We'll work with the Privacy Commissioner's office once the provisions are in place to come up with really clear, straightforward guidance for small companies. We are conscious of the fact that this does apply all the way from the mom-and-pop shop up to the major multinational corporations that are better prepared for these kinds of things.

To bring the data breach provisions into force we're going to have to pass regulations, so we'll need to consult on the regulations and go through that. Then after that's done it's the role of the Privacy Commissioner to help provide guidance to companies about how to comply in these areas.

It's specified in the law as “as soon as feasible”. For us that means once you've closed the breach, you're not at risk by informing folks. If the breach is ongoing, by going around informing people it could be further exasperated, so once you've clearly identified the breach and you're able to contain it and move forward with it.

It's meant to be as soon as feasible, so without any undue delay. The exact time's not specified because each breach is different. There could be quite a few different elements.

In terms of determining that risk assessment, we haven't prescribed, and in general PIPEDA doesn't prescribe. It isn't very prescriptive in terms of providing these kinds of things. It provides a general sense.

I can maybe just add, though, that in terms of the offences that are under the act, there are three new ones related to data breach. There's a real demand for compliance in this respect. New offences are related to failing to report the data breach to the commissioner as required, failing to notify an individual of the data breach as required, and failing to maintain the records. These are actually offences now, so there is a lot of incentive for firms to do what is required as soon as possible.