Evidence of meeting #38 for Industry, Science and Technology in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Catherine Romanko  Public Guardian and Trustee, Public Guardian and Trustee of British Columbia
Douglas Brown  Public Guardian and Trustee, Public Guardian and Trustee of Manitoba
Janet Cooper  Vice-President, Professional Affairs, Canadian Pharmacists Association
Avner Levin  Associate Professor and Director, Privacy and Cyber Crime Institute, Ryerson University, As an Individual

11:45 a.m.

Prof. Avner Levin

Thank you very much for the question.

I will repeat what earlier witnesses have said and I'm in agreement with them. I think the clause as written is overly broad. I think it corrects something that, in fact as this committee heard from the bankers, does not actually need correction. The bankers who appeared in front of the committee were quite happy with the investigative body model that they have. They have well-reputed investigative bodies to research fraud and those issues that are concerning to all Canadians in terms of identity theft.

I think other witnesses have also noted that to just look at what's happening in British Columbia and Alberta in terms of similar provisions is misleading because they don't deal with the same type of organizations, namely the big telecommunication and Internet service providers that fall squarely under the jurisdiction of PIPEDA. That's why I recommended that the committee should not tamper with it. It should leave the existing model that exists in PIPEDA as it is and not proceed with these amendments.

To address your other point, certainly the spirit of Spencer is that Canadians have expectations of privacy in all of this information. As somebody who researches privacy, to see a bill come forward with many good provisions about privacy but also many exceptions that allow people to do things without consent and without agreement, to me that is problematic when we got a signal this summer from the Supreme Court that everybody has reasonable expectations of privacy in that kind of information.

11:45 a.m.

NDP

Peggy Nash NDP Parkdale—High Park, ON

Thank you.

I want to ask you about breach notification. The threshold is pretty high, it's “a real risk of significant harm”. Do you think that is the right threshold? We've had some witnesses suggesting a two-step system where the Privacy Commissioner is informed of all breaches and then there is a decision about when an individual is notified about a breach. Do you think that the way it is structured now under Bill S-4 it's leaving these decisions to industry itself? Is that the right approach?

11:50 a.m.

Prof. Avner Levin

It is leaving the decision to industry itself but I think the more important issue is that the standard has been set at a certain level. I know there has been a lot of debate over the appropriate wording and the standard had been set finally at a level that is fairly high.

In my research I'm just as concerned with attempts of breaches as actual breaches. My concerns are also about organizations in aggregate form not disclosing information about attempted attacks that they have suffered and what we call attack vectors, where do the attacks come from. A lot of what we often tell people.... For example, the banks will often always tell customers that they have to protect their passwords, etc., but we don't have good information as to where the attacks are originating from. They could be originating from overseas, from hackers, and not from negligent customers.

Attacks are just as important as these actual notifications in my own research and my own work, and that's where for me in the system, at least as you see it in other countries, people do get notified. Whether that's going to offer the best protection for Canadians at the end of the day I think there may be further actions that are required perhaps down the line as you see if this system is working effectively or not. I am concerned that right now there's nothing about potential attacks but only actual breaches.

11:50 a.m.

NDP

Peggy Nash NDP Parkdale—High Park, ON

Thank you.

I want to ask you about information sharing by companies in a prospective business transaction, which would be allowed under Bill S-4 without the knowledge or consent of an individual. Do we need this clause and does it strike the right balance around privacy and the need for businesses to have certain information?

11:50 a.m.

Prof. Avner Levin

As I understand this clause, it was at the request of businesses in terms of mergers and acquisitions where they felt that to go and technically request the consent of each customer when a merger is contemplated or something of the sort would be cumbersome and the customer's information is not used in any kind of meaningful way. It's just handed over from one party to the other. That is a provision that exists in British Columbia and Alberta, in the same language, and it hasn't caused significant concerns in terms of how it applied over there.

For me that is not in itself a troubling proposition. It facilitates business. Hopefully people won't look and find some unexpected loopholes in it, because the purpose of it is pretty straightforward as I understand it.

11:50 a.m.

NDP

Peggy Nash NDP Parkdale—High Park, ON

Thank you.

My time is running out, but I wanted to ask Ms. Cooper about pharmacists.

There is a concern about the work product, that sometimes a doctor's prescribing history has been made available to pharmaceutical companies for marketing purposes and that they're buying that information from pharmacists. Currently, they're having concerns in the U.S., for example, that this could lead to targeted marketing, that it could increase health care costs, and in fact that information is getting shared without the knowledge or consent of the doctors.

I know in Quebec they have a doctor opt-in provision and in B.C. I think they have decided not to allow this practice. Can you comment on that? Is it a concern that pharmacists have?

11:50 a.m.

Vice-President, Professional Affairs, Canadian Pharmacists Association

Janet Cooper

It is a concern. We have a position that we support the collection of prescribing information but it should be de-identified of the prescriber as well as obviously the patient.

We hear some of those stories as well where it seems they get down to such a narrow postal code and there might only be two specialists so it's pretty obvious that these are the physicians who are prescribing. It is influencing the drug reps who are going in and talking to the physicians and the physicians are surprised that this much information is available.

It's really important that this information be collected to ensure that there's appropriate utilization of medications. What you have now are the representatives going in and they're prescribing usually their new products. There may be an equally effective and far less expensive generic product on the market that really should be used because it's been around longer and it has a lot more safety information about it, so you really don't want to have situations where that very targeted marketing and information is that widely available.

We certainly see that it's important to inform appropriate prescribing medication use and researchers to do that, but not for the marketing purposes that we hear about.

11:55 a.m.

Conservative

The Chair Conservative David Sweet

I'm afraid that's all the time we have.

Now we'll go on to Mr. Warawa.

11:55 a.m.

Conservative

Mark Warawa Conservative Langley, BC

Thank you, Chair.

Thank you, witnesses, for being here.

I want to focus my questioning on how the digital industry has so dramatically changed since PIPEDA first became law in 2000. I believe that things have changed dramatically since it came into effect. It actually came into force from 2001 to 2004, over three years. Then, as is normal, there was a judicial review, a parliamentary review, and that started in 2006-07. I think some of you have been involved with that and have provided submissions or have testified.

Bill S-4 contains I think important updates that relate to what we saw when it was established in 2000. In regard to what's being proposed now in Bill S-4, the world has changed. Technology has changed dramatically. That includes the number of people who are using digital technologies for emails, banking, and so on.

We've heard from you. We've created Bill S-4. It provides important updates to current private sector privacy laws that will help protect consumers with regard to their personal information, whether it's been stolen or lost.

There is currently no legal requirement for a business to inform consumers when there has been a data security breach. A business could be hacked and decide right now not to inform customers, but the changes in Bill S-4 will compel businesses to report when hacked and will impose fines of up to $100,000 per individual if the business fails to notify the customer.

It also provides some very important focus on protecting the vulnerable, both the youth and our seniors.

Ms. Romanko, you touched on that, as did Mr. Brown, and that's the focus of your organizations.

The Bankers Association was one of the many that really supported Bill S-4. They applauded the amendments in the bill that will allow banks and financial institutions to advise public guardians, law enforcement, or family members when they have evidence of financial abuse. I think you touched also on the abuse that may be coming from family members. The banks would now have the discretion in regard to how to deal with these serious situations and protect the vulnerable. That does not exist now.

We also heard from the Privacy Commissioner about the tools necessary for the commissioner to do their job. There was not adequate time for them to be able to act. Now, with the changes in Bill S-4, that would change.

If you could, just touch on how things have changed and on these changes that have been now incorporated in Bill S-4 to update PIPEDA.

Ms. Romanko.

11:55 a.m.

Public Guardian and Trustee, Public Guardian and Trustee of British Columbia

Catherine Romanko

Thank you.

Yes, I would be happy to do that. Of course, my comments are very narrowly restricted to the ability of financial institutions to report.

The Public Guardian and Trustee of British Columbia was working closely with the Canadian Bankers Association back when these proposed amendments were first suggested. We were very much in support then of allowing an amendment that would enable financial institutions to report proactively, not just when there was an actual contravention of the law.

It is in that proactive measure that we think vulnerable persons are better protected. Then the responsibility for investigating falls to the provincial bodies, the public guardians and trustees, to do what they already are able to do under the law.

The missing piece was the proactive reporting. Bill S-4, in the provision in proposed paragraph 7(3)(d.3), I believe will accomplish that. I believe that is a positive measure.

Noon

Conservative

Mark Warawa Conservative Langley, BC

Mr. Brown.

Noon

Public Guardian and Trustee, Public Guardian and Trustee of Manitoba

Douglas Brown

I can take that even a step further.

Prior to my appointment as public guardian and trustee, I was director of enforcement for the Manitoba Securities Commission for about 12 years. The trends you have seen over the last two generations are people becoming more involved in their financial management. It's not just simply savings accounts and bank accounts anymore. You have people who are investing in mutual funds and other investment products. You have a more complicated landscape out there, which, if you take the negative view, probably leads to more opportunities for abuse of an individual, for example, if an individual is trying to manage money in different ways than they have in the past.

The other thing—and we were briefly talking about it before we came in—is the change, particularly in the banking industry to electronic banking, Internet banking. There is a move away from direct physical contact at a branch, which you would have seen a generation or two ago. That also creates a complexity in the situation that you're not going to have.... Whereas 20 years ago you'd have your local branch manager, whom you probably saw every couple of weeks just because you would be visiting your branch, that sort of contact isn't there anymore.

As we go further and further, with younger generations it's going to even become more pronounced. That doesn't change the need for this legislation, the need for the reporting. I think it's going to force us to adapt to those situations in our various roles to try to figure out ways that we can still identify potential abuse and report it under these new ways of delivering the service.

Noon

Conservative

Mark Warawa Conservative Langley, BC

We have nine weeks of work here, including the constituency weeks, and a lot of work to do before this Parliament wraps up.

Is it important that we pass Bill S-4 within this Parliament, or do you think we should be waiting? Will we leave people vulnerable if we don't pass S-4?

Noon

Public Guardian and Trustee, Public Guardian and Trustee of Manitoba

Douglas Brown

People are vulnerable by not passing it.

We have organizations, as defined in that legislation, that don't feel they have the legal ability to report situations where they themselves are identifying possibilities of abuse. In terms of public protection, I'm not sure why we would allow that to stand.

With regard to any of the comments I've read on the bill, I think they can be dealt with in regulations for the most part. Things like defining government organizations or government institutions can be dealt with in the regulations.

I think this is an opportunity to at least take that first step, put some protections in place, and then, as in any piece of legislation, see how the actual utilization of the legislation rolls out. We could always decide on amendments in the future.

Noon

Conservative

The Chair Conservative David Sweet

Thank you very much, Mr. Warawa.

We'll go to Ms. Sgro now.

March 24th, 2015 / noon

Liberal

Judy Sgro Liberal York West, ON

Thank you very much, Mr. Chair.

Welcome, and thank you for sharing some of your time and your insights into this issue.

Professor Levin, the penalties we're talking about go from $10,000 and up for people who don't report.

There seems to be such an easy way to have breaches of people's privacy today. Constantly, everywhere you go, you're being asked to tick a box that says “I agree”. A piece of software that I looked at yesterday had seven pages. Now I'm not going to read those seven pages—I'm just being blunt—and I don't think anybody else is who's not some high-tech person who has a specific reason that they're looking at that. However, in order to have access to that particular program, I scrolled through the seven pages and clicked “I agree”. I tend to think that's what a lot of people do.

Could you comment on that? I mean the object with Bill S-4 is to make privacy legislation better and strengthen people's confidence in it. I think that's what we all want to do.

Noon

Prof. Avner Levin

Thank you very much for the question.

I think the real issue is what has been happening with the digital economy and with services, as you can see. Certainly, since PIPEDA came into force, the idea of consent has changed. Instead of protecting us as individuals, it provides companies with loopholes, these seven pages of legalese, to say that we as individuals have agreed to all further collection, use, and disclosure practices.

The idea that, in this day and age, we can provide meaningful consent is broken, and has been for quite some time. That's why, in the academic world, if we're talking about a privacy framework for the 21st century, there is a lot of thought as to whether we shouldn't be moving beyond just focusing on consent as a gateway, such as saying that if someone consents then everything is fine. We should really be restricting what companies do with the information they collect. We should see a lot more regulation of uses and disclosures, not enabling of organizations to say, “Well, I've got somebody ticking a box over here, therefore I can go ahead and do whatever I want.”

This is a serious concern, especially when you're talking about this new kind of big data analytics in which companies are trying to collect a lot of information, do what we call free-form analysis, look for correlations, and do the type of predictive analytics that then make the headlines. For example, Target sent a notice to the family of a teenager that their daughter was pregnant. The father didn't know, but Target staff knew because they punched the numbers.

Regulation of use is what is required in this day and age, not just focusing narrowly on consent. Organizations will find the loopholes. They'll use legalese and write long agreements. That has not been helpful so far.

12:05 p.m.

Liberal

Judy Sgro Liberal York West, ON

Do you think that there are opportunities for us to somehow tighten up that particular area in the regulations?

12:05 p.m.

Prof. Avner Levin

If not in this iteration of the bill, certainly I would want to see it in regulation, because the bill in its current form is still under the old model. Make no mistake, while I'm stating these opinions as an individual, privacy commissioners will tell you how important consent is. I don't disagree with the idea in principle. It is just to say that as a practice it's not working. We need to think about how we can bolster and support it. Maybe regulation is the proper tool for that.

12:05 p.m.

Liberal

Judy Sgro Liberal York West, ON

Could we possibly do it with amendments to Bill S-4?

12:05 p.m.

Prof. Avner Levin

Well, if you really wanted to contemplate that, I would introduce restrictions on how companies use and disclose information, so that it's not as if consent is the gateway to an agreement with you where you've agreed and anything goes. Rather, there would be only certain purposes that they would be allowed to use that information for.

There are many ways in which you could, maybe through regulation, ask companies to touch base with a customer at key points, and say, “I want to do this with your information now. Do you agree at this point in time, yes or no?” Technologically, these tools are all available, but we don't have the legal framework that will force companies to do that.

12:05 p.m.

Liberal

Judy Sgro Liberal York West, ON

In the penalty process that requires companies to report all violations, all breaches, one of the concerns from some of our witnesses was that companies are not going to do so. It will be too cumbersome. They're not going to report all the breaches. They'll take a chance on not doing that and possibly pay a fine because there are so many breaches that are happening on a daily basis.

12:05 p.m.

Prof. Avner Levin

In terms of enforcement, part of the problem that we have concerns the role of the commissioner. The commissioner, who does not have the ability of other commissioners to issue orders to companies, is not viewed by companies, and typically by small businesses....

We see a lot of non-compliance simply because the consequences in their mind are not as real as, say, a health and safety violation for the municipality. We need to see more powers, so that the commissioner is actually treated like a regulator and not an ombudsperson. The old model was that the commissioner was an ombudsperson resolving disputes between customers and companies. I think we need to see the commissioner moved to regulator.

If we give the commissioner powers to enforce these things, large and small businesses will take that more seriously.

12:05 p.m.

Liberal

Judy Sgro Liberal York West, ON

Very much so.

Ms. Cooper, would you like to add any comment in those areas?

12:05 p.m.

Vice-President, Professional Affairs, Canadian Pharmacists Association

Janet Cooper

Yes.

Certainly as a professional association representing pharmacists, we find some of this discussion is outside of our mandate and my particular expertise, unlike Dr. Levin's. But I share those concerns, even more just as a Canadian, that we're signing off on a lot of stuff when we tick those things.

I look at the younger generation. I was recently at a Canada Health Infoway meeting, and they had some research done with Canadians and focus groups. I was surprised with the lack of concern that many Canadians have about their private information. For example, they just assume that every pharmacy in this province...you know, the Shoppers Drug Mart here shares it with the Shoppers Drug Mart three blocks over. They don't share it, but people assume it and they expect it.

I think societally we have some real challenges, and we're ticking off a lot of stuff. I would personally agree that we need to look at better regulating what companies can do with this data, because there's a lot of information that's coming in at point of sale, Internet sales, Google searches, and all that type of thing, which we need to be looking at.

I really couldn't comment on whether it should be within the legislation or regulations related to this, but I share the concerns.