Industry Committee on March 24th, 2015

Thank you, Mr. Chair.

Good morning. I am the public guardian and trustee of British Columbia. I thank you for the opportunity to comment on Bill S-4 today. In addition to my oral comments, I have provided a written submission. My comments today are restricted to subclause 6(10) of Bill S-4, and that is with respect to the proposed provision that will enable federally regulated organizations and in particular financial institutions to report concerns of potential financial abuse of a customer, without the knowledge or consent of the customer, to a government institution with authority to investigate and to take appropriate responsive action.

The jurisdiction to respond to suspected financial abuse typically falls to provincial authorities and territorial authorities with respect to civil investigation and in particular to public guardians and trustees across the country. The Public Guardian and Trustee of British Columbia has participated in the multi-year consultation process that led to the development of the anti-financial abuse provisions in subclause 6(10). My office supports the objective of the proposed anti-financial abuse amendment and offers three recommendations for refinement of the provision to ensure that the provision is effective, and secondly, to minimize the risk of harm to an individual who is the subject of a report and a potential victim of financial abuse.

My recommendations are based on the experience my office has in responding to financial abuse and I will provide those recommendations at the conclusion of my comments.

By way of background, the Public Guardian and Trustee of British Columbia is a statutory corporation sole created under the laws of the province. My office provides fiduciary and protective services to vulnerable adults, to persons who are mentally incapable, to minor children. We administer the estates of deceased and missing persons when there is no one else able and suitable to do that. We serve approximately 29,000 clients and administer almost $900 million in private client assets.

Among the various statutory functions given to the Public Guardian and Trustee under British Columbian law is the role of investigating allegations of financial abuse, including financial neglect and financial self-neglect of mentally incapable adults. The definitions of financial abuse, financial neglect, and financial self-neglect, which guide the investigations of the Public Guardian in British Columbia, are set out in legislation, but generally speaking, abuse is an action committed by a third party. Neglect is the failure of a third party to act, and self-neglect is an individual's own failure to manage his or her own affairs due usually to mental incapacity.

When my office receives information that an adult may be mentally incapable and may be a victim of financial abuse, the Public Guardian and Trustee of British Columbia has a legislative mandate to investigate the circumstances. My office has the powers to seek disclosure of financial information from legal representatives such as an attorney acting under an enduring power of attorney, and from financial institutions where an adult may hold assets. If my office has reason to believe that the adult's assets are in need of immediate protection, the Public Guardian and Trustee of British Columbia has the authority to instruct financial institutions to, in essence, freeze bank accounts to stop any withdrawals from the accounts or transactions with respect to those accounts, to halt the sale of property, and to take any other reasonable step necessary to protect the adult's assets from dissipation or misappropriation.

Each year, my office responds to approximately 1,600 allegations of suspected financial abuse. Approximately 1,200 of those cases result in a full investigation by my office, and of approximately 400 cases, the Public Guardian and Trustee is appointed committee of estate as a result of the investigation, and that is for the purpose of acting as property guardian to manage the financial and legal affairs of the adult on an ongoing basis.

The experience of my staff in responding to allegations of financial abuse has highlighted for us the critical role played by financial institutions in identifying issues of potential financial abuse and ensuring that vulnerable adults receive the support and assistance they need when it is required in order to curtail or end the financial abuse.

Employees of banks are often in the best position to observe potential financial abuse as a result of ongoing personal contact with their customers and with their knowledge of the customers' financial affairs. While it may be best practice for a bank employee to communicate with a customer directly about concerns of potential abuse, in many cases such communication is simply not practical, nor is it prudent. In some instances, bank customers may have diminished mental capacity due to mental illness or due to diseases of aging, making direct communication with a customer challenging and often ineffective.

In other cases, a customer may be unduly influenced by or subject to the control of another person, so that advising the customer of suspected financial abuse may in fact alert the abuser to the fact that the abuse has been discovered and put the customer at greater risk. Currently, PIPEDA permits financial institutions to report financial abuse to relevant authorities, such as the police, where the financial institution has reasonable grounds to believe that a law has been contravened.

However, if no law is contravened, federally regulated organizations are restricted by the act as to what actions they are permitted to take even if financial abuse is suspected, so my office of course is responding to allegations of abuse, not certainties. No crime has been committed as yet. Enabling financial institutions to proactively report concerns of potential financial abuse to an organization such as the Public Guardian and Trustee of British Columbia, with the legislative authority to investigate and to take steps to protect the assets of the vulnerable adult if necessary, is critical in the effort to reduce the incidents or continuation of financial abuse.

The Public Guardian and Trustee of British Columbia offers three recommendations for refinement of the proposed legislative amendment in proposed paragraph 7(3)(d.3) of PIPEDA. They are as follows.

One, specify that provincial authorities, and in particular public guardians and trustees, who are authorized to respond to financial abuse, are included in the term “government institution” to which an organization may report financial abuse. The term “government institution” is currently not defined in PIPEDA, nor is a definition proposed in Bill S-4.

The difficulty here is that the act is a federal legislation governing federally regulated bodies. Public guardians and trustees fall under provincial jurisdiction. We want to ensure the legislation is clear that reports may be made to provincial bodies. The act contains regulation-making power, which would permit the creation of a regulation to define “government institution”.

Making it clear that organizations are authorized to report to provincial and territorial government institutions, and in particular public guardians and trustees across the country, will assist financial institutions in effectively reporting. Another alternative, of course, would be simply to provide the definition directly in the act. Either way, the definition would be very useful.

Two, delete the reference to “next of kin” from the list of individuals and government institutions to which organizations may report concerns of potential financial abuse. The perpetrators of financial abuse, particularly with respect to vulnerable adults, are often next of kin. Disclosure of concerns of potential financial abuse to next of kin may have the effect of alerting the abuser to the fact that the abuse has been discovered and may in fact end up putting the vulnerable adult at greater risk of harm—or at least the adult's assets at greater risk of harm.

Three, explicitly recognize financial neglect and financial self-neglect in proposed provisions, along with financial abuse. Many provincial authorities have statutory power to investigate and assist individuals who are victims not only of financial abuse but of financial neglect and financial self-neglect, the effects of which can be equally devastating. In fact, the indicators of potential financial difficulty are the same, whether it's abuse, neglect, or self-neglect. Permitting financial institutions to report concerns of financial abuse, neglect, and self-neglect of their customers, I submit, would protect the interests of vulnerable British Columbians.

Those are my comments. Thank you very much. I'd be pleased to answer questions.

Thank you for the opportunity to comment on Bill S-4, the digital privacy act. I'm Douglas Brown, the public guardian and trustee of the Province of Manitoba.

My comments today will be limited to subclause 6(10) of the bill, which would amend the Personal Information Protection and Electronic Documents Act to permit the disclosure of personal information about an individual by an organization to a government institution in circumstances where there is a suspicion that the individual may be a victim of financial abuse. The Public Guardian and Trustee of Manitoba supports the amendment as a positive step that strikes the necessary balance between the need to maintain privacy of personal information and disclosure of that information to potentially identify and stop what are the devastating consequences of financial abuse.

The Public Guardian and Trustee of Manitoba, or PGT, is a corporation sole established under The Public Guardian and Trustee Act of Manitoba, that operates as a provincial government special operating agency. The PGT manages and protects the affairs of Manitobans who are unable to do so themselves and have no one else who is willing or able to act. This includes mentally incompetent and vulnerable adults, deceased estates, and children. The PGT manages approximately 5,800 clients, estates, and trusts, with approximately $230 million of assets under administration by our office.

The PGT becomes involved in the management of an individual’s financial affairs in a variety of ways. Most frequently, the PGT is appointed by the chief provincial psychiatrist under The Mental Health Act or by an order issued under The Vulnerable Persons Living with a Mental Disability Act, both Manitoba legislation. The PGT can also be appointed by a judge of the Court of Queen’s Bench of Manitoba to act in various circumstances. When the PGT does become involved, an investigation is conducted to gather and record the assets owned by the individual for whom we're now managing affairs. This includes all their property, investments, and any accounts at financial institutions. Unfortunately, in some situations our investigation will uncover evidence of possible financial abuse. In the worst of these situations, the financial abuse has resulted in all or a large part of the finances of that individual having been lost.

The impact of these losses caused by financial abuse cannot be overstated. As you or I choose to save, invest, or plan for our retirement and anticipate having the financial resources to be independent and exercise some level of control over our affairs in the future, people who have been the victim of financial abuse have lost that independence and have lost that control over their futures. Often we see that the health and well-being of the victim of financial abuse can be negatively impacted. More often than not, a victim of financial abuse has little chance of recovery. In many cases the money is gone, and there is little likelihood of recovering the money from the perpetrator of the abuse.

Organizations such as financial institutions can play an important role in detecting possible financial abuse through their ongoing contact with the public. My experience is that these institutions do want to cooperate with government institutions when they have a suspicion of financial abuse. While the privacy objectives of the existing legislation are clearly important, privacy laws should not become a tool used by perpetrators of financial abuse to avoid detection. Amendments that allow for a controlled disclosure of personal information in limited circumstances can still maintain privacy objectives while also providing an additional set of eyes out in the community to help identify and hopefully stop cases of financial abuse. I would strongly recommend to this committee that this is the right result.

In reviewing the amendments and the various submissions that have been made to the committee, there are a couple of recommendations that I would also support.

First is that the definition of “government institution” needs to be clear. The PGT or similar agencies in other provinces or territories have a role in these situations, and should be included in the definition. There should be caution taken not to apply the definition too narrowly, as this could discourage the reporting of information. A reasonable check and balance to apply could be to look at the role and use of the information that could be made by the institution that is receiving the information. In the case of the PGT, we're subject to provincial privacy laws. We also have specific statutory authority that allows us to collect information that would otherwise be private where it's required to carry out our duties, responsibilities, and powers. By having that control, you've put some control over how the information could be used once it's received by a government institution.

Second, in most cases the perpetrator of financial abuse has to gain the trust of the victim before the abuse can begin. This unfortunately means that relatives and family can often be the perpetrators of financial abuse. Any requirement to report suspected financial abuse in all circumstances to next of kin may place the victim at greater risk. Organizations that are contemplating making a report should have some discretion in those situations, and where appropriate, should make the report only to a government institution and not to the next of kin in circumstances where the next of kin may be involved in the abuse.

Third, in some cases an individual may not be a victim of financial abuse but is no longer capable of managing his or her affairs. The indicators of financial abuse and financial neglect can often be the same, so an organization that's contemplating whether to report should have the ability to report suspected financial abuse even though it may not be clear where the unusual financial activity originates, or whether the irregular financial activity is a result of a third party or the individual himself or herself. The organization should not be required to make this determination before it has the ability to make a report to a government institution. The loss of financial independence resulting from neglect is just as significant as a financial loss caused by a third party, so again, it's in everybody's interest that the matter be identified and dealt with as quickly as possible.

In conclusion, while the privacy objectives of the existing legislation are clearly important, the benefit of permitting disclosure of personal information in a limited and controlled manner would be a positive step in detecting and hopefully stopping cases of financial abuse.

Thank you.

Thank you.

Good morning. My name is Janet Cooper. I am a pharmacist and I am vice-president of professional affairs with the Canadian Pharmacists Association. I am pleased to be here today to discuss Bill S-4, an act to amend PIPEDA.

CPhA, the Canadian Pharmacists Association, is the national voice for Canada's 39,000 pharmacists. Pharmacists practise in a range of settings, including community pharmacies, hospitals, academia, industry, and government.

CPhA and the pharmacy profession have a long history of speaking out for the interests of patient privacy and confidentiality, and as far back as 2001 CPhA was involved with a privacy working group of other health care provider organizations that provided advice to Health Canada on privacy matters related specifically to health care. Since then we've appeared before parliamentary committees on numerous occasions to offer our perspective on PIPEDA changes.

Today pharmacists' commitment to privacy is reflected in the professional codes of ethics and standards of practice that guide our profession, as well as CPhA's own privacy code for pharmacists. Given that pharmacists routinely dispense more than 11 million prescriptions each week and they're conducting a range of new, expanded services for patients in almost all jurisdictions, the need for ensuring confidentiality of patients' personal information has never been greater.

Community pharmacists were very early adopters of digital records, having maintained computerized medication profiles for more than three decades. Most of the 600 million prescriptions that are dispensed each year, which is close to $30 billion in spending, are actually sent electronically for claims adjudication by public drug plans or private insurers. So there is a lot of electronic transmission of patients' medication information.

Increasingly, Canadians' medical records are maintained electronically by other health care professionals as well, including physicians' records, lab test results, and diagnostic images. The goal of electronic health records is to increase accessibility and sharing of patient information by those providers who need access to inform patient care and to support interprofessional collaboration.

For example, in several jurisdictions, drug information systems, or DIS, are in place to allow access to a complete profile of medications regardless of which pharmacy dispensed the prescription. This improves safety and efficacy of medications, supports improved prescribing, supports detection of adverse drug events, and deters prescription drug abuse. We hope that in the near future all prescriptions will be electronically created and then transmitted to the patient's pharmacy of choice. With this change to electronic health records comes increased need to ensure that Canadians' private health and medication records are protected.

Let me state up front that CPhA supports the amendments in Bill S-4 as they relate to protecting personal health information. There are two amendments in particular that we want to address.

First, CPhA supports the amendment in the bill in which personal information may be obtained without consent for the purposes of communicating with the next of kin or authorized representative of an injured, ill, or deceased individual.

Pharmacists, as well as any health care provider, may find themselves in the difficult situation of having to deal with patients who may be severely ill, unconscious, or incapacitated for any number of reasons. In such circumstances it may be imperative for the pharmacist or other health professional to immediately contact family members or next of kin to inform them of the patient's condition, or to seek valuable information on the patients' medical history. But seeking permission or consent to contact those individuals in advance may simply not be reasonable nor in some cases possible. This clause would provide pharmacists and other health care providers with the comfort and knowledge that in the case of a severe health emergency they will not be in contravention of PIPEDA for acting in the best interests of their patients by contacting next of kin or authorized representatives.

Second, CPhA also supports the amendment in Bill S-4 requiring organizations that have encountered a privacy breach to report that breach to the Privacy Commissioner and notify individuals, if it is reasonable in the circumstances to believe that a breach creates a real risk of significant harm to an individual.

For pharmacists who access a significant amount of sensitive information related to the medication and health of their patients every day, a breach or disclosure of this information has the potential to put the patient at risk. Patients who are on medications for HIV, mental illness, or infectious diseases would certainly not want all of that information to be known. As defined in the legislation, this risk could include threats to employment, reputation, or relationships. As a result, CPhA believes that, should a privacy breach occur, reporting this breach to the individual concerned and the Privacy Commissioner are reasonable steps to take in order to mitigate any risk that may occur.

It's also reasonable for the organization in question to maintain proper records of these occurrences as stated in the bill.

Although not specifically related to this bill, I want to thank Health Canada for introducing a regulatory change this past summer that will better enable pharmacies to protect privacy. There's a requirement in the Food and Drugs Act that requires pharmacists to maintain up to two years' worth of prescription records, and until last summer the regulation required prescriptions to be maintained in hard copy format even though more and more prescription records are now retained in electronic format. Last July Health Canada reinterpreted that regulation to allow for electronic retention of prescriptions. In addition to being more efficient for pharmacies, electronic retention is safer and more secure from a privacy standpoint.

Thank you, Mr. Chair and committee members, for the opportunity to meet with you today to discuss Bill S-4. I'd be pleased to respond to your questions.

Thank you, Mr. Chair. Thank you for the invitation to appear in front of the committee. I apologize that I'm not bilingual, so my comments will be in English. I'm an associate professor and the director of the Privacy and Cyber Crime Institute at Ryerson University and I'm appearing as an individual. I research privacy and I've been privileged to appear in front of the access to information, privacy and ethics committee as well.

I am not going to repeat comments that you heard from earlier witnesses in previous meetings. I take these hearings that the committee is conducting at this time as a sign that the government is interested in considering some amendments to the bill before it proceeds. I would like to reiterate what previous witnesses have said that I think the following amendments should be considered by the committee.

First, I think the committee should consider adding order-making powers to section 12.1 of PIPEDA for the commissioner. Section 52 of the B.C. or Alberta personal information protection act can certainly serve as a model. That does not preclude leaving in the provision for compliance agreements that is in the new proposed bill, which would be the new section 17.1. I'm happy to discuss the reasons for my thoughts on this if we have time for questions later, but other witnesses have already made this point.

Second, I would suggest to the committee that it delete proposed paragraph 7(3)(c.1). That would eliminate the possibility for government institutions to request personal information without judicial supervision. I think that point has also been made by previous witnesses, so I would leave that for questions as well if there's any interest.

Third, I would leave paragraph 7(3)(d) as is. In other words, I do not think the committee should proceed with allowing organizations to share information with other organizations. I think that the committee should leave the investigative body model that is currently in PIPEDA intact and that point has been made.

I would like to spend my time introducing a new point to the committee, as far as I know, and that is regarding the issue of workplace privacy that is in this proposed bill. To the best of my knowledge it has not yet been discussed. Under PIPEDA the personal information of employees of a federal work, undertaking, or business is protected and the collection, use and disclosure of it requires the consent of the employee. That's currently in PIPEDA in paragraph 4(1)(b).

Bill S-4 proposes a new section, section 7.3, that will govern such employment relationships, according to which employee consent will no longer be required. Employers will have to notify employees instead. That's going to be in the new paragraph 7.3(b), but they will be able following this notice to collect, use, and disclose information that, quoting from the bill, “is necessary to establish, manage or terminate an employment relationship.” That's the new paragraph 7.3(a).

In my opinion, as currently worded, this presents an unfortunate erosion of workplace privacy that ignores previous OPC findings as well as Federal Court decisions. I note to the committee there's a decision from the Federal Court for Eastmond and there's another one for Wansink. I can provide the full citations later. The implications are broader than just for federally regulated employees. Labour arbitrators for those employees who are unionized look to PIPEDA as a guidance and as a source, and to the OPC guidelines. Employers in provinces that do not have private sector legislation look to PIPEDA as guidance even though they do not fall under the jurisdiction of PIPEDA directly.

The proposed amendment appears to follow B.C.'s and Alberta's PIPA, but in my opinion it does not. In those provincial laws—and bear with me, please—the collection, use, and disclosure must be reasonable for the purposes that I've listed. For reference, in the British Columbia act, those are sections 13, 16, and 19. I quote from paragraph 13(2)(b) of the British Columbia Act:

the collection is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual.

The new section 7.3 does not refer to the reasonable standard at all. I imagine that's presumably because PIPEDA has built into it subsection 5(3) that says:

An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

I would hope the committee would follow me in seeing that existing subsection 5(3) refers to the purposes being appropriate to the reasonable person, and it does not refer to the collection or the use or the disclosure as being reasonable. If you want to follow the B.C. and Alberta model, of course the collection and use and disclosure should be reasonable. The purposes of managing, and so on, the employment relationship, needless to say, are reasonable already.

In my opinion the current wording in the bill would allow, to take perhaps a little bit of an extreme example, an employer to install closed-circuit television cameras inside washrooms at the workplace, for the purpose of managing the workplace as long as a notice was posted to that effect. I would argue that for the purpose of managing the workplace and wanting in that case to ensure that facilities are clean and well maintained, doing that is reasonable. But the collection of personal information would not be reasonable in that situation. That is the distinction that I wish to draw to the attention of committee members at this point in time, which I don't think has been articulated up to this point.

I would suggest two simple amendments as a result. One would be to simply add the word “reasonable” before “necessary” so that the amended clause, which would create the new paragraph 7.3(a) would read “the collection, use or disclosure is reasonable and necessary to establish, manage or terminate an employment relationship between the federal...business and the individual”. Alternatively you may wish to consider amending the clause by borrowing language used in Quebec's legislative framework. Section 2087 of Quebec's Civil Code requires employers to protect the dignity of employees, so the committee may wish to consider an alternative formulation such as, “the collection, use or disclosure protects the dignity of the individual and is necessary to establish, manage or terminate the employment relationship”.

I'll make one last point on this, Mr. Chair, before I end my comments. I do think that employees cannot meaningfully consent to their employers' practices in an employment relationship. In that sense I do think that it is useful to move to regulating employers' conduct in those circumstances. I could add more on the issue of consent, but again I think you've heard from earlier witnesses in previous meetings.

I will leave it at that regarding the point on privacy at work. I would be happy to answer questions if there is any time.

Thank you again for the invitation to appear today.

The mandating of breach reporting is, of course, a useful step that has been called for by privacy advocates for many years. I see it as a necessary step that in fact will bring us in line with other jurisdictions. In the investigations of the House committee on access to information and privacy and ethics, we also raised the point that eventually we would like organizations to see beyond the reporting of breaches that have actually occurred and we would like to have some transparency from organizations regarding attacks that they have suffered.

Obviously the intention is not to have organizations identify their own vulnerabilities but to have organizations in aggregate form, for example the banks through their body, the CBA, report on various attacks, how many have occurred, and where they came from. That is most important, I think, in order to develop public policy.

Without a doubt requiring organizations to start notifying individuals about breaches, as has been suggested in this bill, is a welcome and well-weighted amendment.

Thank you.

I think if it were possible to achieve that through legislation, then other places would have tried that. But I do think the committee might want to look at the obligations and responsibilities of major companies and major platform providers, which, in the United States, have already started undertaking some responsibility with respect to vulnerabilities in their area. Microsoft, for example, has a threat response centre that looks at and considers threats. Those are activities that I think are appropriate and for which they should take responsibility just because their software is so popular. It's not just Microsoft; you can talk about Facebook and the situations of social media and many other sorts of popular platforms.

Yes, I would. I think this bill will enable them to access information, and in particular, sometimes you want information that's across the jurisdictions, between the different provinces. Right now many of them are very restricted to only what's happening within their province. It's not just pharmacists. You could have physicians as well, so you have physicians perhaps in one province prescribing through Internet pharmacy, which is not appropriate. It doesn't meet the standards of care. But the pharmacy is dispensing that medication in another province, so it's very difficult to investigate and then to deal with. I think this would enable greater access to information if wrongdoing is expected.

We've been very involved in the whole Internet pharmacy issue for probably at least 15 years because of a lot of concerns. A lot of Internet pharmacies look like legitimate Canadian pharmacies and they're not. They're offshore somewhere and there's no guarantee that the drug you're ordering is going to have an active ingredient in it. It might be counterfeit. It might have chemicals in it that could harm. It is a very concerning situation, one that's difficult to monitor and enforce. Hopefully some of this legislation will make it easier for our regulatory bodies as well as policing agencies and staff to deal with it.

Back when PIPEDA was being introduced, there was a lot of concern of how that might impede the day-to-day ability of health care practitioners to work together and care for their patients. A lot was done. There was the whole PARTs tool kit. At the end of it, PIPEDA has not been a barrier. Care, with implied consent and all that, has moved forward.

In terms of the work product, our position has been for some time that de-identified data is really important for researchers to look at: prescribing patterns, prescription drug utilization, those types of things. That may have a prescriber's name attached to it but certainly wouldn't have a patient's name attached to it. It is important that you have access to drug utilization information and the national drug prescription utilization database that CIHI maintains that gets information coming in from the provinces on that as well.

We are not as an association but you have a lot of universities, agencies, that are looking at appropriate medication use and safety. So to get that data in on prescribing patterns and utilization is really important. We're spending over $30 billion and almost half of that is paid for through the public purse for prescription drugs. But there are lots of concerns: are medications being taken appropriately, prescribed appropriately, monitored, are they safe, as well as prescription drug abuse. We also have a lot of costs related to less than appropriate medication use. It's really important that there's research to look at safety, efficacy, those issues.

Thank you for the question.

I do think it's the tip of the iceberg. There are several factors to consider. Number one is that public awareness of financial abuse, or the risk of financial abuse, is growing. I think we've seen this on a national level and certainly provincially. Financial institutions are increasingly raising this issue and training their staff. I think that as public awareness grows, there will be more reporting.

The other factor, particularly in British Columbia, is the changing demographic that we see with an aging population. We know from statistics that the incidence of dementia once someone reaches the age of 85 is significantly increased. We know generally, without getting into statistics, that the aging population tends to become more vulnerable. Not everyone does but many do. It's the vulnerability, not necessarily incapacity, that can lead to potential abuse.

I think it is the tip of the iceberg. I don't think that even now we are receiving all the reports of abuse. I do expect that we'll see an upward trend.