Evidence of meeting #35 for Access to Information, Privacy and Ethics in the 39th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)
A recording is available from Parliament.
Glen Pearson Liberal London North Centre, ON
Thank you, Mr. Chair.
Welcome, Mr. Geist.
The government of B.C. recently outsourced health information. Are you aware of that?
Glen Pearson Liberal London North Centre, ON
Then they got into some difficulties. They changed their public sector act to not allow it to be shifted, and then they ran into difficulties with that as well and had to make further changes.
Can you help us understand what happened there and how the changes had to be modified, as far as this data-sharing in the outsourcing?
Prof. Michael Geist
You've put your finger on what may be unquestionably one of the biggest issues, if not the biggest issue, that our private sector companies, global companies, and our government face. And that's the issue of outsourcing, particularly around sensitive data. The issue is particularly acute in a governmental context when you move towards that outsourcing. Where it was previously just the government that controlled the information subject to something like the Privacy Act, the concerns about what happens when it's in India or elsewhere in the hands of the private sector simply didn't arise.
As you likely know, in the context of British Columbia, we were talking about arguably the most sensitive information, or certainly one of them, when we talk about health information. There was very real concern that by outsourcing--in this instance, there was a choice between one of two U.S.-based organizations--that suddenly access to that information could fall into the hands of U.S. law enforcement or others. Previously, that simply wouldn't have been the case.
That presents an enormous challenge. On the one hand, there are efficiencies from outsourcing and value to the taxpayer to outsource in certain circumstances. At the same time, there are real concerns about some of the costs, not costs in terms of what you pay for it, but the broader costs in terms of privacy and other issues that arise in that context.
The B.C. government, and now some other provincial governments, tried to strike a balance of whether to establish a statute in that regard, or at least create a greater level of accountability so you can achieve some level of protection through contract. That's another potential avenue.
It's an issue that I think really needs to be at the forefront when you think about some of these outsourcing opportunities. On paper they look fabulous, until you realize there are some costs once you scratch below the surface.
Glen Pearson Liberal London North Centre, ON
Just to dig down a bit deeper, when they tried to limit the information going out, that didn't work either, and they had to make modification. Can you go into that modification again?
Prof. Michael Geist
Sure. Part of the concern comes from a technological perspective. There was early talk, for example, of requiring an organization to ensure that the information only resided on computer servers based, say, in Canada, so the information would never physically leave the jurisdiction. The outsourced company could provide some level of assurance that yes, it's in the private sector, but Canadian law still applies and it's going to remain in Canada.
For many of the major outsourcers, creating that clear distinction, essentially creating a virtual border where the real space borders exist, is challenging if not impossible. Data really does flow that freely. It's difficult to create those kinds of strictures in an environment. Many organizations say they can't provide that level of assurance.
Glen Pearson Liberal London North Centre, ON
To go back quickly to the order-making powers--and I'll be kinder to you than Mike was--I'm still grappling with whether the commissioner being given order-making powers assists her or him in triaging the backlog of information. What I'm trying to get to is if they don't have order-making powers, then what is available to the commissioner to triage, to be able to set aside some of these frivolous kinds of things? Is she actually able to do it without order-making powers? What would be required?
Prof. Michael Geist
Well, here we get into this issue of how we're going to describe it. I think it's certainly the case that you could create a power, which isn't the order-making power we were just discussing, that could give the commissioner the power to dispense with say the frivolous complaints without at the same time moving the full way towards providing a full order-making power--conduct-based orders. It's really an order-making power in the sense of giving the commissioner's office the power to dispense, to issue an order that they aren't going to continue.
I see that as something different. I think that was brought up with the earlier witness, and it's certainly within the realm of possibility to do one or the other. If you were to go for the broader order-making power, then certainly I think that would include the ability to dispense with a decision.
Glen Pearson Liberal London North Centre, ON
But in your mind, the order-making power would be better.
David Tilson Conservative Dufferin—Caledon, ON
Mr. Chairman, thank you.
I'd like to continue on this topic of outsourcing. I don't know whether you've had a chance to look at the recommendations, but outsourcing may be partially dealt with in recommendation 10.
There's a paragraph in the booklet that the commissioner provided to us that I find startling. It's on page 29:
However, the Privacy Act does not reflect this increase in international information sharing. The Privacy Act places only two restrictions on disclosures to foreign governments: an agreement or arrangement must exist; and the personal information must be used for administering or enforcing a law or conducting an investigation. The Privacy Act does not even require that the agreement or arrangement be in writing. The Privacy Act does not impose any duty on the disclosing institution to identify the precise purpose for which the data will be disclosed and limit its subsequent use by the foreign government to that purpose, limit the amount of personal information disclosed and restrict further disclosure to third parties. Moreover, the Privacy Act even fails to impose any basic obligations on the Canadian government institution itself to adequately safeguard personal information.
I just find that an incredible statement. The recommendation simply says that we strengthen the provisions governing the disclosure of personal information.
I'd like to know how to deal with this.
There was a book that I read, and I can't remember the name of it, but I think it was called The World Is Flat, by somebody called Friedman, which also scared the heck out of me. It dealt with the very things Mr. Pearson was talking about.
So then you start asking about what a government can abuse. They can abuse all kinds of things. They can abuse outsourcing. We don't even know what could be done. There's income tax. It could go on and on—police abuse, security abuse, and no-fly lists. People are gradually getting very concerned about this, because all of a sudden they try to get on a plane and they can't get on a plane.
So in regard to recommendation 10—and I don't know whether you have looked at it or not—how can we make the public feel better about all of these things? The wording that's on that page, or the two pages for recommendation 10, I don't think the average person in this country would really feel very confident about, with its general phrase, well, let's strengthen the provisions.
How are we going to deal with all of these things?
Prof. Michael Geist
Well, in some ways that's the very question I was asked right off the bat. Do we have no privacy, and get over it, or are there solutions?
Unlike the environment we lived in when the Privacy Act was first introduced, where much of the privacy may well have been protected, because it was obscured or largely inaccessible, since it was, by and large, in paper form, the environment today is such—as Friedman talks about in his book and as I think is readily apparent to everyone around the table—that data really do traverse instantly around the world.
There's the story of the person with the credit card in India. I was at a hotel recently in Montreal where I couldn't get onto the Internet, and I called down to the hotel desk and they tried to help me and it didn't work. So they said, let us put you through to tech support. I spent five minutes with this person, who was literally looking at my computer, the IP address and the like; and then at the end, I asked, do you mind if I ask where you are? She was in Warsaw, literally able to look at my PC in real time in another part of the world. So that's an environment that I think in many ways is very scary, but at the same time, it obviously provides a great deal of opportunity.
Now, what the commissioner is recommending and what I think many people are saying is that we aren't going to take an approach where we're simply going to shut down and not take advantage of these technologies and move data across borders. It doesn't work in the private sector, and it doesn't work in the public sector; it doesn't even work from a government-to-government perspective. And if these are being labelled as quick fixes, there is no quick fix, as it were, to this issue. But what there is, I think, is a starting point to move us toward an environment where we have a greater level of accountability and a greater level of transparency about what some of these rules are, so that when we go in and begin to pass along that information in some instances, or recognize that the information may be put at risk in certain circumstances, we will do so with some sort of framework around that, taking whatever precautions are possible—albeit there is nothing that can provide people with an absolute assurance.
When you say this sort of stuff is scary, it speaks exactly to the question Mr. Pearson raised in British Columbia. The effect of knowing that people's health information was suddenly going to be elsewhere and subject to the U.S.A. Patriot Act, in an extreme circumstance, is what crystallized in the minds of many that, well, let's hold on a second and back up to see if we've taken all the precautions we need to. The answer in B.C. was no, we haven't; let's do something about it. If people were to ask those same questions in a federal context, I think the answer would again be no, and it's time to do something about it.
The Chair Liberal Paul Szabo
We have seven or eight minutes here. Carry on--you're on a roll. Go ahead.
David Tilson Conservative Dufferin—Caledon, ON
I appreciate everything you've said. Some of this stuff may be rather impossible, but there have to be jurisdictions around the globe that have looked at this topic. Do you know of any governments that have looked at this and have tried to create some sort of government legislation to protect us against our own government?
Prof. Michael Geist
Many governments have privacy legislation. From an outsourcing perspective, there have really been two schools of thought. One is the accountability principle that you've heard discussed, the idea that whoever collects that information is accountable for it, wherever it goes, which effectively places the obligation on the data collector in the first instance to ensure that no matter where that data goes, it will meet a certain standard.
The other school of thought is to create a prohibition against data moving across borders unless there is an adequate level of protection in that other jurisdiction. That's the approach that, as you may know, has been adopted in the European Union. There are those who are supportive of it. Others would say that even though it came in the mid-nineties, it still predates the kind of world we live in just 13 years later, and that creating absolute prohibitions on data transfers is just a very difficult thing to do, and that an accountability principle, for all its shortcomings, may better reflect the current realities of both technology and the marketplace.
Mike Allen Conservative Tobique—Mactaquac, NB
Thank you, Mr. Chair.
Obviously my personal information hasn't been disclosed, because Mr. Tilson said “Who's he?”, so I should be pretty safe then. I'm safe.
You made a couple of comments on security breach disclosure, and also on the timeliness of reporting. I just want to follow up on a couple of those.
Just about a month or so ago we got a letter from a company that my wife had been working for in the U.S. It indicated that a computer with a lot of personal information from a number of employees had been stolen. The letter detailed in infinite steps what happened, roughly when they thought it had happened, and the detailed steps that we needed to take to protect ourselves. While it was traumatic being told that, we were still able to know what the actions were.
So my question to you is, with something like that in this large government bureaucracy, given your experience, how long would you say it would take to implement something like a breach disclosure requirement? It wouldn't seem to me to be that easy to implement.
Prof. Michael Geist
I'm not sure that it's easy to implement security breach disclosure legislation, but it has been implemented effectively in some organizations in the U.S. that are probably equal or quite close in size to the federal government and are located in multiple jurisdictions with client bases that could rival, in theory, the number of people who might be affected by a security breach from a governmental perspective.
I don't think it's easy, but I think it's essential. In light of both the concerns around identity theft, as well as to create appropriate incentives for real safeguarding of that personal information, mandatory security breach disclosure legislation has proven by far to be the most effective tool in addressing both of those issues, based on our experience to date in the United States.
We have certainly seen quasi-public state organizations face those requirements in the U.S. And it's come up, particularly in a university context. Some very large universities--including the University of California, which is one of the largest sets of state universities in the United States--have faced precisely these kinds of issues, and have had to notify literally hundreds of thousands of students and alumni. It's a big obligation, but at the same time the potential costs to those individuals are great as well.
Mike Allen Conservative Tobique—Mactaquac, NB
Do you see that as a complement to privacy legislation, or legislation on its own?