Evidence of meeting #27 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pipeda.
A recording is available from Parliament.
Liberal
The Chair Liberal Tom Wappel
But on that example, could you not go to law enforcement with your suspicions and ask them to investigate? And by the way, how would you have a suspicion if you can't get the information?
Assistant Vice-President and Senior Counsel, Sun Life Financial, Canadian Life and Health Insurance Association Inc.
We may get suspicions, they may come up through tips. People may call in. We may see an irregular claims pattern. From time to time we do look at claims. I don't know exactly how we would. I can find out, because I know we've had that situation and I don't know how we learned of it. I can't tell you, but I could let you know about that, if it helps.
Liberal
The Chair Liberal Tom Wappel
Maybe it's not a good idea to do so, because then someone will know how to do it.
Assistant Vice-President and Senior Counsel, Sun Life Financial, Canadian Life and Health Insurance Association Inc.
That's true.
Liberal
The Chair Liberal Tom Wappel
Anyway, the point I'm asking is if you had such a suspicion, you could bring that suspicion to the attention of the police and ask the police to further investigate, could you not?
Assistant Vice-President and Senior Counsel, Sun Life Financial, Canadian Life and Health Insurance Association Inc.
We could. We can hand over our file. There'd be more evidence for the police if they knew it was happening. They'd have to go and then ask for information from this other insurer. The other insurer might say, “You have to serve us with a subpoena. We can't disclose personal information unless there's....”
Liberal
Bloc
Robert Vincent Bloc Shefford, QC
Thank you.
I would like to go to page 13 of your submission. It says:
A question that has been much discussed in recent times is whether organizations that suffer loss or theft of personal information should have a legal duty to report the loss or theft. It is worth noting that the openness principle (Principle 8 of Schedule 1) already suggests that an organization has responsibilities along these lines. Consequently, the industry is of the view that no specific legislative provision is needed at this time.
Here is my first question. Does this mean that if you lost information or had it stolen, it would not be necessary to tell anyone at all, that the industry would decide what to do about it?
Continuing on:
The industry supports a risk-based approach to notification, where the need to notify and the method of notifying the individual are proportional to the risk of harm that may be experienced by those whose personal information has been compromised
My interpretation is that if you lose my personal information or have it stolen, you are going to decide for me whether I am going to be harmed by it. And reading on:
Where the breach is material; where the organization has reasonable grounds to believe that disclosure of personal information to unauthorized individuals has taken place; and, where the disclosure presents a significant risk of harm to individuals (e.g., identity theft or fraud). In applying such parameters, an organization would perform an analysis (taking into consideration the sensitivity of the information, whether that data was encrypted, etc.) with a view to determining whether notification should occur and, if so, how notification should take place.
If I understand correctly, regardless of the situation, it is you who will decide if it is necessary to advise me if personal information is lost or stolen.
Senior Vice-President, Quebec Affairs, Canadian Life and Health Insurance Association Inc.
I think it is necessary to exercise some discretion. We were talking earlier about encrypted information. Under those circumstances, since it is not useful to anyone, it might be more damaging to inform the public than to keep the information confidential. That’s one factor.
Senior Vice-President, Quebec Affairs, Canadian Life and Health Insurance Association Inc.
For consumers as well. It creates uncertainty for them.
Besides, we were talking earlier about the information found on all the telemarketing lists. If it is already on all these lists, it may not be necessary to make a specific disclosure.
That is the background to our decision to support risk-based decision-making. The risk can be real, non-existent or insignificant. In some cases, information can create more problems than it solves. Moreover, as we say in our submission, it is not the company alone that makes the decision. It consults the information commissioner and regulator.
Bloc
Robert Vincent Bloc Shefford, QC
That is not what I got out of reading your submission. I’m not trying to corner you: I’m just trying to understand. We have all insurance. I would like to be sure that I would be told, without you deciding whether it is appropriate, if my personal information is lost or stolen, or sent to someone by one of your employees. It might not be good for your image. The fact remains that I might consider that information to be crucially important. The potential for identity theft might be greater than you think.
Senior Vice-President, Quebec Affairs, Canadian Life and Health Insurance Association Inc.
In fact, the company doesn’t decide, it refers it to the commissioner.
Bloc
Robert Vincent Bloc Shefford, QC
I see no mention of the commissioner in your submission. In fact, it is about the organization that loses the personal information, it says that the organization must analyse the situation, but there is nothing anywhere about transmitting this information to the commissioner. You decide whether it is appropriate or not, whether the loss is serious or not. I don’t see anywhere that you are going to advise someone, but I do read that you are going to decide about what you have said. I can only read what is written in your submission. You have to explain to me whether my personal information is safe with you or not.
Senior Vice-President, Quebec Affairs, Canadian Life and Health Insurance Association Inc.
Your personal information is safe with us, no question. I understand that you would like a public notice every time there is a possibility of an information breach.
Bloc
Robert Vincent Bloc Shefford, QC
Or that it be sent to the commissioner, as you said. A notice should be sent immediately to the commissioner, who could decide whether that information should be sent to the victims of the theft, for example, or whether there should be a public announcement that someone has lost the information. The commissioner could decide, rather than the organization. What do you think?
Senior Vice-President, Quebec Affairs, Canadian Life and Health Insurance Association Inc.
I think that’s a good question. Your suggestion is probably very interesting. I think that, in any case, an insurer will do that if there is a serious information breach. It is clear that it will have to make risk-based decisions, if only with the insurance regulator, for example. The superintendent of financial institutions monitors risk management. There are specific risk-management regulations that apply to insurers. At that point, the superintendent of financial institutions would have to be advised, if there is a dangerous breach, if there is a threat to the company’s reputation or a business risk. All these things must be revealed to the regulator.
Liberal
The Chair Liberal Tom Wappel
Okay. Merci.
Mr. Vincent asks a very important question, which I want to be sure we have an answer to.
The industry supports a risk-based approach to notification. Who makes the determination of the risk? Is it the company alone, is it the company in conjunction with the Privacy Commissioner, or is it the Privacy Commissioner who institutes it? In other words, who decides that the breach is material?
This is what Mr. Vincent was asking, so let's get a clear answer.
Vice-President and Associate General Counsel, Canadian Life and Health Insurance Association Inc.
Mr. Chairman, the decision as to whether the breach is material is made by pooling the information and resources from all those groups, not only from the Privacy Commissioner and the company, but also from forensic accountants, if it's appropriate, and our financial regulator, whom we would inform at the same time as we would the Privacy Commissioner.
One of the concerns in this area is that if something very specific is put in the legislation that ties your hands in all circumstances to having to follow the same procedure, you may end up doing what is right now in the circumstances, but have to follow that specific set of rules.
I think those rules are followed; that due diligence, if you like, is done in determining whether a notification is made. But it's in conjunction, by everybody pooling their efforts.
Liberal
The Chair Liberal Tom Wappel
I understand your point that enshrining something in legislation may be too confining, depending on the circumstances. I think we all understand that.
Vice-President and Associate General Counsel, Canadian Life and Health Insurance Association Inc.
Yes.
Liberal
The Chair Liberal Tom Wappel
But just to be clear, isn't it your position that the company and the company only should determine whether the breach is material? Is that right?
Vice-President and Associate General Counsel, Canadian Life and Health Insurance Association Inc.
There is all kinds of pressure on the company to listen to what the financial regulator says, to what the Privacy Commissioner says, and for reputational reasons, etc. But ultimately, under the current rules, it would be the decision of the company.
Liberal
The Chair Liberal Tom Wappel
Well, that's exactly the point. Right now, it is the decision of the company and the company only, unless someone complains and involves the Privacy Commissioner. That's exactly the point.
And that's the answer, is it not?
Vice-President and Associate General Counsel, Canadian Life and Health Insurance Association Inc.
But I just want to add that in the normal course, whenever I've heard of any instances in this regard, the first step that our companies take is to talk to the Privacy Commissioner and our regulator.