Information & Ethics Committee on Jan. 30th, 2007

Thank you, Mr. Chair.

Mr. Chair and members of the committee, thank you for inviting us to be here with you today to contribute to your review of part 1 of the Personal Information Protection and Electronic Documents Act, PIPEDA.

I am the senior vice-president of corporate operations and the general counsel of the Canadian Bankers Association. I also act as its chief privacy officer. With me today, as you've heard, is Terry Campbell, our vice-president of policy, and Linda Routledge, our director of consumer affairs.

At the outset may I say that the banking industry has long been a leader in privacy protection, being the first industry to have a detailed privacy code, first introduced about 20 years ago. The industry also participated in the development of the Canadian Standards Association model privacy code that is referenced in schedule 1 of PIPEDA. Our privacy code was the first to be acknowledged as being consistent with that standard. I might say that protection of personal information has always been a cornerstone of banking and one of the banks' highest priorities.

Nevertheless, when handling over 11 million transactions each day for our customers, errors can and do happen. The banks' goal is to minimize such errors, to protect our customers' interests, and to take steps to ensure that such problems do not recur. Considering the almost daily interactions that customers have with their banks, the relatively small number of privacy complaints raised with the Privacy Commissioner provides strong evidence of the banks' success in protecting personal information.

The banking industry was one of the first industries to be subject to the PIPEDA when it came into force in 2001. Generally the banks are of the view that the act has served Canadians well. We have only a few suggestions—mostly of a technical nature—for changes that we recommend be made to the act. They are set out in detail in our submission, but I would like to highlight a few of them for you today.

I'd like to speak first about a proposal dealing with the public interest exemption. Situations arise where the act's current requirements prevent employees from acting in the interest of the greater good of an individual or group of individuals. An example of such a situation in the banking context is where a banker suspects financial abuse, particularly with seniors, and when a customer is withdrawing money from his or her account and it appears that the customer may be under pressure from the person accompanying him or her, or the withdrawal is uncharacteristic of that person.

Prior to PIPEDA, under common law, banks were able to disclose their suspicions about abuse to the authorities, to the vulnerable customer's family, or to another responsible person who might be able to investigate and stop any abuse. Financial abuse of the elderly is a significant issue in Canada. The public and families of such customers expect bankers to help prevent any abuse. Under the current legislation, though, while branch employees want to help, they are not allowed to because there are no exceptions that cover such situations.

We are recommending an exemption for disclosure without consent when it is in the public interest.

Next I'd like to suggest changes to the way PIPEDA deals with investigations. The banks spend considerable effort and expense to prevent their operations and customers' personal information from being used for any kind of financial crime, whether it is a scam, identity theft, deceptive telemarketing, debit or credit card fraud, or money laundering. They provide employee training and customer awareness programs, and they cooperate with governments, law enforcement agencies, and other bodies at both the national and international levels.

It would help our efforts if the act were amended to follow British Columbia's approach. Instead of designating “investigative bodies”, as is the case now under PIPEDA, adopting the B.C. approach would allow organizations to collect, use, and disclose personal information for the purposes of an investigation. This would eliminate some of the current inconsistencies and allow information to prevent fraud.

Inconsistencies in the act frequently interfere with the bank's ability to investigate and prevent illegal or fraudulent activities. For instance, while the act allows an organization to collect and disclose information relating to a breach of an agreement, it does not allow for internal use of that same information to prevent further fraud against that customer, other customers, or the bank itself.

Similarly, a bank investigating a fraud could find and use internally information suggesting contravention of a foreign law, but would be unable to collect any further information to confirm that suspicion. The bank could even disclose that information to the banking industry's investigative body, the Bank Crime Prevention and Investigation Office, but the BCPIO could not do anything further with that information because it is not able to disclose information relating to the contravention of a foreign law, even to local authorities or other local organizations that might be similarly impacted. This causes significant barriers to investigating and preventing further crimes against the broader cross-section of the industry and its customers.

We are recommending that the act be amended to include these and other valuable enhancements from their provincial statutes.

There is also a need to change how PIPEDA deals with corporate groups.

To meet regulatory reporting requirements, for example for anti-money laundering and risks/capital adequacy, banks are required to report on their entire corporate group as one entity. Many organizations, including the banks, have located their privacy officer at the most senior levels in the overall corporate group and this officer acts in that capacity for all entities within the group. In both types of situations it is necessary for personal information to be collected, used and disclosed within the entire corporate group, not held exclusively within one part of it. The act needs to be amended to better address the needs for corporate groups to share information amongst corporate entities for such purposes.

I should note that there are areas where some stakeholders are seeking changes to the act, but where the banks believe that the legislation continues to effectively balance the needs of various stakeholders. For example, let's talk about the commissioner's powers. The commissioner's existing ombudsman approach to oversight appears to be working well. In almost every instance where the complaint has been deemed well founded and the commissioner has recommended changes, the organizations affected have followed the commissioner's recommendations. Where there have been any difficulties, the threat of Federal Court action generally has led to compliance. The commissioner has the option also, where it is in the public interest, to name organizations that have not complied with the act, and the commissioner has done so at least twice. She also has the ability to conduct audits and to instigate her own complaints, which she has already begun to do. In our view, the current oversight approach and the tools for the Privacy Commissioner are consistent with similar regulatory bodies. The banks concur with the commissioner's own view expressed to you that her current powers have proven to be effective and that no changes are needed at this time.

There is also the issue of breach notification. The banks support the need for an organization to notify individuals of a breach if an internal investigation concludes that there is a reasonable risk that the individual's personal information could be misused for fraudulent purposes or for identity theft. This is a standard accepted internationally in financial services. Banks take very seriously the responsibility to keep their customers appropriately informed and believe that organizations in Canada have been fulfilling this responsibility effectively on a voluntary basis. We do not believe that legislated requirements are needed.

Lastly, there is the issue of outsourcing. The existing provisions in the act provide the necessary framework to protect personal information about Canadians when organizations outsource functions either domestically or internationally. An organization must ensure that the personal information provided to third party processors is given the same protection as the organization itself must provide under PIPEDA. Outsourcing is a reality of Canadian business and contributes to Canada's economic growth and prosperity. The act provides the necessary protections to balance this interest with the protection of individuals' personal information.

Mr. Chair and members of the committee, we thank you for your attention to our comments, and of course we would be pleased to answer your questions.

I'll begin.

Good morning, Mr. Chair and committee members.

Thank you for this invitation to come before the committee today to discuss the Personal Information Protection and Electronic Documents Act.

My name is Gary Rogers. I'm vice-president, financial policy, with Credit Union Central of Canada, commonly known as Canadian Central. My co-presenter today is Charlene Loui-Ying, general counsel and government relations officer at Credit Union Central of British Columbia, commonly known as B.C. Central, which is our largest shareholder and member institution.

Canadian Central is a federally regulated financial institution that operates as the national trade association and financial facility for our shareholders, which are the provincial credit union centrals and through them the 501 affiliated credit unions across Canada.

I mentioned that Canadian Central is federally regulated. Provincial centrals are provincially regulated, although some of them are also federal regulated through OSFI. And credit unions, of course, are provincially regulated.

A statistic that surprises many is that our credit unions employ more than 24,000 Canadians coast to coast, many or most of whom require knowledge of and training regarding privacy issues. Those employees serve our members, who number over 4.9 million Canadians.

At the end of the third quarter of 2006, our credit unions held close to $93 billion in assets, which grew by 10% over the previous year.

The evolution of PIPEDA is of great interest to the credit union system, because the activities of some parts of our system, including Canadian Central, fall directly under that act. Credit unions are also directly regulated by PIPEDA in those provinces that have not introduced substantially similar privacy legislation. Further, the evolution of PIPEDA will undoubtedly have a strong impact on provincial privacy legislation, which in turn will directly impact credit unions.

Like all Canadians, credit union members set a high priority on the protection of their personal information, and credit unions have a long-standing commitment to protect the privacy of our members. In fact, Canadian Central was a contributing member of the Canadian Standards Association technical committee on privacy that worked on drafting the model code for the protection of personal information. That model code eventually formed the basis for PIPEDA.

Credit unions work to prevent their members' personal information from being used in a manner that's not been consented to and they endeavour to prevent such information from being used in any kind of financial crime, be it identity theft, deceptive telemarketing, debit and credit card theft, or money laundering.

This commitment to member privacy is enhanced through employee training programs, strong internal policies and procedures, member awareness programs, and continuing cooperation with provincial and federal governments and law enforcement agencies.

In general, the credit union system believes that PIPEDA serves Canadians well in protecting personal information. The act, and similar provincial legislation, has provided business organizations, including credit unions, with that practical framework for formalizing our policies and procedures aimed at protecting the privacy of member customers.

We recommend that the federal government proceed cautiously with changes to PIPEDA, especially in light of the fact that Canada is only two years into the full application of the act. It may be too early to properly judge the real impact of the existing legislation.

If amendments to PIPEDA are to be recommended, Canadian Central suggests aiming for a couple of principles: that there be greater harmonization between federal and provincial privacy legislation, and that consideration be given to selecting the easiest and most cost-effective approach to achieving the objectives of each change.

In the following comments, my colleague, Ms. Charlene Loui-Ying, will outline six specific recommendations in regard to PIPEDA, although three more are included in our submission. These recommendations are the result of consultation within our credit union system among representatives who have experience in the area of privacy protection, as well as with our national legislative affairs committee, which has representation from across Canada.

Turning to our first recommendation, Canadian Central believes the existing ombudsman model has been generally effective in protecting the privacy rights of individuals and garnering the compliance of organizations that are subject to privacy complaints. Thus, we recommend that the enforcement powers of the Privacy Commissioner not be enhanced at this time.

As you know, the Privacy Commissioner currently has the power to investigate complaints, conduct audits, make findings, issue recommendations, and initiate court actions. In particular, the current ability to publish names of offending organizations has been effective in inspiring compliance, as most organizations value their reputation. Once again, it is important to consider that Canada is only two years into the full application of PIPEDA and, as consumers and businesses increase their awareness of privacy issues, the effectiveness of legislation will also expand.

Recommendation 2: Canadian Central manages a credit union office for crime prevention and investigation, which is an investigative body designated under PIPEDA. Under PIPEDA organizations are allowed to disclose personal information to a designated investigative body without the knowledge or consent of individuals concerned. However, to do so, there must be reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province, or a foreign jurisdiction.

PIPEDA also permits investigative bodies to disclose personal information without the individual's knowledge or consent if the disclosure is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province. Canadian Central is concerned, however, that the act does not define the term “investigation”, thus leaving some ambiguity in the legislation and requiring organizations to interpret the act on their own.

Canadian Central recommends that the legislation be amended to include a definition of “investigation” in the act, especially one that specifically addresses fraud prevention activities in the definition. This may be done by adopting the model found in the Personal Information Protection Act of British Columbia.

Recommendation 3: Canadian Central recommends that PIPEDA be amended to allow designated investigative bodies performing similar functions to share information with one another. For example, the Credit Union Office for Crime Prevention and Investigation should be able to readily share information with other designated investigative bodies, such as the Bank Crime Prevention and Investigation Office, for the purposes of fraud prevention.

Along with this, the current framework should be clarified to identify when and how information sharing should take place between investigative bodies. Specifically, what is an appropriate response to a request for information from another investigative body? This guidance may not be necessary through legislative or regulatory measures, but rather through the issuance of guidelines.

Recommendation 4: At the moment, PIPEDA does not contain provisions allowing an organization to disclose personal information to prospective purchasers or business partners without the consent of the individuals whose personal information forms part of the transaction. Canadian Central supports an amendment to PIPEDA's consent requirements to permit the disclosure of information in the event of a business purchase, merger, or mortgage securitization. Of course, such disclosures should only take place when there are stringent confidentiality agreements in place.

Furthermore, such agreements should include provisions to ensure that information is either returned or destroyed if a transaction is not completed unless laws otherwise require retention. This sort of amendment will have the dual impact of facilitating business transactions while further ensuring that the protection of personal information is specifically contemplated during these transactions.

Recommendation 5: The privacy community is debating whether a “duty to notify” should be included in PIPEDA. Such a duty would require that organizations suffering involuntary disclosures or security breaches or the outright theft of personal information mitigate the risk of identity theft to the individuals involved. Such mitigation after a security breach could involve notifying the individuals whose information is at stake, along with credit agencies, relevant government agencies, and other commercial entities such as financial institutions.

Canadian Central supports, in principle, the concept of a duty to notify. However, if the Government of Canada decides to legislate in this area, there must be reasonable thresholds established before such notification is required. For example, before a notification takes place, there should be a determination that there is a clear risk of fraud, that the loss or theft creates a reasonable likelihood that the personal information will be used to the detriment of the individual affected, or that the loss involves large numbers of records with similar concerns. Those thresholds should also consider if notification might either cause a greater risk of fraud or other harm or might unduly alarm individuals. Canadian Central would be pleased to participate in future consultations in determining such thresholds.

Turning to the final recommendation that I'll be highlighting this morning, in a 2005 decision the federal Privacy Commissioner concluded that under PIPEDA, business email addresses are considered an individual's personal information. In investigating the case, the Privacy Commissioner found that while the definition of personal information in PIPEDA excludes an employee's name, business title, address, and telephone number, business email addresses, because they are not mentioned, are personal information.

Canadian Central recommends that this anomaly be addressed by amending PIPEDA to mirror B.C. and Alberta legislation that specifically excludes business email from coverage under provincial law. There appears to be little purpose served if business telephone numbers are exempt from the legislation, but business email addresses are not.

In closing, I would like to thank the committee for this opportunity to present our views on PIPEDA. We would be happy to answer any questions the committee may have.

Mr. Peterson, I'll look to see what my friends in the credit union industry have to say, but I think we're very consistent. As we've gone through the two recommendations, I think the overall view is that the legislation works well. We think it's a good base. We think it's working well. I think we both need what I would call some “technical tweaks” to make it work better, work more efficiently, but I don't think we see the need.... For a piece of legislation that is so relatively new, quite frankly the track record, from our sense, shows that it operates quite effectively. The Privacy Commissioner's office operates quite effectively. I don't think we need much more than technical tweaks. That's our sense, but I'll defer to my friends at the Credit Union Central.

I think we're generally of the same view. Perhaps we may vary in a couple of the nuances or in how far we think changes need to be made, but generally we're of the same view--that it's generally working well and only needs some technical tweaks.

It's circumstance-driven. There have been cases in which members have contributed to the loss, but even in some of those cases, the financial institution has reimbursed the members.

They gave their debit cards and PIN numbers to someone else, and that person took money out.

There are a number of provisions. I know my colleague Mr. Law will want to talk about this. You can look through different kinds of products--for instance, on credit cards there's a zero-liability policy out there: if somebody gets your identity and uses your card fraudulently, you, the customer, are held blameless. It's zero liability.

I'm very glad you raised identity theft, because it really is an issue. I'll ask Mr. Law to comment a bit further.

Just to underscore what Mr. Campbell has said, for many, many years we have been pressing the Government of Canada to do something about the problem of identity theft. It's a huge problem. It's growing, and unlike the United States, the Government of Canada has not acted on the problem with respect to addressing it in the Criminal Code. It's interesting when you look at the Criminal Code. There are provisions in the Criminal Code, for example, that deal with sending a telegram under a false name, but there's nothing to deal with e-mails. The fact of the matter is there's no provision in the Criminal Code that specifically addresses the identity theft problem in Canada, and I would urge the Government of Canada to look at this.

The Department of Justice has done at least a couple of consultations. They're inching towards the point where they may be proposing legislative changes to the Criminal Code. It is a significant problem. It's not enough simply to have the Criminal Code kick in when in fact a fraud has occurred. My view and the view of the Canadian Bankers Association is that the Criminal Code should get involved at the point where personal information has been misappropriated, because it's at that point where the trauma has been created for the individuals affected. It's at that point that losses do begin.

It's something that I think the Government of Canada should consider very seriously.

Well, yes, and after your political life, Mr. Peterson, perhaps you might consider it.

The Criminal Code kicks in when in fact a fraud occurs, obviously. But what we're saying is that the Criminal Code should kick in much earlier in the continuum of criminal activity, at the point where in fact the bad guy has gone on the Internet and stolen personal information about you. I don't think we should wait for the point where a fraud has been committed; I think the Criminal Code should apply at the time the misappropriation has occurred.