Evidence of meeting #34 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was organizations.
A recording is available from Parliament.
NDP
Peggy Nash NDP Parkdale—High Park, ON
Do you mind if I clarify my question? What is the problem that this change in Bill S-4 is trying to fix?
Special Digital Privacy Counsel, Canadian Marketing Association
I think that is probably one that's better put to the drafters who know the law, frankly.
NDP
Peggy Nash NDP Parkdale—High Park, ON
Mr. Smith, of the people you represent, have any businesses been saying this is a change they want?
Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
As far as I understand it, there is an interest from the insurance industry on this with respect to cases of fraud. It makes it easier for them, and as you heard this morning, it changes the investigative bodies regime, which allows them to go through the process without going through the process.
Conservative
Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB
I want to follow up on some comments from the original opening statements.
We have this threshold of real risk of significant harm and, Mr. Smith, you referred to that: an organization determines that there's a breach that poses a real risk of significant harm, and they have to report it to their clients, the people who are affected by it, but you would suggest that they need not notify the Privacy Commissioner. You don't think they should have to notify the Privacy Commissioner.
Why, if it is a breach that is significant enough to pose a real risk of significant harm, significant enough that they would take the step of notifying their own clients, people who are affected by it, would they not have to notify the Privacy Commissioner?
Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
The process to date has always been a two-step threshold. There were several examples mentioned this morning. There could be a name wrong on a letter in an envelope, or there could be a phone number posted somewhere that wasn't supposed to have been posted. The decision often gets made at the front-line staff or the customer service staff, that you deal with the individual. You let people know what happened and let them know what you're doing about it, but is there—
Conservative
Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
Right. We're concerned that the way the bill is drafted, that from the over-reporting perspective, if you have to send every single one of those to the OPC, it significantly changes the number of records that you're going to have, the number of records that the OPC is going to have.
Is there any real value in reporting that? Probably not.
February 17th, 2015 / 12:50 p.m.
Conservative
Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB
Most Canadians would say probably and disagree with that when there's a real risk of significant harm.
When there's not a real risk of significant harm, though, the legislation says we're not going to make you report everyone to the commissioner, but we are going to make sure that you track the error.
Again, when I look at proposed section 10.3—everybody's brought up issues with this—it's pretty straightforward. It says that you have to “in accordance with any prescribed requirements, keep and maintain a record”. But you only have to keep and maintain a record for every breach of security safeguards involving personal information under your control.
Basically, you're only keeping records when you make a mistake that involves someone's personal information. The amount of information that you have to track, the amount of cost associated with this is in direct correlation with the number of mistakes you make in tracking people's personal information. Is that a problem?
Senior Vice President, Government and Consumer Affairs, Canadian Marketing Association
Because of the language in the bill, there is not really a threshold established. It just says, “any breach of security safeguards involving personal information”. That could be something as minor as a list of addresses being left out, something very, very minor in the historical context of personal information under PIPEDA. The law appears to indicate that those pieces of information will then have to be logged, recorded, and kept for an unspecified period of time.
Conservative
Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB
Actually no, there's a consultation process. You guys know that there's a consultation process that you'll be able to weigh in on to say what that's going to look like.
Who knows, in the end it might be as simple as an e-mail trail saying what happened filed electronically to ensure that in the future it can be looked at. It doesn't seem that onerous to me in this day and age of computer technology
Senior Vice President, Government and Consumer Affairs, Canadian Marketing Association
Our concern is that it could be taken to extremes and we haven't seen the regulations. You're correct. We'll have an opportunity to sit down in that process and one would hope the outcome would be a reasonable framework that wouldn't impose too great a burden.
Our concern was simply that there could have been some mention of threshold in the law and that would have given reassurance to business.
