Information & Ethics Committee on Feb. 15th, 2007

I don't. I had turned everything over to the clerk. I'm sorry.

To my mind, a business product is primarily a person's work address, the employee's e-mail address that is given to the employer. This is information that the company has about the employee, details that are part of his work.

Most SMEs do not use a great deal of information. Occasionally, retailers use information about credit cards, but systems already have ways of protecting this information.

I'm not very familiar with work-related information. I'm not clear as to what details are important in terms of the regulations.

I would be easier for me to answer that question in English.

The course itself is really just an overview of PIPEDA and what their responsibilities are under PIPEDA. So it would essentially take the rules and regulations under PIPEDA, what they need to do to build a template, and what they need to understand in order to protect their clients' information.

It doesn't really get into much more detail than that. It's meant to be a way for them to get an introduction to privacy information and what they need to do to protect it. It's also meant to give them an idea of whether they're holding information that's considered very personal, versus what's not as personal. Also if they have personal information of a more important stature, then perhaps they need to get some help on how to protect it.

So we're not telling them how to do this. We're basically showing them the guidelines and what they need to do to take the next steps.

Within our own organization?

Yes. Our organization has a privacy policy. It's on our website. When we no longer need business information in records and data bases, it is destroyed.

We give our policy to our members who ask how to build a privacy policy. This is the type of information we collect as an organization and this is what we do to protect information. We use it as an example for our members.

It would be shredding the files. If anything is in the database, it would basically be cleared and destroyed.

We believe the current regulation, as it exists, hasn't had the time to really be implemented. We would like to see it fully take effect so that SMEs are complying with it 100%. I think it has taken some time to get off the ground.

I believe SMEs don't like prescriptive regulations, because generally speaking it's difficult for them to comply. The more restrictive a rule becomes, the more difficult it is to get them to comply. Giving a principle approach allows them to decide for themselves the best way to deal with consumer information.

I'd like to remind you once more that our members are also consumers. They believe it's important to have national privacy legislation. They will try to do the best they can to protect that information. I think the approach you're taking now is a more effective approach in helping them comply with protecting personal information. Trying to be more restrictive will just cause more confusion and fear.

Actually, I believe the incident you're referring to involves the Bank of Montreal. We've been receiving phone calls over the last few days. For instance, some people got a letter, were told to phone, and weren't able to get through on the phone. Some showed up someplace to use their credit card and were told the credit card was no longer valid. Or because so many people had received cards in the mail, when they tried to phone in to activate their cards, the lines were busy.

So we've received a number of phone calls over the last few days about this. It is something we're very concerned about. It's very difficult for consumers now to keep track of who has what information and where it might be.

If a security breach happens and someone gets your credit card number or your social security number, you may not know for months and months. By then untold damage can be done. In the case of identity theft, you're looking at a destroyed credit rating or an inability to get a mortgage. In some cases, a credit rating can affect employment, because some employers do check your credit rating before they hire you.

Absolutely.

We absolutely believe that notification should be mandatory. It would be nice if they would also explain to these people why they're changing their credit cards. No one has been told why; it has just been, here you go, you're getting a new card. And of course this raises all kinds of suspicion in people's minds, which is part of the reason we're getting the phone calls.

Speaking personally, two years ago the Bank of Montreal did the same thing to me. They phoned and told me they were sending me a new card, and not to use the one I had. When I asked why, they said they couldn't tell me. Even when I said again that I wanted to know, they said they couldn't tell me.

I do believe that actually having people report when there is a breach is important when there's a risk associated with the information that's been breached. I think businesses should be required to let their customers know if there has been a major breach in terms of the information that has gone out--for instance, if it includes credit card information, SIN numbers, medical records, all those types of thing. But I would think that there are probably different levels of breaches, and I would suspect that sometimes a breach can be fairly minor, and won't have a huge impact on the public.

The other side of this, and one where I can see the business community and I think our members having some concerns, is the fact that they may not even be aware of why the breach occurred. It could have been something that was stolen from them, for instance, or wasn't really their fault.

Those are the situations where it becomes difficult and where perhaps there is a responsibility, I believe, to notify those that have been affected by it. At the same time--

I think it would depend on the level of breach. If it's a breach where there's a risk to the consumer, then yes, I think they should be required to report--