Good afternoon, Mr. Chairman and members.
My comments will be focused specifically on the four issues identified by the Privacy Commissioner in his December 2, 2016, letter to this committee.
The overriding concern I'll commence with is ensuring that PIPEDA works better when it comes to small and medium-sized businesses. For brevity, I'll refer to them as SMEs in the course of my presentation. I was involved in the development of PIPA in Alberta. I co-chaired a working group of Alberta privacy lawyers who were providing advice to the people drafting the legislation that became PIPA. Much of the input from the lawyers participating was animated by a focus on small and medium-sized businesses. PIPEDA, at least at the time, was seen as better suited to large banks, airlines, and national corporations but not so well suited to the neighbourhood bookstore.
When I was the Saskatchewan Information and Privacy Commissioner, my office partnered with the Privacy Commissioner of Canada's office to undertake a program called privacy made easy. This was focused on businesses on the Prairies. In meetings with business organizations, we found a remarkably low level of PIPEDA compliance by small and medium-sized enterprises. In fact, I'm disappointed to say, we found even a remarkably low level of PIPEDA awareness.
Dealing first with enforcement powers, I support the commissioner's recommendation that his office have order-making power. That aligns his office with most of the major international data protection authorities as well as the Canadian provinces with private sector privacy laws.
I want to acknowledge that the current ombuds office probably works quite well for large corporations in Canada, which achieve a high level of PIPEDA compliance, I think. That may be because of more capacity and it may be attributable to a more sophisticated recognition that privacy compliance is a good business practice.
I'm interested in the conclusions of a 2010 study that had been done for the Privacy Commissioner of Canada. It concluded that there's a differential impact on different-sized businesses by the role of the Privacy Commissioner of Canada, as SMEs tend to be more sensitive to financial risk and penalties. Furthermore, the deterrent effect of avoiding intervention by the Privacy Commissioner would be more effective with SMEs if the Privacy Commissioner of Canada had order-making power and the ability to impose penalties.
Another reason I support order-making is that it leads to the creation of a body of precedents, more detailed orders than the current summaries provided by the office. These would serve to provide businesses with much clearer direction as to how PIPEDA is being interpreted and applied.
In terms of the GDPR—the general data protection regulation—alignment makes sense from the perspective of international trade. I would submit, however, that it's important not to lose sight of the private sector privacy laws in Alberta, British Columbia, and Quebec, as well as the substantially similar health information laws in jurisdictions such as Ontario, Newfoundland and Labrador, New Brunswick, and other provinces that will soon achieve the substantially similar designation. Any changes to PIPEDA would necessitate a similar review of each of those substantially similar provincial and territorial laws.
I'm not sure that data portability and privacy by design are not already captured by PIPEDA. Data erasure appears to have no PIPEDA counterpart, however.
On reputation and privacy, I don't support a right to be forgotten. I simply don't think it could survive a charter challenge.
As a former commissioner, I was very concerned with the issue of public registries that were created long before we started to worry about data profiling, data matching, and identity theft. The response needs to be to encourage more scrutiny at the time registries collect the information and ensure non-collection of anything not essential to the purpose of the registry.
When Chantal Bernier was assistant privacy commissioner of Canada, I recall that she led a collaborative initiative with provincial commissioners to create a set of guidelines dealing with the Internet publication of administrative tribunal decisions. So there certainly is an issue that can be addressed, but I'm just not sure the right to be forgotten is going to be the answer.
I think freedom of expression in the charter limits what could be done. If you cannot compel a media outlet to take down content, then I contend you cannot stop a search engine from communicating to the world that the content exists.
Regarding meaningful consent, I'm going to submit to you, Mr. Chairman and members, that some useful privacy lessons have been learned from the Canadian experience with electronic health records, where the role of consent has been significantly diminished, notwithstanding the fact that we're dealing with some of the most sensitive and prejudicial information that Canadians have. I'm thinking particularly of Alberta and Saskatchewan, which have a largely completed electronic health record for every citizen. This allows thousands of providers in all parts of the province the opportunity to look at prescription drug profiles, laboratory test results, diagnostic imaging pictures, radiology reports, clinical notes from providers in hospitals, and immunization information on anyone in the province. Of course, they're not supposed to be viewing this material unless they have a legitimate need for the purposes of diagnosis, treatment, and care, but the point is they have the ability to be able to access that information. With funding from Canada Health Infoway, all other provinces are working to develop a similar system which should be interoperable with that of all other provinces and territories.
And we've certainly learned over the last decade that apart from the question of consent, there's a compelling need for other privacy-enhancing features. At the top of my list would be a privacy management program to ensure a coordinated approach to PIPEDA compliance, because what you tend to see too often among health care providers is a fragmentation: a policy here, a policy there, and not appropriate coordination and leadership. So a privacy management program is an important feature.
There's also a need for a proactive audit program that's made known to all employees. Too often, organizations like to boast that they have an audit capability with the electronic system they've got. That isn't very helpful or very useful if there isn't an ongoing proactive program and all staff that have access to that sensitive information are aware that this capacity exists in the organization.
Furthermore, we need strengthened regulatory oversight both by commissioner offices and also regulated professional bodies.
We could spend hours talking about the development and expansion of secondary use of personal health information and big data. The historic view is that if you're dealing with identifiable patient information, if you're using it for the original purpose—namely, that it was collected for diagnosis, treatment, and care—you don't require additional consent, but if you're using it for research purposes, you would then typically require the express consent, unless you have approval from a research ethics board that says consent isn't necessary.
There are significant issues around that and then the need for hard safeguards.
Unlike Australia and the system they have there known as My Health Record, where there's a requirement that patients must opt in to the electronic health record system, in Canada we have compulsory enrolment of all Canadians and uploading of their personal health information to the system. They're not invited or asked whether they consent. The system of electronic health records is based on implied consent, not express consent. Moreover, implied consent typically requires transparency at the point of collection about the kind of PHI that's collected and how it will be used and disclosed. Implied consent typically requires that an individual can elect to opt out. The kind of masking that's offered in the electronic health record system we're building in Canada usually offers patients something quite different, and certainly something much less than an opt out.
Patient privacy, as we've seen in our experience over the last decade, is typically reinforced by a number of soft safeguards, including an oath or pledge by all health care workers to protect privacy; written policies and procedures for the collection, use, and disclosure of personal health information; training of staff; and an audit trail of those who view anyone's PHI.
The experience, though, is that despite these soft safeguards, we've experienced something of a rash of snooping incidents. You have read about that, because we have, I think, pending class actions in at least five Canadian provinces that come from unauthorized people snooping in patients' personal health information. This has sharpened the focus on hard safeguards to backstop the soft safeguards.
I'd recommend that if you're looking—as the commissioner has invited you to do—at possible alternatives or enhancements to consent, you might want to consider the kinds of hard safeguards that have been developed for electronic health records. These would be dismissal for cause or other disciplinary action by employers, prosecution, and fines—if you look at the stand-alone health information laws, they have huge fines—class-action litigation, and disciplinary action by professional regulatory bodies.
I say that on the issue of consent and determining whether there are some alternatives, there's some valuable experience to consider and to draw from when we look at electronic health records as we see them now in Canada.
Thank you very much, Mr. Chairman.