Information & Ethics committee  Yes. And I do believe, unless I'm not correct, the current legislation puts that responsibility onto the employer or onto the business owner, and they are, under current rules, attempting to be able to protect that information as best they can. When it comes to small business, the fact is that they don't collect a huge amount of information.

Information & Ethics committee  I believe there's responsibility on the business side and on the consumer side. I believe a small business owner collects information that they need to do a transaction that is being demanded by the consumer, and they will use that information to transact that particular service or product.

Information & Ethics committee  Yes, that is definitely our recommendation. More time is needed to really understand the implications of this particular legislation, as it exists today, on the small business community and on consumers, frankly. I do think education is absolutely the biggest key component of that.

Information & Ethics committee  Less onerous? I think there needs to be a simplification in terms of understanding what the obligations are, because the biggest hindrance right now for our members is this policy they have to come up with. They know they have to come up with a policy, a written policy, but they don't know what it entails or how it is supposed to work.

Information & Ethics committee  The Personal Information Protection Act in Alberta actually goes somewhat beyond PIPEDA from a small business perspective, because it also has an order-making power. That made it a little bit more intimidating for them to deal with the Office of the Information and Privacy Commissioner, but that's less of an issue.

Information & Ethics committee  I'll just repeat what I said. Small businesses know their customers, they know their clients. They do the best they can. For the most part, they are good corporate citizens who are aware of this, who think it's important to protect their own information, and we believe they are doing what they can to protect the information of others.

Information & Ethics committee  I don't think I talked about a code of ethics in terms of--

Information & Ethics committee  Yes, but this is based on our recommendations to members of our federation. However, in the case of small firms... I don't think you can stop that. I don't know how you could, and I think it's a challenge for this committee to balance the fact that people want their information protected, but they want the convenience as well.

Information & Ethics committee  We're a heavily survey-based organization. Really the only place we've surveyed is Alberta, but our other avenue is that we have counsellors across the country who deal with member inquiries on a daily basis. We have had probably thousands of calls over the course of the last three years from small businesses on this issue.

Information & Ethics committee  I think it relates back to the fact that privacy policy is going to be different for every firm because every firm has a different amount of information that it's protecting. So to expect one size to fit all in this particular scenario, I think, is incorrect. Our fear is that the bar is always put at the highest.

Information & Ethics committee  Be more prescriptive.

Information & Ethics committee  My initial reaction is simply that a lot of small businesses know their customers personally. I think that makes a huge difference in terms of making sure they are protecting the people they know. This is their livelihood. As you grow as a company, you may lose a bit of that. Therefore systems have to be put into place, and those sorts of potentials for abuse can happen.

Information & Ethics committee  I do believe that actually having people report when there is a breach is important when there's a risk associated with the information that's been breached. I think businesses should be required to let their customers know if there has been a major breach in terms of the information that has gone out--for instance, if it includes credit card information, SIN numbers, medical records, all those types of thing.

Information & Ethics committee  I think it would depend on the level of breach. If it's a breach where there's a risk to the consumer, then yes, I think they should be required to report--

Information & Ethics committee  It would depend on how the breach occurred. I do believe that sometimes businesses are not aware of it, or may not have been the cause of it. Imposing a $100,000 penalty on a small business--versus a large bank--would put them out of business. When you talk about levels of breaches, and the impacts on the business community, I think you have to be very careful when you start going down that road.