Before I begin, I have to offer Mr. Cran's regrets. He was a victim of our snowstorm yesterday and was unable to get out of Vancouver.
My name is Margaret Ireland. I'm a member of the board of directors of the Consumers' Association of Canada.
We would like to thank you for inviting us to speak to your committee this morning.
The Consumers' Association of Canada is a 60-year-old, independent, not-for-profit, volunteer-based organization with a national office here in Ottawa and with provincial-territorial representatives. Our mandate is to inform and educate consumers on marketplace issues and to advocate for consumers with government and industry, and to work with government and industry to solve marketplace problems in beneficial ways.
At the time PIPEDA was enacted, we were only beginning to see the various ways that personal information could be mishandled or misused. Sufficient time has now passed to show us which types of improvements need to be made to the act. It's become quite obvious that theft of personal information from corporate data banks, specifically, is out of control. Voluntary guidelines have proven worse than useless, and the time has come to put some strict protection in place for Canadians, with some serious consequences for those who place consumers at risk. We believe the Office of the Privacy Commissioner should be given some real teeth. Regulations and penalties that are meaningful and rigorously implemented could make an enormous difference in the everyday lives of Canadian consumers.
It is time to move from voluntary guidelines for the protection of personal information to actual regulation designed to ensure that those entities collecting information have clear rules about what information they can ask for, what they can do with it, how long they can keep it, and what measures they must take to protect this information. This, together with stiff penalties for breaching these regulations and rules on notification of citizens when their information is compromised, will help reduce the disastrous consequences of identity theft.
Limiting the type of collectable information to the bare necessities is the first step. We have specific concerns about what type of information is collected from consumers and how this information is handled. We would also like to see limits on the length of time that corporations can keep this information and restrictions on sending it outside the country. There is very little reason for a company to keep, for example, a consumer's credit or debit card number in their computer system for extended periods of time unless they have an ongoing relationship that requires this.
In addition, we would like to be assured that the process, which is now ongoing, where all automated debit and credit card transaction records are obscured, is completed by the end of the year. We oppose sending Canadians' personal information, either financial or health information, outside this country. Removing this data from Canadian jurisdiction puts each of us at unnecessary risk, with no actual benefit to consumers.
In conclusion, I will be absolutely blunt. We do not believe that some commercial enterprises' right to collect a consumer's personal data for marketing purposes can be allowed to outweigh the rights of the consumer to be safe and secure in this day and age of international computer hacking, fraud, and identify theft. The only way to ensure that data are not hacked is not to have them available in the first place.
Thank you.