Evidence of meeting #3 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was issues.

On the agenda

MPs speaking

Also speaking

Jennifer Stoddart  Privacy Commissioner, Office of the Privacy Commissioner of Canada
Raymond D'Aoust  Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada
Heather Black  Assistant Commissioner (PIPEDA), Office of the Privacy Commissioner of Canada

The Chair Liberal Tom Wappel

We're going to get started. Committee members, just so you're aware, we only have 89 minutes. We have to adjourn at 5 o'clock on the nose because the Bill C-2 committee is starting its deliberations at 5 p.m.

On that note, there is a very good likelihood that we will not meet next Monday because the Bill C-2 committee doesn't look like it's going to be able to complete its work by the end of this week. Therefore, it's very likely that it will continue on Monday, and as we know, if they're working we can't. So we'll keep you informed of that. If something happens, the Information Commissioner is scheduled to appear, as he was today, and the Registrar of Lobbyists.

So without further ado—

Yes, Ms. Lavallée.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Exactly how much time do we have?

The Chair Liberal Tom Wappel

We have 88 minutes.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

That gives us a grand total of 158 minutes since the beginning of May. Thank you, Mr. Chairman.

The Chair Liberal Tom Wappel

I don't want to hold up while waiting for electronic means. The Privacy Commissioner has been kind enough to provide us with a paper copy of the documents, so allow me to introduce our witnesses and let them get right to their presentation.

First, of course, we have Jennifer Stoddart, the Privacy Commissioner. Welcome. And we have Heather H. Black, assistant commissioner, PIPEDA, the Personal Information Protection and Electronic Documents Act.

Parenthetically, members, the five-year mandatory review, for reasons best known to others, was referred to the industry committee. I and the chairman of the industry committee, Mr. Rajotte, have written to the House leaders, with the support of Mr. Tilson, to suggest that the reference should be to this committee. We haven't heard back yet from the House leaders, but hopefully the logic of that will dawn on them and they will refer that act to us.

And we have Raymond D'Aoust, assistant privacy commissioner.

Welcome to all of our witnesses. We'll start with Ms. Stoddart, who has a presentation, as you can see before you.

You have up to 20 minutes, but in view of the length of time we have and the questions that no doubt will come, we'll ask Ms. Stoddart to keep it in the vicinity of 15 minutes.

Jennifer Stoddart Privacy Commissioner, Office of the Privacy Commissioner of Canada

Good afternoon, everyone.

The Chair Liberal Tom Wappel

No matter how fast computers are, they're always slow when you're waiting for them.

3:35 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Thank you very much, Mr. Chairman and honourable members, for inviting me here.

On the screen you will see an overview of the presentation that I hope to run in the next 15 minutes, which I hope will give you an initial introduction to our role and mandate, the laws we administer, and some of the key issues.

I'll begin by explaining the role and mandate of the Office of the Privacy Commissioner. Unlike other provincial offices, the OPC is an ombudsman office with several roles, the most important of which, from a resources standpoint, is to conduct investigations.

The OPC also conduct audits under two federal privacy laws. Furthermore, it publishes information about personal information-handling practices in the private sector and brings privacy issues to the attention of Parliament.

Although it requires minimal resources, public education is one of the OPC's most important roles, as is research and policy on emerging privacy issues.

We administer two laws, and you're going to hear a lot about the first one in the coming weeks. This is our basic federal government Privacy Act. It came into force about 25 years ago, and this is your basic set of ground rules for the public sector. It's standard in terms of international data protection. Standards now are fairly low. You can use information collected from the public as long as it's directly related to a program or to an activity. You don't need the consent of Canadian citizens, and you don't need to inform them in any direct way about how you're using their information.

Since 2001, the second law we've been administering is our newest privacy law in Canada known by its acronym, PIPEDA, but you can call it the PIPED Act or...there are various ways of pronouncing it. It is now fully in force and it applies to the jurisdiction where the federal government has authority---federal works and undertakings, federal crown corporations that might have private-sector-related activities, and activities of trade and commerce in Canada under section 91 of the BNA Act. Like its counterpart, it sets out rules. These consent-based rules are far more extensive and the standard for privacy protection is a lot higher.

In the last few years, one of the important goals of the office has been to work cooperatively with the provinces and the territories. Some of you will know that privacy protection is also a provincial jurisdiction because provinces have authority over property and civil rights. Privacy is a civil right. It's a human right in the Canadian context, so it was important for us at the Office of the Privacy Commissioner to work cooperatively with the provinces to make sure Canadians have seamless privacy protection as much as possible. I can give you some examples of various joint efforts with the provinces.

Very briefly, some of our current key issues and concerns are these. Under the Privacy Act, the national security agenda, we appeared on the Anti-terrorism Act last spring. We have been asking questions about the purview or the extent to which the Anti-terrorism Act has reduced the individual right to privacy under the Privacy Act as it is now constituted. We're concerned there's less reason for judicial authorization. We think the judiciary is key, that the judicial authority be there when you're going to regiment individual rights and liberties. And we're giving Canadians less opportunity to challenge the curtailment of their freedoms.

On a separate issue, we're also concerned about the increasing blurring of the lines between the private sector and the public sector. In Canada, we're used to the state carrying out laws, certainly carrying out criminal law and national security issues. With a change to PIPEDA that came about two years ago, organizations in Canada are now mandated to specifically request information, to collect it for the express purpose of giving it to the national security authority. Again, this is a trend we want to watch.

The transborder flow of information has been a constant theme in the last few years. There are two major subsets of issues. The first issue is what happens to our information at the border, information we are specifically sharing at our land and air borders, particularly our land border with the United States, given the flow of people and traffic to the United States. We have just finished a first audit of the handling of personal information at some of the land crossings by the Canada Border Services Agency, and we'll be publishing that in our next annual report on the Privacy Act that will come out at the end of June.

We also just received the draft rules for the do-not-fly list from the Department of Transport. We'll be doing a privacy impact assessment on the ground rules for the do-not-fly list.

The second set of issues is known now as the issues linked to the U.S.A. Patriot Act. They're not a U.S.A. Patriot Act set of issues per se; they are issues of transborder data flow--the global flow of our personal information. It has become accentuated in the last few years. It has existed for decades now, but what happens to Canadians' personal information once it leaves the borders of Canada and Canadian law has just recently come to public attention.

The Chair Liberal Tom Wappel

Madam Stoddart, can I stop you for just one second? I want to inform the committee that those bells are not an annoying signal; they actually mean something. There is a vote. The vote will take place in about 22 minutes--something like that.

I suggest we let Madam Stoddart finish, and then we can decide that either we're all going to stay or we'll all go to the vote. Then we'll come back, assuming there's at least half an hour left. I don't know what the vote is about or how long it will take--oh, it's to proceed to orders of the day, so some games are being played, I gather.

I don't think it's fair to have the witnesses stay here and wait if none of us returns. If we can get back here by 4:30 p.m., then at least we'd have another half-hour before we'd have to adjourn.

Without further ado, let's allow the Privacy Commissioner to finish her comments.

June 5th, 2006 / 3:40 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Well, thank you. I'll try to be economical.

One of the requests of this committee as it was constituted in the previous Parliament was that we table a paper on Privacy Act reform. This was the first law. The law is now 25 years old, and I've consistently been criticizing it for its inadequate protection of Canadians' personal information.

At your request, Mr. Chairman, I have formally tabled with you our first paper on Privacy Act reform. Some of the issues have to do with transparency. We talk about transparency and accountability; we're saying the government should be accountable not only for amounts of money, for projects, but should also be accountable for Canadians' personal information.

Canadians should have a right to see what's in their files now, but they virtually have no further rights. They cannot request in front of a court that this information be corrected if it's erroneous. Lord knows, sometimes we all have mistakes in our government files; you have no right of correction if the government does not want to correct it. You have no right of damages, as was recently confirmed by the Federal Court in the Murdoch case.

It is virtually impossible for Canadians to track where their personal information is going now. As blood flows through arteries, it takes experts, and even then.... There's a publication called InfoSource, but InfoSource is out of date and it's often erroneous.

Basically what we're saying, Mr. Chairman, is that the federal government should live by the standards it's imposing on the private sector--ask for the same transparency, accountability, and privacy policies it now asks of companies under PIPEDA.

Apart from the basic reform of the Privacy Act, in the meantime, because this is not perhaps a simple affair....

One of the current key issues is ID management. The call to identify the individual in each transaction and to have a secure, reliable identity that cannot easily be stolen is becoming increasingly prevalent. At the same time, however, measures must not represent an unwarranted invasion of privacy. Nor should there be too many demands made in terms of sharing information with the government or a financial institution. These are just a few of the ways in which identity is used.

Another key concern of ours is surveillance. Recently, we have put particular emphasis on video surveillance. Guidelines have been published on our website. Video-surveillance, which is prevalent just about everywhere in the workplace and on the streets across Canada, falls under both federal and provincial jurisdiction and affects each and every one of us. In Toronto, for example, consideration is being given to installing video-surveillance devices on buses and in the subway system. Other municipalities will likely soon follow suit.

The OPC has reached several conclusions as to the legality of video-surveillance in the workplace, pursuant to private sector legislation. Generally speaking, the direction advocated by the OPC has the backing of the Federal Court.

The third key issue that I bring to your attention is the whole burgeoning issue of health information in Canada. Again, like so many of these issues, it's provincial jurisdiction and also federal jurisdiction, because all this information crosses provincial boundaries. As well, the federal government has its own employees, the veterans hospitals, and so on.

When PIPEDA came into force we worked very closely with health providers, notably the Canadian Medical Association, and developed some 75 frequently asked questions about health information on the website.

The fact that the whole health sector was legislated was a bit of a shock back in 2002-03. I think things have calmed down, and the whole health sector is now used to the idea of having a program for the management of personal information. Ontario has moved to adopt its own health information act, and Quebec has had one for many years. So it's an area where we're working with the provinces.

One of the issues we're monitoring is the unfolding of electronic health records across Canada, notably through Canada Health Infoway. It has a billion-dollar budget to assist with the development of electronic health records. In order to make sure that the framework for the management of electronic health information respects privacy principles, we're working with Canada Health Infoway and the provinces. Those are some of the issues in the public sector.

In the private sector, I'll quickly go to anti-spam issues and the need for strong anti-spam legislation. This is something that preoccupies not only the Office of the Privacy Commissioner but the police, because of what spam now carries. It's not just an annoyance or a giggle, depending on what's in the spam message. It carries serious viruses and spyware, and it is a threat to critical infrastructure security as well. This is an issue of competition and consumer protection, and any spam legislation that comes down would probably give various agencies a different role in enforcing spam threats.

Technology generally is a concern, and you may have heard about our annual report on PIPEDA that we launched just last week. We brought to the public's attention the issue of RFIDs, radio frequency identification chips, that are being rolled out across Canada. At the moment they're only in supply chains, but soon they will be brought down to the consumer level, as they are in Europe. We have done a fact sheet with basic information on this, and we will be developing guidelines for industry and consumers in the next months in cooperation with the provinces, because of their role in regulating privacy.

RFIDs is basically a technology that's been around since Word War II, but now it's being adapted to the consumer and supply-chain-level management. I'm not a techie, but I've been told it consists of an antennae, a computer chip, and a casing. It allows this little device to emit a unique signal so that each object is uniquely identified in the universe. That means we can track objects, which is useful in the supply chain for inventory management, national security threats, theft, transportation across continents, and so on. Eventually, because we are linked to the objects we purchase or use, it will allow for the unprecedented tracking of people. They will be entered into a database by linking them with the objects they manipulate or purchase. Therefore there are privacy preoccupations.

To conclude, as an agent of Parliament we can give you policy advice, expert advice, and slants and ideas on some of the legislation that doesn't seem to have privacy implications but may. Of course, we can make appearances, at your request or our request, at various committees.

What will be on in the future? You have our reform proposal with you, and we hope you will invite us back to talk in detail about it. Many months of preparation have gone into our proposal.

We will be bringing out our Privacy Act report in three weeks, and in the fall there will be the review of PIPEDA. We'll see which committee we'll be called to appear before.

The Chair Liberal Tom Wappel

Thank you very much.

I see people getting ready to go, so we'll go for the vote. The committee stands adjourned until the vote is over, hopefully no later than 4:30, so we will have about half an hour for questions.

We only need three people here to have a fully constituted meeting. I'll be one of them, so if two people can come back, we can at least get some questions in.

The Chair Liberal Tom Wappel

We have 24 minutes, and that doesn't give us enough time to do our normal rounds, so it's been suggested by the clerk and members of the committee that we have one question per party, starting with the official opposition, and just keep going until we run out of time. Does that meet with everybody's approval? If somebody doesn't have a question on the first round, they can always jump in on the second round. I don't hear any “nays”, so that's how we'll proceed.

Would anyone on the Liberal side like to go?

Mr. Regan.

Geoff Regan Liberal Halifax West, NS

Yes, Mr. Chairman, I'd be happy to do that as soon as I find the note I'm looking for. There are a couple of things, actually.

You were talking about the RFIDs, and I guess I'd like to know what your view is. I read about this on the weekend. Companies are claiming that they would only use the RFIDs on pallets--you know, the larger cases that contain smaller boxes--and not on individual boxes that are sold to consumers. I presume you don't see a particular problem with that as long as the RFID doesn't go with the consumer out the door as part of the item they've bought. Is that a fair question?

I shouldn't use that as my only question, mind you, so I'll add to that.

4:35 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

The answer is yes.

Geoff Regan Liberal Halifax West, NS

In terms of the concerns you expressed about privacy matters, have you examined the proposed accountability bill in relation to access to information matters and matters related to privacy, and what are your thoughts on it?

4:35 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Thank you, honourable member.

I'd direct you to our latest annual report on RFIDs. Of the companies we surveyed, two indicated already that they've linked goods to personal information and one was using RFIDs to track employees. So it's moving down.

On the accountability bill, we appeared in Parliament last week to point out, notably, that we're concerned that, as it is now presented, this bill will lower the level of personal information protection in three organizations: Atomic Energy of Canada, the CBC, and VIA Rail. All are now covered by PIPEDA, as I said very rapidly. PIPEDA has a better level of personal information protection than the Privacy Act does.

To give you an example, honourable member, if you travel with VIA Rail, under the Privacy Act you have a right to see your file, and you can ask for a correction. But if they don't make the correction and you think you're right, or if there's a slip and somehow your travel information is spilled--published--and it causes you some damage, you have no right of redress. So as we pointed out, why would we take a step backwards? Personal information also needs accountability at the highest level for the Canadian public.

The Chair Liberal Tom Wappel

Merci.

Do you have any questions, Mr. Laforest?

Jean-Yves Laforest Bloc Saint-Maurice—Champlain, QC

Good day, Ms. Stoddart.

You stated in your opening remarks that one of the OPC's important roles was to educate the public about the measures employed to protect identify theft. This is one of your Office's responsibilities.

Do you have an overall plan of action to educate the public about this issue? Have you planned for follow-up action? Do you have an idea of the results? Is the general public aware that right now, a number of organizations have important personal information about them on file in their data banks?

4:40 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Mr. Chairman, if I may, I'd like to ask Deputy Commissioner Raymond D'Aoust who is responsible for this particular area to answer Mr. Laforest's question.

Raymond D'Aoust Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada

Yes, sir, we do have a communications and public education plan in place. One of our branches is dedicated entirely to this effort.

To further our understanding of this subject, we commissioned several public opinion polls, one of which will be made public shortly. The findings show that the Canadian public do not have a very clear understanding of privacy and of various related legislative provisions.

We know that the need is great. We have focussed our efforts on small and medium-sized enterprises. Working with an expert-adviser on the subject, we are developing an on-line training module. We hope to develop tools of this nature to help SMEs comply with the legislation.

The Chair Liberal Tom Wappel

Mr. Wallace.

4:40 p.m.

Conservative

Mike Wallace Conservative Burlington, ON

Thank you, Mr. Chairman. I'm new here, and this is all new to me, so these are probably fairly elementary questions. In your report, you talk about there being similar legislation in the provinces. Are there any major gaps between our legislation and the provinces', and could you explain what they are and the significance of those gaps?

4:40 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

There's a very complex picture. Maybe I'll start the answer and the assistant commissioner, Heather Black, could complete it, as she was a long-time general counsel and knows....

This is an area of joint jurisdiction, and only three provinces have chosen to go ahead in this area with legislation of their own that meets the test set up in PIPEDA of being substantially similar. I'm sorry, it's three and a half, I guess, if you count health in Ontario.

This law is set up such that the federal legislation applies to the federal sector and commercial activities, unless the province has its own legislation. Quebec has had private sector legislation since 1995. Then Alberta and B.C. have had their own legislation since 2003, and Ontario since 2005.

Do you want to add to that?

Heather Black Assistant Commissioner (PIPEDA), Office of the Privacy Commissioner of Canada

There are significant gaps. For example, in the province of Manitoba, where there is no substantially similar law and PIPEDA applies, it applies only to commercial activities. It covers the federally regulated private sector for customer information and employee information. When you move into the provincially regulated private sector—say the retail level, or what have you—it only applies to customer information, so for all of the employees of those organization there is no protection.

The other gap is in areas where the federal law simply cannot go; that is, such areas as health, education, municipalities, schools, hospitals—all of that. That's an enormous gap.

4:40 p.m.

Conservative

Mike Wallace Conservative Burlington, ON

Are there ongoing conversations to try to improve in those gap areas, or is it an issue that's on the back burner for the provinces?