Evidence of meeting #33 for Access to Information, Privacy and Ethics in the 39th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

David Flaherty  Professor Emeritus, The University of Western Ontario, As an Individual

Sukh Dhaliwal Liberal Newton—North Delta, BC

On the one hand, I agree with you that we have to protect the privacy of Canadians. But that's to do with their dignity, with their personal perspective. Are there any economic benefits that would come with these increased privacy laws?

4:55 p.m.

Prof. David Flaherty

Richard Posner, the famous U.S. judge and economics professor, has a book on the economics of privacy. We argue, rhetorically, that privacy is good for business, that privacy is good business, that when you go to Costco or anyplace else and they tell you up front what they're going to do with your personal information and then they do it.... They have a massive database at Costco of 50 million employees on a North American basis. Obviously they're treating them properly and are not doing untoward things with them--profiling or extra things that would be untoward or that they didn't say up front.

You see, if you're open and transparent about what personal information you're going to collect, use, disclose, retain, and store, then people will know, if you go to whatever kind of person you're dealing with or with the federal government, what's going to happen.

4:55 p.m.

David Tilson Conservative Dufferin—Caledon, ON

Thank you.

Mr. Hiebert.

4:55 p.m.

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

Thank you, Mr. Chair.

I'm going to try to pick up where I left off and give you another opportunity to explain the real reasons behind why we need to make these changes. I've asked you for specific examples. You've suggested that for confidentiality reasons you can't discuss how this applies in the private sector. You've given us some provincial examples.

The only federal example that I can think of immediately would be Canadians' tax records. That is because of the possible embarrassment or the negotiating position that might emerge if all this information were made public. I also understand that there are severe consequences for this information being leaked from Revenue Canada, including Criminal Code sanctions. So I think there's a very strong disincentive for that to happen.

Can you think of another commonplace example of where we could use this as a justification for this massive change we're talking about, this massive expense that might emerge if we pursue this path? In other words, what are the consequences of not addressing these concerns?

4:55 p.m.

Prof. David Flaherty

I don't like making public policy by anecdotes, but the Institute for the Study of Privacy Issues, which I subscribe to, every day sends me 30 to 50 English-language newspaper clippings from around the world and all over Canada about privacy breaches of the day.

What I'd like to do is get your e-mail address and send you one a day for a while. You can build up your archive of these sorts of things.

4:55 p.m.

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

Sure.

4:55 p.m.

Prof. David Flaherty

The biggest privacy disaster in the public sector in English-speaking countries in the last several months was in November or December. Tapes were lost in the United Kingdom, moving by courier from one government department to another, with information on something like 25 million people. It was some huge mass of data. It brought the government of Gordon Brown to a halt and increased the powers of the information commissioner and so forth. It was just a huge scandal. It was in our newspapers every day for a relatively long period of time.

I don't want to see that kind of thing going on. I want the average Canadian to be satisfied that if they give their personal information to the Canadian government, the Privacy Commissioner is there as a privacy watchdog, that rules are in place that are sophisticated and ready for the 21st century, and that the rules are going to be followed.

I am a pretty good fan of how the private sector is complying with PIPEDA and with the legislation in British Columbia and Alberta, but every month or two Alberta is whacking somebody--Winners or somebody like that--for doing things they shouldn't be doing. So there's still a big learning curve.

4:55 p.m.

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

The case of private sector privacy is very clear. Profiling and other economic incentives give people the motivation to take that data, distort it, change it, and use it in ways Canadians don't address. I'm more concerned about the federal government.

4:55 p.m.

Prof. David Flaherty

That's great, by the way.

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

You suggested earlier in this meeting that if we were to adopt these ten recommendations all at once it would bring the government to a halt because of the impact it would have. Without chief privacy officers in each of these 250 departments, where would you start?

Do you have any recommendations on how this would roll out? Would you suggest a delayed ten-year timeframe to apply this information requirement, or can we all do it on day one?

4:55 p.m.

Prof. David Flaherty

I can't believe it. It's as if you're living in a 25-year-old house that hasn't been redecorated, and I'm the designer coming in to help you. And you say where should I start? Should I do the furnace first? Should I put a new roof on it? Do I do this, that, and the other thing. I'm not trying to be too facetious. I'm certainly not suggesting these ten recommendations of the Privacy Commissioner of Canada would bring the government to a halt, but in some ways they're so weak and namby-pamby. I mean, she's being a good person giving you easy things to do, so do them. But there's a heck of a lot more things. I think I had 40 or 50 points, and even more, in my paper. This is a whole housecleaning. This house is rotten. I'm exaggerating, and it's not going to bring the government to its feet. There are rules and regulations.

It would be as if a minister were preaching to the converted with one-third of the Bible at his disposal. Let's have the whole shooting match to work with.

5 p.m.

Russ Hiebert Conservative South Surrey—White Rock—Cloverdale, BC

Okay.

You talked about having specific privacy officers for each government department. Fair enough. Is there a case to be made that it would perhaps be more cost-effective to train existing management within those departments, to add this responsibility to them?

5 p.m.

Prof. David Flaherty

I think Health Canada's privacy champion is at the ADM level. The only reason they didn't make him or her the chief privacy officer was because there was no tradition of doing it.

I think the Canada Millennium Scholarship Foundation here and the federal government have a chief privacy officer. Some others are scattered around. The Government of Ontario, as I point out in my paper, has a chief privacy officer. Every senior manager has to have some understanding of what privacy is all about. You can see I started by trying to tell you these ten simple principles are all you need to know, but once you get into it it's complicated. The privacy impact assessment gets into the niceties of security of encryption standards and of data-sharing agreements.

5 p.m.

David Tilson Conservative Dufferin—Caledon, ON

Thank you.

Madame Lavallée.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Thank you very much.

First, Professor Flaherty, let me say that I do not quite agree with what you said about the Access to Information Act. Personally, I think the act is as quaint, as you said, as the one we are talking about today. I think, for example, about section 15(1), which is never justified, and about the timelines that are never, or very rarely, followed. It is a real disaster. Furthermore, it is impossible to file lawsuits and you can sometimes see departmental interference. All these reasons, and any number of others, lead me to think that dealing with access to information is extremely urgent. Personally, I would have liked to study the Access to Information Act before the Privacy Act. Unfortunately, Charles Hubbard voted on behalf of the Liberals and Russ Hiebert, I am afraid, will have to concede that he is not the father of the study we are currently doing.

Earlier, we looked at the ten recommendations and you said that you were all in agreement on them. The intent of recommendation 6 is for the commissioner to have greater discretion to refuse or discontinue complaints. You said that you agreed completely with that recommendation. I think that giving the commissioner discretionary power would pose no problem at the moment, but still, we cannot see into the future. Would it not be better to specify the kind of complaint that she must refuse or discontinue? Would it not be better to do that than to say that she can discontinue a complaint at her discretion?

5 p.m.

Prof. David Flaherty

I was shocked to learn the other day that there are now 13 federal officials--the ombudsman, Auditor General, and stuff like that. The reason I was shocked was this: imagine the risks, the increasing risks, of putting weak people or ineffective people in those jobs. That's the kind of concern I have about these high-level positions.

I've known every privacy commissioner of Canada--with the exception of Mr. Radwanski, and I'm not commenting on him--and they were all wise people. They were sound individuals. What we're talking about is how do you focus the limited resources of the office? Investigating one complaint after another is not effective if there are better ways to spend your time, doing auditing, site visits, education, policy advice, and so forth.

I must say, if you invited me back, I could give you a lecture on reforming the Access to Information Act or any other freedom of information act. My focus would be similar to what it is on Privacy Act compliance. You have to have a good law in the Privacy Act, but I'm interested in how you get effective compliance. What are the mechanisms you have in place? How do you educate people to accept a freedom of information act?

In British Columbia, when I was first visiting a certain deputy minister, he said, “Look, we have an ombudsman, we have an auditor general, we don't need an information and privacy commissioner.” I persuaded him, over the course of a year or two, to the point where he became a champion in cabinet and with his fellow deputy ministers on the importance of openness in society. That's the kind of thing I would be arguing on the Access to Information Act, which is not what you're dealing with here.

I'm delighted that this committee exists and has this broad focus. I think it's damned important. You have your work cut out for you over time.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

There are other recommendations that, to my knowledge, are found neither in your document nor the commissioner's. For example, on several occasions, you mentioned the loss of data when it is being transported. Why do we not include a way to transport data in the legislation?

I would also like to talk about the way of destroying data. I say that so that we can organize our time accordingly.

5:05 p.m.

Prof. David Flaherty

You understand that, in the 1982 act, there is no security standard at all. What we put in the other pieces of legislation in the public sector across Canada is a reasonableness standard: as PIPEDA asks, what would a reasonable person expect to have happen?

Well, no wonder security breaches are happening and then the requirements for breach notification, which should be in the law as well. People don't take it seriously enough, and they're sloppy. It's very difficult to do good security because it's routine work. As much as possible, we have to have machines doing it, and we build in the kinds of sophisticated security regimes that we have here.

I actually think that the federal government, being the federal government, probably has quite sophisticated security practices, and the RCMP has threat risk assessments and all this stuff. That's an integral part of privacy protection. That part is probably not as big and bad as some of the other areas, the lack of consent and things like that.

Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC

Do you not think that we should include mechanisms for transporting data in the act? No one has recommended it until now.

5:05 p.m.

Prof. David Flaherty

That's why I mentioned earlier, Madame Lavallée, the idea of data-sharing agreements. They will say not only what personal information is being exchanged between Quebec, Ontario, and the federal government, but how it's happening and what the transfer mechanism is. That would really be part of reasonable security. It's in the security domain.

I think where you're leading, or where you should be leading, is to breach notification. We really should be informing Canadians when the data goes missing, not a month later. Our friend on the government side was talking about identity theft. It's a very serious matter. My credit card was compromised in the last month. I was very unhappy. It had never happened to me before. I didn't feel like my house had been burglarized, but it was a very unpleasant experience.

5:05 p.m.

David Tilson Conservative Dufferin—Caledon, ON

Yes indeed.

Mr. Dhaliwal.

Sukh Dhaliwal Liberal Newton—North Delta, BC

Thank you, Mr. Chair.

Mr. Flaherty, I met with a couple of individuals yesterday. It had to do with another topic, but I'm going to come back to this issue from there. The topic had to do with no-call numbers, where people can't call you unless it's for particular purposes. One of the purposes is for market research, which is very important in terms of dealing with the situations of new research, innovation, and technology.

Where would you draw a line between collecting personal information from a privacy perspective and information that can be used for research purposes?

5:05 p.m.

Prof. David Flaherty

It might surprise you, given some of the positions I've taken, that I'm a great fan of research and public health surveillance, and big research projects. I have some wonderful clients at UBC who are doing wonderful work in child care, child protection, and things like that, the monitoring of children's health and vision and hearing over time. I simply make sure their privacy house is in order, which is the important component, so there will be no privacy problems that emerge when the work goes forward.

I dislike intensely being telephoned at home by people I don't want to hear from, so I can't wait to get on the do-not-call list. Michael Geist from the University of Ottawa set up his own do-not-call list, and I jumped on it the first day. I do recognize the importance of market research, of political polling, of Ipsos Reid finding out what Canadians think about this, that, and the other thing. There is a bit of a fine line. Some people love getting phone calls. Some people love getting junk mail, and that's an individual right. I used to complain more about junk mail than I do now, because between my mailbox and my office there's a garbage can, and I dump what I don't want to look at into the garbage can.

That's not much of an answer, and I really don't have anything very intelligent to say about the do-not-call business. As in everything else, there's a balance. We have to have a balance between our privacy interests and law enforcement, between our privacy interests and national security, between the need to give information to get health care and confidence that it's going to be properly protected when we give it out.

Actually, I should have given you some health care examples. That would have been easier, because that's what I work in most of the time.

Sukh Dhaliwal Liberal Newton—North Delta, BC

Thank you for coming out.

5:05 p.m.

David Tilson Conservative Dufferin—Caledon, ON

Mr. Geist is coming, apparently, so we'll ask him those questions.

Mr. Hiebert, and then Monsieur Nadeau.