Evidence of meeting #32 for Access to Information, Privacy and Ethics in the 40th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was subamendment.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Elizabeth Denham  Assistant Privacy Commissioner , Office of the Privacy Commissioner of Canada
Carman Baggaley  Senior Policy Advisor, Legal Services, Policy and Parliamentary Affairs Branch, Office of the Privacy Commissioner of Canada
Daniel Caron  Legal Counsel, Legal Services, Policy and Parliamentary Affairs Branch, Office of the Privacy Commissioner of Canada

9 a.m.

Liberal

The Chair Liberal Paul Szabo

I call the meeting to order.

This is meeting number 32 of the Standing Committee on Access to Information, Privacy, and Ethics. Our order today is pursuant to Standing Order 32(5), report of the Privacy Commissioner on the application of the Personal Information Protection and Electronic Documents Act for the year 2008, referred to this committee on Tuesday, October 6, 2009.

This morning our scheduled witness was to be the Privacy Commissioner. Unfortunately, she has a cold and is not able to sustain any speaking. As a consequence, she has asked, and we certainly welcome, Elizabeth Denham, the Assistant Privacy Commissioner, who is very familiar with the annual report and is in a position to also deal with any of our questions.

I welcome you, Ms. Denham. Thank you for being here, for stepping in.

I understand you have some opening remarks. Please introduce your colleagues who are with you for the benefit of the members. Please proceed.

9 a.m.

Elizabeth Denham Assistant Privacy Commissioner , Office of the Privacy Commissioner of Canada

Good morning Mr. Chairman and committee members.

Thank you for inviting our office to address you on the privacy implications of camera surveillance as used in commercial applications, such as Google Street View and Canpages, and on other issues related to surveillance and new technology.

I am joined today by Carman Baggaley, our senior strategic policy adviser, and Daniel Caron, legal counsel. Unfortunately, Commissioner Stoddart can't attend today. She has laryngitis. I think this is a first for her, not attending.

We very much appreciate the committee's interest in this issue. We also followed your hearing on June 17, 2009, at which representatives from Google and Canpages appeared. We welcome the opportunity to discuss this interesting development in technology.

The Personal Information Protection and Electronic Documents Act, PIPEDA, is a technology-neutral law that does not, in our view, thwart the innovation of new technologies. We've sought to ensure that PIPEDA is a dynamic, modern, and effective tool for strengthening the privacy rights of Canadians. And we believe that PIPEDA can cope with the commercial collection and use of personal information through street-level imaging technology.

We're very much aware that the many services that use street-level imaging are very popular with the public. Our ongoing concerns about the commercial use of this technology really centre on ensuring that it protects the privacy of Canadians by meeting the requirements of PIPEDA, such as knowledge, consent, safeguards, and limited retention.

I would like now to briefly recap our office's involvement in the issue.

The Office of the Privacy Commissioner of Canada has been closely following, for a few years, the development and use of online street-level imaging technology by companies operating in Canada and elsewhere. As I indicated, such technology has potential privacy concerns, and we wanted to know more about it and how it would be deployed in Canada.

Street-level imaging applications use various means of photographing the streetscape. A camera is typically mounted on a vehicle that's driven down a street. The images are then shown on the Internet as part of the company's mapping application. Although the company's interest is to capture a streetscape so that users can take a 360-degree or virtual tour of a particular neighbourhood, the companies are also capturing images of identifiable individuals and tying those individuals to specific locations.

We began to monitor the issue in 2007, when we learned that Google was photographing the streets of certain Canadian cities, for the eventual launch of its Street View application in Canada, without the apparent knowledge or consent of the individuals who appeared in the images.

The commissioner wrote an open letter to Google outlining her concerns about the Street View application. She took that opportunity to point out that if companies like Google wished to use this technology for commercial services in Canada, there was private sector privacy law that would have to be adhered to, and stronger privacy protections would have to be put into place.

I would like to address a common misconception that some companies have about photographing people in public places. If an organization takes a photograph of an individual in a public place for a commercial purpose--for example, when a company, in the course of photographing a streetscape, captures an identifiable image of a person and that image is uploaded onto the Internet for a commercial reason--Canadian privacy law still applies. One of the key protections is that people should know when their image is being taken for commercial reasons and what the image will be used for. Their consent is also needed. And while there are exceptions under the law for the requirement for consent, they are limited and specific, and they concern journalistic, artistic, and literary pursuits.

Street View has now been launched in Canada—it went live on October 7—as well as in other countries. The Canpages service, called Street Scene, was launched earlier this year in certain cities in British Columbia. Canpages is seeking to expand its service to other Canadian cities and has recently provided notice that it is photographing streets in Montreal and Toronto.

Our office and our provincial counterparts with substantially similar commercial privacy laws, Alberta, B.C., and Quebec, have been in contact with both companies about their street-level imaging and mapping applications. Early this year those provincial privacy commissioners and our commissioner issued a fact sheet, which I believe you have a copy of, for industry and the public on what we think needs to be in place for these commercial services that use the technology to be in compliance with Canada's privacy laws.

This fact sheet, called “Captured on Camera”, details the privacy protections that are particularly pertinent in the case of street-level imaging. Among these are that citizens should know in advance that street-level images are being taken, when, and why, and how they can have their image removed if they don't want it to appear online. This could include visible marking on vehicles--and if you've seen the Google car you'll see that it's well identified--notification that the streets are being photographed through a variety of media, outlining dates and locations, the purpose of filming, and how people can contact them with questions.

We also think that faces and licence plates need to be blurred, so that the individual is made anonymous or is at least not identifiable. Companies need an effective and quick take-down process whereby an individual can have their image removed. Unblurred images retained for legitimate business purposes should be protected with appropriate security measures and the raw data should not be retained indefinitely.

We've seen changes to how the technology is used that are more respectful of privacy, and we played an important role in encouraging these changes, not only in Canada, but worldwide. Images of people and licence plates are blurred, but the process of doing so needs to continue to improve and evolve. Take-down processes have been established. The need for clear retention periods has also been addressed by Google.

Companies have solicited the views of umbrella community organizations about any possible sensitivity to filming in certain locations, such as shelters or clinics.

Notifying the public is an ongoing concern. We believe the nature of the information collected is not especially sensitive and that companies can rely on implied consent, provided they give reasonable notification to the public in the form of outreach. Individuals need to know in advance when the organization will be photographing their neighbourhood so they can adjust their plans accordingly.

As you know, the purpose of PIPEDA is to balance the individual's right to privacy with the organization's need to collect user-disclosed personal information. PIPEDA applies to a wide range of businesses, from banks and telecommunications companies to car dealerships and to the local neighbourhood store. It also applies to social networking sites.

The law is not prescriptive; rather, it requires that organizations adhere to a set of fair information practices or a set of principles. Each organization, given its business model and other regulatory requirements, has to find ways to adhere to the principles and achieve the balance between its own legitimate needs and the rights of individuals to their privacy. The Office of the Privacy Commissioner works with organizations to help meet their business objectives and their obligations under PIPEDA. I'd be very pleased this morning to talk to you about Facebook as a good example of that.

As I indicated earlier, PIPEDA is a technology-neutral and principle-based law, and so far it appears to be flexible enough to guide commercial uses of new technology. As you're likely aware, over the summer we released findings in two significant complaints originally filed in 2008, in which technology and new business models featured prominently. One, as I say, involved Facebook, and the other the use of deep packet inspection, or DPI, by a telecommunications company. Under PIPEDA, we were able to strike a reasonable balance that serves as a road map to help us face new privacy challenges on the horizon. These findings will have a positive impact on the privacy rights of Canadians and indeed on 300 million people worldwide who are users of Facebook, while at the same time acknowledging business interests.

What we have learned in the past 18 months through our work in street-level imaging, social networking sites, and deep packet inspection will help us significantly, and we believe these examples have served to raise the profile of privacy for business and average Canadians.

As we note in the PIPEDA annual report for 2008, new technology, for all its indisputable benefits, continues to pose privacy challenges. Indeed, our office is planning to explore over the next year the privacy implications of three significant technologies: behavioural advertising, cloud computing, and geospatial technology. We will be seeking the views of business, academics, advocates, and regular Canadians in order to better understand how PIPEDA applies to these technologies and business practices and their impact on privacy.

Since we were asked to appear, we tabled our 2008 PIPEDA annual report—and I understand that you all have copies. The main themes of the report are really a shout-out to youth, a reminder that Canadians need to take control of their personal information on the Internet. We think youth are particularly vulnerable, because they're big users of technology and may not realize the risks. Therefore, as our report indicates, we really focused this year on public education activities to reach out and talk to that demographic.

We've passed out some stickers for you that say “Think Before You Click”. We distributed those during frosh week. We also have many other tools. We have a youth blog and videos produced by youth, so we have youth talking to youth. You can find all these tools on our website, youthprivacy.ca. The federal, provincial, and territorial commissioners passed a resolution in 2008 on youth privacy, advising what individuals and organizations need to do.

Lastly, the other main issue I would highlight in the annual report is the matter of data breaches and notification. As you know, this is a global issue. Governments, organizations, and data protection commissioners are really grappling with various models, including mandatory breach notification.

The report highlights a study we conducted on our current voluntary reporting regime. I'm happy to talk about it more, but what it confirmed is that we can't possibly be receiving reports from businesses about all significant privacy breaches in Canada; there's just no way, because the numbers are relatively low. It underscores also the ongoing need for training, because one-third of the breaches reported to us were not the result of hacking, of technology breaches, but really simple employee errors, such as dialing the wrong fax number.

In conclusion, I would like to thank the committee for inviting us today to discuss privacy, street-level imaging and other new technologies.

I'd like to thank the committee for inviting us today, and I welcome your questions.

9:15 a.m.

Liberal

The Chair Liberal Paul Szabo

Thank you very much, Ms. Denham.

As the members will know, we have two items on our agenda: one is the annual report itself; and the other is an update on the camera surveillance issue. In the presentation, the comments of the Privacy Commissioner are combined into one.

I think what we'll do is simply proceed on a global basis and allow the members to go to either issue. That will probably be the best strategy for the committee.

We're going to start now with Madam Simson, please.

9:15 a.m.

Liberal

Michelle Simson Liberal Scarborough Southwest, ON

Thank you, Chair.

Thank you, Ms. Denham, for appearing before the committee.

The Office of the Privacy Commissioner is to be congratulated for this report. I found it very interesting.

I want to particularly address the matter of identity theft. We're seeing more and more reports of incidents that are quite devastating and have severe financial consequences for a great number of Canadians through no fault of their own. On page 8 of the report it says that last year there were 6,344 inquiries. Many were related to the misuse of SIN numbers and the loss or theft of personal information that led to potential identity theft.

I just want to get a sense, of the 6,344, are you able to comment on how many of those would be related to the loss or theft of personal information?

9:15 a.m.

Assistant Privacy Commissioner , Office of the Privacy Commissioner of Canada

Elizabeth Denham

You're talking about the number of inquiries we get. Those are telephone and written inquiries. I don't have the statistics in front of me, but I think it would be a handful of those calls.

A greater number of reports that involved theft or loss of personal information came in through voluntary reports that we would receive from companies. So there was a percentage of the self-reported breaches the cause of which was theft of personal information, often by employees or former employees, and mere loss of information, which means a laptop or a computer disc is lost that contains personal information and the company might not know what happened to it.

9:15 a.m.

Liberal

Michelle Simson Liberal Scarborough Southwest, ON

Thank you.

Turning to page 29, I want to refer specifically to the use of drivers' licences, for instance. It indicates that the commissioner worked with a home decorating chain that was photocopying and keeping on hand drivers' licences in the course of their business, and the office was able to convince them to discontinue this and dispose of the information. It does go on to state that with a major video rental chain, however, she didn't have the same success and that there is going to be an investigation undertaken.

Could you comment on the status and/or what the commissioner is able to do in terms of whether that is considered a breach? Is she able to do anything that has teeth?

9:15 a.m.

Assistant Privacy Commissioner , Office of the Privacy Commissioner of Canada

Elizabeth Denham

In that particular case we had an earlier complaint. We had investigated the complaint, and the video store had agreed to cease collecting the driver's licences, because of course there is a risk of exposure of personal information in the hands of the video chain when that information is no longer needed. So they agreed to stop, and then they began collecting them again.

We initiated a commissioner-led investigation and it's almost completed. All we have the power to do is make recommendations that a company cease the practice. We have to turn to the Federal Court for enforcement. We haven't completed the investigation. It will be completed before the end of the calendar year.

9:15 a.m.

Liberal

Michelle Simson Liberal Scarborough Southwest, ON

But that's obviously a cause for concern, a video chain or home decorating.

On a larger scale, my concern is that.... And I learned, in the course of selling my mother's house two weeks ago, that all real estate transactions now require that identification be presented and copied, as required under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. The acceptable forms of identification are all government identification: driver's licence, birth certificate, passport, or a health card are all acceptable.

So if there is a concern about a video chain, my question is about how we now have 100,000 people collecting this information and we have no idea how it's being stored. Personally, I was extremely uncomfortable. And I understand the money laundering issue very well, but you have real estate transactions that not only have the potential to scoop your identity, but also steal your home, because you've got the legal description of the land and you also have identification in a file--God knows where--and it's 100,000 people.

I did write to the commissioner just a few weeks ago on this. Do you have any comment on that and how we're going to manage that particular issue?

9:20 a.m.

Assistant Privacy Commissioner , Office of the Privacy Commissioner of Canada

Elizabeth Denham

The commissioner shares your concern, and a draft of that letter is on my desk right now, so you will be receiving it shortly.

The difference between the example you gave about the video store collecting a driver's licence, of course, and a real estate agent scanning or copying a driver's licence is that the latter is required by law. So as you stated, under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act there is a requirement to collect certain information.

9:20 a.m.

Liberal

Michelle Simson Liberal Scarborough Southwest, ON

But now we have one law that I would argue actually puts Canadians at huge risk of identity theft and of having their property stolen from under them. So is there any discussion about how we can fix that?

9:20 a.m.

Assistant Privacy Commissioner , Office of the Privacy Commissioner of Canada

Elizabeth Denham

There is discussion about that. The commissioner has the powers to audit FINTRAC, which collects this data, every two years. We are just completing an audit of that. And in fact there is over-collection by some agencies that are copying drivers' licences when they don't actually need to copy all of the information on the driver's licence. So we are also working on guidance along that line.

But information required by law or mandated by law is a different scenario from the video chain collecting that information for their kinds of transactions.

9:20 a.m.

Liberal

Michelle Simson Liberal Scarborough Southwest, ON

But the storage is still a huge issue--how a real estate agency chooses to store it-. Is there no mechanism to monitor how that information is being stored?

9:20 a.m.

Assistant Privacy Commissioner , Office of the Privacy Commissioner of Canada

Elizabeth Denham

All of the real estate firms are still required under PIPEDA, or the substantially similar provincial laws, to safeguard that information. So there still is a legal requirement to safeguard the data.

I hear you, though. They need to understand that they are now collecting extensive information.

9:20 a.m.

Liberal

Michelle Simson Liberal Scarborough Southwest, ON

Thank you.

9:20 a.m.

Liberal

The Chair Liberal Paul Szabo

Thank you.

We'll have another round. You've had very good questions.

Madam Freeman.

9:20 a.m.

Bloc

Carole Freeman Bloc Châteauguay—Saint-Constant, QC

Good morning, Mrs. Denham. Thank you for your presentation.

I would like some more details. On page 38 of your report, you talk about backlogs and how that works. You're hanging the way you operate because it used to be first-come, first-served. Now you're calculating your backlogs differently. You also requested additional resources to reduce those backlogs. Subsequently, I believe Lisa Campbell appeared before the committee and asked that this be used to settle the matter and to proceed with the hiring of 20 new investigators. I'd like to get a better idea of your new method for calculating backlogs.

Furthermore, how does that work with your 20 investigators? Where do they work? Are they here? Sometimes it's said that 20 investigators have been hired, but we realize that there are only perhaps 14. How does your staffing work exactly, in view of all the additional funding you've requested? I'd like more details on the use of those supplementary budgets that have been granted to you. How many investigators have been hired, why did you change the way you handle complaints, and what is the current status of the backlogs, please?

9:25 a.m.

Assistant Privacy Commissioner , Office of the Privacy Commissioner of Canada

Elizabeth Denham

I'll take your first question, which is about how we are changing the front end of the process and the triaging of new complaints.

We used to deal with complaints on a first-come, first-served basis. We felt that what we needed to do was put more resources into dealing with those cases that were most at risk. If Canadians were at risk by a certain practice or if somebody was suffering harm, we needed to deal with those cases first. There is a new triaging process and a complaint registrar who assigns the cases based on the resources needed and the urgency of the issue. So that's the first question. It seems to be working very well. It's only been in place for six months.

Your second question--

9:25 a.m.

Bloc

Carole Freeman Bloc Châteauguay—Saint-Constant, QC

Can you give me an example of what you consider an urgent complaint?

9:25 a.m.

Assistant Privacy Commissioner , Office of the Privacy Commissioner of Canada

Elizabeth Denham

If somebody was complaining about getting access to a certain record he or she needed for a custody dispute, if there was a medical issue at stake and information was needed from a physician, then we would deal with that first. So there was something urgently at issue.

Also, if you take a case where there's a systemic privacy risk to Canadians--Facebook is a good example--we would triage that complaint to be at the top of the pile and assign it.

9:25 a.m.

Bloc

Carole Freeman Bloc Châteauguay—Saint-Constant, QC

If I understand correctly, you have a code for establishing your priorities.

9:25 a.m.

Assistant Privacy Commissioner , Office of the Privacy Commissioner of Canada

Elizabeth Denham

We do. We have three levels of complaints. If a file is urgent, for the reasons I just outlined, then it would be given priority. It would be assigned right away. We also look at the level of the investigator. A senior investigator, an experienced investigator, would be given a case like Facebook, as opposed to a complaint about a disclosure of somebody's banking information, an allegation about a disclosure to an ex-spouse, or something like that. We have a lot of those kinds of cases.

Your second question was about the resources we've been assigned. In 2009, because of the new resources, we hired ten new PIPEDA investigators on the PIPEDA side of the office. We also put them through a six-week training program, which was a new initiative for our office. It's working very well. We've eliminated, under PIPEDA, 40% of the backlog in the last year, and we're on track for eliminating it by the end of the fiscal year, the end of March. So we're on track with that.

9:25 a.m.

Bloc

Carole Freeman Bloc Châteauguay—Saint-Constant, QC

You seem to have a lot of trouble retaining your staff. There seems to be an incredible turnover rate. You offer services to the public, but if you spend your time recruiting and training people, the service will be affected all the more as a result.

Have you determined why you were losing these people, why they went to agencies or elsewhere, and how it is you can't retain them? Do they have lower salaries? What are their working conditions?

Have you conducted an evaluation on that subject?

9:25 a.m.

Assistant Privacy Commissioner , Office of the Privacy Commissioner of Canada

Elizabeth Denham

I'm not the expert on the answer to these questions, but my understanding is yes, we have had high turnover for the last three years. The reasons for that.... The workload is heavy. As well, there's natural churn of these kinds of professionals, who are doing access and privacy work among the various agencies. They're in high demand, so it's very difficult to keep them in our agency. We hope by sending them through our in-house, six-week training process they'll feel more confident and hit the ground running. We're doing what we can. We don't think it's a salary issue. We just think there are many opportunities, especially after so many federal agencies became subject to the Access to Information and Privacy Acts over the last two years.

9:30 a.m.

Bloc

Carole Freeman Bloc Châteauguay—Saint-Constant, QC

Let's talk about one of your recommendations, concerning the referral of complaints. When a person files a complaint, if I've correctly understood, you encourage that person to go to the department or the business. How does that work? What are the various steps?

9:30 a.m.

Assistant Privacy Commissioner , Office of the Privacy Commissioner of Canada

Elizabeth Denham

That's exactly right. Our new process is a robust refer-back. If somebody comes to our office, we ask them to go to the business or the department first so they have the first chance to resolve the issue before we initiate a full-on investigation.