Information & Ethics Committee on Jan. 30th, 2007

It's a problem with the investigative bodies.

The issue of outsourcing is actually one of the matters that we did not address or highlight in the presentation this morning. Canadian Central does have a position on outsourcing. Recognizing that, for the most part, outsourcing is a business reality, as pointed out by our colleagues, credit unions generally don't have the size and scope for the same bargaining power in outsourcing agreements that other larger organizations, particularly federally regulated organizations, might have. That said, there has been discussion among members of Canadian Central about the need to share information with other jurisdictions. The general feeling at this point is that the mechanisms already in place are appropriate, so that perhaps the Privacy Commissioner does not need a direct mechanism, as might have been contemplated in some of her submissions, since there are other mechanisms in place for information sharing at that level.

Sorry, Mr. Law.

On the issue of outsourcing, the banks have the obligation under PIPEDA to protect the information they collect. So when they outsource, their outsourcers are agents, and they will have contracts in place with those agents to make sure that those agents offer the same protection as the banks would offer if they were holding the information and doing the job themselves.

The only thing I can add to that is the fact that you have a specific guideline, the OSFI guideline, that deals with outsourcing on the part of the banks, and it provides another controlling mechanism regarding the extent to which information can be outsourced.

I don't think we've gone down to that level of detail, but I think it would probably be the same affiliates and subsidiaries. The fact of the matter is--and this is a point I made in my opening remarks--that banks, as do a lot of corporations, operate as a corporate group now. Within a banking group you have a mutual fund dealer, a trust company perhaps, a securities dealer, and a bunch of companies carrying on different kinds of businesses, but for all intents and purposes they operate as one group. I think, as a result, it would be useful if you could share information among the particular companies within that group in an effort to prevent fraud.

I know of situations that have happened in the banking industry, for example, in which our BCPIO, our investigative body, has been seized of information concerning fraudulent activity, money-laundering activity, but it has been unable to share that information with a subsidiary of one of our member banks because of the fact that PIPEDA does not operate on a corporate groups approach. As a result, I think it would certainly be beneficial for this committee to consider making amendments to the act to allow corporate groups to share information among the members of their group.

Specifically to your question about the Income Tax Act definition, it probably doesn't work well enough in this instance. In the credit union system we have a large number of players with very small shareholder interests, so therefore the concept of associated corporations and related corporations in the Income Tax Act wouldn't be broad enough to cover what would be intended here for privacy purposes. We're interested in having a conversation about how that could be defined appropriately.

I'm not sure it's so much of a conflict, but saying we recognize some tweaking is needed, to use the word of the day. It's not so much an overhaul, but we need to look at changing the whole way privacy operates in Canada. Because of the statutory review, it is useful to take a look and say what's been going on in other jurisdictions and what's been working well. Are there things that can help improve this legislation for the benefit of all Canadians to make it work more effectively so it's more cost-efficient for business and more effective for consumers as well? I'm not sure we meant it to be a conflict, but more part of the continuum.

Because this has a lot of general application, I'm not sure it speaks specifically to any particular technology. You're speaking to personal information here and what you're talking about is the scope of personal information.

If you look at the provisions of the act, it would apply generally to whether the manner of outsourcing worked five years ago or today. As my colleague has pointed out, the law says you are responsible for that personal information. When you outsource or use agents, you have to have them agree to protect it the same way you have to protect it.

I'm not sure it's the delivery method, with the exception of business e-mail addresses, where perhaps e-mail was less trusted five years ago than it is perhaps in the business community today. I'm not sure there are significant changes that aren't captured by the existing wording. If you examine that, you might come to the conclusion that the existing wording does deal with some of these changes and might have been worded generally enough to accommodate future changes in technology or relationships.

PIPEDA applies to federal works and undertakings across the country. If it's a bank, telecom, or transportation company, PIPEDA applies wherever you are. The provincial legislation does not apply. In B.C., Alberta, and Quebec, for provincially regulated organizations, those acts apply, and PIPEDA does not apply. In provinces where there is no provincial legislation, PIPEDA applies to the commercial operations of organizations. Nothing covers not-for-profits and so on.