Turning to our first recommendation, Canadian Central believes the existing ombudsman model has been generally effective in protecting the privacy rights of individuals and garnering the compliance of organizations that are subject to privacy complaints. Thus, we recommend that the enforcement powers of the Privacy Commissioner not be enhanced at this time.
As you know, the Privacy Commissioner currently has the power to investigate complaints, conduct audits, make findings, issue recommendations, and initiate court actions. In particular, the current ability to publish names of offending organizations has been effective in inspiring compliance, as most organizations value their reputation. Once again, it is important to consider that Canada is only two years into the full application of PIPEDA and, as consumers and businesses increase their awareness of privacy issues, the effectiveness of legislation will also expand.
Recommendation 2: Canadian Central manages a credit union office for crime prevention and investigation, which is an investigative body designated under PIPEDA. Under PIPEDA, organizations are allowed to disclose personal information to a designated investigative body without the knowledge or consent of individuals concerned. However, to do so, there must be reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province, or a foreign jurisdiction.
PIPEDA also permits investigative bodies to disclose personal information without the individual's knowledge or consent if the disclosure is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province. Canadian Central is concerned, however, that the act does not define the term “investigation”, thus leaving some ambiguity in the legislation and requiring organizations to interpret the act on their own.
Canadian Central recommends that the legislation be amended to include a definition of “investigation” in the act, especially one that specifically addresses fraud prevention activities in the definition. This may be done by adopting the model found in the Personal Information Protection Act of British Columbia.
Recommendation 3: Canadian Central recommends that PIPEDA be amended to allow designated investigative bodies performing similar functions to share information with one another. For example, the Credit Union Office for Crime Prevention and Investigation should be able to readily share information with other designated investigative bodies, such as the Bank Crime Prevention and Investigation Office, for the purposes of fraud prevention.
Along with this, the current framework should be clarified to identify when and how information sharing should take place between investigative bodies. Specifically, what is an appropriate response to a request for information from another investigative body? This guidance may not be necessary through legislative or regulatory measures, but rather through the issuance of guidelines.
Recommendation 4: At the moment, PIPEDA does not contain provisions allowing an organization to disclose personal information to prospective purchasers or business partners without the consent of the individuals whose personal information forms part of the transaction. Canadian Central supports an amendment to PIPEDA's consent requirements to permit the disclosure of information in the event of a business purchase, merger, or mortgage securitization. Of course, such disclosures should only take place when there are stringent confidentiality agreements in place.
Furthermore, such agreements should include provisions to ensure that information is either returned or destroyed if a transaction is not completed, unless laws otherwise require retention. This sort of amendment will have the dual impact of facilitating business transactions while further ensuring that the protection of personal information is specifically contemplated during these transactions.
Recommendation 5: The privacy community is debating whether a “duty to notify” should be included in PIPEDA. Such a duty would require that organizations suffering involuntary disclosures or security breaches or the outright theft of personal information mitigate the risk of identity theft to the individuals involved. Such mitigation after a security breach could involve notifying the individuals whose information is at stake, along with credit agencies, relevant government agencies, and other commercial entities such as financial institutions.
Canadian Central supports, in principle, the concept of a duty to notify. However, if the Government of Canada decides to legislate in this area, there must be reasonable thresholds established before such notification is required. For example, before a notification takes place, there should be a determination that there is a clear risk of fraud, that the loss or theft creates a reasonable likelihood that the personal information will be used to the detriment of the individual affected, or that the loss involves large numbers of records with similar concerns. Those thresholds should also consider if notification might either cause a greater risk of fraud or other harm or might unduly alarm individuals. Canadian Central would be pleased to participate in future consultations in determining such thresholds.
Turning to the final recommendation that I'll be highlighting this morning, in a 2005 decision the federal Privacy Commissioner concluded that under PIPEDA, business email addresses are considered an individual's personal information. In investigating the case, the Privacy Commissioner found that while the definition of personal information in PIPEDA excludes an employee's name, business title, address, and telephone number, business email addresses, because they are not mentioned, are personal information.
Canadian Central recommends that this anomaly be addressed by amending PIPEDA to mirror B.C. and Alberta legislation that specifically excludes business email from coverage under provincial law. There appears to be little purpose served if business telephone numbers are exempt from the legislation, but business email addresses are not.
In closing, I would like to thank the committee for this opportunity to present our views on PIPEDA. We would be happy to answer any questions the committee may have.