GOVERNMENT RESPONSE TO THE FOURTH REPORT OF THE STANDING COMMITTEE ON ACCESS TO INFORMATION, PRIVACY AND ETHICS
Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)
Detailed Responses to the Recommendations
In May 2007, the Standing Committee on Access to Information, Privacy and Ethics (“the Committee”) concluded its review of the Personal Information Protection and Electronic Documents Act (“PIPEDA”), pursuant to section 29 of the Act. During the process of the review, the Committee heard from 67 witnesses and considered 34 submissions from individual Canadians and Canadian organizations. In its Report, the Committee presented 25 recommendations to the government, addressing key issues raised during the review. The government has taken full account of the Committee’s Report and its recommendations, as well as the full range of opinion presented as part of the Parliamentary Review, in considering what actions might be taken in relation to the Act and its implementation.
The Report of the Parliamentary Committee, consistent with the submissions it received, has underlined the critical importance of an effective legal framework for the protection of personal information in Canada. As the Committee points out, privacy represents a fundamental value for Canadians, and the management and use of personal data is crucial to the conduct of business, trade and commerce in a modern, information-driven global economy.
Moreover, the importance of privacy protection has dramatically increased in recent years with the emergence of the Internet and online commerce. As of 2005, 68% of Canadians use the Internet, and more than 82% of Canadian businesses are now online. According to Statistics Canada, the total value of online commerce in Canada in 2006 was $49.9 billion. These developments have thus greatly enlarged the capacity to collect, transfer, and process large quantities of personal information, creating new challenges for both industry and governments. Consequently, more than ever before, consumers and businesses can benefit from clear and effective safeguards for protecting and securing personal data, especially in relation to online business and electronic commerce.
Canada has responded well to these challenges. Internationally, Canada’s privacy regime is recognized as one of the best in the world. In 2001, the European Commission recognized PIPEDA as providing “adequate” privacy protections for the purposes of the EU Data Protection Directive, thereby allowing the personal information of Europeans to enter into Canada without restrictions. In a 2006 study by Privacy International, a privacy advocacy group located in Great Britain, Canada’s privacy regime was ranked second only to Germany in a survey of 37 countries. In particular, PIPEDA, alongside related federal and provincial legislation, has achieved an appropriate balance between privacy protection and the efficient management and use of information in a business environment.
We agree with the Committee that radical changes to the legislation are not warranted at this time, especially in light of the relatively short period of time the Act has been fully in force. The government further agrees with the Committee on the need and value of “fine tuning” the legislation and its implementation in a manner that strengthens the overall effectiveness of privacy protection in Canada. In this respect, the Committee’s proposals for selective legislative changes and other actions are extremely helpful. In particular, the government commends those recommendations that are especially designed to:
- improve clarity and certainty with respect to key definitions and provisions in the Act;
- increase education and awareness of privacy protection measures among individual Canadians and organizations, especially small businesses; and
- maintain a flexible, “light-handed” approach to privacy regulation and oversight.
The government is committed to protecting the privacy of Canadians and, in concert with other interested parties, will take whatever steps are necessary to ensure Canada’s laws and policies are meeting the highest possible standard of privacy protection. To this end, the government has reviewed the Committee’s general findings and each individual recommendation of the Committee, noting below those which it believes merit priority attention in future work.
RESPONSE TO RECOMMENDATIONS
The following section addresses each of the Committee’s recommendations individually, pointing to where the government agrees with the Committee’s conclusions either in whole or in part, and to those issues where further work or consultation is required.
Business Contact Information
“The Committee recommends that a definition of ‘business contact information’ be added to PIPEDA, and that the definition and relevant restrictive provision found in the Alberta Personal Information Protection Act be considered for this purpose.”
This recommendation reflects the widespread view expressed to the Committee that the current approach to “business contact information” in PIPEDA is too narrow and is, therefore, inadequate in meeting the requirements for business communications in the information age. The government agrees that an amended definition of “business contact information”, which is inclusive of business email and fax numbers, and which is sufficiently broad to account for changes in communications technologies, could provide more certainty about the business use of this type of data without detracting from the protections given to other types of personal information.
In this regard, the government will explore ways in which the protections established in the Alberta Personal Information Protection Act for business contact information can be incorporated into PIPEDA in such a way as to ensure that business contact information is excluded only if collected, used or disclosed for the purposes of contacting an individual in their business capacity.
Work Product Information
“The Committee recommends that PIPEDA be amended to include a definition of ‘work product’ that is explicitly recognized as not constituting personal information for the purposes of the Act. In formulating this definition, reference should be made to the definition of ‘work product information’ in the British Columbia Personal Information Protection Act, the definition proposed to this Committee by IMS Canada, and the approach taken to professional information in Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector.”
The government recognizes that the issue of work product information is of great significance to a number of stakeholders. In its Report, the Committee has acknowledged the call from private sector interests to provide more clarity and certainty to PIPEDA in this area in order to facilitate business planning and to assist them in their efforts to comply with the Act.
At the same time, the government must consider the concerns expressed by the Privacy Commissioner and others regarding the risk of any unintended negative consequences to privacy that may result from an exemption of work product information.
In keeping with the general approach of PIPEDA, it is important to balance the need for a business-friendly privacy regime with the need for maintaining the existing level of privacy protection currently provided by the Act. In light of this, the government will commit to consult further and consider how organizational needs respecting collection, use, and disclosure of work product information can be accommodated in a manner that poses the least degree of risk to privacy protection.
As proposed by the Committee, consideration will be given to various approaches, including those proposed in submissions to the Committee and those contained in provincial privacy laws.
Destruction of Data
“The Committee recommends that a definition of ‘destruction’ that would provide guidance to organizations on how to properly destroy both paper records and electronic media be added to PIPEDA.”
The government notes the Committee’s recommendation to include a definition of “destruction” in PIPEDA. Recognizing a need for greater clarity in this area, a variety of provisions already exist within PIPEDA that provide direction pertaining to the destruction of personal information.
Consequently, it may be sufficient to develop non-legislative guidance to further assist organizations in disposing of personal information in accordance with PIPEDA’s existing requirements. The government will work with the private sector and with other stakeholders to develop tools that can provide organizations with further clarity in this area.
Consent: General Principles
“The Committee recommends that PIPEDA be amended to clarify the form and adequacy of consent required by it, distinguishing between express, implied and deemed/opt-out consent. Reference should be made in this regard to the Alberta and British Columbia Personal Information Protection Acts.”
The Government of Canada fully acknowledges the importance of meaningful consent to effective privacy protection. To this end, PIPEDA establishes a flexible legislative approach that takes into account the divergent needs and practices of the many organizations it captures.
In accordance with her mandate to develop information products to educate the public on the Act and its purposes, the Privacy Commissioner of Canada has produced guidance material that aims to assist organizations in better understanding and implementing PIPEDA’s consent requirements.
To supplement these valuable tools, the government commits to consulting with stakeholders to identify possible areas where further guidance may be necessary, and develop tools in this respect. The government would welcome the participation of the Privacy Commissioner of Canada and her provincial counterparts in these and similar efforts.
Consent: Employee/Employer Relationship
“The Committee recommends that the Quebec, Alberta and British Columbia private sector data protection legislation be considered for the purposes of developing and incorporating into PIPEDA an amendment to address the unique context experienced by federally regulated employers and employees.”
The government agrees with the Committee’s recommendation and with a number of stakeholders, including the Privacy Commissioner of Canada, regarding the need to better account for the unique circumstances regarding consent in employee/employer relationships.
In studying privacy protection for employees of federally regulated organizations, consideration should be given to the provisions in the laws of Quebec, British Columbia and Alberta, as well as the recommendations of the Privacy Commissioner, to ensure that the privacy rights of employees continue to be protected under PIPEDA.
“The Committee recommends that PIPEDA be amended to replace the ‘investigative bodies’ designation process with a definition of ‘investigation’ similar to that found in the Alberta and British Columbia Personal Information Protection Acts thereby allowing for the collection, use and disclosure of personal information without consent for that purpose.”
The government recognizes that the current process for designating investigative bodies has proven to be lengthy and cumbersome for applicants who need this designation under the Act to conduct investigations. The government also agrees with the Committee that the lack of consistency in s. 7 of PIPEDA with respect to exemptions for collection, use and disclosure of personal information is a source of frustration for some organizations in their efforts to detect and prevent fraud, particularly within the financial sector. However, consideration must also be given to the support expressed by the Privacy Commissioner and privacy advocates for the transparency of the current process, which provides for a public listing of designated organizations.
However, further consideration is required on the best alternative to the current process of designation. The government agrees that there is merit in examining the approaches taken by Alberta and British Columbia, which define the term “investigation” and allows collection, use and disclosure without consent for that purpose. In addition to making the process more efficient, and in accordance with the Government of Canada’s Paperwork Burden Reduction Initiative, this approach would allow greater harmonization with the provinces. Therefore, the government will give further consideration the issue of how best to streamline the Act’s provisions in respect of private sector investigative activity.
“The Committee recommends that PIPEDA be amended to include a provision permitting organizations to collect, use and disclose personal information without consent, for the purposes of a business transaction. This amendment should be modelled on the Alberta Personal Information Protection Act in conjunction with enhancements recommended by the Privacy Commissioner of Canada.”
The government agrees with the recommendation, which reflects a general consensus among those who appeared before the Committee that PIPEDA should be modified to allow organizations to collect, use and disclose personal information as necessary for the conduct of business transactions, such as mergers and acquisitions.
The Alberta and British Columbia Personal Information Protection Acts provide models that can be drawn upon to accommodate the information needs of organizations engaged in business transactions while ensuring that individuals’ personal information continues to be protected.
“The Committee recommends that an amendment to PIPEDA be considered to address the issue of principal-agent relationships. Reference to section 12(2) of the British Columbia Personal Information Protection Act should be made with respect to such an amendment.”
Recognizing the Committee’s observation that there may be confusion regarding the application of PIPEDA to situations where organizations engage third parties for activities that involve the collection, use and disclosure of personal information, the government proposes education and guidance as an alternative to legislative amendments. Therefore, the government will work with the Privacy Commissioner and other stakeholders to develop tools to provide further clarity on this matter.
Litigation Process / Legal Proceedings
“The Committee recommends that PIPEDA be amended to create an exception to the consent requirement for information legally available to a party to a legal proceeding, in a manner similar to the provisions of the Alberta and British Columbia Personal Information Protection Acts.”
The government notes the Committee’s recommendation and acknowledges that it was made in response to concerns expressed by certain stakeholders regarding the need to ensure that PIPEDA does not impede litigation procedures. However, the government does not share the Committee’s view that such an amendment is necessary at this time.
“The Committee recommends that the government consult with the Privacy Commissioner of Canada with respect to determining whether there is a need for further amendments to PIPEDA to address the issue of witness statements and the rights of persons whose personal information is contained therein.”
The government agrees with the Committee’s recommendation to consult with the Privacy Commissioner, the legal community, as well as other relevant stakeholders, to determine whether an amendment to PIPEDA is needed to address issues of witness statements.
Individual, Family and Public Interest Exceptions
“The Committee recommends that PIPEDA be amended to add other individual, family or public interest exemptions in order to harmonize its approach with that taken by the Quebec, Alberta and British Columbia private sector data protection Acts.”
The government agrees with the Committee’s view that certain limited exceptions to PIPEDA’s consent requirements may be warranted in order to address the concerns expressed by stakeholders regarding the disclosure of personal information in cases of natural disasters, elder abuse and other similar circumstances. However, in the interest of maintaining strong privacy protection, any amendment to PIPEDA should be narrowly defined to ensure that it will be used only for the intended purposes.
In considering options, the government will study the approaches taken in the Alberta and British Columbia Personal Information Protection Acts, as well as Quebec’s legislation, An Act Respecting the Protection of Personal Information in the Private Sector.
Law Enforcement / National Security Interests
Recommendation 12 contains two related, but distinct, proposals for legislative amendment. The first pertains to the definition of lawful authority, and the second pertains to s. 7(3) and its exceptions from consent for disclosures of personal information.
“The Committee recommends that consideration be given to clarifying what is meant by ‘lawful authority’ in section 7(3)(c.1) of PIPEDA[.]”
The government considers the safety and security of Canadian citizens to be of utmost importance. In meeting this objective, it firmly believes that the information needs of law enforcement and security agencies can be met while respecting the right of privacy of Canadians.
The government wishes to confirm that the purpose of s. 7(3)(c.1) is to allow organizations to collaborate with law enforcement and national security agencies without a subpoena, warrant or court order. Organizations who share information with government institutions, including law enforcement and national security agencies, in accordance with the requirements of this provision, are doing so in compliance with PIPEDA.
The government acknowledges the concerns expressed by those engaged in protecting the safety of Canadians, regarding the current interpretation of s. 7(3)(c.1) by the certain private sector organizations, and the challenges that this has at times caused to the investigation and prevention of criminal activity in Canada.
The government therefore agrees with the Committee that there is a need to clarify the concept of “lawful authority” for the purposes of s.7(3)(c.1) of the Act.
“[The Committee recommends that] the opening paragraph of section 7(3) be amended to read as follows: ‘For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization shall disclose personal information without the knowledge or consent of the individual but only if the disclosure is [...]’”
As noted above, a clearer definition and understanding of what constitutes “lawful authority” would address the current ambiguity regarding organizations’ right under PIPEDA to disclose personal information for the purpose of law enforcement or national security. The proposal to include in PIPEDA a further provision designed to require organizations to disclose personal information would be difficult to implement, given that the purpose of PIPEDA is not well-suited to such a requirement. For this reason, the government does not propose to implement this aspect of the Committee’s recommendation.
Definition of “Government Institution”
“The committee recommends that the term ‘government institution’ in sections 7(3)(c.1) and (d) be clarified in PIPEDA to specify whether it is intended to encompass municipal, provincial, territorial, federal and non-Canadian entities.”
The government recognizes the benefits of providing clarity on the term “government institutions” and notes that a provision already exists in PIPEDA to grant the Governor-in-Council the power to make regulations in relation to such matters. As such, it would be possible to define “government institution” in the Act through regulation.
Industry Canada will examine the possibility of proceeding with a regulation that will further define the term “government institution” for the purposes of the Act.
“The Committee recommends the removal of section 7(1)(e) from PIPEDA.”
The Government of Canada notes the recommendation of PIPEDA arising from the Public Safety Act, 2002 (s.7(1e)), and acknowledges the concerns expressed by the Privacy Commissioner and others respecting the potential impact of this provision on the privacy of Canadians. However, given the important public safety interests it is designed to address, the government is not prepared to remove s. 7(1)(e) from PIPEDA at this time.
Personal Information of Minors
“The Committee recommends that the government examine the issue of consent by minors with respect to the collection, use and disclosure of their personal information in a commercial context with a view to amendments to PIPEDA in this regard.”
The government recognizes that the privacy of minors can be vulnerable, particularly in an online environment. In support of the Committee’s recommendation, the government will consult with relevant stakeholders to examine the issue of consent by minors, and to consider the necessity and feasibility of amending PIPEDA in this respect.
Transborder Data Flows
“The Committee recommends that no amendments be made to PIPEDA with respect to transborder flows of personal information.”
While the government agrees with the Committee’s recommendation that legislative amendments are not necessary, it is also important to recognize the privacy concerns raised by transborder data flows and the importance of addressing these challenges through international cooperation. As such, the government has long been committed to working with its international counterparts on these matters, and continues to do so. For example, Canada was involved in the conception of the Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted in 1980. More recently, Canada participated in the development of the Asia-Pacific Economic Cooperation (APEC) Privacy Framework and continues to be actively engaged in cooperative efforts to develop cross-border privacy rules in compliance with the Framework. Finally, the government is currently working with Mexico and the United States to address issues of transborder data flows in a North American context through the Security and Prosperity Partnership (SPP).
Personal Health Information
“The Committee recommends that the government consult with members of the health care sector, as well as the Privacy Commissioner of Canada, to determine the extent to which elements contained in the PIPEDA Awareness Raising Tools document may be set out in legislative form.”
The government welcomes the support expressed by the health care community and other stakeholders for the PIPEDA Awareness Raising Tools (PARTs) document. In concurrence with the Committee’s recommendation, Industry Canada will work with Health Canada, the Privacy Commissioner of Canada, the health care community, as well as provincial and territorial governments to discuss the possible options for according the PARTs document more formal status.
“The Committee recommends that the Federal Privacy Commissioner not be granted order-making powers at this time.”
The government agrees that the Privacy Commissioner should not be granted order-making powers at this time. This position is supported by the general view expressed throughout oral and written submissions to the Committee that PIPEDA is working quite well. In addition, the relatively short time for which the Act has been in existence warrants a cautionary approach to making significant amendments to the enforcement powers of the Privacy Commissioner. Rather, the Commissioner should be given additional time to make full use of the enforcement powers that are currently at her disposal.
“The Committee recommends that no amendment be made to section 20(2) of PIPEDA with respect to the Privacy Commissioner’s discretionary power to publicly name organizations in the public interest.”
The government agrees with the Committee’s recommendation that no legislative change is required in this regard. The Privacy Commissioner currently possesses the ability under PIPEDA to publicly name organizations that are subject to complaints, and should retain the discretion to determine when it is in the public interest to use this power.
Sharing Information with Other Data Authorities
Recommendations 20 and 21
“The Committee recommends that the Federal Privacy Commissioner be granted the authority under PIPEDA to share personal information and cooperate in investigations of mutual interest with provincial counterparts that do not have substantially similar private sector legislation, as well as international data protection authorities.”
“The Committee recommends that any extra-jurisdictional information sharing, particularly to the United States, be adequately protected from disclosure to a foreign court or other government authority for purposes other than those for which it was shared.”
Response (to Recommendations 20 and 21)
The government agrees with the need for the Privacy Commissioner to cooperate in multi-jurisdictional investigations. The global nature of the modern economy requires that the Privacy Commissioner be able to work with other authorities responsible for the protection of personal information, both in Canada and abroad, in order to fulfill her mandate under PIPEDA.
It further agrees that the Privacy Commissioner’s current power to share information with her counterparts is too limited and therefore constrains her ability to work effectively in this manner. However, any agreements to share information with foreign authorities should include appropriate constraints to stipulate that information only be used in fulfilment of the purposes for which it is shared. This Committee recommendation is directly related to ongoing work within the Organisation for Economic Co-operation and Development (OECD), the Asia-Pacific Economic Cooperation (APEC) and the Security and Prosperity Partnership (SPP) directed at improving cross-border enforcement of privacy rules. The federal government and the Privacy Commissioner of Canada are both actively involved in these initiatives.
“The Committee recommends that PIPEDA be amended to permit the Privacy Commissioner to apply to the Federal Court for an expedited review of a claim of solicitor-client privilege in respect of the denial of access to personal information (s.9(3)(a)) where the Commissioner has sought, and been denied, production of the information in the course of an investigation.”
The government acknowledges the Committee’s recommendation in respect of the ability of the Privacy Commissioner of Canada to verify claims of solicitor-client privilege. The government also notes that in October 2006, the Federal Court of Appeal ruled on this matter in Blood Tribe Department of Health v. the Privacy Commissioner of Canada. Given that in March 2007, the Privacy Commissioner was granted leave to appeal before the Supreme Court of Canada, the government would submit that any legislative action to address the issue of solicitor-client privilege would be inappropriate at this time and that it will await the decision of the Supreme Court on the matter.
Data Breach Notification
Recommendations 23, 24 and 25
“The Committee recommends that PIPEDA be amended to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the Privacy Commissioner.”
The government recognizes that identity theft is a significant and growing problem and that the increasing frequency of large data breaches involving personal information is a contributing factor. It is also recognized that the majority of businesses act in good faith, and notify those affected in the event of breaches as a matter of course. Some, however, do not. In this light, the government agrees with the Committee that a legislative requirement for notification of data breaches would establish a consistent approach across the marketplace and encourage all organizations to take the security of personal information seriously.
As the Committee’s Report acknowledges, public notification of data breaches is a complex issue with significant implications for organizations and individuals. There is a general recognition of the need in certain circumstances for notification to individuals or organizations who are impacted by a breach so that they can take steps to mitigate their risk of harm. However, as many breaches pose no real threat to the personal information of individuals, a requirement for public notification in all cases would be burdensome and costly to organizations and might even diminish its value to the public (through notification “fatigue”). Therefore, in the case of certain defined breaches, where a high risk of significant harm to individuals or organizations exists, the government supports a legislative requirement for the prompt notification of those affected by the loss or theft of personal information.
In addition, as the Committee recommends, a requirement to report any major loss or theft of personal information to the Privacy Commissioner of Canada within a specified time-frame, including the details of the incident and steps taken by the organization to notify individuals (or justification for not doing so), would allow for oversight of organizational practices. This will allow the Privacy Commissioner an opportunity to track the volume and nature of breaches, and the steps taken by organizations respecting the notification process when required. This would be particularly useful to small and medium-size enterprises (SMEs) that may lack the internal resources necessary to make notification assessments.
“The Committee recommends that upon being notified of a breach of an organization’s personal information holdings, the Privacy Commissioner shall make a determination as to whether or not affected individuals and others should be notified and if so, in what manner.”
The decision as to whether or not individual notification is required in the event of a breach must be based on an analysis of the level of risk of harm on a case-by-case basis. Assuming appropriate oversight by the Privacy Commissioner of Canada, the organization experiencing the breach is well positioned to understand and assess the risks involved and to make a prompt determination regarding whether and how to proceed with notification of their customers, business partners, and/or the general public. Assigning the Privacy Commissioner the responsibility to decide on notification, as proposed by the Committee, would be a less effective alternative, as well as more burdensome for that Office from a resource perspective.
“The Committee recommends that in determining the specifics of an appropriate notification model, consideration should be given to questions of timing, manner of notification, penalties for failure to notify, and the need for a ‘without consent’ power to notify credit bureaus in order to help protect consumers from identity theft and fraud.”
The government recognizes that the determination of the specifics of the model, including “triggers” and “thresholds” for notification (to both the Privacy Commissioner and affected individuals) will be a critical element in the breach notification provision. Research, analysis and consultation will be required to arrive at the best model for Canada.
An important part of consultations will pertain to specifics for the purpose of developing effective and practical notification parameters as well as for the purpose of determining whether specific offences are appropriate. The issues considered will include the timing, form, content and mode of notification to individuals, and in addition, identification of which organizations, such as credit bureaus, should be notified in addition to the Privacy Commissioner. Clearly defined, industry-wide guidelines and standards would be particularly useful to SMEs that may lack the internal resources necessary to make notification assessments.
CONCLUSIONS AND NEXT STEPS
In a modern, information-based economy, a solid, efficient regime for the protection of personal information is vitally important for both consumers and businesses. For this reason, the government is committed to ensuring that Canadians continue to benefit from one of the highest standards of privacy protection in the world. It further recognizes the valuable role of PIPEDA in meeting this objective, and the importance of fine-tuning the Act where necessary.
The ETHI Report underlines the complexity and sensitivity surrounding many of the issues that relate to Canada’s laws and policies for the protection of personal information. The government appreciates the efforts of the Committee in developing proposals for consideration which will significantly advance the goal of improving the legislation and its implementation. While stating its position on many of the ETHI recommendations, the government believes further work and consultation is needed in several critical areas before a full range of legislative and policy proposals can be presented for parliamentary consideration.
In moving forward, the government intends to conduct further consultations to ensure that any changes to PIPEDA and its implementation are the most effective possible. The government will consult with the Canadian public, other government departments and agencies, as well as provincial and territorial governments, and will take special note of the views of the federal Privacy Commissioner.
Further consultations will help establish a consensus with respect to issues where disagreement exists. In areas where a general consensus exists, consultations can help determine how they could be most effectively implemented. This process will also provide a final opportunity to raise any issues not reflected in the Committee’s Report, and seek to address concerns expressed by law enforcement and national security agencies with respect to provisions in PIPEDA designed to protect their investigations.
Lastly, the public consultations will allow provincial and territorial governments to provide input into the review process, as changes to PIPEDA will have implications for the protection of privacy in all provinces and territories.
On the basis of the views received, the government will return to Parliament in the near future with specific proposals for both legislative and non-legislative action.