Information & Ethics Committee on Feb. 6th, 2007

Through the Department of Commerce, they created something called the “safe harbour” arrangement. Companies voluntarily enter it, and when they do so, they declare that they will abide by a set of privacy rules. Because they're declaring that, they are subject to the Federal Trade Commission Act, which prevents misleading and deceptive advertising. If you say that you adhere to the safe harbour rules and you don't, then the Federal Trade Commission has the power to investigate you and charge you. There are very substantive penalties for companies that breach their declared statements about privacy.

Mr. Martin, I would like to add that, in the property and casualty insurance context, insurers are also required by the Office of the Superintendent of Financial Institutions, the OSFI.... They have very stringent guidelines on outsourcing that we must follow that would provide protections for that situation in the property and casualty realm.

I'm hoping that someone will ask me a question about the duty to notify, since I'm the only actual privacy officer here.

Yes, it is, and I'm going to ask Ms. Bercovici to explain that. I'm not bragging, but I'm not a lawyer either.

It was the Federal Court, Trial Division, that said, “Sure, Commissioner, you're right, you interpreted your powers correctly and you may require production of solicitor-client privilege documents”, which was a finding that is really quite inconsistent with the common law—

—and the Supreme Court of Canada. It was appealed to the Federal Court of Appeal. The Federal Court of Appeal is the decision at tab 8, which you have.

My understanding, from the transcript of when the commissioner appeared, is that the Privacy Commissioner has sought leave to appeal this decision to the Supreme Court of Canada. We don't know yet whether leave to appeal will be granted. So this is the law that now stands. It was something that she discussed in her comments before the committee. Notwithstanding the fact that it may not have been raised many times other than that, it is a terribly important issue.

That's correct.

Oh, sorry. I apologize for being slow in picking up.

I did want to say that as a privacy officer I actually work.... The Dominion of Canada has not had a breach, but I would caution against being too prescriptive about notification and the procedures. I'm going to make an analogy. This is a lot like when insurance companies have to deal with a catastrophe client. You can set out generally the steps that you want to follow in order to contain, evaluate, determine the impact, decide whether you want to notify your clients, and then prevent future things, but you can't be too prescriptive about it. Otherwise, you're going to miss the opportunity to actually address your policyholders' concerns.

I also want to say that insurance companies already have a duty of utmost good faith to deal with our policyholders. We believe that we already have a responsibility to appropriately notify our clients and assist them, if there's anything we've done, to rectify the situation.

We support the IBC's position on notification, which is set out in their submissions. But in terms of requiring notification, there has to be a threshold. It has to be based on some reasonableness, and it has to be to the client and not to some administrative tribunal.

It's already happened. There has been at least one case where a respondent won the right to have a judicial review of a finding made by the Privacy Commissioner's office. It's already entering the common law realm in that sense.

I have no difficulty with it. I think there are situations, but they're going to be rare ones. There will be situations where organizations feel strongly that their position has not been well represented or there has been some injustice done to them. Keep in mind that these are only recommendations and they're not binding orders.

I was quite surprised that one organization would actually go to the Federal Court to challenge what was not a formal binding order but only recommendations. They did so, and they won the right at the Federal Court to have the application heard.

I think it creates a balancing of interests in the law, and I don't see a huge harm coming from that. It'll be rarely used.

I would say it is frequently happening. I'm sure Ann will be able to confirm that, being closer to the company front, where it does happen.

Our argument is that they will have the ability to access that kind of information through the court processes. Once it's in litigation, there are procedures in place to protect both parties. They were designed over years and years of courts analyzing these kinds of issues.

To override these civil procedures that are currently in place, because a request has been advanced under PIPEDA, strikes us to be—

It is happening. We are being asked by plaintiffs' counsel, by lawyers who are representing people who are suing our clients. They have made access requests for the information. We have no trouble giving them the information. We are saying that documents subject to solicitor-client privilege should remain under solicitor-client privilege.

This gets to our point about the respondent's right to appeal a decision, because it shouldn't happen. It should be clearly set out in the statute and should not be ambiguous or something that happens along the way. It should be clear.

We have also seen privacy commissioners' findings that, despite the Blood Tribe case, still continue to say yes, you have to hand over the documents. They'll decide whether it's privileged or not and then release them.

No, the privacy commissioners decide.

We take issue with that.

I can cite one particular case that I'm dealing with right now, where we've already made full production in the civil proceedings. Full production is very prescribed and you have to set out everything. You have to say what you have and what you don't have. It's still being challenged. The Privacy Commissioner's office is still saying they want to see the full file and they'll decide.