Evidence of meeting #37 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was s-4.
A recording is available from Parliament.
12:45 p.m.
Conservative
Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB
Interestingly, you're not the first ones to say that.
Those folks who are kind of speaking with one voice on the other side would say that it's the opposite, that we need more reporting and more notification.
Would you disagree with that?
12:45 p.m.
Vice-President, Public Affairs, Retail Council of Canada
No. Let's make a distinction here between recording and reporting.
We have a concern about the recording burden. The section on recording is very strictly worded, which essentially means every breach of security safeguards. We can envisage a world in which that creates the burden to record breaches for which there's no foreseeable harm, and to create unlimited obligations—
12:50 p.m.
Conservative
Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB
I only have a short period of time, but I want to ask you if the breaches that we're talking about, in your view, are things that should be avoided? Do you have no problem defining them as things we should avoid? Leaving a screen open with private information on it, I think was your example.
12:50 p.m.
Vice-President, Public Affairs, Retail Council of Canada
For somebody stepping away from their desk to get a coffee, while some party is in the same room who may or may not have actually passed by that desk but with no certainty that the individual has done so, I think you have to have a materiality threshold.
12:50 p.m.
Conservative
Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB
But it would probably be a good practice when you have personal information on your screen to close down your screen, right?
12:50 p.m.
Vice-President, Public Affairs, Retail Council of Canada
Sure, it is a good practice.
12:50 p.m.
Conservative
Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB
So as we try to establish that as a common practice across the board, to have some mechanism that simply records that it happened, as a reminder that we ought not do that—of course there's consultation going on in terms of what that's going to look like, and I'm sure you'll weigh in on that—might not be that onerous really. Eventually we shouldn't be doing that, right?
12:50 p.m.
Vice-President, Public Affairs, Retail Council of Canada
I think we would differ.
I think that there probably is a threshold level below which—whether it's the period for which a filing drawer was open or a screen was left unattended—it actually might fall below a material level for the necessity of maintaining records, and in particular, one that also does not appear to have any time limitation on the requirement to maintain those records.
12:50 p.m.
Conservative
Mike Lake Conservative Edmonton—Mill Woods—Beaumont, AB
I anticipate that, like the Bankers Association and everyone else, all of the witnesses here, you'll weigh in on the consultation process to make sure that the steps taken are reasonable.
12:50 p.m.
Conservative
The Chair Conservative David Sweet
Thanks very much, Mr. Lake.
Thank you to the witnesses.
I usually hesitate to become involved at all, being the chair, but I want to ask the Bankers Association whether there is a regular relationship presently with the Privacy Commissioner such that—not, obviously, on a case-by-case but on an aggregated basis—there is a sharing of aggregate data on a quarter or half a year's investigations concerning how those have proceeded and how people's personal information has been safeguarded.
Do you have that kind of regular reporting aspect relationship with the Privacy Commissioner's office?
12:50 p.m.
Director, Consumer Affairs, Canadian Bankers Association
The banks' compliance divisions have a very close relationship with the Privacy Commissioner's office. Many times, when they have a question about compliance, they will talk to that office.
As an association, we host an annual meeting with the regulator so that we have the opportunity to exchange information with them. But the banks on a regular basis, as a breach may happen—in the rare instances when one does happen—are certainly in touch with the Privacy Commissioner's office so that they are aware of what is happening and are able to monitor what is going on and give advice as to how we can handle it.
We participated in the development of the Privacy Commissioner's guidance on breach reporting and notification. The banks certainly follow that guidance.
12:50 p.m.
Conservative
The Chair Conservative David Sweet
I ask the question because it's a substantial trust that you have, and I also know that you have a substantial responsibility because of the nature of crime these days and the innovation that those who want to perpetrate such acts come up with on a day-to-day basis. I just wanted the committee members to hear briefly about what that relationship is.
Thank you very much, colleagues.
To our witnesses, thank you very much. Again I extend to you the regrets of the committee that we were held up by the due process of democracy in the chamber.
We're adjourned.