Evidence of meeting #28 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Mark Yakabuski  Vice-President, Federal Affairs and Ontario, Insurance Bureau of Canada
Randy Bundus  Vice-President, General Counsel and Corporate Secretary, Insurance Bureau of Canada
Murray Long  President, Murray Long & Associates
Ann MacKenzie  Privacy Officer, Dominion of Canada General Insurance Company
Vivian Bercovici  Counsel, Dominion of Canada General Insurance Company

9:30 a.m.

Conservative

The Vice-Chair Conservative David Tilson

Thank you very much.

You've all raised some excellent points, and I know members of the committee will have some questions for you.

The procedure is that we go in a round, and each caucus has up to seven minutes for questioning, including answers.

Mr. Pearson is first.

9:35 a.m.

Liberal

Glen Pearson Liberal London North Centre, ON

I want to apologize for being late. I'm the newest member of Parliament here and I went to the wrong room.

I'm interested in your last few comments, Ms. MacKenzie, in that you want the respondent to be able to also have a right of appeal.

Can you tell me how that would look? For instance, a client does that. Therefore, a client has the right to appeal if they have any difficulties or if they feel some violation has taken place. How would a respondent do that? Who would do that in the case of a respondent?

9:35 a.m.

Privacy Officer, Dominion of Canada General Insurance Company

Ann MacKenzie

You're describing a situation, for example, in which one of our policyholders complains to the commissioner. The commissioner makes a finding that we don't agree with. We would then like to have an opportunity to appeal through some formal process, appeal to the commissioner to review the decision and challenge it. Currently, I believe, it goes to the Federal Court, which is very cumbersome, but we would like that right of appeal as well. That would be commensurate with the applicant's rights.

9:35 a.m.

Liberal

Glen Pearson Liberal London North Centre, ON

It would be the same as the applicant.

Thank you.

9:35 a.m.

Conservative

The Vice-Chair Conservative David Tilson

Madame Lavallée.

9:35 a.m.

Bloc

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

In several presentations, in particular those of Mr. Long and Mr. Bundus, we were told that it was the insurer's duty to notify their client when there had been a privacy breach. As you know, clients must provide their insurance companies with information such as their social insurance number, but also personal information on matters such as their financial situation, their health, their mortgage, and so on. There is very little personal information that is not provided to the insurer. The information that is given to you is very significant.

It is your duty to notify the client—at the very least—but once a claimant has been informed, what happens next and what kind of protection can he avail himself of?

My question is for Mr. Long or Mr. Yakabuski.

9:35 a.m.

Vice-President, Federal Affairs and Ontario, Insurance Bureau of Canada

Mark Yakabuski

Thank you very much, Ms. Lavallée.

As you know, consumers have a right to access their files and to correct any personal information that is incorrect.

That being said, we have pointed out today that a distinction must be made between personal information as such and work product information, which is entirely different.

Randy, would you like to expand on that?

9:35 a.m.

Vice-President, General Counsel and Corporate Secretary, Insurance Bureau of Canada

Randy Bundus

I would add to that. If I understood your question properly, your question was specifically what the client can do when they get the notification of the privacy breach.

It would be in the client's best interest to check all of their records to ensure that nothing untoward happened with, say, their banking statements or any of their financial or whatever kinds of records. The client should pursue the companies that had the breach occur, to get those companies to assist them in correcting whatever harm had happened to them.

It is a very serious matter to have losses of personal information. We in the insurance industry are very cognizant of that concern, and we take every effort in our industry to make sure it doesn't happen. But if it were to happen, it would behoove us as insurers, or as industry in general, to assist our customers, for good customer relations, to make sure we correct the wrong in whatever manner it takes to do so.

9:35 a.m.

President, Murray Long & Associates

Murray Long

In my view, I think the onus should be even higher on companies, because they collected the information and they had the responsibility to safeguard it.

When a breach occurs, as a practical minimum standard if it involves financial information, the duty is not just to notify; the duty is to make sure the individual suffers no lingering harm as a result. It's hard to know whether this should be a standard put into the law or a standard that is encouraged by the Privacy Commissioner for adoption at a practical level, but certainly there should be an obligation on a company to make whole what has been lost. That goes to the heart of really dealing with the breach. If it was the company's fault, they should step up to the plate and they should be required to rectify any problems.

That includes things like the credit watch services. They should not be things people should have to go out and find on their own. Where you have a breach that could lead to identity theft or credit theft, you should have an obligation imposed on the company to actually pay for those kinds of credit watch services in order to make sure the individual has not suffered harm because of that breach.

9:40 a.m.

Bloc

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Mr. Yakabuski, you spoke about witnesses in the case of accidents. If I understood correctly, you must obtain consent from the claimants or the victims before collecting statements from witnesses to an accident. Is that what you stated? Is that the current procedure?

9:40 a.m.

Vice-President, Federal Affairs and Ontario, Insurance Bureau of Canada

Mark Yakabuski

We absolutely want the act to be amended so that it is clearly stated that there is no obligation to obtain consent from a third party before being able to speak to a witness. Sometimes that is absolutely impossible. We want a witness' statement to be considered as part of the witness' personal information. We want that to be clarified in the legislation so that these situations no longer occur.

9:40 a.m.

Bloc

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Is it that the current requirements are not clear or is it that in order to collect a witness' statement, you are obliged to obtain the consent of the victim?

9:40 a.m.

Vice-President, Federal Affairs and Ontario, Insurance Bureau of Canada

Mark Yakabuski

The current requirements are not clear and we simply want them to be clarified.

9:40 a.m.

Bloc

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Has that prevented you from collecting statements from some witnesses?

9:40 a.m.

Vice-President, Federal Affairs and Ontario, Insurance Bureau of Canada

Mark Yakabuski

It prevents us in that a person can tell us that we don't have the right to collect the statement. Obviously that can cause problems for many people, including the witnesses.

9:40 a.m.

Bloc

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Could you give us any examples or is this simply a situation that you are afraid might occur? I'm trying to understand.

9:40 a.m.

Privacy Officer, Dominion of Canada General Insurance Company

Ann MacKenzie

May I answer that question, as I actually work at an insurance company?

Yes, we do have examples of where that happens. For example, if someone is suing one of our policyholders for an injury claim and they're making allegations that our insured is at fault or caused a certain amount of damages, then if we have witnesses to the accident, we have had numerous cases in which the lawyers representing the person who is suing our policyholder, who we're required by law to defend, have said, “You've obtained witness statements, but you don't have my client's permission to do that, so you can't use them”, or, “You've done it inappropriately”. So we do have examples, because they happen quite frequently.

9:40 a.m.

Conservative

The Vice-Chair Conservative David Tilson

Thank you.

Mr. Martin is next.

9:40 a.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

Thank you, Mr. Chair, and thank you, witnesses.

I have three areas I'd like to touch on. First of all, this duty of notification if a breach occurs is currently of great interest to Canadians, considering the Winners and CIBC incidents. It's huge.

In the context of that news, a lot of us, even those of us on this committee, don't realize that there are 30 million breaches per year in the U.S. There is no corresponding research in Canada, but if you take 10% of the population, you might be able to assume there are 3 million breaches of credit card information. That's not even touching on what other financial information may be held by other sectors, such as the insurance sector, and there is no duty to notify clients, although I do notice people are getting new credit cards in the mail this week. My own staff member got one today, and so have others I have talked to.

The credit companies are catching breaches and often fixing them with no injury to the client, but they are not telling us. I think I might change how I do business if I knew my card had been compromised one or three or seven times. I might change where I do business, etc. I have a right to know, I think.

You touched on that, but how do we tighten that up? In the U.S. there is a duty to notify in 32 states. Briefly, Mr. Long, do you recommend that Canada implement a hard and fast obligation to notify clients of any breaches?

9:45 a.m.

President, Murray Long & Associates

Murray Long

I can address that first. I certainly agree with you, Mr. Martin, that we need to have some formal legal duty to notify built into the act. I think Canadians demand it, just to build trust in the electronic commerce world.

I don't necessarily recommend the U.S. approach; in that approach, most state laws are based upon the California model that was the first law. It's very binary, in the sense that if any one of certain specific elements is disclosed in an unencrypted form, you must notify.

I think David Loukidelis, who is watching this to see whether the model works or not, made the point when he was here that it could lead to tons of disclosure notices going out to people, and they become lost in the.... You get so many that you end up losing the impact.

I certainly think there needs to be a certain level of discretion given to business about when they notify, but it should be based upon objective standards, such as a reasonable person's standard, which is something on which the law is fairly clear. It's based, of course, upon the tort of negligence and the idea that reasonable persons must act in a prudent manner. It is something you could look at very objectively. I think the duty should be there so that if there is any breach whatsoever—not just of financial data, but of health information or anything else that is sensitive information—and a reasonable person would expect notification of it, then you must notify the public.

9:45 a.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

That helps me segue into another issue I had.

Health information has just recently been added to the obligations here under PIPEDA. In 2002, I believe, the act was extended to cover health information. A lot of us, in reading about PIPEDA, seem to feel that it was hastily thrown together to comply with the European Union's demand that in order to trade e-commerce information, the nation you're trading with must put in place legislation comparable to the Europeans' data protection directive, which they implemented in 1995. They said if you're going to play ball with us, you have to have comparable, similar protection or we're not going to share information.

Well, in the province of Manitoba, the Tories sold the Manitoba health data services crown corporation to a private outfit. That private outfit then, of course, as private companies do, got sold to a company in Houston, Texas; that company got sold to a company in Denver, Colorado. My personal health information is now out of the country.

Do you know of any American protection, comparable and similar to the EU's data protection directive and Canada's PIPEDA, that would give me confidence that my health information isn't being sold to Pfizer so that they can crank out advertisements or something?

9:45 a.m.

President, Murray Long & Associates

Murray Long

Mr. Martin, I actually checked into that story. I actually checked with the Manitoba ombudsman. I was very, very curious about your comment earlier that your health information was in the U.S.

I got total assurances that it never left the province. I was very interested in that story and I did some research into it because I write a thing called Privacy Scan, and I have been following these hearings and looking at the issues raised. Anyway, I'm glad to tell you that according to the ombudsman in the province—

9:45 a.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

I'm somewhat relieved to know that—

9:45 a.m.

President, Murray Long & Associates

Murray Long

—your data has not left the province.

9:45 a.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

—although not from a political point of view, because I use that story a lot.