Evidence of meeting #20 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)
A recording is available from Parliament.
The Chair Liberal Tom Wappel
Let me stop you there, Professor, because there are other people who wish to ask some questions. Thank you.
Mr. Wallace.
Mike Wallace Conservative Burlington, ON
Mr. Chair, I will try to be succinct. I am going to ask the commissioner some questions first.
One thing we've heard previously—and you can let me know whether British Columbia does it or not—is that if there is a breach.... I think our Liberal friend, who isn't here today, talked about a credit card: there has been an error, and people's private information has gone out, and there are hundreds and thousands of them, or whatever. Does the legislation in British Columbia require the company to notify the individuals that their information has been breached?
Commissioner, Office of the Information and Privacy Commissioner of British Columbia
The short answer is no. The only legislation in Canada of which I'm aware that has that requirement is Ontario's Personal Health Information Protection Act.
In British Columbia—and our legislation is up for its own statutory review, starting in the next few months—I would, if asked, at this time certainly not support any explicit notification requirement along the lines of what we've been seeing in the United States, for example. I think that as the legislation matures we should wait for evidence that mandatory notification actually is a cost-effective way to reduce risks, for example, of identity theft flowing from a so-called data breach.
For now I would prefer strongly to continue with our office's approach to assessing this, looking at risk under the PIPEDA obligation of organizations to take reasonable security measures to protect personal information against unauthorized use; and to work with organizations and issue guidance, which we are about to do—and we have been joined in this in the last little while by our Ontario colleagues—around risk assessment as to whether or not notification would be prudent.
Mike Wallace Conservative Burlington, ON
Okay. You took my second question. Thank you for answering it.
The third question I had for you, and I just want to be clear on this, is: even though there is different privacy legislation—provincial, or federal in the absence of provincial—if I had a business that worked nationally, including in Quebec, are you telling me that there is no real, significant cost to business in doing something in British Columbia that I have to do differently in Alberta, or in Quebec, or in P.E.I.?
Commissioner, Office of the Information and Privacy Commissioner of British Columbia
I'm a lawyer by trade—
Conservative
Commissioner, Office of the Information and Privacy Commissioner of British Columbia
—with the usual caveats. I'm sure I could find many others in the legal profession who might take issue with what I'm about to say, but I would suggest to you that the similarities among the laws across Canada far outweigh such minor differences as may exist, and an organization that ensures that it is securely in compliance with PIPEDA, for example, with particular regard probably to the legislation in Quebec, would be well placed to say to me, and to perhaps others, even—and my colleague in Alberta might not like it that I've said this—that we're fine with your legislation.
Commissioner, Office of the Information and Privacy Commissioner of British Columbia
There are nuances, so there will be some costs there to ensuring that you've ticked all the boxes, but it is not as onerous, as I said at the outset of my remarks, as some might suggest. I would suggest to you that in other jurisdictions—the United States, for example—the costs are much higher to try to comply.
Mike Wallace Conservative Burlington, ON
Higher, okay.
On the employee privacy piece, you said there is no direct consent needed for people's employment information, the basic employment information. Does that include their salary? Is that basic employment information?
Commissioner, Office of the Information and Privacy Commissioner of British Columbia
An organization, in principle, would be able to disclose one of its employees' salaries to a third party, the amount of the salary, but only if it was solely for a purpose reasonably required to, for example, maintain or terminate the employment relationship, and if that disclosure, that particular disclosure, was reasonable in the particular circumstances.
Mike Wallace Conservative Burlington, ON
So in the case of an insurance company calling on another company, wanting to bid on, I don't know, some sort of product that they may be purchasing for their employees but is affected by the amount of payroll they have, it's not by individual, by a gross amount they're allowed to say that, but they're not allowed to give what each employee makes, is that an accurate—
Commissioner, Office of the Information and Privacy Commissioner of British Columbia
I have two quick points in response.
If the information is aggregated payroll, it is almost certainly not information about an identifiable individual, so it's not caught as personal information. It is therefore not covered by PIPA.
Our PIPA also has a special set of rules around the collection, use, and disclosure of personal information for the purpose of enrolling somebody as a beneficiary in a benefit plan or for something like group life insurance.
Conservative
Commissioner, Office of the Information and Privacy Commissioner of British Columbia
You can.
Commissioner, Office of the Information and Privacy Commissioner of British Columbia
So even if it were personal information, consent is not required for the purposes of enrolment and maintenance of those plans.
The Chair Liberal Tom Wappel
No. Thank you, Mr. Wallace.
Commissioner, you mentioned the review. Section 59 of your act says that the review must begin within three years of January 1, 2004, which would mean, presumably, no later than next month. Usually these deadlines end up not meaning anything, but I'm wondering, in your preparation for your appearance before the special legislative committee of your province, are there any major issues under your act that you see coming forward that you're going to bring to the attention of the committee, that may in some way be interesting or relevant to this committee's review of PIPEDA?
Commissioner, Office of the Information and Privacy Commissioner of British Columbia
The committee contemplated by section 59 has not yet been struck. We're in the process of getting our brief together for the committee for when it is struck and the review actually begins. But certainly to the extent that I can provide the committee here with information in the coming weeks and months that might be of use to you, I'd be happy to do that.
The Chair Liberal Tom Wappel
Weeks would be better than months, as far as this review is concerned. Thank you very much for that.
We'll now go to Mr. Dhaliwal, followed by Mr. Van Kesteren.
Sukh Dhaliwal Liberal Newton—North Delta, BC
Thanks, Mr. Chair.
My question is to the commissioner.
Earlier, Professor Steeves was talking about the doctor collecting information on hormone replacement therapy and then giving it to the pharmaceutical companies. The way I look at it, it helps society when it comes to research into hormones and is the only way that industry can find out where the need is and what the needs of the consumer or society are. As long as the personal names of those women or other patients are not disclosed to the pharmaceutical companies, would you consider that a work product?
Commissioner, Office of the Information and Privacy Commissioner of British Columbia
Bearing in mind my initial lawyerly caveat around particular circumstances and general remarks, I think it's fair to say that the information you've described around the prescribing patterns of physicians, as opposed to patient information, on its face appears to fall certainly within the definition of “work product information” in the legislation in British Columbia.
Liberal
Commissioner, Office of the Information and Privacy Commissioner of British Columbia
As a policy choice? It's not my place to make that kind of policy pronouncement, if you will, but I think clearly the legislature in B.C. has made that choice in defining “work product information” in the way it has because, as I say, on the face of it that kind of information--prescribing pattern information--would appear to fall within that definition and be within that policy decision.