Information & Ethics committee  I would go at it a little differently, and the GDPR is pretty good on this. It's the privacy by design. You say, from the very first steps when we're collecting information, that we are designing the system around protecting that information. We think of the protection of that in

Information & Ethics committee  The GDPR that is coming in. “Privacy first” or “privacy by design” is what they call it.

Information & Ethics committee  It's coming this year.

Information & Ethics committee  I think that money is probably the easiest one. It's the easiest one to target. We've had “name and shame” for years, where the Privacy Commissioner can name you and publish your information. There is certainly some reputational risk there. There have been some teeth, but you hav

Information & Ethics committee  I'll just add that in 1990 when we passed PIPEDA, Canada was the forefront of privacy legislation. We moved the needle across the globe and in a lot of ways the GDPR is the next step of our initial legislation. It's just that we went to sleep on this for 20 years, so it's time.

Information & Ethics committee  I think we can have the policies in place to protect the consumer if their information is not destroyed properly, but I don't think you can protect people from bad actors who aren't handling the information properly. There's going to be those people out there. The question is, wh

Information & Ethics committee  I don't think it's significantly different from content that's sitting on a server in my office or in your office or here. The information is the information, where it resides I don't think makes that much difference.

Information & Ethics committee  Sure, I can be general on that. There are steps that good businesses take to protect the information of their customers and their employees, for example document destruction, shredding the paper documents that are in there, and dealing with their old electronic devices, their s

Information & Ethics committee  I just say good luck.

Information & Ethics committee  I think Canada has to make choices as to what will work for Canada. We don't have to take the United States model. I don't think that's necessary.

Information & Ethics committee  Or the GDPR model. We have different cohorts, different regulations and rules. We can set our own, but it should be meaningful and it should have enough teeth to make sure people comply with it. You can tier it, you can do all sorts of things there. It can be an absolutely “made

Information & Ethics committee  In lots of industries it's not subjective at all. Certainly, CRA has rules with regard to how long you're keeping.... Financial institutions, the doctors, the lawyers, all have governing bodies that assist them in developing document-retention policies. There's a reasonableness t

Information & Ethics committee  Sure. In our written submission, we listed several penalties. I don't think anybody wants to see penalties be punitive for a small business that has made a mistake, but when you have instances of systematic or egregious breaches, the penalties have to be significant enough to h

Information & Ethics committee  I'm not an expert on that part of it, for sure. With regard to youth, I think you need to have more than just consent. I think you have to have protection before consent. You have to have the mechanisms to protect people before saying, “Click here to agree with our sharing your i

Information & Ethics committee  That would not be my area of expertise, for sure. Our thought is that when the information is no longer needed, it should be destroyed regardless of how old the person is. When the purpose for which you've collected that information is no longer valid, you should have no need to