Evidence of meeting #48 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was consent.
A recording is available from Parliament.
4:35 p.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
There's no glaring shortcoming that's crying out for immediate action?
4:35 p.m.
Commissioner, Office of the Information and Privacy Commissioner of Alberta
I think there is. That's my concern.
One of the things we did talk about, and a recommendation I made to amend our provincial legislation, was to require that organizations have a privacy management program in place. This does speak to some of what we're expecting to see when the GDPR comes into force. Alberta, B.C., and the federal office all came together in 2012 and came up with a published joint guidance document called, “Getting Accountability Right with a Privacy Management Program”. That document sets out the basic foundational building blocks of a privacy management framework and says, before you can do privacy compliance, you need to have these basic things in place. We all agreed on that, across the country.
4:40 p.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
If I think of some of the very smallest enterprises, particularly organizations or enterprises that may not conduct business on the Internet, is that recommendation a bit onerous? Does the local curling club need a privacy officer, a written privacy policy, and a privacy management framework to have people curl at their club, for example?
4:40 p.m.
Commissioner, Office of the Information and Privacy Commissioner of Alberta
I think somebody should be responsible for privacy, and that's already in our legislation. They do need to have policies, but they don't need to be written, according to Alberta's PIPA. I can't speak for PIPEDA or B.C.'s PIPA. I think any legislation of a requirement to have a privacy management program does require that some mindfulness be given to scaling such a program to the organization. I'm not sure that these small organizations shouldn't be concerned about privacy, because it could be a very small organization with only two employees collecting, say, credit card information. As a consumer, I would want to know that if I'm giving my credit card information to this very small organization, they have an obligation to safeguard that information. I do think it's scalable.
4:40 p.m.
Conservative
The Chair Conservative Blaine Calkins
Thank you very much, Mr. Kelly. We're at five minutes.
Mr. Erskine-Smith, you now have five minutes.
4:40 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
Thanks very much.
I wanted to start by asking about enforcement powers. One model is order making. Another model is fining powers, administrative monetary penalties, and/or a combination of the two.
We heard testimony the other day that in the EU there are significant fining powers. I think it's up to 4% of company revenue.
What are your comments on whether we should empower the Office of the Privacy Commissioner with such administrative monetary penalty powers? Would that be a good idea?
4:40 p.m.
Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia
In the B.C. act, there are fines, but they've never been imposed.
In terms of the adequacy of compliance or alignment with the GDPR, I think both Canada and the provinces are going to have to examine the amount of their fines, and to bring them more in line with what the GDPR is looking at in order to be considered adequate.
4:40 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
With respect to transparency, the previous privacy commissioner suggested that there be public reporting requirements. Under PIPEDA, law enforcement agencies and institutions can obtain personal information from companies without consent or a warrant for a relatively wide range of purposes. The previous commissioner recommended ensuring that the public be made aware of how often this occurs. Do you think that's fair?
Does anyone have objections to that idea? Maybe that's a better way of phrasing it.
4:40 p.m.
Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia
I think it's important that the public be made aware of when or how often law enforcement agencies are approaching certain organizations. We're now seeing organizations taking the opportunity to voluntarily publish transparency reports that indicate how many times they've been approached.
There may be times when an organization may be prohibited from doing so, and the laws currently recognize that. The organization may be prohibited from disclosing the fact that they've been approached, either by a national security organization or a law enforcement agency, but for the most part, I think it's important that Canadians be made aware of how many times their personal information is being requested under lawful access.
4:40 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
So you favour openness by default, subject to national security or other overriding public interest concerns?
4:40 p.m.
Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia
Correct.
4:40 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
With respect to a further question on accountability, the previous privacy commissioner spoke of enforceable agreements. Where there has been an audit per se, and the OPC has issued recommendations for compliance to organizations that there would be enforceable agreements that would be entered into. He further recommended that the accountability-related principals in the act, from schedule 1, section 4.1, be reviewable by a federal court.
I don't know if there's a view from your three offices on that. Would there be any opposition to those recommendations?
4:45 p.m.
Commissioner, Office of the Information and Privacy Commissioner of Alberta
I wouldn't have any objection to that, but I think you would want to look at it within the entire toolbox of enforcement powers. For example, I did not go to the committee that was reviewing PIPA, to talk about the need for enforceable agreements, because I have order-making power.
If you're looking at something like order-making power, you might not be in a position where enforceable agreements—
4:45 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
That makes sense.
We had the commissioner before us the other day, and he talked about the potential need for alternatives to a consent model under PIPEDA. That struck me as odd, in part because I understand the consent model under PIPEDA to be quite flexible and that it can grow over time with different technologies. Should we be looking at alternatives to consent?
4:45 p.m.
Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia
In the case of the B.C. act, I've indicated already that we haven't seen challenges, but where technology is taking us in the analysis of big data, there is a large amount of discussion around the analytics that can be unleashed upon information that was not originally collected for a purpose that might become apparent upon the running of those analytics.
The challenge that exists now is the ability of organizations to innovate with the data that they have within the context of consent when they don't necessarily understand what might be unveiled at the end of the analytic process.
We see technology now allowing for greater possibilities. At the end of the day, we believe there needs to be protection. People should be aware that their information is going to be analyzed. If it's going to be de-identified, there need to be protections built in so that it's not re-identified.
4:45 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
I've run out of time, but if your offices have different models or alternatives to consent that you think this committee should consider, I would appreciate it if you would submit those ideas in writing.
Thanks very much.
4:45 p.m.
Conservative
The Chair Conservative Blaine Calkins
Thank you very much.
We now go to Mr. Jeneroux for five more minutes, please.
4:45 p.m.
Conservative
Matt Jeneroux Conservative Edmonton Riverbend, AB
Great. Thanks again, Mr. Chair.
Your offices deal with businesses and in the context of people's relationships with businesses. I'm curious to know if you have any performance indicators, satisfaction metrics, or public consultation information you've done, which you can point to, that support or don't support some of your comments.
We'll start again with Ms. Clayton.
4:45 p.m.
Commissioner, Office of the Information and Privacy Commissioner of Alberta
It depends on which topics you might be looking for performance metrics. We did a general population survey back in 2015 to get a sense of how individuals feel about privacy. We asked if they think it's important, if they feel their information is protected, if they are aware of our office, and if they think this is an important issue. That's on our website.
We also did a survey of the stakeholders that we regulate in all three sectors, and asked them questions about their privacy management programs. Do they do training? Do they have written policies? Do they have incident reporting mechanisms? Do they do privacy impact assessments? We asked a whole lot of questions around those sorts of issues, as well as our own processes and things like that.
Those documents and reports are both available on our website. The plan is to have a five-year interval, so probably it will be next year that we'll do it again and see whether or not there's been any movement.
4:45 p.m.
Conservative
4:45 p.m.
Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia
First of all, we publish—as do other commissioners—annual reports on how our legislation is being enforced and our enforcement activities. We've just undertaken our first public awareness survey to assess people's awareness of the functions of our office and their privacy rights, whether in relation to the public or private sector.
We do not have any information to add to the mix that says whether or not people are comfortable or happy with how businesses are performing under that.
4:45 p.m.
Conservative
Matt Jeneroux Conservative Edmonton Riverbend, AB
Sorry, I just want it to be clear: is that also in the context of the businesses, and not just the individuals? You do go out and ask, as Ms. Clayton said, the usual suspects, for lack of a better term....
4:50 p.m.
Acting Commissioner, Office of the Information and Privacy Commissioner of British Columbia
Our public awareness survey surveyed about 1,000 citizens. It was more about their awareness of the functions of our office and their rights. It was not related to specific businesses, or whether or not they were comfortable with business practices.
4:50 p.m.
Administrative Judge, Surveillance, Commission d'accès à l'information du Québec
It's the same thing in Quebec. We also publish annual reports on the number of files, the number of complaints submitted to the Commission d'accès à l'information and the resolved complaints.
I don't think a satisfaction survey has been conducted recently. There may have been one already, but I would need to check. I have been at the Commission d'accès à l'information for six years, and I don't remember any satisfaction survey being conducted with individuals, businesses or public agencies. I know that awareness campaigns are conducted to inform individuals, businesses and public agencies of the commission's existence and role.
At the moment, I can't answer this question. However, I could check and send the information to the committee.