Evidence of meeting #18 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pipeda.
A recording is available from Parliament.
4:40 p.m.
Political Science Professor, University of Victoria, As an Individual
Yes.
On the issue of the work product thing, I'm not sure what I would have to add beyond what's in the Privacy Commissioner's paper on that. I'd have to go back to it. I can't quite remember. I think there were three or four different options that were included there, one of which was the way the issue has been handled in Quebec. I'm not quite sure what I could add to that.
4:40 p.m.
President, B.C. Freedom of Information and Privacy Association (FIPA)
I think the Alberta and B.C. legislation are fairly similar and the Quebec is different, but I have to admit that I'm not as familiar with the Quebec legislation as I should be.
What I've been concerned with in my research is gathering the variety of ways in which the privacy of workers is threatened. It's not just keystroke monitoring and Internet activity and television or video cameras in the workplace. It's also endless tests that are required of people now for various occupations--drug tests, genetic tests, psychological tests--and these can go on both in the hiring processes and in the ongoing work process. These bring a lot of issues. It will be very difficult to try to figure out how to regulate these in appropriate ways to allow the worker some sense of humanity, without there being this constant threat.
I think a lot of it results from the fact that there is very much a general rubric about technology--if you can do it, why not do it? If it's possible to have a technology that gives you this and this seems to be useful, then do it, and that seems to be what's going on.
I have to say, also, that things are terrible in the States, where there is no privacy protection. Employers basically have complete rights to do whatever they want.
One of the at least temporary measures has been to try to work out a common agreement between management and workers about general rules on how the technology will operate. Are they going to watch everything you do? When you're on your lunch break, can you use the computer in the company without it being monitored? We know that the telephone brought these issues. Is it okay for a worker to call home to see how her sick child is doing? No management would say no, you can't call home. Is it okay to sit at your computer during lunch break and plan your vacation for next year? Well, you're not actually working, then, but it's not your machine, not your software, not your anything. Are you okay with doing that?
There's an endless number of these kinds of issues about which you would think people could come to a common agreement without the law intruding, but it's not the case.
4:40 p.m.
Liberal
The Chair Liberal Tom Wappel
Thank you.
We have Mr. Stanton, followed by Madame Lavallée and Mr. Wallace.
4:40 p.m.
Conservative
Bruce Stanton Conservative Simcoe North, ON
Thank you, Mr. Chair.
Thank you to our witnesses today.
To Mr. Rosenberg, the first item that you raise in your list of nine concerns was with respect to the publicizing of complainants. In particular, you said that the public attention on these issues would be, I think, in your words—and I'm paraphrasing here probably—a much more effective means of compliance. Could you expand on that a little bit and perhaps add in there in comparison to what's happening now with respect to these compliance issues? Help me understand better what you mean by that, and bringing that out in the open.
4:45 p.m.
President, B.C. Freedom of Information and Privacy Association (FIPA)
I think, by and large, the process in the Office of the Privacy Commissioner is a process about which only the person making the complaint and the organization or company against which the complaint is made really know what's going on. They're the ones who heard the judgment. The Privacy Commissioner will then make a recommendation that can be followed or not followed, because it has no legal force.
There is an option for the complainant to go to the Federal Court and pursue it, which would presumably cost—
4:45 p.m.
Conservative
4:45 p.m.
President, B.C. Freedom of Information and Privacy Association (FIPA)
Yes.
The question is, is this the better way to go and complain? I think Professor Bennett talked at length about this, and there is some debate about what's the best way to go. There's a best way for the complainant and a best way for privacy protection in general.
If you make a complaint now and you are told that the Privacy Commissioner's office upholds your complaint, then what? What should you do? You could hope that the company would take that as a message and clean up its act or do something, but there's no requirement that they do it. So what have you gained by that?
4:45 p.m.
Conservative
Bruce Stanton Conservative Simcoe North, ON
Do you have any understanding as to why the Privacy Commissioner has opted for the approach that's currently there respecting—
4:45 p.m.
President, B.C. Freedom of Information and Privacy Association (FIPA)
It's been operating that way since the beginning. I think it's one of these things where they can make it public if there's a strong public interest; otherwise, it's not. I imagine that not every case would be seen as having strong public interest. It would be very constrained and a very individual kind of process.
I think the basic notion is to do it somehow by persuasion. Basically, if you can persuade companies to improve their operation, without going public, that could be a less tortuous way. I'm not sure. But I think the possibility of improving things is not being pursued as it could be by going public.
4:45 p.m.
Conservative
Bruce Stanton Conservative Simcoe North, ON
Professor Bennett, did you have anything to add on that topic?
4:45 p.m.
Political Science Professor, University of Victoria, As an Individual
Yes, I have one or two brief things.
The problem occurs in section 20 of PIPEDA. Subsection 20(1) obliges confidentiality in the proceedings. Subsection 20(2) allows the commissioner to “make public any information relating to the personal information management practices of an organization if the Commissioner considers that it is in the public interest to do so”. The commission has interpreted subsection 20(1) as overriding subsection 20(2), under most circumstances. I certainly understand the sensibilities there.
I have a couple of additional points to what Professor Rosenberg said. It does put an extraordinary burden on the complainant. When you receive a finding, and you know the name, and so on.... I recounted my story. I'm in a different position from most people, because I have a certain profile in this community. I have the opportunity to make things public, but most people don't. I don't think it should be up to the complainant to make a decision about whether to publicize the name of that company. There are some complainants, CIPPIC, for example--whenever they make a complaint, they simply put it on their website. That's an approach. Therefore, it's public anyway. You have this bizarre situation where everybody knows who we're talking about, except it's not actually publicized on the Privacy Commissioner's website.
The second thing about the naming of names is this. Often you don't understand the full context of the dispute unless you know what company we're talking about. If you anonymize the name of the organization, it's often difficult to understand exactly what the business practices are. Therefore, as I said earlier, it's difficult to really get some clear jurisprudence about what the law is and whether that would be a precedent for another case that might come along.
Those are the issues. I really do sympathize. They're difficult. It's not easy to simply name names as a matter of course. But so far, I don't think the balance has been struck correctly.
4:45 p.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
Thank you, Mr. Chairman.
Good day and welcome everyone.
I am very pleased to meet you, as I have many questions and I am hoping that you can clarify some things for me. I am new to the committee and I also know very little about the Privacy Act.
First of all, one of my concerns is about workers. You spoke a lot about the surveillance of employees while on the job, under the pretext of security. I would like you to tell me if the law prohibits an employer who has installed video cameras to ensure workplace security - I'm thinking of a port, an airport or a convenience store - from using these devices to monitor the work of employees, and then subsequently admonishing them if ever they slack off, for example.
I have a few questions to ask, but I will start with that one.
4:50 p.m.
Political Science Professor, University of Victoria, As an Individual
Thank you for the question.
The legislation doesn't make any distinction between consumers and employees; the information is collected on individuals. It makes distinctions in terms of employment, and the categories of information that are protected at the provincial and the federal level. And there are still some gaps in Canada, I have to say. There are many businesses in Canada where the employee information is not protected by private sector legislation.
Essentially, the test in section 7 of the legislation is whether there is a reasonable purpose for the installation of, in this case, video surveillance; and those purposes have to be explained at the time of collection. The employer-employee relationship is a very different one from the business-consumer relationship. And you'll be receiving quite a bit of advice, I think, about whether or not there should be some special provisions made for employee information.
But to answer your question directly, it is considered a capture of personal information, and it has to happen with the knowledge and consent of the individual, unless it falls under one of the exemptions—that is, if we're talking about a federally regulated institution, such as a bank or another federally regulated undertaking.
4:50 p.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
I will give you an example, since I'm not sure that I fully understood.
In a port, for example, where there are video cameras for security, does the employer have the right to use the recorded images to admonish employees who, for example, take longer than necessary to do a job?
4:50 p.m.
President, B.C. Freedom of Information and Privacy Association (FIPA)
Usually, yes.
You raised some examples, and there are many, many examples of the kinds of monitoring that can go on, some of which is related to the work process in which employees have rights. I'm not sure this exactly answers your question, but one of the arguments for employers to monitor is that they're responsible for the work of their employees. If I sit at my computer and send out a message harassing some individual, my employer is responsible, because I'm using my employer's equipment on my employer's time. The employer could legitimately say they have a perfect right to monitor, because if they're going to have legal responsibility, they have to show they took steps to be in charge, if you like, and to be aware. And this covers a whole bunch of activities, not just harassment: it could be trade secrets; it could be going to sexually explicit websites and creating problems in the workplace, and lots of things. So those are part of the work process. Clearly the employer has a right to monitor.
The questions that arise are what about how fast the employer is entering data into the computer; what about how long the employee is spending away from the desk, away from the computer; or what about monitoring in rest rooms? Recall the infamous case of Canada Post, which had video cameras installed in the men's and women's bathrooms because of concern about drug usage while people went to the bathroom. There are devices installed to make sure that restaurant workers are washing their hands before they leave. We all say, oh great, we hope they wash their hands, otherwise, who knows?
So there's a whole range of these things, and many have quite legitimate purposes. It would be hard to argue it is an intrusion on the work process.
4:55 p.m.
Conservative
Mike Wallace Conservative Burlington, ON
Thank you, Mr. Chairman.
I'm sorry I missed a chunk of your thing, but the timing has been all fouled up today with some speeches.
I'm new, as is Madame Lavallée, and the only experience I have with privacy at this point has been do we send them a Christmas card or not, and how did we get their name, and all of those kinds of things. And I'm not going there.
The question I have for you, to begin with, is that legislation has only been in place for about five years, to my understanding, because we're coming up to the review. The health part, which can be relatively controversial, and which may be the most important part, as has been mentioned, has only been around for about a year and a half. Are we premature in even reviewing it without having a good sense of whether or not the thing is working for us and where recommendations and changes might be needed? Should we be saying here's some information that we've had from witnesses such as you, but we really need two or three more years of education on the piece on how it's actually working before we can make any real solid decisions?
If you wouldn't mind answering that, I'd appreciate it.
4:55 p.m.
Political Science Professor, University of Victoria, As an Individual
I don't think it's premature. I think the five-year statutory review is a good thing. However--and I'm not sure this is going to answer your question--I think it is going to be difficult to separate out, when you see problems with the legislation or the implementation of privacy policy, whether it has to do with the statute or whether it has to do with the way the statute has been interpreted by the Privacy Commissioner or overseen by the Privacy Commissioner, or whether it has to do with the larger context since September 11, 2001, and the extraordinary pressures as a result of that to capture personal information. We'll help you try to sort through those issues as best we can, but we can't let this hearing go by without mentioning 9/11 and the fact that the world for privacy changed at that point.
Nevertheless, I do think you will hear some very practical recommendations about how you can tinker with the legislation to make it more effective, to clarify certain provisions and to help not only individuals to understand their privacy rights, but also businesses to know what they have to do. My perception is that the vast majority of businesses in this country understand the issue, get it, and just want some clear advice on how to comply, and there are ways the legislation can be amended in order to effect that.
November 22nd, 2006 / 4:55 p.m.
President, B.C. Freedom of Information and Privacy Association (FIPA)
I don't think it's too soon either, although I do agree, in part, with respect to health information, we're just in the working stage of building these large systems. An enormous amount of money is going into them. Requirements are being put on physicians' offices. There are still a lot of doctors who have paper files, and that's not going to work in this age. They have to go electronic, which means they have to transfer all that paper into computer files. Then there are a lot of questions associated with that kind of information about access.
I've been attending meetings of the Department of Health in B.C. and that group that's doing a lot of this work on the electronic medical record, and there are a lot of questions now. They're guided, of course, in B.C., by B.C. law, and so far it looks like it will be okay from a privacy point of view, except that there are just a lot of questions about access that are not well worked out yet, about routine access and special access.
As I mentioned previously, medical researchers believe it's their right to get access to whatever they want, as long as you strip off identifying information. A lot of medical research goes to looking at medical records and seeing people under treatment A, compared with people under treatment B, over long periods of time. The question is, if you strip off identifying information, there should be no privacy issue, because you can't identify the individuals, except that this is another technology appearing where work and statistics show it's possible for certain sizes of groups to recover information. You can do it, in part, if you know where people live and they have a certain disease, because there are only a few people who can satisfy those criteria; and even if you strip off the names in advance, it's possible to recover information about them. So we're forced to think more carefully about that, about the conditions under which the information is available.
5 p.m.
Conservative
Mike Wallace Conservative Burlington, ON
Based on this review that we're undertaking, and certainly learning, your expectation, then, based on those answers, is that it's more of a tweaking or what the department might call some minor changes, rather than a major overhaul of what we've done over the last five years. Is that accurate?
