Information & Ethics Committee on Jan. 30th, 2007

Yes, these are all “without consent” situations.

On investigation—

I think the difference is this--and I would characterize it as a discussion and not a debate—

Yes, there you go.

I would characterize it like this--and I don't want to get too hung up here. In our remarks to you and in our submission, we have suggested some criteria for renotification, but we're not suggesting a hard bright line, because you have to look at every case. Is it serious fraud, or is it a bit of fraud?

We're just saying you can't hard-wire that. You have to look at the facts. And that's where the dialogue with the commission is important.

The difference here with what Warren is talking about is if person X is the bad guy and we're doing an investigation on person X, and we need to dig into some data to find out about person X because he's breached an agreement or he's kiting cheques or he's involved in money laundering, we don't want to tell him. But if you've had your personal information violated or breached, by golly, we're going to tell you. That's the difference.

Yes, there are two completely different situations.

And what we're looking for as well is for the act to define “investigation”, and to define it in a very narrow way.

What we're suggesting is allowing investigations related to a breach of an agreement, contravention of a law, prevention of fraud, or circumstance or conduct that may result in remedy or relief being available under an enactment, under the common law, or in equity. That's from the B.C. legislation. So it's very specific that this is what we want to be able to share the information more broadly for.

Usually what we suggest is that we go to the customer and we give the customer the information to be able to go to the credit bureau, so then the customer is in control of their own information.

If there's a large breach and a number of customers are affected, the bank may go to the credit bureau and say that there has been a breach and you will be getting calls from customers, but the banks prefer to deal directly with the customer and have the customer notify the credit bureau.

We look at the consents pretty carefully and take them pretty seriously. Our view--and I think it's been confirmed--is that the consents the banks use are consistent with PIPEDA.

I think the standard you want to have is this: the customer should have a pretty clear idea of how the consent is going to be used--so that, for instance, if we say when you open this account that we'll be sharing your information with our trust company and investment subsidiary, it should be clear enough that you should not be surprised if in turn you are contacted by the investment subsidiary.

The standard you want to meet is a balance: you don't want to have it so spare that nobody really knows what's happening, but at the same time you don't want to have it so long and so detailed that in effect either the customers won't read it or they'll be irritated by it. It's got to have that balance. We think we've struck that balance. I wouldn't characterize what we see in our industry as blanket; it's actually very specific, but we have tried to strike that balance so that nobody's surprised.

Perhaps my colleague with Credit Union Central can talk about that too.

We would support their suggestion that there does have to be a balance, because the reality is that consumers aren't interested in another piece of paper or even business transactions. They like to do things very quickly, so if they needed to get another separate consent for a similar type of re-advance on their mortgage, they would see the process as being more bureaucratic than helpful if they weren't able to give a continuing consent for all the advances on a mortgage at the time the mortgage was originally entered into.

The test really should be whether it's informed consent from a public policy perspective, I would suggest, because if the individual knows what he or she is consenting to, then it isn't the form of the consent that matters so much, but the substance, so if there's informed consent and the blanket consent provides for the necessary information, then it is still in the best interest of the consumer.

I apologize for not having looked that up specifically, so I can't speak to it specifically.

I'm in the same boat. I don't have knowledge of that.

What we would say is we are aware of those. In effect, they are guidelines, and we have said a guideline approach is actually a very useful approach, because it works with flexibility and is the non-mandated approach that we talked about. We all want guidance on how best to do it, and if the commissioner can come out with suggestions and guidelines, they would be very useful for us to consider--so, yes, we think that's a useful approach, and quite frankly, sir, from our perspective it's better than hard-wiring it into the legislation.