Information & Ethics Committee on Feb. 6th, 2007

Thank you, Mr. Chairman.

I am Mark Yakabuski and I am Vice-President, Federal Affairs and Ontario, with the Insurance Bureau of Canada. I'm joined by Randy Bundus who is IBC's Vice-President, General Counsel and Secretary.

IBC is pleased to be here today to participate in your review of the Personal Information Protection and Electronic Documents Act or PIPEDA. IBC is the national trade association representing the private general insurance companies that provide insurance for homes, cars and businesses.

IBC has been actively involved in the development of private sector privacy laws since the early 1990s. IBC and its members are strong supporters of PIPEDA and the general privacy laws in Alberta, British Columbia and Quebec.

This morning we would like to highlight three issues from our written submission to the committee.

We have three points. We know your time is valuable. The first issue is with respect to work product information. Now I know that you've already had representations on this issue before the committee. There are really two different components to our position with respect to work product information, which we believe can be dealt with by one unique recommendation.

PIPEDA sets out the rules regarding the collection, use, and disclosure of an individual's personal information, as you know, which is identified as identifiable information with respect to an individual. However, PIPEDA does not specifically address the matter of work product information currently, that is, information that is created by a company and its employees in the course of their business activities. This information is not personal information and therefore not regulated by PIPEDA. Yet it is important in our view that PIPEDA be amended to formally recognize work product information, and I'll tell you why.

In a competitive economy--and I know that Parliament wants a competitive economy--it is absolutely essential that companies have access to information about the products and services that they in turn buy from other businesses, so that they can use this information to innovate and improve the products and service they sell their customers.

Without access to work product information, innovation and competition will be stifled in the economy. For insurance companies, for example, we need access to work product information, generated by the many businesses from whom we buy products and services. For example, we need to be able to analyze the quality, the durability, and the effectiveness of the billions of dollars of car repairs that we pay for each year, so that we can improve the service that is offered to our customers. If PIPEDA is not amended to recognize work product information, we believe very strongly that Canadians will be the losers.

Now the second component of work product information can be illustrated by the information in an insurance claims file. A claims file contains both personal information--identifiable information about the claimant--and work product information about the handling of a claim. An individual absolutely ought to have a right to their personal information in the file, but that should not be the case for the work product information that is generated by the company itself. This work product information is created by the insurance company for the purpose of handling that claim and it is important that it be recognized that it is not personal information.

The issue of work product information is too important to be left to an interpretation of PIPEDA and must be addressed and defined in law, in our opinion. We recommend the approach that British Columbia has taken in its Personal Information Protection Act, in which work product information is defined and explicitly recognized as not being personal information.

Mr. Bundus will now speak about two other issues.

Our second issue is whether an individual can make a request under PIPEDA for access to their personal information at the same time they are suing the insurance company in court. This issue may be unique to property and casualty insurers, which deal not only with their own customers but also with non-customers. We refer to these as third parties. The third parties will say that they have suffered damages or injuries because of the acts of the insurer's customer. The relationship that exists between the third party and the insurer is often adversarial.

The experience of our members is that these access requests are not being made for the PIPEDA-stated purpose of correcting inaccuracies in the information, but rather so that the individual can use information in the insurance claims file to assist them in their court action against the insurer. This should not be allowed to continue. It is prejudicing the ability of insurers to fulfill their legal obligation to defend their customers in any lawsuit.

We recommend that PIPEDA be revised so that the rules of civil procedure that regulate access to information during lawsuits take precedence over PIPEDA when a legal action has been started.

Our third issue also reflects the unique nature of the P and C insurance business in which insurers have to investigate the events of an accident. This includes collecting statements from people who witnessed the accident or who have information about the accident. A witness statement will typically contain information about the witness, the witness's observations of the incident, and information about another individual who was involved in the incident. This other individual is the subject of the statement. A witness statement may as easily confirm and verify the claimant's version of the events as it might cast doubts about the incident. It is to everyone's benefit if all of the relevant facts and information are gathered by the insurer as quickly and accurately as possible.

Witness statements are not specifically addressed in PIPEDA, and this results in uncertainty about their treatment under that law. The first issue is whose personal information a witness statement contains. In our view, the observations of the witness are the witness's personal information, and therefore the witness may freely give a statement to the insurer.

It has been suggested that an insurer should, before collecting a witness statement, obtain the consent of the person who is the subject of the statement. This suggestion defies common sense. It would effectively allow the subject of the witness statement to prevent the witness from reporting what they saw or heard.

We recommend that PIPEDA be revised to clarify that the personal information expressed by a witness is the witness's personal information. PIPEDA should also provide that an organization may, during the course of investigating and settling contractual issues or claims for loss or damages, collect, use and disclose a witness statement without the subject's knowledge or consent.

This morning we have briefly summarized three of our issues and proposed solutions. We would be pleased to answer any questions that you may have on these or any of the other issues in our written submission.

Thank you.

Thank you very much for inviting me here today.

I am a self-employed privacy consultant who has been living and breathing PIPEDA since the law was first tabled in Parliament back in 1998. I'm something of a privacy law expert, or at least people refer to me that way. Although I am not a lawyer—and my clients always tell me they're glad I'm not—I'm willing to attempt to answer any questions you may have about the law and give you the best insights I can.

I look forward to a dialogue with you and to the opportunity to address, to the best of my ability, any aspect of the law that you wish to ask about and how it works in practice.

PIPEDA is important legislation. It establishes a fundamental right to privacy in the commercial marketplace and sets out a framework under which the interests of citizens in controlling their personal information are balanced against the needs of businesses to collect, use, and disclose it for reasonable purposes.

By and large, this balancing of interests works very well, and by and large, PIPEDA is a good law. In fact, as someone who helped write the CSA code that is a fundamental underpinning of this law, I have found it remarkable at times just to look back on it and notice how durable this law really is. The CSA principles were very well crafted and have stood up very well over the years, despite the fact that there's some complexity in the wording in places.

Despite the lack of clarity, the law is founded upon broad concepts that are solid and provide a basis for reasonable people to make reasonable judgments about how their personal information should be protected. This review process is nevertheless a very important opportunity to fix some problems with the law and to make it even more effective, more efficient for business in some ways, and more fair to the public in others.

To the comments that have been made that it is too soon to hold this review, I would say that is not the case. There are problems that need fixing right now on the basis of six years of application of the act, the insights gained from the next generation laws in Alberta and B.C., and growing concerns over such public issues as identity theft. The work you are doing right now about such problems is extremely important and will have a major impact on making PIPEDA an even better law in the years to come.

From the back rows, I've been intently watching the other witnesses over the past several weeks, and I've decided at this juncture to restrict my formal comments to addressing seven issues. I understand that my brief has not been translated but will be available soon.

I think the seven issues I'll be focusing on in my written submission are all important issues, some of which have not yet received a lot of attention. I'd be pleased to talk about any one of these. They are the question of commissioner powers; access barriers to the Federal Court; consent in the employment relationship; breach disclosure; attempted collection without consent; collection for national security purposes; and collection without knowledge or consent for administrative law purposes.

Of these seven issues, in my oral comments I want to speak about three of them. The first is breach notification.

Identity theft is a major problem and it affects the entire marketplace, even responsible companies that have strong data safeguards and have never encountered a breach. The costs of security breaches and identity theft are borne throughout the marketplace and result in higher costs to goods and services, and as importantly, lead to a diminished public trust in data sharing.

Responsible companies may believe that breach notification rules should be left up to them, and I have no doubt that responsible companies will act responsibly in this regard, mindful of the reputational risk, fiduciary responsibilities, and other such factors. However, as Canadian Marketing Association President John Gustavson once remarked about the need for a privacy law, when he advocated for one, in the world of privacy, the world is not made up of responsible companies.

There needs to be a mechanism that will enforce responsible behaviour throughout the marketplace, especially in this area.

Looking at the mechanics of breach notification, I am proposing a four-point model that I think is clear, fair, strong, realistic, and protects the public interest.

The first point is that there would be a duty to notify that would apply to all types of sensitive information, not just financial data. For example, a breach of health records can cause as much harm and damage to the individual as loss of information that could lead to identity theft.

Secondly, organizations should have some discretion to determine when to notify the public, but that should be based upon not just their own self-assessment on their own factors, but also upon an objective standard such as the reasonable persons standard that is currently embedded in the act, which forces organizations to act prudently.

They must notify the Privacy Commissioner when a reasonable person would consider it appropriate to do so and must make this notification in a short, legally prescribed timeframe following a breach. When they notify the Privacy Commissioner, under my model, they would be required to describe the impacts of the breach, the efforts taken to mitigate it, and what decision was made to notify affected persons. If they decide not to notify persons, which should not happen in most cases, but there could be exceptional circumstances, they must explain why they choose not to. The Privacy Commissioner could then question these decisions that were made.

The really important point about breach exposure, though, is that we need to have enforcement tools, and in this regard I believe it should be an offence under the act to fail to disclose notice of a breach where a reasonable person would expect that disclosure to have taken place. That offence should have similar penalties as other offences in the act.

To further back up enforcement, I think the act should state that whistle-blower rights specifically apply where employees notify the Privacy Commissioner about a breach.

My second point deals with consent in the employment context. I have seen enough evidence through PIPEDA complaint investigations and Federal Court decisions to satisfy myself that the requirement for employment consent for new purposes that are reasonable ones in the workplace imposes a huge administrative burden on companies and can and does lead to situations where employees exercise a right to refuse consent in an arbitrary manner and for what are really justifiable information collection purposes.

The Alberta and B.C. laws foresaw this problem. They wisely removed the requirement that consent be required in the employment relationship, moving instead to a standard where purposes must be identifiable, and actually identified to the individual, and must be reasonable.

I've seen no evidence whatsoever to indicate that the Alberta and B.C. model does not work well or that any real privacy rights of employees are trampled as a result of this model.

I undertook a very detailed analysis of the consent issues in my written submission, which I hope you will take a look at.

My final comments deal with a matter that has not received very much attention so far, and that's the way in which the Public Safety Act, 2002, amended PIPEDA to permit private sector organizations to collect new information about customers or employees, or about any other party on their own for purposes related to national security, defence of Canada, and the conduct of international affairs, or to do so at the request of a national security agency.

In making these amendments, which were added in the wake of 9/11 and the heightened concern for public security, PIPEDA enters a very different sphere than normal commercial business activity. With these amendments, organizations can, on their own or at the prompting of a state, undertake the kind of information collection that is normally undertaken only by state agencies and where our society has recognized a need for the highest level of constitutional protections under the charter.

With these amendments, because they enable a business to collect new information about a person on the suspicion of a security threat or to do so at the request of the RCMP or other security agencies, there's a great risk that charter rights could easily be offended.

As you know, private businesses are not subject to the charter directly, and in some cases have very little knowledge or understanding that charter rights could therefore be trampled if they collect information in ways that would not be considered reasonable. Moreover, if private companies are co-opted by security agencies to collect such information on their behalf, there's also a further risk that such agencies could use PIPEDA to bypass or to do an end run on their charter obligations.

In my written submission I made the effort to explain in great detail the nature of my concerns. This is a complex issue. I hope you'll take the time to read these detailed comments and consider them carefully.

I must stress that I am not a lawyer and not schooled in the intricacies of constitutional law and charter rights. However, as a privacy consultant who studies the details of PIPEDA very carefully, I was struck the moment I saw these new Public Safety Act amendments that there was a grave and real risk that charter rights--first section 8 and possibly section 7--could be violated if such collections of information ever took place. As constitutionally protected rights are at issue here, I urge the committee as a matter of public duty to give this issue the attention it deserves, and I recommend that it report to Parliament that the government should reconsider these amendments with a view to removing them from the act.

Thank you for the opportunity to give you my comments. I must say, in closing, that as a privacy consultant I am constantly asked in training sessions all kinds of questions about the act, and I'd be glad to answer any question you've got about the act and how it works.

Hi.

Members of the committee, ladies and gentlemen, good morning.

I am Ann MacKenzie, privacy officer of the Dominion of Canada General Insurance Company. Presenting with me today is Vivian Bercovici. Until recently, Vivian was general counsel at the Dominion, and she continues to advise us in private practice. We appreciate the opportunity to present our views and concerns directly to this committee.

We have provided a booklet of materials to you, which includes our submissions made in September 2006 to the Office of the Privacy Commissioner regarding a statutory review. The bound material starts with our table of contents. It's followed by today's written submission. The tab materials that follow it support our written submission, and the French and English versions are separated by blue pages. The French translation of our oral presentation will be provided later, in a few days.

The Privacy Commissioner has provided this committee with a summary of submissions that can be found at tab 5 of our material. I note that certain positions put forward by the Dominion in our September 2006 submission to her do not appear to be reflected in the OPCC résumé. So today we intend to focus our comments on two issues: first, the matter of solicitor–client privilege, PIPEDA, and the recent Federal Court of Appeal decision in the Blood Tribe case; and secondly, the right of the respondent to appeal a complaint made to the Privacy Commissioner under PIPEDA.

Vivian will now present our position regarding the first issue, solicitor–client privilege and related issues.

Thank you.

The discussion of solicitor–client privilege in this PIPEDA context was focused very recently by the Federal Court of Appeal decision in Blood Tribe, which was given in October 2006. You'll find it at tab 8 of our material. I know this is a heavy booklet, but we thought it would be convenient to have everything in one place. I'm sure you've heard a lot about Blood Tribe up to now. We have been following these hearings, and we wanted to make some comments on some of the things that have been said, because solicitor–client privilege is so important.

This case, the Blood Tribe case, is really about the scope of power of the Privacy Commissioner and the manner in which that power is exercised. It's a case about considering what the statute allows explicitly and the limits of discretionary interpretation. To analyze these fundamental principles, we must consider the intent of Parliament in enacting PIPEDA. I'm going to direct you to page 2 of our written submission at the front of the booklet where it's set out, where we talk about the balance and the purpose of the statute, and you can read it at your leisure.

When Parliament intends to legislate an ombudsman-type adjudicative structure, as in PIPEDA, then I submit that's what Parliament does. When Parliament intends to grant more expansive powers, such as those we might find in an administrative tribunal with rule-making powers, then that's what Parliament does. When Parliament intends to require that material protected by solicitor–client privilege be disclosed, then that's what Parliament does. Parliament did not do this in PIPEDA, and we must presume that this was not a matter of inadvertence or an oversight. Parliament did not intend that the Privacy Commissioner should have the power to compel the production of solicitor–client privileged documents.

I take you to tab 8 of the booklet now. Writing for the bench in the Federal Court of Appeal decision in Blood Tribe, Mr. Justice Malone states—

I'm sorry. That's in paragraph 14 on page 6 of tab 8, so just near the bottom.

So right at the bottom, it reads:

the recent approach used by the Supreme Court of Canada suggests that if Parliament wished to create a power to compel privileged documents then express language must be used.

If I can just refer you to page 8 of the same case, paragraph 22, about two-thirds of the way down, after going through all of the relevant case law, the summary comment states:

In short, the reason express language is required to abrogate solicitor-client privilege is because it is presumptively inviolate. The exception for solicitor-client privilege in PIPEDA is not what shelters privileged documents from disclosure. The law of privilege does that.

Ladies and gentlemen, solicitor-client privilege goes to the heart of the order and integrity of our system of justice. An individual or party in any proceeding must know with confidence that any communication with their solicitor will not be disclosed. This allows free and unthreatened communication between solicitor and client, which facilitates the preparation and execution of a full and vigorous defence.

The impact of qualifying solicitor-client privilege, which has anchored a common law tradition for centuries, would be seismic. Just to bring it home, I'd ask you to imagine the sudden and retroactive abrogation of executive privilege and the profound effect this would have on government. I suggest to you that the impact of the Privacy Commissioner's position regarding solicitor-client privilege would be no less dramatic.

It is of the utmost importance that power be clear and be interpreted clearly. It is of the utmost importance that the commissioner's discretion in interpreting powers be consistent with our legal practices and system.

The insurance industry receives many requests from plaintiffs' counsel. You've heard about this already from our friends from the IBC. Often when litigation is contemplated—sometimes after a claim has been filed—counsel seeks production under PIPEDA of documents to which they are not entitled under common law or pursuant to the rules of civil procedure. These documents are protected by either solicitor-client privilege, litigation privilege, or both.

Sure.

My apologies.

Certainly.

I apologize for that, but it will be a relief that I'm not quoting any more from case law.

That's okay. It's a good thing I have written remarks.

I was just talking about the difficulty in the insurance context, because very often requests are made during the litigation process for privileged documents.

With respect, we submit that it was highly unlikely that Parliament intended an interpretation of PIPEDA that would permit the circumvention of privilege in this manner. Parliament would not have sanctioned this result.

We also have to ask, what happens if the commissioner finds that documents, which are the subject of a complaint, are not privileged or that they must be disclosed anyway? Then what?

Ann MacKenzie will address this issue with you.

Our interpretation of PIPEDA is that there is no clear right of appeal for the respondent to a PIPEDA complaint. This is raised in our September submission at tab 2, page 3, and in our current written submission at page 5—and our current written submission is translated into French, my apologies.

This issue that we're raising today wasn't raised in the commissioner's oral testimony before the committee, or in her written submission or the résumé of submissions received from third parties. We think it's very important that we should bring it to your attention.

Section 14 of PIPEDA allows the applicant to appeal a finding of the Privacy Commissioner to the Federal Court. There is no such explicit right of the respondent. We respectfully submit that this is a matter that should be corrected in this statutory review. The powers of the Privacy Commissioner are significant powers that may profoundly affect a commercial interest. To allow one party a right of appeal and to deny another party the same fundamental right or opportunity is inconsistent with the common law standards of fairness. We ask the committee to consider recommending to Parliament that the statute be amended to explicitly provide for a right of appeal for the respondent.

In addition, we ask this committee to consider addressing the current practice of the Privacy Commissioner regarding disclosure of complaints. Based on our experience, it seems that the identity of a complainant is not always disclosed to the respondent, nor is the complete original complaint. Rather, the respondent receives a paraphrase.

PIPEDA was intended to be a general guideline for a principled approach to the collection, use, and disclosure of personal information, not to create a parallel justice system. All Canadians would benefit from a clarification of the commissioner's powers, so that we understand with certainty and confidence the standards that are being applied.

In closing, on behalf of the Dominion, I wish to thank the committee for hearing us today and for indulging us. We commend the Privacy Commissioner and this committee for such careful consideration of the matters before us.

Thank you.