Digital Privacy Act

An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

This bill was last introduced in the 41st Parliament, 2nd Session, which ended in August 2015.

Status

This bill has received Royal Assent and is now law.

Summary

This is from the published bill. The Library of Parliament often publishes better independent summaries.

This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,
(a) specify the elements of valid consent for the collection, use or disclosure of personal information;
(b) permit the disclosure of personal information without the knowledge or consent of an individual for the purposes of
(i) identifying an injured, ill or deceased individual and communicating with their next of kin,
(ii) preventing, detecting or suppressing fraud, or
(iii) protecting victims of financial abuse;
(c) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual, personal information
(i) contained in witness statements related to insurance claims, or
(ii) produced by the individual in the course of their employment, business or profession;
(d) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions;
(e) permit federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual;
(f) require organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;
(g) require organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control;
(h) create offences in relation to the contravention of certain obligations respecting breaches of security safeguards;
(i) extend the period within which a complainant may apply to the Federal Court for a hearing on matters related to their complaint;
(j) provide that the Privacy Commissioner may, in certain circumstances, enter into a compliance agreement with an organization to ensure compliance with Part 1 of the Act; and
(k) modify the information that the Privacy Commissioner may make public if he or she considers that it is in the public interest to do so.

Elsewhere

All sorts of information on this bill is available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.

Votes

June 18, 2015 Passed That the Bill be now read a third time and do pass.
June 18, 2015 Failed That the motion be amended by deleting all the words after the word “That” and substituting the following: “this House decline to give third reading to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, because it: ( a) threatens the privacy protections of Canadians by allowing for the voluntary disclosure of their personal information among organizations without the knowledge or consent of the individuals affected; ( b) fails to eliminate loopholes in privacy law that allow the backdoor sharing of personal information between Internet service providers and government agencies; ( c) fails to put in place a supervision mechanism to ensure that voluntary disclosures are made only in extreme circumstances; ( d) does not give the Privacy Commissioner of Canada adequate order-making powers to enforce compliance with privacy law; and ( e) proposes a mandatory data-breach reporting mechanism that will likely result in under-reporting of breaches.”.
June 2, 2015 Passed That Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, as amended, be concurred in at report stage and read a second time.
June 2, 2015 Failed
June 2, 2015 Failed
May 28, 2015 Passed That, in relation to Bill S-4, An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act, not more than one further sitting day shall be allotted to consideration at the report stage and second reading stage of the Bill and one sitting day shall be allotted to consideration at the third reading stage of the Bill; and That, 15 minutes before the expiry of the time provided for Government Orders on the day allotted to the consideration at the report stage and second reading stage of the said Bill and on the day allotted to consideration at the third reading stage of the said Bill, any proceedings before the House shall be interrupted, if required for the purpose of this Order, and, in turn, every question necessary for the disposal of the stage of the Bill then under consideration shall be put forthwith and successively, without further debate or amendment.

March 24th, 2015 / 11:55 a.m.
See context

Public Guardian and Trustee, Public Guardian and Trustee of British Columbia

Catherine Romanko

Thank you.

Yes, I would be happy to do that. Of course, my comments are very narrowly restricted to the ability of financial institutions to report.

The Public Guardian and Trustee of British Columbia was working closely with the Canadian Bankers Association back when these proposed amendments were first suggested. We were very much in support then of allowing an amendment that would enable financial institutions to report proactively, not just when there was an actual contravention of the law.

It is in that proactive measure that we think vulnerable persons are better protected. Then the responsibility for investigating falls to the provincial bodies, the public guardians and trustees, to do what they already are able to do under the law.

The missing piece was the proactive reporting. Bill S-4, in the provision in proposed paragraph 7(3)(d.3), I believe will accomplish that. I believe that is a positive measure.

March 24th, 2015 / 11:55 a.m.
See context

Conservative

Mark Warawa Conservative Langley, BC

Thank you, Chair.

Thank you, witnesses, for being here.

I want to focus my questioning on how the digital industry has so dramatically changed since PIPEDA first became law in 2000. I believe that things have changed dramatically since it came into effect. It actually came into force from 2001 to 2004, over three years. Then, as is normal, there was a judicial review, a parliamentary review, and that started in 2006-07. I think some of you have been involved with that and have provided submissions or have testified.

Bill S-4 contains I think important updates that relate to what we saw when it was established in 2000. In regard to what's being proposed now in Bill S-4, the world has changed. Technology has changed dramatically. That includes the number of people who are using digital technologies for emails, banking, and so on.

We've heard from you. We've created Bill S-4. It provides important updates to current private sector privacy laws that will help protect consumers with regard to their personal information, whether it's been stolen or lost.

There is currently no legal requirement for a business to inform consumers when there has been a data security breach. A business could be hacked and decide right now not to inform customers, but the changes in Bill S-4 will compel businesses to report when hacked and will impose fines of up to $100,000 per individual if the business fails to notify the customer.

It also provides some very important focus on protecting the vulnerable, both the youth and our seniors.

Ms. Romanko, you touched on that, as did Mr. Brown, and that's the focus of your organizations.

The Bankers Association was one of the many that really supported Bill S-4. They applauded the amendments in the bill that will allow banks and financial institutions to advise public guardians, law enforcement, or family members when they have evidence of financial abuse. I think you touched also on the abuse that may be coming from family members. The banks would now have the discretion in regard to how to deal with these serious situations and protect the vulnerable. That does not exist now.

We also heard from the Privacy Commissioner about the tools necessary for the commissioner to do their job. There was not adequate time for them to be able to act. Now, with the changes in Bill S-4, that would change.

If you could, just touch on how things have changed and on these changes that have been now incorporated in Bill S-4 to update PIPEDA.

Ms. Romanko.

March 24th, 2015 / 11:50 a.m.
See context

NDP

Peggy Nash NDP Parkdale—High Park, ON

Thank you.

I want to ask you about information sharing by companies in a prospective business transaction, which would be allowed under Bill S-4 without the knowledge or consent of an individual. Do we need this clause and does it strike the right balance around privacy and the need for businesses to have certain information?

March 24th, 2015 / 11:45 a.m.
See context

NDP

Peggy Nash NDP Parkdale—High Park, ON

Thank you.

I want to ask you about breach notification. The threshold is pretty high, it's “a real risk of significant harm”. Do you think that is the right threshold? We've had some witnesses suggesting a two-step system where the Privacy Commissioner is informed of all breaches and then there is a decision about when an individual is notified about a breach. Do you think that the way it is structured now under Bill S-4 it's leaving these decisions to industry itself? Is that the right approach?

March 24th, 2015 / 11:25 a.m.
See context

Professor Avner Levin Associate Professor and Director, Privacy and Cyber Crime Institute, Ryerson University, As an Individual

Thank you, Mr. Chair. Thank you for the invitation to appear in front of the committee. I apologize that I'm not bilingual, so my comments will be in English. I'm an associate professor and the director of the Privacy and Cyber Crime Institute at Ryerson University and I'm appearing as an individual. I research privacy and I've been privileged to appear in front of the access to information, privacy and ethics committee as well.

I am not going to repeat comments that you heard from earlier witnesses in previous meetings. I take these hearings that the committee is conducting at this time as a sign that the government is interested in considering some amendments to the bill before it proceeds. I would like to reiterate what previous witnesses have said that I think the following amendments should be considered by the committee.

First, I think the committee should consider adding order-making powers to section 12.1 of PIPEDA for the commissioner. Section 52 of the B.C. or Alberta personal information protection act can certainly serve as a model. That does not preclude leaving in the provision for compliance agreements that is in the new proposed bill, which would be the new section 17.1. I'm happy to discuss the reasons for my thoughts on this if we have time for questions later, but other witnesses have already made this point.

Second, I would suggest to the committee that it delete proposed paragraph 7(3)(c.1). That would eliminate the possibility for government institutions to request personal information without judicial supervision. I think that point has also been made by previous witnesses, so I would leave that for questions as well if there's any interest.

Third, I would leave paragraph 7(3)(d) as is. In other words, I do not think the committee should proceed with allowing organizations to share information with other organizations. I think that the committee should leave the investigative body model that is currently in PIPEDA intact and that point has been made.

I would like to spend my time introducing a new point to the committee, as far as I know, and that is regarding the issue of workplace privacy that is in this proposed bill. To the best of my knowledge it has not yet been discussed. Under PIPEDA the personal information of employees of a federal work, undertaking, or business is protected and the collection, use and disclosure of it requires the consent of the employee. That's currently in PIPEDA in paragraph 4(1)(b).

Bill S-4 proposes a new section, section 7.3, that will govern such employment relationships, according to which employee consent will no longer be required. Employers will have to notify employees instead. That's going to be in the new paragraph 7.3(b), but they will be able following this notice to collect, use, and disclose information that, quoting from the bill, “is necessary to establish, manage or terminate an employment relationship.” That's the new paragraph 7.3(a).

In my opinion, as currently worded, this presents an unfortunate erosion of workplace privacy that ignores previous OPC findings as well as Federal Court decisions. I note to the committee there's a decision from the Federal Court for Eastmond and there's another one for Wansink. I can provide the full citations later. The implications are broader than just for federally regulated employees. Labour arbitrators for those employees who are unionized look to PIPEDA as a guidance and as a source, and to the OPC guidelines. Employers in provinces that do not have private sector legislation look to PIPEDA as guidance even though they do not fall under the jurisdiction of PIPEDA directly.

The proposed amendment appears to follow B.C.'s and Alberta's PIPA, but in my opinion it does not. In those provincial laws—and bear with me, please—the collection, use, and disclosure must be reasonable for the purposes that I've listed. For reference, in the British Columbia act, those are sections 13, 16, and 19. I quote from paragraph 13(2)(b) of the British Columbia Act:

the collection is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual.

The new section 7.3 does not refer to the reasonable standard at all. I imagine that's presumably because PIPEDA has built into it subsection 5(3) that says:

An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

I would hope the committee would follow me in seeing that existing subsection 5(3) refers to the purposes being appropriate to the reasonable person, and it does not refer to the collection or the use or the disclosure as being reasonable. If you want to follow the B.C. and Alberta model, of course the collection and use and disclosure should be reasonable. The purposes of managing, and so on, the employment relationship, needless to say, are reasonable already.

In my opinion the current wording in the bill would allow, to take perhaps a little bit of an extreme example, an employer to install closed-circuit television cameras inside washrooms at the workplace, for the purpose of managing the workplace as long as a notice was posted to that effect. I would argue that for the purpose of managing the workplace and wanting in that case to ensure that facilities are clean and well maintained, doing that is reasonable. But the collection of personal information would not be reasonable in that situation. That is the distinction that I wish to draw to the attention of committee members at this point in time, which I don't think has been articulated up to this point.

I would suggest two simple amendments as a result. One would be to simply add the word “reasonable” before “necessary” so that the amended clause, which would create the new paragraph 7.3(a) would read “the collection, use or disclosure is reasonable and necessary to establish, manage or terminate an employment relationship between the federal...business and the individual”. Alternatively you may wish to consider amending the clause by borrowing language used in Quebec's legislative framework. Section 2087 of Quebec's Civil Code requires employers to protect the dignity of employees, so the committee may wish to consider an alternative formulation such as, “the collection, use or disclosure protects the dignity of the individual and is necessary to establish, manage or terminate the employment relationship”.

I'll make one last point on this, Mr. Chair, before I end my comments. I do think that employees cannot meaningfully consent to their employers' practices in an employment relationship. In that sense I do think that it is useful to move to regulating employers' conduct in those circumstances. I could add more on the issue of consent, but again I think you've heard from earlier witnesses in previous meetings.

I will leave it at that regarding the point on privacy at work. I would be happy to answer questions if there is any time.

Thank you again for the invitation to appear today.

March 24th, 2015 / 11:20 a.m.
See context

Janet Cooper Vice-President, Professional Affairs, Canadian Pharmacists Association

Thank you.

Good morning. My name is Janet Cooper. I am a pharmacist and I am vice-president of professional affairs with the Canadian Pharmacists Association. I am pleased to be here today to discuss Bill S-4, an act to amend PIPEDA.

CPhA, the Canadian Pharmacists Association, is the national voice for Canada's 39,000 pharmacists. Pharmacists practise in a range of settings, including community pharmacies, hospitals, academia, industry, and government.

CPhA and the pharmacy profession have a long history of speaking out for the interests of patient privacy and confidentiality, and as far back as 2001 CPhA was involved with a privacy working group of other health care provider organizations that provided advice to Health Canada on privacy matters related specifically to health care. Since then we've appeared before parliamentary committees on numerous occasions to offer our perspective on PIPEDA changes.

Today pharmacists' commitment to privacy is reflected in the professional codes of ethics and standards of practice that guide our profession, as well as CPhA's own privacy code for pharmacists. Given that pharmacists routinely dispense more than 11 million prescriptions each week and they're conducting a range of new, expanded services for patients in almost all jurisdictions, the need for ensuring confidentiality of patients' personal information has never been greater.

Community pharmacists were very early adopters of digital records, having maintained computerized medication profiles for more than three decades. Most of the 600 million prescriptions that are dispensed each year, which is close to $30 billion in spending, are actually sent electronically for claims adjudication by public drug plans or private insurers. So there is a lot of electronic transmission of patients' medication information.

Increasingly, Canadians' medical records are maintained electronically by other health care professionals as well, including physicians' records, lab test results, and diagnostic images. The goal of electronic health records is to increase accessibility and sharing of patient information by those providers who need access to inform patient care and to support interprofessional collaboration.

For example, in several jurisdictions, drug information systems, or DIS, are in place to allow access to a complete profile of medications regardless of which pharmacy dispensed the prescription. This improves safety and efficacy of medications, supports improved prescribing, supports detection of adverse drug events, and deters prescription drug abuse. We hope that in the near future all prescriptions will be electronically created and then transmitted to the patient's pharmacy of choice. With this change to electronic health records comes increased need to ensure that Canadians' private health and medication records are protected.

Let me state up front that CPhA supports the amendments in Bill S-4 as they relate to protecting personal health information. There are two amendments in particular that we want to address.

First, CPhA supports the amendment in the bill in which personal information may be obtained without consent for the purposes of communicating with the next of kin or authorized representative of an injured, ill, or deceased individual.

Pharmacists, as well as any health care provider, may find themselves in the difficult situation of having to deal with patients who may be severely ill, unconscious, or incapacitated for any number of reasons. In such circumstances it may be imperative for the pharmacist or other health professional to immediately contact family members or next of kin to inform them of the patient's condition, or to seek valuable information on the patients' medical history. But seeking permission or consent to contact those individuals in advance may simply not be reasonable nor in some cases possible. This clause would provide pharmacists and other health care providers with the comfort and knowledge that in the case of a severe health emergency they will not be in contravention of PIPEDA for acting in the best interests of their patients by contacting next of kin or authorized representatives.

Second, CPhA also supports the amendment in Bill S-4 requiring organizations that have encountered a privacy breach to report that breach to the Privacy Commissioner and notify individuals, if it is reasonable in the circumstances to believe that a breach creates a real risk of significant harm to an individual.

For pharmacists who access a significant amount of sensitive information related to the medication and health of their patients every day, a breach or disclosure of this information has the potential to put the patient at risk. Patients who are on medications for HIV, mental illness, or infectious diseases would certainly not want all of that information to be known. As defined in the legislation, this risk could include threats to employment, reputation, or relationships. As a result, CPhA believes that, should a privacy breach occur, reporting this breach to the individual concerned and the Privacy Commissioner are reasonable steps to take in order to mitigate any risk that may occur.

It's also reasonable for the organization in question to maintain proper records of these occurrences as stated in the bill.

Although not specifically related to this bill, I want to thank Health Canada for introducing a regulatory change this past summer that will better enable pharmacies to protect privacy. There's a requirement in the Food and Drugs Act that requires pharmacists to maintain up to two years' worth of prescription records, and until last summer the regulation required prescriptions to be maintained in hard copy format even though more and more prescription records are now retained in electronic format. Last July Health Canada reinterpreted that regulation to allow for electronic retention of prescriptions. In addition to being more efficient for pharmacies, electronic retention is safer and more secure from a privacy standpoint.

Thank you, Mr. Chair and committee members, for the opportunity to meet with you today to discuss Bill S-4. I'd be pleased to respond to your questions.

March 24th, 2015 / 11:15 a.m.
See context

Douglas Brown Public Guardian and Trustee, Public Guardian and Trustee of Manitoba

Thank you for the opportunity to comment on Bill S-4, the digital privacy act. I'm Douglas Brown, the public guardian and trustee of the Province of Manitoba.

My comments today will be limited to subclause 6(10) of the bill, which would amend the Personal Information Protection and Electronic Documents Act to permit the disclosure of personal information about an individual by an organization to a government institution in circumstances where there is a suspicion that the individual may be a victim of financial abuse. The Public Guardian and Trustee of Manitoba supports the amendment as a positive step that strikes the necessary balance between the need to maintain privacy of personal information and disclosure of that information to potentially identify and stop what are the devastating consequences of financial abuse.

The Public Guardian and Trustee of Manitoba, or PGT, is a corporation sole established under The Public Guardian and Trustee Act of Manitoba, that operates as a provincial government special operating agency. The PGT manages and protects the affairs of Manitobans who are unable to do so themselves and have no one else who is willing or able to act. This includes mentally incompetent and vulnerable adults, deceased estates, and children. The PGT manages approximately 5,800 clients, estates, and trusts, with approximately $230 million of assets under administration by our office.

The PGT becomes involved in the management of an individual’s financial affairs in a variety of ways. Most frequently, the PGT is appointed by the chief provincial psychiatrist under The Mental Health Act or by an order issued under The Vulnerable Persons Living with a Mental Disability Act, both Manitoba legislation. The PGT can also be appointed by a judge of the Court of Queen’s Bench of Manitoba to act in various circumstances. When the PGT does become involved, an investigation is conducted to gather and record the assets owned by the individual for whom we're now managing affairs. This includes all their property, investments, and any accounts at financial institutions. Unfortunately, in some situations our investigation will uncover evidence of possible financial abuse. In the worst of these situations, the financial abuse has resulted in all or a large part of the finances of that individual having been lost.

The impact of these losses caused by financial abuse cannot be overstated. As you or I choose to save, invest, or plan for our retirement and anticipate having the financial resources to be independent and exercise some level of control over our affairs in the future, people who have been the victim of financial abuse have lost that independence and have lost that control over their futures. Often we see that the health and well-being of the victim of financial abuse can be negatively impacted. More often than not, a victim of financial abuse has little chance of recovery. In many cases the money is gone, and there is little likelihood of recovering the money from the perpetrator of the abuse.

Organizations such as financial institutions can play an important role in detecting possible financial abuse through their ongoing contact with the public. My experience is that these institutions do want to cooperate with government institutions when they have a suspicion of financial abuse. While the privacy objectives of the existing legislation are clearly important, privacy laws should not become a tool used by perpetrators of financial abuse to avoid detection. Amendments that allow for a controlled disclosure of personal information in limited circumstances can still maintain privacy objectives while also providing an additional set of eyes out in the community to help identify and hopefully stop cases of financial abuse. I would strongly recommend to this committee that this is the right result.

In reviewing the amendments and the various submissions that have been made to the committee, there are a couple of recommendations that I would also support.

First is that the definition of “government institution” needs to be clear. The PGT or similar agencies in other provinces or territories have a role in these situations, and should be included in the definition. There should be caution taken not to apply the definition too narrowly, as this could discourage the reporting of information. A reasonable check and balance to apply could be to look at the role and use of the information that could be made by the institution that is receiving the information. In the case of the PGT, we're subject to provincial privacy laws. We also have specific statutory authority that allows us to collect information that would otherwise be private where it's required to carry out our duties, responsibilities, and powers. By having that control, you've put some control over how the information could be used once it's received by a government institution.

Second, in most cases the perpetrator of financial abuse has to gain the trust of the victim before the abuse can begin. This unfortunately means that relatives and family can often be the perpetrators of financial abuse. Any requirement to report suspected financial abuse in all circumstances to next of kin may place the victim at greater risk. Organizations that are contemplating making a report should have some discretion in those situations, and where appropriate, should make the report only to a government institution and not to the next of kin in circumstances where the next of kin may be involved in the abuse.

Third, in some cases an individual may not be a victim of financial abuse but is no longer capable of managing his or her affairs. The indicators of financial abuse and financial neglect can often be the same, so an organization that's contemplating whether to report should have the ability to report suspected financial abuse even though it may not be clear where the unusual financial activity originates, or whether the irregular financial activity is a result of a third party or the individual himself or herself. The organization should not be required to make this determination before it has the ability to make a report to a government institution. The loss of financial independence resulting from neglect is just as significant as a financial loss caused by a third party, so again, it's in everybody's interest that the matter be identified and dealt with as quickly as possible.

In conclusion, while the privacy objectives of the existing legislation are clearly important, the benefit of permitting disclosure of personal information in a limited and controlled manner would be a positive step in detecting and hopefully stopping cases of financial abuse.

Thank you.

March 24th, 2015 / 11:05 a.m.
See context

Catherine Romanko Public Guardian and Trustee, Public Guardian and Trustee of British Columbia

Thank you, Mr. Chair.

Good morning. I am the public guardian and trustee of British Columbia. I thank you for the opportunity to comment on Bill S-4 today. In addition to my oral comments, I have provided a written submission. My comments today are restricted to subclause 6(10) of Bill S-4, and that is with respect to the proposed provision that will enable federally regulated organizations and in particular financial institutions to report concerns of potential financial abuse of a customer, without the knowledge or consent of the customer, to a government institution with authority to investigate and to take appropriate responsive action.

The jurisdiction to respond to suspected financial abuse typically falls to provincial authorities and territorial authorities with respect to civil investigation and in particular to public guardians and trustees across the country. The Public Guardian and Trustee of British Columbia has participated in the multi-year consultation process that led to the development of the anti-financial abuse provisions in subclause 6(10). My office supports the objective of the proposed anti-financial abuse amendment and offers three recommendations for refinement of the provision to ensure that the provision is effective, and secondly, to minimize the risk of harm to an individual who is the subject of a report and a potential victim of financial abuse.

My recommendations are based on the experience my office has in responding to financial abuse and I will provide those recommendations at the conclusion of my comments.

By way of background, the Public Guardian and Trustee of British Columbia is a statutory corporation sole created under the laws of the province. My office provides fiduciary and protective services to vulnerable adults, to persons who are mentally incapable, to minor children. We administer the estates of deceased and missing persons when there is no one else able and suitable to do that. We serve approximately 29,000 clients and administer almost $900 million in private client assets.

Among the various statutory functions given to the Public Guardian and Trustee under British Columbian law is the role of investigating allegations of financial abuse, including financial neglect and financial self-neglect of mentally incapable adults. The definitions of financial abuse, financial neglect, and financial self-neglect, which guide the investigations of the Public Guardian in British Columbia, are set out in legislation, but generally speaking, abuse is an action committed by a third party. Neglect is the failure of a third party to act, and self-neglect is an individual's own failure to manage his or her own affairs due usually to mental incapacity.

When my office receives information that an adult may be mentally incapable and may be a victim of financial abuse, the Public Guardian and Trustee of British Columbia has a legislative mandate to investigate the circumstances. My office has the powers to seek disclosure of financial information from legal representatives such as an attorney acting under an enduring power of attorney, and from financial institutions where an adult may hold assets. If my office has reason to believe that the adult's assets are in need of immediate protection, the Public Guardian and Trustee of British Columbia has the authority to instruct financial institutions to, in essence, freeze bank accounts to stop any withdrawals from the accounts or transactions with respect to those accounts, to halt the sale of property, and to take any other reasonable step necessary to protect the adult's assets from dissipation or misappropriation.

Each year, my office responds to approximately 1,600 allegations of suspected financial abuse. Approximately 1,200 of those cases result in a full investigation by my office, and of approximately 400 cases, the Public Guardian and Trustee is appointed committee of estate as a result of the investigation, and that is for the purpose of acting as property guardian to manage the financial and legal affairs of the adult on an ongoing basis.

The experience of my staff in responding to allegations of financial abuse has highlighted for us the critical role played by financial institutions in identifying issues of potential financial abuse and ensuring that vulnerable adults receive the support and assistance they need when it is required in order to curtail or end the financial abuse.

Employees of banks are often in the best position to observe potential financial abuse as a result of ongoing personal contact with their customers and with their knowledge of the customers' financial affairs. While it may be best practice for a bank employee to communicate with a customer directly about concerns of potential abuse, in many cases such communication is simply not practical, nor is it prudent. In some instances, bank customers may have diminished mental capacity due to mental illness or due to diseases of aging, making direct communication with a customer challenging and often ineffective.

In other cases, a customer may be unduly influenced by or subject to the control of another person, so that advising the customer of suspected financial abuse may in fact alert the abuser to the fact that the abuse has been discovered and put the customer at greater risk. Currently, PIPEDA permits financial institutions to report financial abuse to relevant authorities, such as the police, where the financial institution has reasonable grounds to believe that a law has been contravened.

However, if no law is contravened, federally regulated organizations are restricted by the act as to what actions they are permitted to take even if financial abuse is suspected, so my office of course is responding to allegations of abuse, not certainties. No crime has been committed as yet. Enabling financial institutions to proactively report concerns of potential financial abuse to an organization such as the Public Guardian and Trustee of British Columbia, with the legislative authority to investigate and to take steps to protect the assets of the vulnerable adult if necessary, is critical in the effort to reduce the incidents or continuation of financial abuse.

The Public Guardian and Trustee of British Columbia offers three recommendations for refinement of the proposed legislative amendment in proposed paragraph 7(3)(d.3) of PIPEDA. They are as follows.

One, specify that provincial authorities, and in particular public guardians and trustees, who are authorized to respond to financial abuse, are included in the term “government institution” to which an organization may report financial abuse. The term “government institution” is currently not defined in PIPEDA, nor is a definition proposed in Bill S-4.

The difficulty here is that the act is a federal legislation governing federally regulated bodies. Public guardians and trustees fall under provincial jurisdiction. We want to ensure the legislation is clear that reports may be made to provincial bodies. The act contains regulation-making power, which would permit the creation of a regulation to define “government institution”.

Making it clear that organizations are authorized to report to provincial and territorial government institutions, and in particular public guardians and trustees across the country, will assist financial institutions in effectively reporting. Another alternative, of course, would be simply to provide the definition directly in the act. Either way, the definition would be very useful.

Two, delete the reference to “next of kin” from the list of individuals and government institutions to which organizations may report concerns of potential financial abuse. The perpetrators of financial abuse, particularly with respect to vulnerable adults, are often next of kin. Disclosure of concerns of potential financial abuse to next of kin may have the effect of alerting the abuser to the fact that the abuse has been discovered and may in fact end up putting the vulnerable adult at greater risk of harm—or at least the adult's assets at greater risk of harm.

Three, explicitly recognize financial neglect and financial self-neglect in proposed provisions, along with financial abuse. Many provincial authorities have statutory power to investigate and assist individuals who are victims not only of financial abuse but of financial neglect and financial self-neglect, the effects of which can be equally devastating. In fact, the indicators of potential financial difficulty are the same, whether it's abuse, neglect, or self-neglect. Permitting financial institutions to report concerns of financial abuse, neglect, and self-neglect of their customers, I submit, would protect the interests of vulnerable British Columbians.

Those are my comments. Thank you very much. I'd be pleased to answer questions.

March 12th, 2015 / 12:40 p.m.
See context

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

I have a question for Mr. McLinton and Mr. Littler.

Bill S-4 provides for a mechanism to notify individuals of security breaches. You appear to support that. The model proposed under Bill S-4 will require organizations to, themselves, determine whether the breach creates a risk of significant harm to the individual or not. Do you think it would be easy for your members to make that assessment? Do you expect to receive some support to ensure you are properly complying with the bill's provisions?

March 12th, 2015 / 12:40 p.m.
See context

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

We received a letter from the privacy commissioner indicating that Bill S-4 was based somewhat on B.C.'s model. That is what it was supposed to look like, but suggestions changed in light of the report. I think that calls into question the provisions in Bill S-4. Would you agree with that? Do you think we should find a way to bring the bill in line with the report recommendations as well, in order to achieve that alignment between the acts?

March 12th, 2015 / 12:40 p.m.
See context

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

I will go back to the banking association. Financial institutions also provide insurance coverage for loans. What aspects of PIPEDA or Bill S-4 prevent the banking system from accessing the metadata or medical information on an insurance applicant under that same umbrella with the banks? The reason I ask is, the bank lender knowing a client's medical information could prejudice the lender. What you had stated previously is that you'd like to have more sharing of information to prevent a crime. How does the customer know that this barrier will not be crossed?

March 12th, 2015 / 12:35 p.m.
See context

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you very much.

Ms. Sali, I'm going to read a comment made by your executive director. I'm going to read the quote in English as I don't have it in French. It reads as follows:

...this legislation, while welcome, does almost nothing to tackle the serious problem of ongoing government surveillance against law-abiding Canadians.

Since we are studying the bill before second reading, we have the ability to propose amendments to PIPEDA that don't necessarily appear in Bill S-4. I see that as a golden opportunity. Unfortunately, the government seems convinced that the bill is going to pass as is, regardless of the amendments suggested by all the witnesses. That's truly unfortunate.

In light of your executive director's comments, do you think the committee could improve certain aspects of the bill?

March 12th, 2015 / 12:25 p.m.
See context

Conservative

John Carmichael Conservative Don Valley West, ON

—and when there is an opportunity for somebody to report, you want to know that the report is going to fall on ears that are able to listen and respond.

Going over to the Retail Council, I'd like to refer to your opening comments on consent in Bill S-4. In this paragraph you say, “We note that the bill contains a provision specifying that 'Consent is not valid unless how the information will be used is clearly communicated in language appropriate to the target audience.'”

Could you expand on that and talk to how that is going to benefit your membership?

March 12th, 2015 / 12:25 p.m.
See context

Conservative

John Carmichael Conservative Don Valley West, ON

Bill S-4 provides that ability for you.

I think it's important, because this is an area we all know is growing—

March 12th, 2015 / 12:25 p.m.
See context

Director, Consumer Affairs, Canadian Bankers Association

Linda Routledge

The banks generally speaking would see potential or suspected financial abuse in the branches. It could be a client coming in with a caregiver or whoever and there being some kind of suspicious transaction. Right now, the first step of the bank would be to try to take that client aside so that they get them away from the suspected abuser, so that they can determine what the client wants to do. But in some cases that's not possible, and so we just have a suspicion.

Many times the amount of money may not be large in that instance, and that instance may not be fraud. We are constrained in being able to approach the police or the public guardian and trustee to ask for their assistance, because there is not a contravention of the law or fraud.

What we're looking for, and what Bill S-4 is giving us, is the ability to then escalate this matter and have it investigated further—because within the banks there is an escalation process—so that we can assess whether there is somebody else out there we can contact who would be able to help our customer avoid the abuse. It may be a parent, a sibling, or someone like that. We would assess and try to determine to the best of our ability whether that person is involved in the abuse—we recognize that in many cases it's a family member—and we would do our utmost to determine that the person we're contacting is not involved in the abuse.

That is where Bill S-4 would help.