Evidence of meeting #19 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was personal.
A recording is available from Parliament.
4:15 p.m.
Liberal
The Chair Liberal Tom Wappel
I guess what you're basically saying is there should be some mechanism to determine whether or not the claim of solicitor-client privilege is in fact a valid claim.
4:15 p.m.
Assistant Commissioner (PIPEDA), Office of the Privacy Commissioner of Canada
That's right.
4:15 p.m.
Liberal
Sukh Dhaliwal Liberal Newton—North Delta, BC
Thank you, Mr. Chair.
Marlene, do you want to go ahead or do you want me to go ahead?
4:15 p.m.
Liberal
Marlene Jennings Liberal Notre-Dame-de-Grâce—Lachine, QC
If you have questions, go ahead. If not, I have questions ready.
4:15 p.m.
Liberal
4:15 p.m.
Liberal
Marlene Jennings Liberal Notre-Dame-de-Grâce—Lachine, QC
Thank you, Chair, and thank you, Mr. Dhaliwal.
Thank you very much for your presentation. I apologize for missing the first part of it. I had not received the information that the committee room had changed, so I was at 371 West Block.
I'd like to ask you about three issues. I'll try to be very brief in my questions, and if you don't have enough time to respond fully, you know the routine, that you can send it on in writing.
On the question of the obligation of notification when personal information held by a company--for instance, a credit card company or a bank--has been either lost or stolen, there's a whole issue about the need to have a mandatory requirement to inform the individuals that their personal information has been violated, and that at this point in time you, as commissioner, have no way to penalize companies that do not notify.
If you're seeking authority to be able to compel companies that hold personal information legally, but from whom illegal access to that personal information has been gained.... You're seeking the authority both to require the company to inform the individuals whose personal information has been violated and to penalize the company that does not do that. Does that not accord better with the model of a commissioner who has the power to issue executive orders, rather than an ombudsman model?
Secondly, on the issue of work product, I liked the point that Mr. Tilson raised. Notwithstanding that you would prefer to continue on a case-by-case model or process of dealing with the issue of whether the personal information is worthy of privacy or whether it is work product, I think there is a compelling need. There are companies that deal with personal information, and if we want to ensure that the processes that they put into place are in fact well founded and they're not going to suddenly be caught up short after possibly months and thousands and in some cases millions of dollars invested into putting into place the process in order to legally capture personal information, treat it, send it out legally, and all of that, and then all of a sudden there's a decision that says “Oh no, that's wrong, you can't do that with that information or parts of it”.... If there were a distinction between personal information that comes under privacy and under work product, with whatever clarifications are needed to ensure that the scope is not too large, is sufficiently narrow, but is very clear, I think there's a good argument for that. Professor Bennett, who came before the committee, also was in favour of it, as was the other professor who was here.
My third question is again on the issue of the ombudsman model. You have no executory powers. There are models that are not quite ombudsman--it's a mixture--and there is the authority and there is a way to build deadlines and delays into legislation in order to ensure that the process for handling the complaints and disposing of them can be done in a very fulsome manner, but very efficiently and quickly, rather than a year or two years, etc.
If you're not prepared at this time, I'd like you to reflect on that. I think the models in British Columbia and Alberta have provided sufficient information to allow us to move forward.
4:20 p.m.
Liberal
4:20 p.m.
Liberal
The Chair Liberal Tom Wappel
Could you please, Commissioner, either give us a very brief response to those three questions or perhaps a written response later? Do you have any comment on any of the three?
4:20 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes. What would be most useful to the committee?
4:20 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Could I do both, Mr. Chairman?
Very briefly, to the honourable member, we forget that in the current model the Privacy Commissioner has a whole series of powers. We forget because they were not used in a consistent way from the beginning. We are now taking cases to the Federal Court and are involved in 12 cases. We have an almost total rate of compliance when we say we're going to take cases to the Federal Court.
The Federal Court, remember, can order damages. None of the provincial commissions can order damages. You can make an order—it's the same as our recommendation—and it's a binding order, but it doesn't really put the person in the place they would have been had there not been a privacy breach, because it can't account for damages. I think that's an important issue.
4:20 p.m.
Liberal
The Chair Liberal Tom Wappel
I think I'll stop you there, Commissioner, if you wouldn't mind. If you could provide written answers to the other two, thank you.
4:20 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Okay, certainly.
4:20 p.m.
Conservative
Mike Wallace Conservative Burlington, ON
Thank you, Mr. Chair.
I'll ask questions and give you a chance to answer.
It's come to my attention that there are organizations who like the B.C. definition. Do you want to comment on the British Columbia work product?
4:20 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Certainly. I think the B.C. definition, as I understand it, is well received in B.C.—and I think you may have the commissioner here to comment on that.
I will simply reiterate, from the point of view of the protection of privacy, that when you go for any definition of work product, it may have the effect of narrowing the protections for other related information related to a person's employment.
Secondly, I note that the B.C. definition does not provide for consultation. In fact, as I remember, it excludes the work product from the definition of personal information.
Another provincial jurisdiction has in fact put in a step of consultation with those whose personal information is being collected. I think that's an interesting facet that is not in the B.C. legislation.
4:20 p.m.
Conservative
Mike Wallace Conservative Burlington, ON
Okay, I appreciate that.
I'm going to follow up on my colleague's question about the private sector piece. Because I'm new to this issue and didn't have the experience of working for a company related to this, what is the average cost of this program for a small business? I know you said that with your increased budget you're looking at ways to better communicate to organizations how to implement PIPEDA, but what are the costs to small and medium-sized business, if you have a sense of what those are? And do you care?
4:20 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes, I certainly care. I care that the law is as easy to apply as possible, because privacy is a fundamental right in this country and Parliament has adopted this law. I care about whether it is practical and easy to apply.
Mr. Chairman, the assistant commissioner deals very closely with a lot of these cases, but if I may, before I ask her to give some examples of how small business tries to comply, I'll just say that Parliament, as I understand, deliberately chose a very light and flexible regulatory system in 2000. I'm saying this to the honourable member because it could have chosen a much heavier system--for example, the British system, where you have to register your databases with the U.K. commissioner every year and then pay a registration fee. That's how the U.K. commissioner in fact finances his office.
But here in Canada we just said this is the law and you're expected to comply with it, and unless there is a complaint, or the Privacy Commission does an audit or something like that, we will presume—as with most of the laws of this country—you are in compliance with it. So it was supposed to be a light law.
4:25 p.m.
Assistant Commissioner (PIPEDA), Office of the Privacy Commissioner of Canada
As you probably know, the law is based on the CSA model code for the protection of personal information, which was developed as a voluntary instrument by various stakeholders, including business.
It's a management standard, so it's quite easy to apply. It wasn't developed as a law for big business or little business; it works for everybody. If you're a small business, your privacy policy can be one page. If you're a huge organization, your privacy policy is probably thicker than this binder. It's that sort of thing. So it's not difficult for small business to comply with the law. A lot of them are trying to comply, and I think part of where we could possibly do a bit better is in education and in working with small business.
4:25 p.m.
Conservative
Mike Wallace Conservative Burlington, ON
And during your budget consultations here a few weeks ago, that was part of the process. That extra money was to help promote PIPEDA on how to get up to speed on that. Is that an accurate statement?
4:25 p.m.
Conservative
Mike Wallace Conservative Burlington, ON
And when would we expect that to be available to the public?
4:25 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
In the course of this winter, I think, Mr. Chairman.