Evidence of meeting #27 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pipeda.
A recording is available from Parliament.
Policy Analyst, Canadian Chamber of Commerce
Thank you. We'll take that recommendation.
Liberal
The Chair Liberal Tom Wappel
Mr. Gray, I don't think you should assume—this is my own personal opinion—that because you don't get a lot of questions, everybody understands it. I think it may very well be the opposite. If they don't understand it, they don't go to it, and so they don't pay attention to it and therefore have no questions about it.
Policy Analyst, Canadian Chamber of Commerce
I agree. It's true that we don't get a lot of questions on it, but just going back to Mr. Dhaliwal's questions, we will be redoing our communications on this file, if you will. I'm almost hoping that more discussion on it results from that, so that more organizations—especially the SMEs—can understand. If they have questions, they can—please—give us a call, and we can help them.
Liberal
The Chair Liberal Tom Wappel
I'm not a web designer, and in fact I must admit that I rarely use my computer. But don't call it PIPEDA, because no one knows what that is.
Policy Analyst, Canadian Chamber of Commerce
Yes, that's what we have called it.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
Thank you.
I would like to ask a question, at the risk of the chairman accusing me of cross-examining you.
The question has to do with it being at a company's discretion, as he tried to make clear, for whatever reason, as to whether or not customers or clients would be notified. That's the understanding of both groups, just so I'm clear.
Vice-President, Regulatory Law, Bell Canada
Actually, if I could add a gloss to that, I would say it's typically the decision of the organization at first instance, but it's ultimately a determination to be made by the Privacy Commissioner of Canada.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
But there's no obligation to tell the Privacy Commissioner.
Vice-President, Regulatory Law, Bell Canada
Well, in many cases, it's certainly not a course of action that we would recommend.
Vice-President, Regulatory Law, Bell Canada
If you look at the act, it's the same for determining what form of consent to use. It's the same for determining how much access to give someone to personal information that you have on file. It's the same for determining what constitutes personal information in the first place.
In all of those cases, the organization by necessity makes the initial determination. But the Privacy Commissioner is there to ultimately make that determination, if called upon, and to publish those findings such that all organizations can learn from those and can benefit from that guidance in going forward.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
I understand. These recent cases that have been in the media, and the finding of information in the scrap yard in West Virginia a year ago, were so extreme. If they weren't talked about and it ever got out, it would be terrible publicity for the companies, banks, or credit companies. They did the right thing. But I assume there are situations of a much lesser degree where a company makes a decision, for whatever reason, whether or not to advise anybody, whether it be the Privacy Commissioner, the individual client, or the customer.
It leads to the question on the international business you mentioned, with China or other countries. Any foreign countries having subsidiaries here or doing business in this country, whether it be insurance or otherwise, do not have to talk either, do they? If they are notified of some breach, there are no repercussions if they don't tell anybody. Isn't that right?
Vice-President, Regulatory Law, Bell Canada
I'm trying to understand your examples.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
All right. Obviously, I'm hung up because of what's recently happened on this whole issue of notification. There were individuals who found vast amounts of personal information, everything from names to social insurance numbers. Should people be notified?
The answer that seems to be coming out is that if there are signs of fraudulent activity, yes, we're going to talk. But other than that, there's no obligation and it does not even create an obligation. There's no obligation to tell the Privacy Commissioner, clients, or customers, whether you're a foreign company or a national company.
Vice-President, Regulatory Law, Bell Canada
I think that in many cases there may well be an obligation.
Vice-President, Regulatory Law, Bell Canada
The Privacy Commissioner is working through some of these schemes right now.
As we mentioned, we're working with her office to develop a set of brief notification guidelines. But it's open to the commissioner to issue findings on a case-by-case basis as these things come up. I think we've recently seen that she initiated an investigation into T.J. Maxx.
These things will result in a finding that says in this kind of a case, when this much information goes forward, you have a duty to notify and this is what the notification looks like. I think those tools are already there.
Conservative
David Tilson Conservative Dufferin—Caledon, ON
Okay. In any event, your summary is to let it go a little bit, and hopefully, whether it's through guidelines or code ethics, which someone talked about, you'll want to try that process to see how it goes before we start putting too much into legislation.
That's the general position of both groups. You're both shaking your heads, yes.
