Information & Ethics Committee on Feb. 8th, 2007

Evidence of meeting #29 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pipeda.

A recording is available from Parliament.

On the agenda

Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)

MPs speaking

Also speaking

Anita Fineberg Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada

Gary Fabian Vice-President, Public Affairs and Corporate Relations, IMS Health Canada

Dave Carey Chair, National Association for Information Destruction - Canada

Léo-Paul Landry Member, Medical Advisory Board, IMS Health Canada

Robert Johnson Executive Director, National Association for Information Destruction - Canada

10:15 a.m.

Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada

Anita Fineberg

There are a number of ways to ensure that it can't be done. At first instance, the information that we receive from our data suppliers goes through a software program that leaves anything related to the patient behind. So that's at first instance, and then we have technological means to ensure that everything is totally screened out. As well, all of our contractual provisions prohibit any provision of anything that might identify a patient to us.

As I mentioned before, we are a strong supporter of patient privacy rights with respect to personal health information, and collecting anything that might identify a patient is illegal in this country, not only under PIPEDA but under all the privacy legislation. We would expect any organization that might engage in that kind of activity to be called to account and that the legislation would be enforced against them.

10:15 a.m.

Liberal

Jim Peterson Liberal Willowdale, ON

Who could possibly object to what you're asking for?

10:15 a.m.

Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada

Anita Fineberg

I agree, and I was considering Madame Lavallée's question, and I appreciate your asking it again. The short answer is, subject to what Dr. Landry said, nobody that I know of, quite honestly. And I think you've heard from a wide variety of representative organizations and groups who have appeared before the committee, all of which support the distinction. I think one thing—

10:15 a.m.

Liberal

Jim Peterson Liberal Willowdale, ON

My only problem is this. I don't know whether the amendment you've suggested is the proper way to do it. I'd be happy to propose an amendment saying IMS is not in breach. But, for example, the amendment you've proposed is quite different from what B.C. has put in.

10:15 a.m.

Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada

Anita Fineberg

No, it's not.

10:15 a.m.

Liberal

Jim Peterson Liberal Willowdale, ON

Well, it's different. It's worded differently.

10:15 a.m.

Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada

Anita Fineberg

It has the added part in part 2, the little exclusion, to make sure to address the commissioner's concern that workplace surveillance information might not be inadvertently captured. I think, given that you've heard from different groups, there's a wide spectrum of work product information out there that is of concern to different organizations.

We have a particular concern with respect to the prescription information, but any memorandum, any letter, any opinion, any document created by employees or professionals as part of their business responsibilities, if we do not proceed with this work product exclusion, could well be considered to be personal information.

I know that the commissioner in B.C. addressed the access issue, and the committee has spoken about small business concerns with respect to compliance. Ex-employees could say that anything they wrote or put their names on when they worked for you is their personal information. They could leave, put in an access request for all of that, every e-mail. From a business perspective, particularly smaller business perspective, they could get totally snowed under.

10:20 a.m.

Liberal

Jim Peterson Liberal Willowdale, ON

I wouldn't mind hearing, Mr. Chair, from anybody—maybe previous witnesses—who has concerns with the precise wording of the amendment that's been suggested.

10:20 a.m.

Conservative

The Vice-Chair Conservative David Tilson

The commissioner's coming. She may have some thoughts.

10:20 a.m.

Liberal

Jim Peterson Liberal Willowdale, ON

That's a good idea, yes, thank you.

10:20 a.m.

Conservative

The Vice-Chair Conservative David Tilson

Are you finished, Mr. Peterson?

10:20 a.m.

Liberal

Jim Peterson Liberal Willowdale, ON

Is there an association that protects the other side of your enterprise—for dumpster divers or things like that?

10:20 a.m.

Chair, National Association for Information Destruction - Canada

Dave Carey

I would not think so.

10:20 a.m.

Executive Director, National Association for Information Destruction - Canada

Robert Johnson

I don't think they've unified yet, although I do have an article here on a theft ring that specialized in dumpster diving to get private information and capitalize on it.

10:20 a.m.

Liberal

Jim Peterson Liberal Willowdale, ON

Is it fairly widespread?

10:20 a.m.

Executive Director, National Association for Information Destruction - Canada

Robert Johnson

Very much so. It's the primary source of the information that goes into identity theft. It's hard-copy access. These are not high-tech breaches.

10:20 a.m.

Conservative

The Vice-Chair Conservative David Tilson

Dumpster diver--that's one of the main things the committee's learned in this session.

Go ahead, Mr. Wallace.

10:20 a.m.

Conservative

Mike Wallace Conservative Burlington, ON

Thank you, Mr. Chair.

I just have a really quick follow-up, because I was politely cut off.

I wanted to ask the information management folks about the question of notification. I was interested to hear you say that you want to extend that or have more detailed notification requirements. The commissioner has come to tell us previously—and we're going to have the commissioner back—that the notification system we have now is adequate and that, if possible, notification is not required and the issue gets resolved internally. Then nobody's hurt by it and that's sufficient.

Have you actually surveyed your members so they know that they will be more liable, based on your presentation today, if there is a change to the notification piece, in that, as some have argued, for any breach at all there should be notification to the person?

In my mind, a lot of records in this country are stored near warehouses, and sometimes they get destroyed and sometimes they don't. I think you're at a higher risk than many. So I'd like to know for sure that I can say that I heard from your organization, and that you have surveyed your members, and they are confident that you are right that there should be a greater notification process than what exists now in PIPEDA.

10:20 a.m.

Executive Director, National Association for Information Destruction - Canada

Robert Johnson

I think one of the reasons that NAID Canada and NAID Europe have been such a most credible source, of information is that we don't always take a position that might be the best economic thing for our members. We actually use this as a consumer advocacy organization, by our mission and charter.

We're supported by the industry. We took a position on professional liability insurance requirements for our members that cost them a lot of money, and I got a lot of hate mail as a result, but that was the right thing to do. In this case, we feel that notification is the right thing to do. Our members support NAID having an entree to venues like this because of that credibility, and they continue to support the association, even if we might take a position in that way.

That said, I think that if we were to in fact go to members and ask them--and we have not taken that survey—they would definitely see the benefits to the consumer, as well as the benefit to the industry, to have notification provisions that not only extend to high-tech, sensational electronic breaches, but include in that notification people put at risk by the casual disposal of hard-copy documents.

10:20 a.m.

Conservative

Mike Wallace Conservative Burlington, ON

Let's say somebody breaks into a warehouse, steals some boxes, and the stuff ends up on the streets of Toronto. If they found out it came from Iron Mountain, it could hurt the business considerably. Are you telling me, today, that you are willing to take that risk?

10:25 a.m.

Chair, National Association for Information Destruction - Canada

Dave Carey

In our particular case, yes, absolutely. We have an internal notification policy in place for situations exactly like that. Even without your legislation, as a records management company we have an internal policy of notification.

10:25 a.m.

Conservative

Mike Wallace Conservative Burlington, ON

Thank you very much.

Thank you, Mr. Chairman.

10:25 a.m.

Conservative

The Vice-Chair Conservative David Tilson

That concludes the second round.

We have three more individuals who wish to ask questions.

I have one brief question to Ms. Fineberg.

I represent a community that has a lot of little villages and towns. Everybody knows everything about everybody. It's wonderful. You indicated that the information you receive is anonymous. It may be in the big city, but it's wonderful how people find things out in these communities. You may live next to someone and your neighbour knows everything about what you're doing.

Is it possible that people could piece together the little pieces of information you have and then it's no longer anonymous?

February 8th, 2007 / 10:25 a.m.

Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada

Anita Fineberg

I come from one of those small towns too, by the way.

We have had our data examined, from a number of different perspectives, to address precisely those types of questions. We've had statisticians from McGill look at our internal databases with respect to whether you can slice and dice and potentially combine anything to identify an individual. The expert answer was no. There are contractual provisions in place with respect to our employees not being able to do anything with the data except process it internally to undertake that exercise.

10:25 a.m.

Conservative

The Vice-Chair Conservative David Tilson

The problem is that people guess. They're very good at guessing. I don't want to make a big deal of it. I'm just telling you that from the community I personally represent—and there are other members of this committee who represent similar communities—people are very good at piecing these little pieces of information together. That's all I'm saying. And they challenge the experts.

Mr. Dhaliwal.