Evidence of meeting #26 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Warren Law  Senior Vice-President, Corporate Operations and General Counsel, Canadian Bankers Association
Gary Rogers  Vice-President, Financial Policy, Credit Union Central of Canada
Charlene Loui-Ying  General Counsel and Government Relations Officer, Credit Union Central of British Columbia
Terry Campbell  Vice-President, Policy, Canadian Bankers Association
Linda Routledge  Director, Consumer Affairs, Canadian Bankers Association

10:20 a.m.

Liberal

The Chair Liberal Tom Wappel

Mr. Tilson.

10:20 a.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

Thank you, Mr. Chairman.

I'd like to return to the question of notification.

I do find interesting your observations about the sharing of information, that the banks, the credit people, and I suppose the police should be allowed to share information. And I gather you're saying “without consent”. You're all saying—

10:20 a.m.

Senior Vice-President, Corporate Operations and General Counsel, Canadian Bankers Association

Warren Law

Yes, these are all “without consent” situations.

10:20 a.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

—without consent of the individuals. Notwithstanding, you're not going to tell the individual. Right?

10:20 a.m.

Vice-President, Policy, Canadian Bankers Association

Terry Campbell

On investigation—

10:20 a.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

I'm returning to my debate with you, quite frankly--and I suppose it is a debate--that if someone has a whole bunch of information that somehow disappears and we don't know where it is, maybe it's just lost or maybe it's been stolen, both organizations are saying that unless there are signs of fraud or reasonable possibilities of fraud, they don't need to be notified. Notwithstanding, you think it's okay to notify the police and other banks and other credit unions.

10:20 a.m.

Vice-President, Policy, Canadian Bankers Association

Terry Campbell

I think the difference is this--and I would characterize it as a discussion and not a debate—

10:20 a.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

Ah, indeed.

10:20 a.m.

Vice-President, Policy, Canadian Bankers Association

Terry Campbell

Yes, there you go.

I would characterize it like this--and I don't want to get too hung up here. In our remarks to you and in our submission, we have suggested some criteria for renotification, but we're not suggesting a hard bright line, because you have to look at every case. Is it serious fraud, or is it a bit of fraud?

We're just saying you can't hard-wire that. You have to look at the facts. And that's where the dialogue with the commission is important.

The difference here with what Warren is talking about is if person X is the bad guy and we're doing an investigation on person X, and we need to dig into some data to find out about person X because he's breached an agreement or he's kiting cheques or he's involved in money laundering, we don't want to tell him. But if you've had your personal information violated or breached, by golly, we're going to tell you. That's the difference.

10:20 a.m.

Senior Vice-President, Corporate Operations and General Counsel, Canadian Bankers Association

Warren Law

Yes, there are two completely different situations.

10:20 a.m.

Director, Consumer Affairs, Canadian Bankers Association

Linda Routledge

And what we're looking for as well is for the act to define “investigation”, and to define it in a very narrow way.

What we're suggesting is allowing investigations related to a breach of an agreement, contravention of a law, prevention of fraud, or circumstance or conduct that may result in remedy or relief being available under an enactment, under the common law, or in equity. That's from the B.C. legislation. So it's very specific that this is what we want to be able to share the information more broadly for.

10:20 a.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

The Privacy Commissioner goes even further and says that information should be shared with credit bureaus. Do you have any comment on that, on whether that's a good thing?

Is my credit rating going to be damaged if someone—

10:25 a.m.

Director, Consumer Affairs, Canadian Bankers Association

Linda Routledge

Usually what we suggest is that we go to the customer and we give the customer the information to be able to go to the credit bureau, so then the customer is in control of their own information.

10:25 a.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

Yes, the Privacy Commissioner.... Parliamentary information research, which is always excellent, gave us something here. One of their points is that the Privacy Commissioner has noted, in addition to adding a duty to notify, or as an alternative, a provision could be added to PIPEDA that would allow for an organization that has suffered a security breach to notify credit bureaus about the breach without the consent of the individuals affected. That's her recommendation.

The rationale is that it would allow credit bureaus to be more proactive in protecting consumers from identity theft and fraud. Having heard that, do you have any observations about it?

10:25 a.m.

Director, Consumer Affairs, Canadian Bankers Association

Linda Routledge

If there's a large breach and a number of customers are affected, the bank may go to the credit bureau and say that there has been a breach and you will be getting calls from customers, but the banks prefer to deal directly with the customer and have the customer notify the credit bureau.

10:25 a.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

I'd like to turn to the topic of blanket consent clauses. Again, this issue of the possibility that privacy consent clauses are too broad has been raised by the research people. Do you have any observation on that?

10:25 a.m.

Vice-President, Policy, Canadian Bankers Association

Terry Campbell

We look at the consents pretty carefully and take them pretty seriously. Our view--and I think it's been confirmed--is that the consents the banks use are consistent with PIPEDA.

I think the standard you want to have is this: the customer should have a pretty clear idea of how the consent is going to be used--so that, for instance, if we say when you open this account that we'll be sharing your information with our trust company and investment subsidiary, it should be clear enough that you should not be surprised if in turn you are contacted by the investment subsidiary.

The standard you want to meet is a balance: you don't want to have it so spare that nobody really knows what's happening, but at the same time you don't want to have it so long and so detailed that in effect either the customers won't read it or they'll be irritated by it. It's got to have that balance. We think we've struck that balance. I wouldn't characterize what we see in our industry as blanket; it's actually very specific, but we have tried to strike that balance so that nobody's surprised.

Perhaps my colleague with Credit Union Central can talk about that too.

10:25 a.m.

General Counsel and Government Relations Officer, Credit Union Central of British Columbia

Charlene Loui-Ying

We would support their suggestion that there does have to be a balance, because the reality is that consumers aren't interested in another piece of paper or even business transactions. They like to do things very quickly, so if they needed to get another separate consent for a similar type of re-advance on their mortgage, they would see the process as being more bureaucratic than helpful if they weren't able to give a continuing consent for all the advances on a mortgage at the time the mortgage was originally entered into.

The test really should be whether it's informed consent from a public policy perspective, I would suggest, because if the individual knows what he or she is consenting to, then it isn't the form of the consent that matters so much, but the substance, so if there's informed consent and the blanket consent provides for the necessary information, then it is still in the best interest of the consumer.

10:25 a.m.

Liberal

The Chair Liberal Tom Wappel

Thank you, Mr. Tilson.

I have two names left, mine and Mr. Van Kesteren's. If anybody else wants to ask a question, please put your hand up.

I have one question and I'll ask it of credit unions. It is on the issue of notification. Apparently the Ontario and the B.C. privacy commissioners have released a breach notification assessment tool as a guide for public and private sector organizations in responding to a breach. A direct notification is the preferred method in the guide whenever the identities of the individuals are known and current contact information is available.

Do you know about this breach notification assessment tool? If you do, do you agree with it, and would you recommend it to PIPEDA?

10:30 a.m.

General Counsel and Government Relations Officer, Credit Union Central of British Columbia

Charlene Loui-Ying

I apologize for not having looked that up specifically, so I can't speak to it specifically.

10:30 a.m.

Liberal

The Chair Liberal Tom Wappel

Okay.

Go ahead, Mr. Rogers.

10:30 a.m.

Vice-President, Financial Policy, Credit Union Central of Canada

Gary Rogers

I'm in the same boat. I don't have knowledge of that.

10:30 a.m.

Vice-President, Policy, Canadian Bankers Association

Terry Campbell

What we would say is we are aware of those. In effect, they are guidelines, and we have said a guideline approach is actually a very useful approach, because it works with flexibility and is the non-mandated approach that we talked about. We all want guidance on how best to do it, and if the commissioner can come out with suggestions and guidelines, they would be very useful for us to consider--so, yes, we think that's a useful approach, and quite frankly, sir, from our perspective it's better than hard-wiring it into the legislation.

10:30 a.m.

Liberal

The Chair Liberal Tom Wappel

Thank you.

Mr. Van Kesteren.

10:30 a.m.

Conservative

Dave Van Kesteren Conservative Chatham-Kent—Essex, ON

Yes, very quickly.

Of course PIPEDA came about in our new age of technology and information. When I listen to you, I get the impression—and I'm not trying to flatter you—that for banks, it's really in their self-interest to do these things. I look at self-regulated industries, such as the insurance industry.

In my former business life I was a car dealer, and I know that OMVIC was created after Consumer Affairs ceased regulating the auto industry. Quite frankly, they're much more stringent than Consumer Affairs was.

I'm teeing up for a shot here.