Evidence of meeting #28 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pipeda.
A recording is available from Parliament.
Privacy Officer, Dominion of Canada General Insurance Company
That is interesting, because it depends. In some respects Quebec does, in some respects Ontario does, and in some respects B.C. does. We pick and choose whatever is best for our customers.
As far as transborder flows of information, I touched on that briefly earlier when I talked about OSFI regulations for outsourcing. Perhaps Mark can speak to that more precisely than me.
Vice-President, Federal Affairs and Ontario, Insurance Bureau of Canada
I simply want to add that all insurance companies in Canada that are federally incorporated are subject to the Office of the Superintendent of Financial Institutions. There are very strict regulations on transfer of information outside of Canada. It is permissible, but it is reviewed by OSFI. It is important that it be allowed, because this is a very international business.
You have to understand that a very large portion of the capital that comes to provide insurance to homes, businesses, and automobiles in this country is provided from outside of Canada. So there is obviously going to have to be some transfer of information. I can assure you that this is highly regulated already.
NDP
Vice-President, Federal Affairs and Ontario, Insurance Bureau of Canada
No. I believe it is more properly regulated by the Superintendent of Financial Institutions, which is where it is currently regulated. They have the expertise in financial transactions, and I think that's where it should reside.
President, Murray Long & Associates
PIPEDA, of course, applies to all business organizations, not just those in certain sectors like insurance. I think the Quebec amendment was useful. It brought their law up to a higher standard, for sure. PIPEDA already has that standard to a certain extent. When you are transferring data for processing anywhere, whether it's to another province or outside the country, you have an obligation to put in place safeguards, including contract-type safeguards, that will protect the information.
On top of that, the Privacy Commissioner has offered a lot more detailed guidance on what she thinks should be required of organizations. Even if this does not get into the statute, there will be strong guidelines provided to the business sector on what constitutes reasonable safeguards when data is being transferred to another country for processing. So I think we're going to be bringing PIPEDA up to the Quebec standard through those kinds of mechanisms.
Liberal
Sukh Dhaliwal Liberal Newton—North Delta, BC
Thank you, Mr. Chair.
Thank you to the panel for coming out.
Reading through the presentation made by the Insurance Bureau of Canada, you make the very strong statement that if you don't have access to this work product, Canadians will be losers. On the other hand, you are saying that by work product information you mean information that's created by a company--by employees in the course of their business activities.
Could you clearly distinguish what you would call work done? You are also collecting names and ages, and getting all the information.
Vice-President, Federal Affairs and Ontario, Insurance Bureau of Canada
That's not what we mean by work product information. I think personal information is clearly defined in the legislation as information that relates to an identifiable individual. There are all kinds of other pieces of information that do not permit you to identify the individual.
I'll give you an example of what we're talking about. Let's take the health care industry. It's very important for lots of businesses out there to be able to have access to information that says they're seeing this number of patients in the system; this is the average cost of the services that are being provided; these services are being provided in these geographical locations. That's important for them to be able to build better services, improve services, and—I want to just answer Mr. Van Kesteren's question—this is more important than ever to small business in this country.
I'll tell you, if you don't distinguish work product information, and if the commissioner tells us some day that we can't have work product information—because her latest statement is along those lines—you are going to be shutting down access to small businesses all over the country that want to know what the big guys are doing so that they can compete better against them. That's essentially what it is. It's information that is not identifiable. It is commercial information and it is information that other actors in the economy need to be able to create, innovate, and improve products and services. We don't believe you should use privacy legislation to restrict that type of access.
Now the flip side of the coin, because there are two sides of the coin, is that when someone says, “I want access to my personal file”, of course we'll give them the file that contains their personal information. But what we're saying is that this file shouldn't contain the work product information that has nothing to do with that identifiable individual.
Those are the two sides of the coin, and I really think it is fundamental for a competitive economy in Canada that we make that distinction. If there's one change you make with this legislation, that's the one I'd recommend.
Liberal
Sukh Dhaliwal Liberal Newton—North Delta, BC
Do you see any negative impacts on individuals? In fact, this is very useful for the businesses, the small businesses in particular, but is there a negative impact on the individuals or on the clientele?
Vice-President, Federal Affairs and Ontario, Insurance Bureau of Canada
There might be a negative impact on some and a positive impact on others. If I'm a small business and I'm able to get access to work product information, say I'm a real estate broker and I want to grow my business, I want to know where the houses have been selling in Toronto or Victoria or somewhere else, and I might be able to build my business. Maybe someone else will be selling fewer houses because I'm selling more.
There are always some negative consequences, but these are the consequences that you would expect in a competitive economy.
Liberal
Sukh Dhaliwal Liberal Newton—North Delta, BC
You say that the person should have access to the file and that right now in the act it says companies should be charging the minimal fees. On the other hand, you say that companies should be charging reasonable fees for that access to information. How would you distinguish between reasonable fees and minimal fees? What would be the criteria? This is with respect to page 13 of your presentation to the House of Commons.
Vice-President, General Counsel and Corporate Secretary, Insurance Bureau of Canada
I'll attempt to answer that one.
The concept of the minimal fee may mean that you would have to put a less experienced person to prepare the response, whereas a reasonable fee is the fee that reflects the resources the company has to put internally to develop that response.
The example we would give is for insurance files. There is oftentimes a lot of documentation. Some of it is work product of the insurer. Other aspects of the insurance claims file is the personal information. To have a minimal cost, you'd put a very junior person without the experience to do that analysis, and they would get it all mixed up. Therefore, you have to have the right level of expertise internally assigned to that task. That right level of expertise will have perhaps a higher cost than the minimal cost that the insurer could do, but they have to do it right. Therefore, the reasonable cost is the cost of getting the right expertise to do the job to assemble the information to respond to the request.
Conservative
Conservative
Bruce Stanton Conservative Simcoe North, ON
Thank you, Mr. Chairman.
I want to go back, Mr. Yakabuski, if I can, on this question of work product, because we've talked around it. I'll first say that I don't in any way disagree with your contention that this is an important aspect for research, for understanding products, and for marketing. Coming from the small business sector, I can tell you these are very important measures that often the small business sector could not get access to were it not for the ability of larger industry associations, for example, to be able to crunch these numbers.
My point of view is simply to get to the essence of how we achieve that correct balance. Again, revisiting the Privacy Commissioner's own suggestions on this...well, let me first go to your example. In your presentation, you cite, for example, in the case of vehicle repairs--if I can get it correctly here--“...effectiveness of billions of dollars of vehicle repairs we pay for each year, so that we can improve the service provided to our customers”. How is it that PIPEDA would prevent that information from being disclosed now?
Vice-President, Federal Affairs and Ontario, Insurance Bureau of Canada
Well, when there wasn't a clear distinction between personal information and work product information.... Take a garage, for example, that contributes to one of a few databases available in the industry. They'll submit that this was the repair they did, the time it took to do it, the cost of the repair, etc.--a lot of information like that. These databases are available. Everybody in the industry uses them. They take that work product information and use them, as I say, to improve their own products and services. Now if that garage owner didn't want to give his competitors a chance to do as well as he was doing and he said that this is personal information and he's not providing it to anyone, I think we'd all be losers. That's potentially what we're facing by not defining work product information as distinct from personal information.
I can give you a million other examples of where you have a provider of a service who says he is not going to give the information about how many patients he saw today, where he saw them, and what the cost of those services were.
February 6th, 2007 / 10:35 a.m.
Conservative
Bruce Stanton Conservative Simcoe North, ON
With respect to the example you cited, and it's a good example, I must say, wouldn't that be more the decision of the company itself, say, if it's a member of an association that shares that type of information for its own purposes?
Vice-President, Federal Affairs and Ontario, Insurance Bureau of Canada
In business, as you know, you're probably submitting information in a myriad of ways every day of the week. If you were to submit that information to some organization and said that it's personal information and you don't want that released to absolutely anybody, you shut these things down.
Conservative
Bruce Stanton Conservative Simcoe North, ON
The Privacy Commissioner, in her decision in finding 14--and this is contained in your brief as well--certainly contends “that the meaning of 'personal information', though broad, is not so broad as to encompass all information associated with an individual”. She goes on to say, “An individual prescription, though potentially revealing about a patient, is not any meaningful sense about the prescribing physician as an individual”. It's talking about the professional process. There seems to be an agreement there that this type of information should in fact be available for the reasons you and your industry espouse.
I would say, again, where do we need to make this more ironclad?
Vice-President, Federal Affairs and Ontario, Insurance Bureau of Canada
I appreciate the commissioner's remarks; they're in our own brief. The fact is that the previous commissioner had a different view of work product information, and this kind of uncertainty is not good for the Canadian economy. I believe it is incumbent on this House to make that clear, that work product information ought to be accessible to everyone for the benefit of improving and innovating products and services in this country. It's the uncertainty that is unproductive.
I know everyone is well meaning; we're not in any way saying otherwise. But we are saying that this question is important enough that it should be clarified in law such that all companies and individuals in Canada have the certainty that this information--work product information only--will be accessible.
Conservative
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
Thank you very much.
My first question is for Mr. Yakabuski, who represents the Insurance Bureau of Canada.
Your written submission contains something that worries me considerably. The passage is on page 11 of the French document. Unfortunately, I do not know what page it is on in the English version. Your proposal reads:
The responsibility of an organization to notify affected individuals of a privacy breach is a sound business practice and does not need to be included in the PIPEDA.
You understand that if we were to always rely only on what is considered sound business practices, there would be no law. That is why I do not agree with your proposal.
You call this a proposal, but really you're stating a principle. I find this to be rather peculiar, even more so because it would seem to me that an insurance company holds a lot of personal information on an individual. An insurance company is the kind of company that holds the most personal information on one's financial health as well as physical health. As such, insurance companies have more responsibilities than any other type of business. Nothing would be better than to legislate these responsibilities to make sure that everyone complies.
I must point out that the current legislation does not provide that those who are found to be in violation of the law will automatically be identified. When I found out about this, I was just floored. I do not understand why we would protect offenders and hand over discretion to the commissioner to decide whether the names of those who are found to be in breach of the law should be disclosed publicly.
In my opinion, the responsibility of a company is not only to advise its clients when personal information has been stolen, which may concern them, but also to make amends, as Mr. Long was saying earlier. I would like Mr. Long to elaborate on that subject.
Usually, such a letter is rather vague. The insurance company informs an individual that personal information has been stolen, that his or her information may have been included, and that out of the great kindness of the company's heart, it was considered that the client should be informed; and that's it.
The recipient of the letter does not know exactly what information has been stolen, what steps to take, what recourse he may have. To my mind, the company is responsible for our personal information. The company is not only responsible for providing us with the details, but also for making restitution.
Mr. Yakabuski, or Mr. Long, I don't know if you wish to comment.
Vice-President, Federal Affairs and Ontario, Insurance Bureau of Canada
With great pleasure, Madam.
In turn, I wish to ask you a question. How many times have you heard of cases where Canadian damage insurance companies had violated an individual's privacy?
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
That information is not made public; the issue is handed over to the Privacy Commissioner of Canada, who, in turn decides whether or not to disclose the information publicly. To my knowledge, she has not made much information public in the three last years.
Vice-President, Federal Affairs and Ontario, Insurance Bureau of Canada
It is precisely because insurance companies fully understand that personal information is sacred and must be protected as such.
We are already subject to a good number of regulations. As Ms. Bercovici has already mentioned, all insurance companies are subject to the law of good will. It is a principle of common law which is absolutely sacred. It is in the contract between an individual and an insurance company. The Supreme Court of Canada has already noted that when a company violates the principle of good will, this may cost it millions of dollars.
The government's job is to legislate, but not to overlegislate. There is a gap when it comes to how work product information is regulated. Therefore, I am recommending that you legislate on this particular matter.
Where insurance companies and the protection of personal information is concerned, there are already many regulations in place, in addition to the Office of the Superintendent of Financial Institutions. Madam, one should avoid overlegislating.
Conservative
The Vice-Chair Conservative David Tilson
Thank you.
Time has expired, but we'll give you a couple of moments, Mr. Long.
