Evidence of meeting #33 for Access to Information, Privacy and Ethics in the 39th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

4:40 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

I meant change.

4:40 p.m.

Conservative

Dave Van Kesteren Conservative Chatham-Kent—Essex, ON

The point is that the average guy in the street wants to throw a glass at you because he's sick and tired of getting beat up on the street, or he wants to change the age of protection, or he's sick and tired of juveniles not.... That's reality to Canadians.

Justice departments are facing those types of challenges, so when they look at this they say, “All right, what are we getting so worked up about?” I'm asking you.

4:40 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

I want the police, my friends in the police and in the RCMP, to follow the ten privacy commandments. I want them to catch all these bad people. I want them to end child pornography. I want them to use surveillance for that particular purpose. But privacy is a manageable issue.

So many of the issues you face in government or in opposition are hopeless. I'm watching people smoke out here on the streets, or people with obesity, or something like that. How are you going to make people eat the right food, exercise well?

4:40 p.m.

Conservative

Dave Van Kesteren Conservative Chatham-Kent—Essex, ON

You want to do that, we'll talk about privacy.

4:40 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

Privacy is easier to manage when there's a set of rules that you can put in place. It's a specialist issue. You don't have to become privacy experts. Know that there are ten privacy commandments. Remember that there are ten commandments in Christianity, in religion, if that's what your bag is, and you're supposed to be following them.

Remember, consent is crucial. Consent cures all. Most of the time you're engaged in consensual activity. I'm telling you things about myself because I choose to make a point, but other stories I'm telling you are anonymous.

4:40 p.m.

Conservative

Dave Van Kesteren Conservative Chatham-Kent—Essex, ON

So to wrap up my statement, can we do this thing and just say “We're going to slap you really hard if you collect this stuff and...”? I don't mind doing these other things, but without building a huge bureaucracy.

4:40 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

I would want to reorient the existing resources from other activities to making privacy management work, because it's in the best interests of every government institution. I'm anti-bureaucratic in several ways, as I've indicated, based on direct experience. I'm a one-person consulting shop. You might think no one would work with me, but that's not the case.

The Chair Liberal Paul Szabo

Thank you very much.

I will have to excuse myself shortly--I have to catch a flight for an important meeting in Toronto--but there was a question I wanted to make sure we got the answer to. Perhaps it can be dealt with.

It has to do with the concerns around outsourcing. B.C. had some issues there. There was a need for blocking provisions--I assume that these are the criteria--to establish the applicability or the appropriateness of outsourcing. Did B.C. have to amend their legislation for that, and are the criteria effective and working now?

4:40 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

I appreciate your asking me that question. As usual, I have all kinds of conflicts. I advised Sun Microsystems and MAXIMUS in their outsourcing wins in British Columbia. I think I advised EDS as well, but this is the MAXIMUS story. I'm a director of MAXIMUS for my sins, so you can take what I'm saying with a grain of salt.

The British Columbia government wanted to outsource the management of the Medical Services Plan, which is like OHIP in Ontario, and also PharmaNet, which has everybody's prescription history in it. There was a great reaction from the unions, so they went to court to try to block the outsourcing deal on privacy grounds. The response of the British Columbia government was to amend our Freedom of Information and Protection of Privacy Act to say all data processing has to be in Canada. The American company could have no direct links with the United States and could not have our personal information going back and forth to the United States. There had to be privacy training, privacy audits, etc.

The part of the story that I like is that we ended up with MAXIMUS B.C. Health, a subsidiary that runs these operations with the tightest privacy rules and security rules in the country. They have 400 staff that are being monitored all the time. They have to report privacy breaches within an hour of their happening. They have a chief privacy officer. They have online privacy training, and they have annual audits of their compliance by Deloitte Touche and people like that.

What's my problem with that? I have none whatsoever. That shows what good privacy protection could be put in place for reasonably sensitive personal information in British Columbia. But does the Ministry of Health do that? Do the Vancouver Island health authorities do that? Does Vancouver Coastal Health do that? No, they don't. They don't have the resources to do it, and nobody's making them do it. They might have privacy officers, but they don't have the resources to do the job.

Vancouver Island, where I live, has 45 different places like hospitals and things like that. There's one half-time person doing privacy protection for the Vancouver Island Health Authority. There is a population of probably 750,000 people. MAXIMUS B.C. Health is providing an excellent service. The Minister of Health has said that. The deputy minister of health has said that. People are happy working there. The same workforce came from the government and was privatized. It's working very well, and it's making money. It's not making a hell of a lot of money, because they signed a pretty tough contract, and the government really watches them. Why isn't the government watching itself according to the same standards? That's my point, especially with regard to the e-health field.

The Chair Liberal Paul Szabo

Thank you kindly.

Mr. Hiebert, please.

4:45 p.m.

Conservative

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

Thank you, Mr. Chair.

Mr. Flaherty, I intuitively support your propositions, since I'm an opponent of big government. I'm an opponent of big brother snooping into the privacy of my life or anybody else's life mostly because I'm concerned about the potential abuse of power. Information can provide power to individuals who want to manipulate or extort or, in the case of identity theft, impersonate individuals.

I recognize those concerns. A couple of minutes ago you responded to the question of one of my colleagues about why we should be concerned about this. You asked whether he was taking drugs, whether he had ever had psychiatric care, what the balance of his bank account was. The drugs and psychiatric care are provincial responsibilities, and the bank account information is a private matter that PIPEDA would apply to.

So I want to hear from you, from a federal government perspective, apart from identity theft, apart from people stealing people's social insurance numbers and birth dates and impersonating them, what other example of a risk you can think of that the federal government is trying to prevent.

4:45 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

I was using those specific questions to establish if he had any sense of privacy, which we quickly established he does, as most of us do.

Regarding the federal government, I describe agencies and departments as privacy-intensive if they collect a great deal of personal information. So Human Resources Development Canada, Revenue Canada, Health Canada, Canada Border Services Agency, the RCMP, Canada Post to a lesser extent--these are examples that come to mind of places where there's a heck of a lot of personal information--

4:45 p.m.

Conservative

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

And each one of these departments you've mentioned has very strict legislation and codes or regulations that prevent them from sharing that information, especially Revenue Canada.

4:45 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

With all due respect, I'm not sure that's indeed the case, and I say that from the basis of my consulting work. In my paper, which I'll be sharing with the committee shortly, once it's translated, I use Health Canada, as I explained earlier, as a pretty good model, and I think I had something to do with stimulating them to put privacy risk management strategies in place.

I don't really know enough. Certainly one of the recommendations of the Privacy Commissioner in her audit of the Canada Border Services Agency two or three years ago was that they should do the same sort of thing, because they're into the same privacy risk management strategy as I am, but it's still a work in progress.

So I appreciate that you think the glass is half full when I think the glass is half empty, and there's obviously a bit of a difference of opinion, but I don't have a comfort zone, nor have I done the empirical work to really give you as many illustrations as you might like, to be comforted that in fact the rules and regulations in the Privacy Act are being complied with the way they should be to meet the challenges of the 21st century.

4:45 p.m.

Conservative

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

Just to correct your impression, I'd like to believe that it was my persistent cajoling of this committee that brought this Privacy Act review to its attention. I've been doing so for about six months, so you have me to blame for being here today. But I'd still like to get a sense—

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

A point of order, Mr. Chair. [Editorial note: inaudible.]

4:45 p.m.

Conservative

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

That's not a point of order.

I'd still like to get a sense from you, if you could provide an example of a specific risk we are facing. What's something tangible we can take to Canadians to say this is why we need to get this done, this is why we need to adopt these recommendations?

4:45 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

I'm going to use a provincial example, because the report came out yesterday. New Brunswick was shipping personal information on 750 people from B.C. who had been treated, I guess, in New Brunswick. British Columbia was going to pay the Ministry of Health. The Ministry of Health was shipping data on tapes from New Brunswick's Ministry of Health to British Columbia, to Victoria. Guess what they did? They sent them by courier unencrypted on disk. Guess what? They were lost. So now the commissioners from New Brunswick and British Columbia issued a report yesterday about how lousy the security was. They should have been using much more modern ways of doing it. It should have been sent electronically to start with.

That's a very specific example that was all over the newspapers in both New Brunswick and British Columbia, and it led the Ministers of Health to be very embarrassed politically, to be beat up on by the opposition in their Houses, to have to make embarrassing admissions that they'd lost the damned data. Does that move you?

4:50 p.m.

Conservative

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

A federal example, then, to extrapolate, would be that if the federal government were transferring data about Canadians--tax information, potentially, or RCMP files--to another department within the government, and that data was lost, then, potentially, somebody could use that data and embarrass and extort. Is that the concern?

4:50 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

The problem I have is that a lot of the privacy breaches I'm aware of I have knowledge of under confidentiality agreements with my clients. I can't come and whistle-blow on my clients, but let me assure you, there are far more breaches taking place, which are far more sensitive in nature than you even read about in the newspaper. Hardly a week goes by that there isn't another privacy disaster that has happened.

4:50 p.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

Thank you.

Mr. Dhaliwal.

Sukh Dhaliwal Liberal Newton—North Delta, BC

Thank you, Mr. Chair.

I'm going to continue where you left off, Mr. Flaherty.

You have a lot more examples that you don't want to disclose, and we don't want to hear them. But certainly, from a general perspective, as Mr. Hiebert was saying, most of the security breaches or these privacy breaches are provincial matters.

From your experience, even though you don't want to disclose them, are there many breaches that occur at the federal level, in general?

May 8th, 2008 / 4:50 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

There are some reasons, which I'm not going to go into in public, why I've been doing less federal work the last couple of years than I did from 1991 to 2003 or 2004. The best examples I can use are from the provinces and territories. You should be aware that Manitoba announced last week that it was finally going to set up a proper privacy commissioner and, to the best of my understanding, take the power away from the ombudsman, who had too many other things to do, and give the Privacy Commissioner of Manitoba regulatory power. I think that's considerable progress. There's an excellent privacy commissioner in Saskatchewan, who doesn't have regulatory order-making power, and he would love to have it, because he can't do much when records are found in boxes on the street, or patients' records are found all over the place.

What we don't hear about, because they are very technical breaches, is the number of times data that has identifiers on it is disclosed--personal health numbers, for example, and things that should not have been disclosed--because of sloppiness or human error. So going back to the point you were making earlier, I want as many privacy-enhancing technologies as possible.

As I may have already said to you, I want machines watching machines. I want that, as do the banks. The banks are just bringing this in now. If a teller in Prince George is always communicating with Rimouski, something's wrong, because most of our customers should be up there. If a nurse in the genetics department is always looking up people in emergency, there's something odd there. Using an electronic system, we can monitor that, and a security person or a privacy person working for the organization could check it out. It could be like a TILDE system.

So this is the way we can use technology that already exists to audit and to monitor transactions. The Social Security Administration in the U.S. and American Express have done that kind of thing for a long time. My understanding is that the Canadian banks are just bringing in more of that kind of monitoring.

Sukh Dhaliwal Liberal Newton—North Delta, BC

On the other hand, we also hear from some of the members of the committee that the Privacy Commissioner has a backlog, that she's trying to deal with that situation. But when she was here and I asked her the question, she didn't ask for any more resources than she's had for the last years. She said she could handle that situation.

How much extra pressure would it put on the Privacy Commissioner and her department if the reforms that you have in mind were enacted by the justice minister?

4:50 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

I'm a typical academic in the sense that I'm not very good at answering resourcing questions.

It would not be a trivial cost but I don't think it would be major. I think everybody working for a government or a private sector has to work more efficiently, has to work smarter, has to focus on what ought to be done. They should be using more individuals to do things rather than groups of people doing things.

The privacy experts in the Privacy Commissioner's office should be meeting with the privacy experts in these various ministries and sorting out issues in a conciliatory fashion, not fighting like this. I call them privacy watchdogs, but I want them to be non-confrontational, to win the attention of the people who are supposed to be regulating, to depend on goodwill, to promote privacy interests properly, to recognize that eventually Parliament is going to decide anyway. If Parliament doesn't decide properly, the courts can tell Parliament they didn't do it properly, just as they could tell the Privacy Commissioner they didn't do something properly.