Evidence of meeting #22 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Philippa Lawson  Executive Director, Canadian Internet Policy and Public Interest Clinic
John Lawford  Counsel, Public Interest Advocacy Centre
Brendan Wycks  Executive Director, Marketing Research and Intelligence Association
David Stark  MRIA Standards Chair, Marketing Research and Intelligence Association

5:10 p.m.

Counsel, Public Interest Advocacy Centre

John Lawford

We'd love to know too.

5:10 p.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

Both of those are being reviewed. The Alberta legislation is currently being reviewed, and the B.C. one is about to be reviewed by the legislature.

5:10 p.m.

Conservative

Gerald Keddy Conservative South Shore—St. Margaret's, NS

There's a prepared question here that deals with the B.C. Information and Privacy Commissioner. He stated that he would not support an explicit notification requirement along the lines of those that have been happening in the United States. He would prefer to wait for evidence that mandatory notification is actually a cost-effective way to reduce risk of, for example, identity theft flowing from a so-called data breach. In the meantime, he's saying it would be better to reconsider the PIPEDA obligation for organizations to take reasonable security measures to protect personal information against unauthorized use and to work with organizations and issue guidance.

Do you have a comment on that? Where does that come from? It just seems to be contrary to what they're doing.

5:10 p.m.

Counsel, Public Interest Advocacy Centre

John Lawford

It seems out of the blue to me, and we think it would be an incentive for people to do better security, because they then have this requirement.

5:10 p.m.

Conservative

Gerald Keddy Conservative South Shore—St. Margaret's, NS

I'm not in disagreement. I'm wondering where that came from.

5:10 p.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

I think I know where it comes from. The B.C. Information and Privacy Commissioner had an experience with a particular data breach example involving a local mental health organization that had files on the psychiatric conditions of many people. There was some breach. Something happened and they didn't know who got the information, so they felt they needed to notify all these people. In that situation the B.C. Information and Privacy Commissioner was involved, and there were all sorts of difficult questions that needed to be answered. Would the patients themselves be further traumatized by receiving the notification? How would they be notified? The details of going about the whole thing were difficult.

I think it was that particular experience with a mental health organization that led him to question whether we want to jump into this. Of course, I would recommend asking the question directly to him.

5:15 p.m.

Conservative

Gerald Keddy Conservative South Shore—St. Margaret's, NS

Just for my own personal revelation here—and I apologize for not knowing this file really well—are there different levels of offences, different levels of business? If I'm the Canadian Imperial Bank of Commerce, quite frankly, then I need to have encryption and I need to have a series of protective measures in place to protect your and my personal information. If I'm delivering something from door to door in sales and I have an address and a name or a phone number, I need another level of protection to protect my client's information. Is there a clear differentiation for that under the act?

5:15 p.m.

Counsel, Public Interest Advocacy Centre

John Lawford

It's not that clear, but there is a principle that says you have to take physical, organizational, and technological measures that are appropriate to the sensitivity of the information.

5:15 p.m.

Conservative

Gerald Keddy Conservative South Shore—St. Margaret's, NS

So if you're keeping information in a scribbler, take care of it and don't lose it.

5:15 p.m.

Counsel, Public Interest Advocacy Centre

John Lawford

Yes. And if you're a large bank, you have to do encryption and have security personnel, and I think the Privacy Commissioner recognizes that.

5:15 p.m.

Conservative

Gerald Keddy Conservative South Shore—St. Margaret's, NS

She recognizes that there's a difference?

5:15 p.m.

Counsel, Public Interest Advocacy Centre

John Lawford

There's a level.

5:15 p.m.

Conservative

Gerald Keddy Conservative South Shore—St. Margaret's, NS

I'm sure what all my colleagues would—

5:15 p.m.

Liberal

The Chair Liberal Tom Wappel

Mr. Keddy, that's five minutes.

Mr. Van Kesteren.

5:15 p.m.

Conservative

Dave Van Kesteren Conservative Chatham-Kent—Essex, ON

Thank you, Mr. Chair.

Mr. Keddy has probably gotten some of my questions answered. Again, I just want to pick up where I left off.

I serve on the industry committee as well. One of the foremost concerns of industry today is that they're just laden down with so much bureaucracy. Are we witnessing the birth of a bureaucratic nightmare? That's my biggest concern.

I've heard all the witnesses say, too, that they have this in place and it shouldn't take more than a little bit. But if you've been in government for a while, you know things just don't happen that way. They just have a tendency to grow. I'm wondering if this is all necessary.

I'm just reading some of the other suggestions too, and I don't know if anybody has brought this up yet. The CSA code was suggested. Can you comment on that? Is it something that would make this a whole lot simpler?

5:15 p.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

The CSA code has become PIPEDA. PIPEDA is the CSA code, basically.

5:15 p.m.

Conservative

Dave Van Kesteren Conservative Chatham-Kent—Essex, ON

So they're using those standards?

5:15 p.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

That's exactly it. PIPEDA is really just legislating good business practice that has been recognized by businesses.

I can certainly say, for myself, that when we were coming up with these recommendations, I was taking the kinds of concerns you're raising now very much into consideration. The last thing we want to do is create more bureaucracy and more expense from it, but what we want to do is make it more effective, in an efficient way. We've tried to design the recommendations here in a way that doesn't require more expense or effort on anyone's part. They will for sure on the part of the Privacy Commissioner, and they will require expense on the part of private businesses that are not currently up to shape in terms of their privacy protection practices, but they should be.

5:15 p.m.

Conservative

Dave Van Kesteren Conservative Chatham-Kent—Essex, ON

Just to go back to the point that we were discussing the last time I was flooring some questions, isn't public education a solution too? Isn't it just something as simple as telling folks that when they're playing on that computer...? We do that all the time. The government has advertising. Wouldn't a solution like that be just as efficient?

5:15 p.m.

Counsel, Public Interest Advocacy Centre

John Lawford

It's a big part of the solution, but it is only part. We can see, just from the cases we've had in the last three years, that one part of the solution is convincing businesses to change certain business practices that have been found to be privacy-invasive and that they're not changing.

But a big part of it definitely would be getting the consumer up to speed on what the act requires.

5:15 p.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

A lot of what's required here is just pure transparency. It's saying to businesses, tell the consumers what you're doing. Don't do it behind the scenes; tell them if you've had a data breach and that they might be the subject of identity theft.

These are all pretty common-sense kinds of things that I think most businesses who have thought about it are already doing, or would do in those circumstances.

5:20 p.m.

Conservative

Dave Van Kesteren Conservative Chatham-Kent—Essex, ON

Thank you.

5:20 p.m.

Liberal

The Chair Liberal Tom Wappel

Mr. Tilson.

5:20 p.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

Getting back to the order-making capabilities, my understanding is that the only major order-making capability the commissioner has now is to identify a company that's breached something, which I think Mr. Lawford said she has done either not at all or once.

What happens if there's been an identity theft because of some action of a corporation or individual, and it's been established that the identity theft was caused by confidential information being released? And when you say order-making power, are there any suggestions on what other penalties there should be?

I'm thinking specifically of a very serious case where someone has stolen someone's identity and the most you can do is say, “Oh, the company breached it,” because that's all there is.

5:20 p.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

We've actually recommended that this be treated as an offence and that there be a penalty for that.