Information & Ethics Committee on Feb. 8th, 2007

Evidence of meeting #29 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pipeda.

A recording is available from Parliament.

On the agenda

Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)

MPs speaking

David Tilson
Robert Vincent
Glen Pearson
Pat Martin
Bruce Stanton
Sukh Dhaliwal
Mike Wallace
Carole Lavallée
Dave Van Kesteren
Jim Peterson

Also speaking

Anita Fineberg  Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada
Gary Fabian  Vice-President, Public Affairs and Corporate Relations, IMS Health Canada
Dave Carey  Chair, National Association for Information Destruction - Canada
Léo-Paul Landry  Member, Medical Advisory Board, IMS Health Canada
Robert Johnson  Executive Director, National Association for Information Destruction - Canada

10:35 a.m.

Vice-President, Public Affairs and Corporate Relations, IMS Health Canada

Gary Fabian

Once again, as Ms. Fineberg explained at the outset, this is the very aspect we want to protect, up to a certain point. The information that we provide is always part of a vast aggregate of data. A minimum of 30 physicians is always required to make up a group, but there could be as many as 150 or 1,000.

Therefore, it is really impossible to single out a physician and to say that he was the one who prescribed such and such a drug. The physician is included in a group that prescribes certain kinds of drugs. Our objective ends there. That is as precise as we get.

10:35 a.m.

Bloc

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

All right, you cannot do that.

10:35 a.m.

Conservative

The Vice-Chair Conservative David Tilson

Merci.

It came up in one of our hearings, through one of our guests who came, that the B.C. pharmacists had passed a resolution that they would not release information.

Ms. Fineberg, do you know about that, and do you have any comment about it?

10:35 a.m.

Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada

Anita Fineberg

Certainly. It's actually a reference to a bylaw that was passed by the B.C. College of Pharmacists in 1997. Effectively, the college was mandated by the B.C. health minister at that time to change its bylaws to effectively prohibit the disclosure of any information that identifies a physician for the disclosure for commercial purposes.

Since 1997, the board of the College of Pharmacists has voted, I believe it's three times now, to amend that bylaw to remove that prohibition, but because the approved bylaw must be approved by the B.C. government through an order in council, that has yet to be done.

10:35 a.m.

Conservative

The Vice-Chair Conservative David Tilson

So in British Columbia that's the law?

10:35 a.m.

Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada

Anita Fineberg

The situation is that you have that bylaw, and as you've heard, you have the B.C. PIPA, which excludes work product, which would exclude the type of information. From a legal perspective, there are opinions out there that because one is a law—i.e., PIPA's a law—and the other is only a college bylaw, legally the PIPA exclusion would take precedence over the college bylaw. But there are also practical realities of doing business.

10:35 a.m.

Conservative

The Vice-Chair Conservative David Tilson

Mr. Martin.

10:35 a.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

Thank you.

There's another piece of legislation that's going through the House of Commons right now that has an implication I'd like your views on. They want to change the permanent voters list for identification to try to deter voter fraud. And I should tell you there was one case of voter fraud in the last federal election, none in the election before, and three in the election before that. But the permanent voters list would now have your name, address, telephone number, and date of birth.

I had something like 200 volunteers in my election campaign, and it's not unusual to tear off a sheet of the voters list and give it to one of your volunteers and say, canvass these 50 people. As privacy experts, do you have any comment on that? Dumpster divers love to find date of birth. It's like a PIN number.

10:35 a.m.

Executive Director, National Association for Information Destruction - Canada

Robert Johnson

Yes. My comment would only be that when we look at proposed regulations regarding information protection, very often we do recommend that the definition of personal information be expanded.

We mentioned the Georgia state shredding law, which we like to use as an example. That law excluded phone numbers as a piece of personal information, much as PIPEDA does. We disagree with that as an association because, as always, it's the ability to coordinate several pieces of information that give you the critical mass—

10:35 a.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

You can get that from your phone book, though. Name, address, and phone number is pretty accessible.

10:35 a.m.

Executive Director, National Association for Information Destruction - Canada

Robert Johnson

I understand, but if it's matched with an account number and matched with an address and with the name, it becomes kind of a ballet for those experts: how many different pieces do they have to be able to put your mosaic together?

10:35 a.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

What if you add date of birth in there?

10:35 a.m.

Executive Director, National Association for Information Destruction - Canada

Robert Johnson

That is my point. The things you exclude are the things that they're going to put together to make the mosaic.

10:35 a.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

So if the government does it for you on the permanent voters list, isn't that a recipe for identity theft?

10:35 a.m.

Executive Director, National Association for Information Destruction - Canada

Robert Johnson

I won't go so far as to say that. It certainly could aid and abet those trying to do that.

10:40 a.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

Do you have any opinion on that, Ms. Fineberg?

10:40 a.m.

Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada

Anita Fineberg

Only to suggest that perhaps the way to address the issue is to tightly control what happens to that extra piece of information, the date of birth, once it's used for the alleged purpose that it's necessary for—i.e. to confirm the identity of the voter to prevent fraud—and then it disappears after that from any subsequent circulation or documentation.

10:40 a.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

That's interesting.

My other questions brings us back to the—You want to destroy everything.

10:40 a.m.

Some hon. members

Oh, oh!

10:40 a.m.

Corporate Counsel and Chief Privacy Officer, Canada and Latin America, IMS Health Canada

Anita Fineberg

That's right—[Inaudible--Editor].

10:40 a.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

Coming back to the B.C. privacy commissioner's testimony, he raised the issue that in the sale or transfer of a business, sometimes the database or the customer list is the most valuable part of that business. He was saying that in B.C. this is guarded, and I guess the obligation of privacy is passed along to the successor company.

But do you think PIPEDA should be amended in a similar way? Also do you think that individuals should have the opportunity to opt out of being on that list; in other words, should they be notified?

For instance, regarding the census, I don't want Lockheed Martin having my personal information. In fact, there was a whole boycott being planned in Canada that, if Lockheed Martin gets the census, we're not going to cooperate with it. Do you think people should have the opportunity to opt out of being on a list if the business sells, and should PIPEDA address this?

10:40 a.m.

Executive Director, National Association for Information Destruction - Canada

Robert Johnson

Personally I would like more time to think about that before I declare myself. Certainly I could see how someone would be concerned, and it seems to me a reasonable proposition that because I've entrusted my information to one entity, if they sell their business or do business with another entity, I should be aware of that.

At minimum, our recommendation said that there should be a very clear contract that specifies the fiduciary responsibility, the chain of custody, and the obligations under whatever regulations exist within the jurisdiction to which the information was originally entrusted to the first custodian.

10:40 a.m.

NDP

Pat Martin NDP Winnipeg Centre, MB

That might help from a legal point of view, but what if I'm openly hostile to a company? What if I don't just dislike the company that's being sold or is buying my information, but I don't want anything to do with them? Do I not have a right to withdraw the information that I confided into company A, which I don't want to be controlled by company B? Where are my rights there?

10:40 a.m.

Executive Director, National Association for Information Destruction - Canada

Robert Johnson

There's the practical—and then I think the presupposition of all privacy legislation as a human rights issue is that it's actually the person the information is about who should be the ultimate decision-maker on where that information can go. If that's where the basis of it all starts, I think that might answer your question.

10:40 a.m.

Conservative

The Vice-Chair Conservative David Tilson

Thank you, Mr. Martin.

Does Ms. Fineberg have an opinion on this?