Evidence of meeting #19 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.


Jennifer Stoddart  Privacy Commissioner, Office of the Privacy Commissioner of Canada
Heather Black  Assistant Commissioner (PIPEDA), Office of the Privacy Commissioner of Canada

3:55 p.m.

Bloc

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Okay. Perfect. I understand better.

You also refer to the disclosure of personal information, and you say it would be a good idea to include a requirement concerning notification in the act.

3:55 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

3:55 p.m.

Bloc

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

That isn't provided for in the act either.

3:55 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

No, that's not provided for in the act. Perhaps at the time there hadn't been enough leaks from large databases for anyone to think it was a problem.

Yes, we're in favour of the principle. The problem is in knowing how to implement it.

3:55 p.m.

Bloc

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Okay. In the meantime, you must have formed an idea about how to implement it.

3:55 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

We considered a number of American examples. That's one thing we should look at with government lawyers because it's quite complex. To whom do you give notice? What would be the scope of it? Would it concern all the information, or only where there's a significant risk? Who will bear the cost of that?

3:55 p.m.

Liberal

The Chair Liberal Tom Wappel

Merci, Madame Lavallée.

Before we go to Mr. Martin, could you give us--or if not now, could you send to us--the exact section of the Privacy Act that you are suggesting we import to PIPEDA?

3:55 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Yes, Mr. Chairman.

3:55 p.m.

Liberal

The Chair Liberal Tom Wappel

Thank you.

Mr. Martin.

3:55 p.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

Thank you, Mr. Chair.

Ms. Stoddart, good afternoon.

I would like to jump right to the paragraph in your document from July that you circulated for comment, dealing with the fact that--and I'm actually quoting from your document--“By the end of 2005, roughly half of U.S. states had passed laws” making notification mandatory if your personal information is compromised. I'm most interested in that. I'm wondering what your current views are and if that is something you would strongly recommend the committee look at--mandatory notification.

3:55 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Yes, Mr. Chairman, this is something that we suggest the committee add to the act. This has become an important problem. It's become, we think, a source for identity theft, although there hasn't been a lot of work done linking identity theft to the data spills, but it must contribute to it.

We would suggest that you recommend there be a breach notification provision in this law. However, the exact wording of the breach notification is, honestly, quite a challenge. We looked at almost all of the American models, and there are quite a few variations on it.

3:55 p.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

Do you think it should be graded on how serious the breach was? For instance, I've heard that one of the credit card companies, which I won't mention for commercial interests, had over three million breaches or compromises that they haven't notified their clients about. But some of those may be a matter of pennies and they were quickly corrected. Would you try to gradate the severity of the incident as to what would have to be reported?

3:55 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

I would think you'd want to put in some criterion like “significant”. You can have a technical breach of personal information, but if it's not significant, then you get into a company having to notify millions of people, which is extremely costly from the company's point of view.

3:55 p.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

By the same token, those millions of people have a right to know if the credit card they're using is being regularly and frequently compromised.

3:55 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

That is.... But if it's not necessarily significant--and then, as I say, it's not clear the exact links between breach notification and identity theft. In fact, I haven't seen any studies. Perhaps some of your other witnesses will know about that. So you can't say that because of this breach, we know that these numbers of people whose—

I think there are some states whose models seem to us more workable. We could come back at the end of your hearings and see which are the better ones.

I don't know if the assistant commissioner has any comments on this.

3:55 p.m.

Assistant Commissioner (PIPEDA), Office of the Privacy Commissioner of Canada

Heather Black

It's an interesting question and something we have spent a lot of time thinking about and looking at.

On the question of credit cards, it has probably happened to you—I know it has happened to me—that I get a call from the bank saying, “Did you charge so much in a saloon in west Texas?” Gosh no, I was here in Ottawa.

It's in the interests of the credit card issuers to keep track of these things, and they do it, actually quite well, because they pay. You don't pay, they pay, because your liability is limited.

You mentioned the three million breaches. I think at one of the earlier hearings we tried to track it down and couldn't find it. It's really hard to know what kind of breach they're talking about.

4 p.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

Okay, that's very helpful.

If I have a minute left, there are two other issues that have my interest—and I think I've mentioned this at other meetings too.

I know the Province of Manitoba contracted out their health data information to a private firm. That firm was then bought by an American firm, and now my personal medical records are in Dallas, Texas. God knows how many times the ownership has changed hands through corporate mergers and buyouts since then.

This has been flagged by a number of witnesses and you in your presentation, but on the cross-border jurisdictional problem of trying to protect Canadian information in other people's hands in other jurisdictions, I don't know if there are enough measures that you could possibly take to be able to give me any confidence that they're not selling my information to some drug company that's then going to use that for advertising or who knows what.

4 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Well, there are several things that can be done.

First of all, in the example the honourable member gave, I believe that is your health information that you would have given to the Manitoba government. So the Manitoba government can issue guidelines—it may have, like the federal government—and suggest that there is a scale of sensitivity. For the most sensitive things, the government may wish either its contractors to be bound by very strict contractual clauses or the data to be processed in Canada.

You'll remember the Lockheed Martin and Statistics Canada discussion of some years ago. That's in the private sector.

In the public sector, we come back to the responsibility principle I was discussing with the previous honourable member. We encourage organizations to bind those to whom they give personal information with very strict contractual clauses that allow them to do more than probably a law in the other country would, which is to go in and check, to do audits, to hold the other party responsible for damages. So I think it's quite a useful tool.

Assistant Commissioner Black has worked on some of these cases.

4 p.m.

Assistant Commissioner (PIPEDA), Office of the Privacy Commissioner of Canada

Heather Black

When we investigated the complaint we had about CIBC Visa, where the information does in fact flow into the United States, we discovered that CIBC had done everything they could to protect the information it dealt with. The agreement they had with the company they outsourced to dealt with safeguards, how the information could be used—as in not used, not disclosed—all that sort of thing. So they had taken all the appropriate steps, and the law in fact requires that to happen. If you're going to outsource, whether it's to the United States or to India, or wherever you're going, you are ultimately responsible. If you're ultimately responsible, you do the best you can to protect yourself as the organization in Canada so that we can't come along and say “We hold you responsible for the fact that this information was sold”, or what have you.

4 p.m.

Liberal

The Chair Liberal Tom Wappel

Thank you, Mr. Martin.

Mr. Tilson.

November 27th, 2006 / 4 p.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

Thank you, Mr. Chairman.

First of all, I'd like to say I'm pleased that you feel PIPEDA is working well. There are a couple of things, though, I would like to ask you about.

One of the issues that's been raised at our meetings--and we really just started and we've had two or three sessions of people coming to talk to us--is the issue of personal information, the definition of personal information in the legislation and whether or not it should exclude work product information. And you referred briefly to that in the report you made to us today, in the third paragraph on page 2. You've said that you've addressed this issue by adopting a case-by-case approach to assessing whether or not the information in question is about the individual. I gather from what you're saying that you don't believe that there should be a change in the definition, or am I misinterpreting what you're saying?

4:05 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

No. Mr. Chairman, that is correct. The honourable member has exactly stated what our position is. We raise it, but our preference is that we leave PIPEDA as it is. I believe this issue was looked at in 2000. It is a flexible definition. In some of the decisions made by the Privacy Commissioner we have dealt with the issue of work product and decided that in very obvious situations it is not covered by the act, but in situations where the information is of a more personal type, more of a revealing type, the act could cover it. This is an important issue for many people. I'm concerned, Mr. Chairman, that if we go to a definition, as we go on and increasingly it's easy for employers to set up video cameras and monitor their employees in all kinds of ways, this definition will hamper our attempts to minimize workplace surveillance and to limit that kind of surveillance to what is necessary. So I think for the moment the status quo is reasonably satisfactory.

4:05 p.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

I guess the reason I asked that question, Madam Commissioner, is this matter did go before the Federal Court. I think it was involving a competitor challenging.... Do you know what I'm talking about?

4:05 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

4:05 p.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

So one asks the question, does this give the commission too much discretion to decide on the case-by-case approach? And secondly, should the public require more certainty so that they know exactly what they should and should not do, as opposed to leaving it to the commission to decide on a case-by-case approach?