Evidence of meeting #33 for Access to Information, Privacy and Ethics in the 39th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was personal.
A recording is available from Parliament.
Professor Emeritus, The University of Western Ontario, As an Individual
Yes, definitely.
Professor Emeritus, The University of Western Ontario, As an Individual
When I circulated my paper to the Ontario commissioner, to my friends.... I know all these commissioners. I work with them. I do consulting work for them. They employ me to do things. In fact, I think the Privacy Commissioner can and should use more consultants and law firms to help her when she has huge backlogs. There are lots of people with privacy expertise in these places, and consultants.
How's that for a self-interested statement? I already do work for these various commissioners.
At any rate, she has a staff of about 100 or 120. It's a big operation. She has the entire health sector, the municipalities, and the provincial government in Ontario. She's a leader in very many ways on critical issues, such as RFIDs, biometric encryption, and all this stuff.
Under PHIPA she has much broader order-making power. What happens is that the later the law, the better and the more power there is to it. PHIPA, the Personal Health Information Protection Act, was enacted in 2004. You'll be amused to know that it's 120 pages long, and the non-legal guide to it is 800 pages long. I might try to tell you all this stuff is pretty simple, but it's simple at the ten privacy commandments stuff; it gets more complicated when you apply it in practice.
Her job is to apply these rules in a sophisticated way by doing investigations and things like that....
As I said, I have a bit of jet lag. I've lost track of what you actually asked me.
Liberal
Glen Pearson Liberal London North Centre, ON
That's fine, I understand.
She doesn't have limitless powers.
Professor Emeritus, The University of Western Ontario, As an Individual
It's not unlimited power, no.
You have to remember that a parliament, a legislature, a government can do whatever they want. I opposed PharmaNet in British Columbia. Glen Clark and his government did it. That's perfectly acceptable. No one is trying to make these privacy watchdogs have absolute power of any sort. But I want them listened to. That's the strongest argument I have. In the federal government, the Privacy Commissioner's office is not being adequately listened to. I know that because I do consulting work for these organizations. I know what's going on. And it's not good from a privacy protection point of view.
Liberal
Glen Pearson Liberal London North Centre, ON
Thank you.
I'm still trying to get my head around privacy impact assessments, especially in light of what the Privacy Commissioner told us. Can you tell me how they currently work? And can you add whether you think the policy for that should be legislated?
Professor Emeritus, The University of Western Ontario, As an Individual
Yes, I definitely think the policy should be legislated, but I don't want a whole bunch of cookie-cutter PIAs every time they change the personal information system. Any significant personal information system at Health Canada or Service Canada or Revenue Canada--whatever they're called nowadays--should have a privacy impact assessment done so that Canadians who are interested can go to the website and find out, “Oh, this is what they do with my personal information.”
My favourite client is the Canadian Institute for Health Information. They have 18 major databases. They're kind of the Statistics Canada for health, as you likely know. They have 18 privacy impact assessments on their website, www.CIHI.ca, under privacy and data protection. I wrote the first drafts of each of them with the staff. One is about therapeutic abortions. CIHI has a therapeutic abortion database? Yes, it does. Does it have identifiable data? No. Does it have very strong security provisions? Is it audited? Is it monitored? Yes. Does it exist for good purposes? Yes. And if you don't think it exists for good purposes, you can fight with them.
The PIA is the story of a database. Why does it exist? What are its purposes? Why do you need this in the first place? Is it rational? What personal information do you collect? What personal information do you disclose? Do you get consent? What security provisions do you have in place?
I always end up with a privacy report card, measuring the thing against the ten privacy principles. I've done it for the Assembly of First Nations regional health survey, which is in the field at the moment. I sometimes give actual grades to it--for example, 72% on security, 85% for consent or accountability.
Liberal
Glen Pearson Liberal London North Centre, ON
Just to follow up on what Mr. Tilson was saying, you were talking about the Privacy Commissioner. Part of the problem she has is that she has such a backlog, she ends up investigating things that are useless to do. How does the Ontario Privacy Commissioner triage or prioritize those things?
Professor Emeritus, The University of Western Ontario, As an Individual
I don't know why they're getting so many complaints federally. I think I read in the last 24 hours, or somebody told me, that 50% of the complaints are from Corrections Canada. Is that right?
Anyway, it's a huge number. I was laughing to myself, as I was thinking about this, that it's a good thing....
Pardon me?
Professor Emeritus, The University of Western Ontario, As an Individual
In British Columbia we can ignore requests and say they're frivolous and vexatious. I think that's what the language is.
What I learned in 1993, when I finally ran something, having been a professor all my life, was that a lot of people have various things happen to them that they want to change. They go to the ombudsman, they go to the Auditor General, they go to the Privacy Commissioner, and so on. They somehow think they can change the facts of what happened. It's like a circus.
Bloc
Richard Nadeau Bloc Gatineau, QC
Thank you, Mr. Chair.
Good afternoon, Professor Flaherty. In the documents that you provided to us...The present commissioner made ten recommendations. The act should have been amended a long time ago to bring it up to date rather than leaving it as a kind of artifact.
What are the critical amendments?
Professor Emeritus, The University of Western Ontario, As an Individual
Critical?
Professor Emeritus, The University of Western Ontario, As an Individual
Very, very important?
Professor Emeritus, The University of Western Ontario, As an Individual
Okay.
I'm extremely reluctant to recommend to you that you throw this issue to justice department lawyers and policy analysts for serious study, because it could be five or ten years before something happens. You have to ask yourself why nothing has happened for all these years. Partly they fight among themselves at the Department of Justice, etc.
I appreciate the fact that Madam Stoddart, for whom I have the greatest admiration, and her staff have a lot of burdens. They're doing as well as they can under the circumstances. I think her idea of ten quick fixes for you is a good thing. I have trouble imagining that you're going to have the resources in the next couple of months to redo the Privacy Act by yourselves.
I think the most important thing is to, through your caucus of the government, persuade Mr. Nicholson to do something. It doesn't have to be done in two weeks, but really, some things have to be done seriously and as quickly as possible. I believe it shouldn't be just one caucus. This is the kind of issue that's cross-cutting. It's not a small-l liberal or a big-L Liberal or small-c conservative issue. It's not an NDP issue or a Bloc Québécois issue or whatever. It's for all Canadians, all residents of the country, all privacy interests. And it's your privacy interests as much as mine, and your constituents'.
So I'll take anything I can get. If ten quick fixes is what you can do reasonably, then do it. I hope you will give, as they say in French, les grandes lignes. I hope your committee will give les grandes lignes to the public servants and to Kevin Lynch. Kevin Lynch, who was responsible for PIPEDA, as the Deputy Minister of Industry Canada, understands these things. I lobbied him myself in the mid-1990s, when I was the privacy commissioner over in Oxford, that PIPEDA was worth doing. He would remember that. We walked for a couple of hours and he asked at least as difficult questions as you're asking me today: why should we do all this stuff, why should we regulate the private sector? And you should build on that.
We regulated the private sector. There were all kinds of howls. People didn't like it. Is Aeroplan in front of you, or Air Canada, or Bell Canada, or Air Miles, saying they want you to get rid of this legislation? No. They've learned to live with it. Why? Because they systematically implemented it. They know how to make something work in the private sector. We have to get the same things in place in the public sector.
Bloc
Richard Nadeau Bloc Gatineau, QC
Quebec, Ontario and British Columbia, and others, have laws governing personal information. You say that the commissioners there have more teeth, more clout. We cannot say the same at federal level.
Is this because it is bigger, or because there is a lack of political will?
Professor Emeritus, The University of Western Ontario, As an Individual
There was great enthusiasm in the 1970s and 1980s for the concept of the ombudsman and ombudsman powers. It was reason together, conciliate, moderate--all a great idea. You could argue that for the level of privacy issues we had in the 1980s, the Privacy Act was sufficient, but we're now in the World Wide Web in which you're using cell phones, and you're sending e-mails, and you have no idea where the information is. You have no idea where your data is being stored.
Growth in Facebook is exponential. I bring to your attention the case of somebody who informed her friends in England a week or two ago on Facebook that she was leaving her husband. He murdered her. There are risks of using even something like Facebook, and the various commissioners have done good work on that.
We all know, from the way our own lives have changed with the BlackBerry and computers and terminals and automation, how dramatic the change has been, and we don't even know some of the risks involved for our children, and things like that.
What I really would like to talk about sometime is health and the electronic health record. Once you build a big database of electronic health records without robust data protection and privacy and security in place, then you're really in trouble, because if there's a big database, somebody is browsing the database. We have lots of reports in the privacy community, from my successor in B.C., about people who just like to go into databases and abuse personal information. There has been lots of theft by the Mafia and gangs in Quebec from various databases of the government. That's another reason we have to have really good security, really good auditing. I want machines watching machines. We can do that if the will is there, but the public service has to be told to do it and make it work efficiently.
