Evidence of meeting #26 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was breaches.

A recording is available from Parliament.

Also speaking

Donovan Molloy  Privacy Commissioner, House of Assembly, Office of the Information and Privacy Commissioner of Newfoundland and Labrador
Catherine Tully  Information and Privacy Commissioner for Nova Scotia, Office of the Information and Privacy Commissioner of Nova Scotia
Sean Murray  Executive Director, House of Assembly, Office of the Information and Privacy Commissioner of Newfoundland and Labrador
Drew McArthur  Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia
Bradley Weldon  Senior Policy Analyst, Office of the Information and Privacy Commissioner of British Columbia
Clerk of the Committee  Mr. Hugues La Rue

11:55 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Do you think it would be ideal, then, to have both offices in one?

11:55 a.m.

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

From our perspective, we've never experienced having the two separate. Just from the work we do, there are often cases where there are access to information and privacy issues involved in the same investigation. Our people have expertise on both sides.

11:55 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Is there anyone else?

11:55 a.m.

Information and Privacy Commissioner for Nova Scotia, Office of the Information and Privacy Commissioner of Nova Scotia

Catherine Tully

I agree with Drew.

At the provincial level, it works really well, because this is the system we're used to. At the federal level, though, these are two huge issues and they take a lot of attention. It seems to have worked well having them separate. Those are my thoughts.

11:55 a.m.

Conservative

The Chair Conservative Blaine Calkins

I think our friends from Newfoundland and Labrador are trying to communicate with us, but they're muted.

11:55 a.m.

Executive Director, House of Assembly, Office of the Information and Privacy Commissioner of Newfoundland and Labrador

Sean Murray

We are not muted here.

At the national level, especially, I think it's important to have a champion for access to information and a champion for privacy, who can be recognized and speak to those issues separately, be leaders across the country, and represent those issues internationally as well. I think it has worked very well from that perspective to have them as separate offices. At the provincial level, functionally, I don't think there would be any need to have that separation.

11:55 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

The second question I have is about the potential pitfalls of the over-sharing of data. We've heard some concerns from other witnesses that, with data now moving from paper-based to digital-based, sometimes there can be an over-collection of data but also an over-sharing of data, not only within government but with other jurisdictions. One of the ways this has been solved in the private sector is by an opt-in, opt-out model.

Can you highlight how we can balance the government's requirement or need to operate effectively with making sure there is no over-sharing of data?

11:55 a.m.

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

My initial response to that question is that there is a threshold in our provincial legislation that the data must be necessary for the operation of a program.

The inclusion of the word “necessary” in our legislation [Technical difficulty—Editor] the amount of over-collection and therefore protects from over-sharing in the after sense. The inclusion of “necessary” covers off the concern about whether information may be over-shared in one sense. In the other sense, in our case, we do have in our legislation the requirement for information sharing agreements, which would typically make the process transparent or—in the case of information that is sensitive for national security—at least ensure that the appropriate protective measures are being implemented when information sharing agreements are put in place.

Noon

Conservative

The Chair Conservative Blaine Calkins

That takes us to the end of the seven-minute round.

Thank you very much, Mr. Saini.

We now move to the five-minute round, and we'll begin with Mr. Jeneroux.

Noon

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Thank you very much.

Thank you to all three of the groups for being here with us today on video conference. I appreciate your taking the time out of your day.

Before I move on to my questions, I think Mr. Saini let you off the hook a little too easy there, with some of those answers in terms of combining the offices. If I remember, Ms. Tully, you said the issues are important at the federal level. Are they not as important at the provincial level?

You folks in Newfoundland mentioned champions. Is that not championing at the provincial level as well?

Mr. McArthur, I think you said you don't know any other way, so it works.

Maybe you could elaborate on your positions just slightly. The other argument to that is cost-savings, if you combine the two, and that didn't come up in any of the answers. If you guys don't mind elaborating, before I get to my question, that would be great.

Noon

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

I think the only thing that comes to mind is that the size of our operation in British Columbia is approximately 40 people. That is not a large operation when considered against the size of the federal Privacy Commissioner's office or the Information Commissioner's office. There may be opportunities of scale, but in our case, because of our size and our jurisdiction, it remains effective for us having both access to information and privacy in one piece of legislation.

In some cases in the international context, the two are separated. It may make a difference when you're dealing with issues internationally.

Noon

Information and Privacy Commissioner for Nova Scotia, Office of the Information and Privacy Commissioner of Nova Scotia

Catherine Tully

I think the only other thing I would add is that the issues on the privacy side are complicated. The technology issues associated with it, the fact that data is moving around the world, these are all managed by these data protection offices that our Privacy Commissioner is an equivalent to. Having a leader in Canada on that issue I think is very important for our government and for the provinces as well. That stands out when you have an identifiable privacy commissioner and it's consistent with the approaches taken in other jurisdictions. I would say that it's likewise on the information side, having a leader in that way.

Noon

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

So you don't think having the minister of justice, which the Privacy Act falls under, would be enough of a voice internationally to do that.

Noon

Information and Privacy Commissioner for Nova Scotia, Office of the Information and Privacy Commissioner of Nova Scotia

Catherine Tully

I think those are very important voices, for sure, but there's a whole layer of these oversight agencies contributing significantly to the conversation around what our privacy standards are. Not only that, but they have these enforcement authorities, these fining authorities, that are making sure that these rules are followed. They're an important part. Both things have to exist, for sure.

Noon

Conservative

The Chair Conservative Blaine Calkins

Mr. Molloy or Mr. Murray, did you have any comments on that?

Noon

Privacy Commissioner, House of Assembly, Office of the Information and Privacy Commissioner of Newfoundland and Labrador

Donovan Molloy

I don't think we're saying that they can't be done together and should never be done together. It's just that in certain circumstances it would seem better to have them apart. If you're talking economies of scale, when you go to, for example, order-making powers, then you're talking about expanding two offices.

It depends on where your values lie and to the extent that you have, in any given situation, a Cadillac or a Civic, I suppose.

12:05 p.m.

Conservative

Matt Jeneroux Conservative Edmonton Riverbend, AB

Thank you. That's a great transition to my next question.

In terms of the order-making model, we've heard recently that a hybrid model is perhaps an option to move forward.

If we go around the group, we'll probably run out of time, but we can come back to it in my next line of questioning. What do you see works best, and what would you recommend as part of the Privacy Commissioner's recommendations?

12:05 p.m.

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

In terms of an order-making power, as noted, we have that ability in our sector legislation. We have taken the opportunity to use that from time to time, and find it effective. It also, as we've indicated, turns the parties' minds, through the mediation process, to be much more in tune with the sensitivities of each party. It assists us in getting to the resolution of complaints at the mediation phase rather than having to proceed through, but it provides us with the ability for order-making powers should we have to go beyond the mediation phase or if mediation hasn't been accepted.

12:05 p.m.

Conservative

The Chair Conservative Blaine Calkins

That takes us to Mr. Long.

You have up to five minutes, please.

12:05 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Thank you, Mr. Chair.

Thank you to all our presenters this morning. I think this is very informative.

Mr. McArthur, I'm sorry we can't see you, but I've read a lot of your articles and I've read about you with great interest. You have a very interesting background. You were a founding member, I believe, of the Canadian Council of Chief Privacy Officers. You were chief compliance officer with Telus, and I believe the Telus privacy policy was actually a gold standard for policies like that.

Obviously you've worked in both the public sector and the private sector. I'm wondering if you could give us a comment on how working in especially the private sector maybe gives you a different perspective on things now that you're in the public sector.

12:05 p.m.

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

In a recent presentation I made I highlighted some of the shifts in moving from being regulated to being a regulator. It's been an interesting learning curve for me and I've become more sensitive to some of the issues.

Specifically I'll talk about mandatory breach notification. When I was in the private sector, we worked very hard to come up with voluntary breach notification guidelines, and we worked with the privacy commissioners across the country to implement those as guidelines for organizations. I now see those embodied in the federal privacy legislation, Bill S-4. When the regulations are implemented, we will see that for federal private sector organizations. We see it in Alberta, and we've recommended it in B.C., and the B.C. government has accepted that.

What was once voluntary in the private sector is now becoming a de facto standard of being mandatory. We also note that in Europe the general data protection authority has come out to indicate that mandatory breach notification is required. I'll also note that they've taken a few steps further than that, and it's going to be significant for Canada to continue to be substantially similar with the requirements of GDPR for the free flow of information as it relates in the private sector for organizations that operate multinationally.

12:05 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Thank you for that.

Mr. McArthur, I'm just going to stick with you briefly, then we'll go to our other presenters. I just want to get your perspective on the triple-delete scandal that happened in B.C., and the other one I read about was that there was a breach with Island Health. There was a chief of staff of the government who was basically charged. Correct me if I'm wrong, but he was really charged with lying to cover it up, not actually the delete, delete, delete. For those who aren't aware, they deleted them out of their inbox, then deleted them out of the trash file, and then deleted them off the server. I know you were quoted, saying, “There should be penalties and fines”. You feel they should be reprimanded more strongly. I just want to get your perspective on the triple delete, and then get our other panellists' perspective on the harshness of fines.

12:10 p.m.

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

I will say the triple-delete investigation—we call it a scandal here in B.C.—resulted in a significant number of recommendations for government and a catalyst for change, so there has been some good coming out of that investigation. On the specific circumstances around the individual, you are correct in that he perjured himself in his testimony given to my former colleague Elizabeth Denham, the then privacy commissioner, and he was charged under the act. That was the first circumstance where that had occurred.

We have recommended that the fines to individuals be increased to a substantial level, and the reason for that recommendation is evident in some of the more recent, as the media calls them, snooping incidents into personal health records of individuals, where employees of health authorities who have access to patient information, but no need or business need to access specific patient files, go in and snoop. We believe there are significant deterrents required in order to prevent the amount of snooping that we see going on, not only in B.C. but across the country.

12:10 p.m.

Liberal

Wayne Long Liberal Saint John—Rothesay, NB

Quickly, I know you said fines should be increased to a significant level. Correct me if I'm wrong, are they currently $5,000 for a breach?

12:10 p.m.

Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Drew McArthur

Correct. We recommended to our committee that they be increased to $50,000, and the committee recommended to the legislature that they be increased to $25,000.