Evidence of meeting #21 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.
A recording is available from Parliament.
NDP
Pat Martin NDP Winnipeg Centre, MB
Obviously personal health information would require the most stringent type of informed consent.
President and Chief Executive Officer, Canadian Marketing Association
Mr. Chair, I don't want to eat into Mr. Martin's time, but let me make a general comment about the act that I think is important for the committee to understand.
The ten principles that form the basis of the act were negotiated over four long and difficult years—I know, because I was there—by a group of privacy advocates, business representatives, and government officials. We very deliberately did not make it media specific or sector specific or technology specific, because we wanted those principles to apply no matter how technology changed, no matter what sector you're dealing with, and no matter what medium you're in or how that medium was evolving, so that the ten principles we agreed on—and it was, as the Attorney General said, a series of delicate compromises—would last for a long time and could govern conduct no matter what comes at us in terms of technology change or other innovations. That's why we're very supportive of the basic principles of this act.
Liberal
The Chair Liberal Tom Wappel
Thank you.
You did eat into his time, but it was only a few seconds.
Mr. Tilson.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
Thank you, Mr. Chairman.
I would like to ask a question that I've asked the commissioner, and that is whether the legislation is doing enough to facilitate small business.
President and Chief Executive Officer, Canadian Marketing Association
We did some research funded by the Privacy Commissioner—and we've left a copy—with respect to small and medium-sized business. The basic problem right now is the lack of awareness. When there is a complaint, then small business will pay attention to it; they will follow the recommendations of the Privacy Commissioner. But in our belief, probably the most needed thing in the marketplace right now is more education, whether it's better funding for the Office of the Privacy Commissioner or the office of consumer protection. We've cooperated on a joint paper with the Ontario Privacy Commissioner as a guide to small and medium-sized businesses in implementing these principles, but there's much more to be done. That's one area we can certainly pay more attention to.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
This afternoon we've talked about breaches, and you indicated that one penalty could be the disclosure of the name of the company breaching the legislation either after one shot, two shots, or whatever. Should other penalties be set forth? One of you gave an example of an item kept on file for a specific purpose and then disposed of. The question is, what happens if it's found that it's not? What happens if a breach has a serious effect on the public?
President and Chief Executive Officer, Canadian Marketing Association
There are provisions in the act. I'll defer to Ms. Cody-Rice to talk about it.
Senior Legal Counsel, Privacy Coordinator, Canadian Broadcasting Corporation, Canadian Broadcasting Corporation
I'm not sure I could be deferred to, but there is a power in the Federal Court to award damages, as I recall, and I'm just looking for the section now. One can get an order from the Federal Court. In fact, as the Privacy Commissioner pointed out, I believe, this legislation in terms of orders has somewhat more teeth than the federal Privacy Act.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
That's where I'm going on this. I was aware of that, and sometimes you ask a question knowing what the answer is. But the next question would be, should the Privacy Commissioner have quasi-judicial powers? You find out something is wrong and off you go to Federal Court, whether you're talking small business or large business, or whether you're talking a small individual or a large group of individuals.
President and Chief Executive Officer, Canadian Marketing Association
We would have difficulty with that concept because the Privacy Commissioner is quite rightly a privacy advocate, and there's a bias there. That's not a criticism, that's the way she's appointed and that's the way it should be, but giving order-making powers to the Privacy Commissioner is like making the police the judge, the jury, and the executioner all together.
If the Federal Court were impractical, you might look at an independent tribunal or some neutral tribunal, but at the moment I think the Privacy Commissioner is fairly satisfied that this process with the Federal Court--and the teeth behind Federal Court is sufficient, my colleague here has pointed out, at least in our current experience.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
There is an article in a periodical called FrontLine Security.I don't know what the date is, but it's issue 3, 2006, and it's on cyber security. It's a series of articles dealing with transborder data flow. There's an interesting observation in an article by Peter Hillier where he pointed out that the private sector must step up to the plate by adhering to the provisions of PIPEDA or similar provincial legislation, where it's available. Then he got into a number of suggestions, and this is with security: the segregation of personal information being handled under the contract from other records held by the contractor, audit trails to closely monitor how information is handled, and the limiting of right to access based upon specific user profiles.
I don't know whether these are good ideas are not; it's his opinion. But it raises the question as to whether you have philosophized on the differences between the information legislation, which says we have to have access to all kinds of things, and for heaven's sake, whether you're a business or whether you're a government, don't categorize. People out there are saying that. He's almost suggesting, for security purposes, you should.
It's unfair of me, because you probably haven't seen this article, but could you comment on whether or not there's any conflict between the information legislation in this country and the PIPEDA legislation?
Senior Legal Counsel, Privacy Coordinator, Canadian Broadcasting Corporation, Canadian Broadcasting Corporation
The information legislation specifically forbids a head of an institution from providing personal information, unless there's a very strong overriding public interest in some cases. CBC is not yet subject to ATI, although we get third party requests all the time. We have not yet found a conflict, because when we get a request—and I'm sure other companies are the same—if it contains personal information, then we don't release it. We claim an exemption and we will sever portions. For example, under our current regime, if someone's given an opinion, you might release the opinion but not give the name of the person who gave it , because we are under PIPEDA.
Can you think of an example where there is a conflict that you've seen? If you were addressing—
Conservative
David Tilson Conservative Dufferin—Caledon, ON
We've spent some time quite recently on this topic. We had a session here in this committee with respect to allegations of someone in the government releasing information on a reporter. The question is whether the government—this is the government, mind you, this isn't private—should categorize people or categorize individuals.
Senior Legal Counsel, Privacy Coordinator, Canadian Broadcasting Corporation, Canadian Broadcasting Corporation
By categorizing, do you mean, for example, that it was a reporter who made—
Senior Legal Counsel, Privacy Coordinator, Canadian Broadcasting Corporation, Canadian Broadcasting Corporation
Yes, but it's interesting, because the Access to Information Act forbids your categorizing a request under the Access to Information Act, and it is quite improper to reveal to anyone, other than the person who has to handle the request, who that person was. You have a right to the information. It doesn't matter who you are, you have the right to information under access to information.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
Okay, you've answered my question. You don't agree with this article, and that's fine.
Senior Legal Counsel, Privacy Coordinator, Canadian Broadcasting Corporation, Canadian Broadcasting Corporation
I haven't seen the article, so I can't—
Liberal
The Chair Liberal Tom Wappel
Thank you, Mr. Tilson.
Next up is Mr. Peterson. Do you have any questions?
Liberal
Jim Peterson Liberal Willowdale, ON
Thank you.
Going through your recommendations, Mr. Brazier, recommendation number 11, “That employers be exempt from fulfilling requests for information that are clearly frivolous or vexatious”, I can understand that, but how do you know if a request is frivolous or vexatious?
Executive Director, Federally Regulated Employers - Transportation and Communication (FETCO)
For example, somebody who puts in, “Give me anything that has my name on it.” I think there has to be some legitimacy to the request. It isn't a fishing expedition. There has to be some basis on which the request is being made.
This is not an unusual provision in law. Frivolous and vexatious complaints can be dismissed by the Human Rights Commission, as an example. We don't really think that we're doing anything here that expands something that isn't already found in other legislation.