Information & Ethics Committee on Nov. 22nd, 2006

You have to go as far as you need to go. If you contract with a company and it violates the agreement by either storing it where it shouldn't be stored or allowing access that is not allowed by the law, you have to go to the limit of the law in pursuing those companies.

Yes, but the American laws demand notification of consumers. Is that your question? Many of them do--they differ. If there's a security breach, the individuals affected have to be notified that this has occurred so they can take appropriate steps.

Who would keep it on record? I think that's the question.

On my preferred solution to this issue, I know a bit about the way the American laws are not working.

I don't have that in front of me right now.

Of course.

I'm influenced mostly by the operations in B.C. and Alberta, where it is in the office. The office makes the orders. I see no reason why that couldn't function in Canada.

I'd be willing to listen to arguments on why a tribunal is a better way. I can see it in a way. It allows the office to focus. It doesn't get into this controversial or the continual legalistic process. But I don't see why it would not be a legitimate activity in the Privacy Commissioner's office. I know reasonable people could differ reasonably on this, but it seems to me that you need a parallel institution with as much expertise on the privacy issues as you already have in this office. Why couldn't this office's powers be extended—with additional funding, I would guess—to carry out those orders if necessary?

In my written submission that you will be receiving, I do discuss this a little bit, and I'll provide you more information about it.

The argument in favour of a tribunal is that you take the judicial function away from the Privacy Commissioner and the Privacy Commissioner maintains the ombudsman's role. You can also give it to a group of experts on the subject. This is the way the system works in the United Kingdom, and I'll give you information about how the British system works under the Information Commissioner and their Information Tribunal.

I think the Canadian Bar Association has come out in favour of such a model that is based on the Canadian Human Rights Commission and the Canadian Human Rights Tribunal. I'm not an expert on that, but I understand that it has led to delays. The perception is that it's just one other step on the way to a court, and I certainly wouldn't be in favour of establishing such a tribunal if it were of that nature. I am aware that there are arguments in the literature in favour of tribunals and that there may be a way one can be constructed in this situation, which would avoid the problems that the Canadian human rights area has. But at the moment, my preference would be some quite specific order-making powers for the Privacy Commissioner, and then an appeal to the Federal Court directly.

I'm not an administrative lawyer and I couldn't get into the details, but in most other jurisdictions there is a power to say, for example, “Stop doing that. Stop collecting that information.” That, as we argue, typically provides the incentive to comply at an earlier stage in the process.

The role of penalties in this area of law is a tricky one, because, to a large extent, the penalties that are imposed or the penalties that are perceived by a non-compliant organization are not necessarily financial. As I said before, they are as a result of lack of reputation and bad publicity.

There are plenty of models in Canada and there are plenty of models in B.C. and Alberta—and you will receive information about those pieces of legislation as well—where there are quite precise order-making powers concerning cease-and-desist and other functions like that. Those can assist the entire investigation and ombudsman function.