Evidence of meeting #33 for Access to Information, Privacy and Ethics in the 39th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was personal.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

David Flaherty  Professor Emeritus, The University of Western Ontario, As an Individual

5:05 p.m.

Conservative

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

Identity theft is an issue Canadians have expressed a concern about. With respect to the government and with respect to individuals, how can the government help prevent identity theft? How can individuals protect themselves?

5:10 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

I have a whole shtick about how important it is for people to be sensitive to privacy as a human right, to be concerned. One of the good things these privacy commissioners have done is to give parents kits for their kids and training for schools about being careful with Facebook, and about giving out information on the phone and things like that as part of general education.

I actually believe that at the end of the day, everybody has to be their own privacy commissioner. I'll leave that idea with you. You shouldn't simply depend on the Privacy Commissioner of Canada to protect your privacy interests, but if there's a problem, you should be going to the Privacy Commissioner to make a complaint. Then you should expect her, in the highly sophisticated areas such as what Statistics Canada or Revenue Canada are actually doing with our personal information.... Despite saying they're going to do X, are they doing Y? Who's checking on that? Who's the inspector?

5:10 p.m.

Conservative

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

I haven't heard an answer to the question about what Canadians can do. I appreciate the personal encouragement to be a privacy protector for yourself, but on the topic of Stats Canada--this came up at the last committee meeting we had--do you think Stats Canada should have the right to require Canadians to provide personal information?

5:10 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

Well, Parliament, around 1905, when they first enacted the Census Act, said yes, it does.

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

What do you think?

5:10 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

One of my first privacy books, published in 1978 or 1979, was about statistical agencies around the world. The theme of it was the importance of using individual data for epidemiological research and statistical research and so forth. The strongest privacy legislation in the country governs Statistics Canada. They cannot give out identifiable information under any circumstances. As each piece of legislation goes through Parliament, whatever it is, if it involves personal information, you should be putting in privacy provisions, specialized ones that apply to a law enforcement database like CPIC or a Health Canada public surveillance database, or whatever it is.

A really neat way of strengthening the Privacy Act is to stick the privacy stuff in it as each bill goes through. It's a more specialized form of data protection, something they do very well in the United States, by the way.

5:10 p.m.

Conservative

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

So you don't have any problem with Stats Canada collecting all kinds of personal information?

5:10 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

I'm a professor and I'm a researcher. I just did the work for the regional health survey for the Assembly of First Nations. I asked if they really wanted to be going into homes and asking children, adolescents, and adults these kinds of extremely sensitive, personal questions about drug use, sexual abuse, residential schools, and sexual practices. They said they'd only go in there with the consent of the chief and council, and if it was consensual. In my privacy impact statement, that was one of the questions asked. They said, “We need to know this information”.

5:10 p.m.

Conservative

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

Should Canadians have to give their consent to Stats Canada to fill out their forms?

5:10 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

The census of population is certainly mandatory. I loved it when I was Privacy Commissioner. I had an employment survey, and they were all nervous about what was going to happen, but I was quite happy to participate. I watched them like a hawk. They didn't do anything wrong. Again, in the footnotes to my essay, I've cited Ivan Fellegi, the Chief Statistician of Canada since kingdom come, as an excellent example of a model person who's put privacy mechanisms in place at Statistics Canada to manage privacy quite well. I used to get a lot more work from them, and I'm not getting it now because they've put their own house in order.

5:10 p.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

Okay.

Mr. Nadeau.

Richard Nadeau Bloc Gatineau, QC

Thank you, Mr. Chair.

Earlier, you mentioned risk management. Could you be more specific and tell us, in concrete terms, how we can make sure that we manage risk adequately and in accordance with the legislation?

5:10 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

I was working with a client in British Columbia last year, a crown corporation with a lot of sensitive personal information. It did an assessment of the risks involved in its public sector and private sector relationships. It was a very sophisticated management review of what the privacy risks were, and it even involved a rating scheme of one to ten. I was really skeptical about this, but it was quite well managed, and they ended up with the top ten privacy risks to this crown corporation. They were able to do it based on a whole bunch of people inside the organization pulling together.

I don't think that's being done in the federal government, but I don't really know. It should be. And the reason I talk about privacy risk management is that senior executives are having to deal with risk management all the time. I want the financial risk management, labour relations risk management, and even resources risk management to put on their risk management hats when they think about privacy. And there the risks are that data goes missing, that data is used for unintended purposes that it's not supposed to be used for, that it's used to harm individuals, or it's stolen, or it's used to invade their privacy by people who are browsing databases, or it's sold to criminal elements.

Richard Nadeau Bloc Gatineau, QC

I have another question, Mr. Chair, dealing with destroying documents.

We know the process. There comes a time when a document is considered to be no longer useful. How do you see the process of destroying documents?

5:15 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

There's probably nothing more important that could be done to protect the privacy of Canadians than to destroy more personal information. I mentioned to you earlier that I've worked for organizations that have been in existence for 25 or 30 years or even longer. They've never destroyed anything, partly sometimes because they don't have a records management schedule. They have 85,000 boxes in storage at the expense of the taxpayers. It's just crazy.

Hospitals do quite a good job. If you haven't been there for nine years, they destroy your health record. If you were born there and you keep going back every year, you'll have a cradle-to-grave health record. That's perfectly acceptable.

So you want an economic argument. Let's get rid of these huge warehouses of records that are of no possible use. No one could ever use them again. If they're of historical significance, the archivists know how to clean out the stuff that's of historical significance, like your memoirs or your letters, whatever it is. So data destruction is incredibly important.

The French in France have a wonderful concept in their privacy law called droit à l'oubli , the right to be forgotten. It's a very important concept. We need to import that into Canadian privacy practice, not so much into law. Get rid of records. If you don't need them, burn them.

5:15 p.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

Monsieur Nadeau, are you finished?

Richard Nadeau Bloc Gatineau, QC

I have one more question, Mr. Chair, and it will be my last one.

I am looking for simple examples. We have been talking about our fellow citizens, about bills we are working on, particularly this one, dealing with personal information. It affects us all. We ask ourselves how private is our private life really if government, corporations and companies can come and dig around in our private lives. You gave examples earlier. Do you have simple examples that make a solid argument for the relevance of amending this legislation to protect Canadians in an appropriate way?

5:15 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

I explained earlier when I was asked a similar question that some days I remember wonderful horror stories. Some days I remember them less. This happens to be a day when horror stories are not springing to mind, partly because I like to put them out of my mind, because they're often so appalling they shouldn't have happened. I think if you just pay attention to your daily newspapers for the next month or so, you'll come up with lots of privacy horror stories--that's how we refer to them--or privacy disasters, things that shouldn't have happened.

What is so important is that 30% or 40% of the population, it is estimated, is very sensitive about their personal privacy. You ask them for their social insurance number, and they get really excited, even though I know if you have a social insurance number you can call up Bathurst, New Brunswick, where the social insurance number registry is, until you're blue in the face, and they're not going to tell you anything.

So one of the reasons to get sound privacy management in place for the federal government, based on strong legislation, is to have reduced paranoia in the population, to be able to feel that in fact the Government of Canada is respecting your personal information, taking it for legitimate purposes, using it in authorized ways, destroying it when it should be destroyed, linking it when it's supposed to link it to profile you for disease risk, for example.

I'm incredibly enthusiastic about what I gather are some forthcoming initiatives to monitor larger groups of the population for health over longer periods of time. That can be done in a very privacy-sensitive way, and it's very much in the public interest, so it's not as though I'm sitting here as a Luddite.

5:15 p.m.

Conservative

David Tilson Conservative Dufferin—Caledon, ON

Thank you.

Mr. Hiebert, and then Mr. Norlock.

5:15 p.m.

Conservative

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

Mr. Flaherty, earlier you talked about these ten commandments that apply to the private sector. One of them was consent. You referred to it as the law of “adultery”.

In my last set of questions, we talked about Stats Canada. You seemed to suggest that Canadians should not necessarily be required to give their consent because Stats Canada does such a really good job of protecting their privacy.

Would it be fair to say that this requirement for consent has a different standard when it applies to the government from when it applies to the private sector? Because the government is a different institution--it's there to serve the community and doesn't have private economic interests--is there a different standard?

5:15 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

Certainly Parliament has decided that there's a much higher consent standard for the private sector than for the public sector, because there's almost no consent standard. There is a requirement in the Privacy Act that you should only use personal information without the consent of the individual for very, very limited purposes.

I was trying to turn the tables on you, in a way, by asking who set the consent standard for Statistics Canada; it was Parliament, particularly for the census of population. My recollection is that most of the rest of their surveys are consensual. They don't come to you and say “You're in this survey for five years.” So it's not a good example of the consent thing.

If you go to your doctor, he's operating on the basis of informed consent. If you go to the bank nowadays--and it should be the same with Revenue Canada--in the initial transaction you have with them you should know what their privacy practices are, that they don't disclose your identifiable personal information to anybody without your consent. And they're pretty good at that. I have an accountant who does work for my company. They make me get a signature, through my accountant, to Revenue Canada, that the accountant can discuss my personal affairs. They're very cautious.

5:20 p.m.

Conservative

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

I guess the point I'm trying to make is that we can't just directly adopt the ten commandments of the private sector privacy principles into the public sector sphere. Issues like consent and perhaps other ones--I haven't probed them--don't simply apply in the same way.

5:20 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

I don't agree with what you're saying, with all due respect. I want to push the....

And I'm being a bit of a privacy advocate here--a privacy radical, almost. Some of my friends behind me might not agree; they're free to speak their minds in due course.

I want as much consent as possible. Obviously, if I go to an emergency room and I'm unconscious, they can't get information. There the issue is consent to treatment versus information consent. You know we're talking about information consent, and you're perfectly right about that. I want my relationship with the federal government to be as privacy-sensitive as is my relationship with my investment brokers, with my auto plan agents in British Columbia, etc.

5:20 p.m.

Conservative

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

Yes, but if the RCMP stops you, or if the CBSA officer holds you up at the border, or if the tax auditor comes to your business and says “I want your information”, governments can't reasonably suggest that if you withhold your consent, you don't have to answer. So there's a different standard.

5:20 p.m.

Professor Emeritus, The University of Western Ontario, As an Individual

Prof. David Flaherty

Yes, yes, there are different obligations.

There was a wonderful cartoon last weekend in a national newspaper. In the cartoon somebody opens the door to “Audits”; the answer is, “I'm not interested”.

Obviously there are obligations and duties of government that have to be carried out. Sometimes information is collected about us coercively. But the Supreme Court of Canada said recently, “Thank you very much, but you can only use sniffer dogs at Greyhound terminals and schools under certain circumstances, where there's reasonable cause.” It may very well be that crossing the border, somebody will....

I was once stopped going to England because I smiled at somebody--last time I smiled at one of these characters. They harassed me. And I'm such an innocent abroad.

The argument I want to make to you is that if you've had such a high privacy standard for the private sector, which you have done in PIPEDA--and in Alberta and British Columbia with PIPA, and with the Quebec legislation--why do you think you'd let the government off the hook? It's not that we want the government to stop doing what a government should be doing, but they have to follow the rules of the road with respect to collection, use, disclosure, security, destruction, retention, records management.