Thank you for the invitation.
I represent two organizations here, actually, the B.C. Freedom of Information and Privacy Association and the B.C. Civil Liberties Association.
On February 9, 1999, I appeared before the Standing Committee on Industry to present my views on behalf of Electronic Frontier Canada on Bill C-54, PIPEDA.
We supported the bill in principle. Now, on behalf of BC FIPA and BCCLA, I wish to renew our support for privacy protection in Canada by means of PIPEDA. However, there are a number of issues that must be addressed in order to ensure that the privacy of Canadians continues to be protected by this important piece of federal legislation.
In this submission, I will address a number of issues related to both the legislation itself and the operation of the Office of the Privacy Commissioner.
It's important to emphasize that privacy rights are increasingly under attack, and a necessary bulwark in defence of these rights is at the very least adequate legislation supported by a vigorous agency to defend privacy rights and to draw attention to current and anticipated problems.
The most important recommendation I will make in these notes is that the current ombudsman model for conflict regulation employed by the OPC be replaced, providing the minister with order-making powers.
I draw your attention to a story that appeared early in November in the newspapers, in which the British Broadcasting Corporation, the BBC, reported that Richard Thomas, the information commissioner of Britain, had referred to Britain as “waking up to a surveillance society that is all around us”.
Some of its characteristics are given as follows: by 2016, shoppers could be scanned as they enter stores; schools could bring in cards allowing parents to monitor what their children eat; and jobs might be refused to applicants who were seen as a health risk.
The report referred to above is a report on the surveillance society, and I take this as a very serious report. Britain, of course, has been described frequently as one of the most surveillant societies in existence.
To set the tone of some of the remarks that follow, let me turn to some comments I made a little more than six years ago, about the time PIPEDA was approved. I gave some examples of privacy invasions. I argued that one of the reasons for having a law in Canada was that it was necessary that both companies and government be responsible in their privacy activities, and that there be a possibility for questioning the privacy activities, and that the legislation could and should provide this.
Let me describe some of the concerns I have, and I think that will be the focus of my remarks. I have nine concerns, the first of which I'm calling publicizing complaints.
For the most part, the Office of the Privacy Commissioner, the OPC, has decided not to reveal the names of complainants, nor the organizations and companies against which complaints have been launched. It appears that under the current regimen there is little cost to companies that do not resolve their privacy issues; not properly implementing a required privacy regimen is just a small cost of doing business. Public attention would be a much more effective means to achieve compliance.
Second, a much more effective education function is required. The OPC could serve a more effective role than it has up to now; namely, to bring the office and its role under PIPEDA to the attention of the Canadian public. In my classes and talks I have rarely found anyone who knows about Canada's privacy law, his or her rights under the law, or the existence of the OPC, the current Privacy Commissioner, or the activities of the office.
A survey commissioned by the Office of the Privacy Commissioner in March of this year showed that something like 8% of Canadians had heard of PIPEDA. Clearly, if you're not aware of laws protecting you, it's going to be hard to take advantage of the protection they provide.
My third concern is the response of companies to breaches of their security. What, if anything, should companies be required to do when their security barriers are breached, with a resulting release of personal information? Such events have become fairly frequent, and most of the attention has been directed towards companies whose primary activity is the collection, compilation, and marketing of personal information.
When PIPEDA came into effect, the term “identity theft” probably was little known. Now ID theft is well known as one of the major crimes associated with Internet technology. In the body of the submission, I include a table showing the numbers of breaches that have occurred in the U.S. in the last couple of years.
The fourth point is on the transborder data flows of personal information of Canadians. The OPC has brought this issue to the attention of the Canadian public, especially with regard to the possible access to the personal information of Canadians held in the U.S. by the FBI under the U.S.A. Patriot Act. In 2004 this issue arose in British Columbia because the government had outsourced medical records to a subsidiary of the Maximus corporation, a U.S. company. It took B.C. Privacy Commissioner David Loukidelis's holding of hearings to find and determine what threats might occur because of this activity. Very briefly stated, the B.C. government introduced and passed legislation in response, which had some of the following requirements: no remote access to data from outside Canada; special restrictions on data access; and requirements for supervision of U.S. employees. I have more listed here. What's important is that the federal government has to deal with these possibilities as well.
Number five, on workplace privacy issues, PIPEDA does not cover information collected by employers about non-federally regulated private sector employees. Workers in three provinces--B.C., Alberta, and Quebec--have protection in the workplace, but basically there is a real lack of it. I should add, for full disclosure, that a researcher and I did a six-month research project for the Office of the Privacy Commissioner on workplace privacy, and we submitted a report to that office expressing our concern about the future of the rights of workers in Canada.
Number six is the development of the electronic medical record, the EMR, and its privacy implications. We recall that when PIPEDA was enacted, the application of the law to the protection of medical records was postponed for one year in order to provide for additional consultation to deal with any special issues associated with such records. I take medical information to be the most sensitive of all personal information and deserving of the highest degree of protection. We're now in the process, across the country, of instituting information systems that will contain, in part, the medical record of every patient who has been involved in the medical system.
Some serious questions arise as to who has access to this medical record and to what degree patients have a chance to say yes or no. One very simplistic model has most of the information about drugs and so on, or about visits, which are not of the most sensitive nature, being available in general without any special permission, but that particular information that's most sensitive might be considered to be in a special lock box, so that only when a patient gives direct permission can that information be released. You ask to whom it would be released. That would be to other doctors, to administrators to make sure that the health process is being conducted efficiently, and to researchers who would like to have access to medical records.
Point seven is on the challenges of emerging privacy-threatening technologies. The law, generally speaking, always seems to be behind new technologies that appear and have good uses, and all of a sudden they start applying to areas that hadn't been thought of. Obviously the law will still apply, but to try to figure out what's going on is the difficulty. I bring your attention to RFID technology, which is being used in U.S. passports. It's part of inventory control, and it also has possibilities for more sinister use. I don't think that's too strong a word.
Let me read you this story, which appeared earlier this year:
A Cincinnati video surveillance company CityWatcher.com now requires employees to use Verichip human implantable microchips to enter a secure data centre. Until now, the employees entered the data centre with a VeriChip housed in a heart-shaped plastic casing that hangs from their keychain. The VeriChip is a glass encapsulated RFID tag that is injected into the triceps area of the arm to uniquely identify individuals. The tag can be read by radio waves from a few inches away.
If it had slightly higher power it could be read from several metres away.
How do you feel about this? How should a privacy commissioner act in response to these kinds of activities? There is now talk about medical records going on chips to be implanted. Then you can't forget things, and you'll have this medical record. This is just one of the kinds of technologies to which we're really going to have to pay attention.
My eighth point is on current views of some aspects of consent. This is a very long area of great concern. Of a document released by the Privacy Commissioner to stimulate discussion, half of it had to do with various questions of access. Who has rights? Is there blanket access? In some of this, there was some concern about access now taking place under various acts of Parliament meant to deal with terrorism, and the requirements to gain information about individuals without informing them it's being taken. The general question is, how much information can you take from people without getting their assent or at least informing them you're taking it? I use the general term “access” to cover many of these things, but there isn't time to go into them in detail.
Let me turn very quickly to the last of my comments, which is where I began. The Office of the Privacy Commissioner of Canada is committed to the ombudsman model of mediation. Complaints are heard, meetings are held, and non-binding recommendations are issued, with the names of all parties almost always concealed. If they are dissatisfied, a complainant can bring the case to the Federal Court at his or her own expense.
Has this model been effective? There's some disagreement in public responses to this question. Certainly the OPC seems to be committed to its current mode of operation. It is significant that in the three other provinces in Canada with their own versions of PIPEDA, British Columbia, Alberta, and Quebec—and of course the Quebec model came in several years earlier—the model used involves order-making powers. That is, complaints are heard, decisions with legal force are made public, and parties are named. So the full force of public scrutiny is serving as a constant light shining on the privacy practices of companies and organizations, for whom negative publicity is not in their self-interest. That clearly is the single most important recommendation I'm making in this submission.
Let me thank you for the opportunity to appear before you on this very important matter.