:
Colleagues, we're here with regard to our order of the day, Privacy Act reform.
We do have a couple of witnesses today, but before we commence with the witnesses--we still have a couple of colleagues who have yet to come--it's been raised with me about the witnesses we have had.
As you know, when we started this process we wanted to consult with the Privacy Commissioner about what was possible for us to do in the timeframe leading up to the summer break. As a consequence of our realizing it was going to take three months or more to do the full review of the Privacy Act, we came to the conclusion that we would be better advised to use our time to look for the quick fix, the band-aid approach.
As a consequence, the commissioner provided us with ten suggestions--an excellent paper--to give us a start. We have been providing witnesses with that document, and asking them to provide us their input on the quick fixes or the band-aids that have been identified by the commissioner, as well as any other suggestions they may have.
The remaining witnesses that we've committed to are the justice department officials, the minister and officials; that will be a full meeting. We also have the bar association and the commissioner herself. Those are two meetings, and we are required to discharge those. For the rest of the period now, we have six meetings in total. I think I talked to Mr. Tilson about this earlier, that there were another four meetings in which we would hear witnesses. That would bring us, hopefully, to the end of the witness phase.
Then, during the summer break, the plan I had discussed with our research assistants and the clerk was that we would then provide a summary of the proposed band-aid solutions for consideration, a summary of the evidence on each of those items by the witnesses, and any other items that came up and were suggested, by whom, and the argument there. So you would basically have that summary of evidence document, which would be distributed to us and available to us so that when we return from the summer break we will be in a position to start to assess and discuss those.
When we started the commissioner provided us with a list of witnesses, which in the first instance were to review the entire act. This is a much broader list; there's quite a large number of them. Most of them were before the committee with regard to its PIPEDA review.
Our researcher had also provided us with a list of witnesses, not on the band-aid approach, but rather on the full review. Some of these we have, in fact, heard. We have also received from Mr. Hiebert a list of another dozen or so witnesses for consideration. I have no more witnesses other than the ones that have now been submitted by Mr. Hiebert. I don't think we're going to be able to accommodate them all in the four meetings.
It's nice to have a list of the possibilities here, but I think we have to have a little bit of an assessment of where the gaps are that we need to fill in: the other side of the story; new items; new input; and where can we get this thing rounded off and have a good balance of argument, not only on the band-aid issues, but also on any other suggestions that people may have.
I'm going to seek some assistance from Mr. Hiebert or the Conservative members on prioritizing or rationalizing if we are going to fill the four meetings with people from this list--the approach. If we want to deal with them all we can have panels. That will reduce their time, but in fairness to witnesses coming in we want to be sure they have ample time to do their work. Some may be better.
That is the game plan. Then when we come back we can review all the recommendations and the input from the various witnesses. We can then do our diligence in making a critical assessment of which items we feel are most appropriate and why; which ones at this time should be stayed or tabled for future consideration, for whatever reasons; which ones will start to give us the skeleton we need to do a report. That is where I'm looking right now.
I'd like to hear from Mr. Tilson, Mr. Wallace, and Mr. Van Kesteren.
:
You've pretty well covered the issues I was interested in. I'm not privy to the different list you have, and I question whether or not the subcommittee or the overall committee should be privy to that. So far, with the exception of the police officer, everybody has pretty well agreed generally with the commissioner's recommendations.
Someone out there must have some opposing opinions. Everybody has opposing opinions on everything. Without looking at the overall list, I don't know who that would be. I'm interested in the possibility--maybe the clerk and Ms. Holmes can make some comments--of having groups, as opposed to one person. We have two hours in a day, so you could have groups for either the full two hours, or two different groups, depending on who they are.
One of my observations is that several witnesses have come here, with due respect, who didn't seem to be prepared. They didn't seem to know why they were here. They had no comments about anything. They said “Here we are. Fire away with questions.” That's okay, but normally people come with some observations. They've looked at the recommendations. I'm just throwing that out to the clerk for the future. Maybe they were briefed--or maybe they weren't--but I hope in the future, groups will come and tell us what they agree with, what they don't agree with, and give us their own observations. If they had something in writing it might be useful for committee members as well.
So my observation is that several witnesses--not all--came here unprepared. I'm sure the group here today will be very well prepared, absolutely.
I don't know who's on your list, but one name I have is Dr. Ann Cavoukian, the Information and Privacy Commissioner of Ontario. I know she's respected across the country as a privacy and information commissioner. If she's on your list and coming, that's fine; if she isn't, I hope we will consider her.
There's a group that Madam Lavallée might remember. I don't remember what it was called. It was a newspaper guild. Does anyone remember them? They were mainly an information group, but they might have some observations on privacy. They represented the newspaper people across the country.
Those are the only names, and they may well be on your list. I doubt if the newspaper people are, but hopefully Dr. Cavoukian is.
:
The commissioner's list to us was circulated to the members. It came in a package to us. They are experts, most of whom were involved in PIPEDA as well, but there were some others.
The second list was from the researchers. It was also circulated to all members on April 4, and included provincial privacy commissioners for B.C., Saskatchewan, Quebec, Ontario, and New Brunswick as possibilities, because you don't know about availabilities. There were 17 there, plus we have 14 here. I haven't checked to see whether there's any duplication here.
The important thing for us to do--and I want to hear from the other members--is to try to fill in where we feel it's necessary. I don't think I want to have everybody, just because they're on a list. Members should make recommendations based on need and propose them to the committee. We want to use that time wisely. I don't know the people, where they might be able to fit in, and some of the other concerns. Maybe we'll hear that from the other members.
Let's hear from Mr. Wallace, and then Mr. Van Kesteren.
Likely, most of the names you got from our parliamentary secretary came from me. I don't mind having them lumped together on a panel. I do take a little bit of exception. The Privacy Commissioner provided us a list of quick fixes, but we haven't looked at this for 25 years, as parliamentarians. I think we thought it was sort of an easy way to look at these ones first. It doesn't preclude us from looking at deeper things.
My thinking was that most of these fixes are for government agencies and government organizations that relate to the Privacy Act and are not necessarily third parties. But there are a number of third parties that deal with government that I'd like to hear from. For example, I had on the list the Canadian Association of Chiefs of Police; the RCMP, which we had heard from; and the Canadian Resource Centre for Victims of Crime. Those are the kinds of things.... I'm not sure what government information they have and whether the Privacy Act would affect their ability to do their work, or help them do their work.
There are two other areas I'm interested in. We have a heavily regulated banking industry in this country. Maybe that's coming from my finance committee. I'm not sure. We could hear from anyone in the banking insurance area--there doesn't have to be one meeting for each--to make sure that I have an understanding of whether what we're doing here for privacy has any effect on that industry and the private sector. It could be a panel group. Unless we invite them, we don't know whether they'll even come or not. Right? They could say “Look, it doesn't affect us, and we're not interested”, which is fair.
I had a few others, but the other group I'm particularly interested in is the Canadian Medical Association on medical records and anything to do with personal information that has to do with people's.... Hospitals aren't private sector and they're not public sector. The medical field is a little quasi.... I'm not sure exactly how you'd phrase that.
Those are the three areas, Mr. Chair, I'd be interested in. I may not have all the answers in terms of who those guests might be. Other lists may produce other, better guests, but the medical area, the banking and financial institutions area, and the crime and criminal side are the three I think we should try to see before we make any decisions.
And of course we haven't debated this as a group. We may agree or disagree with the quick-fix recommendations, as she calls them, or we may say this is obviously a bigger project than we thought, and we do need to take more time to do it properly. I just put that out for the record.
Thank you.
The group I want to specifically speak to would be the prison guards, correctional services.
I find that most of the recommendations are sound. I think we've had some good witnesses who have presented their cases. But I'm concerned about some of the flaws in the system now. And although we can improve on this act--and as Mr. Flaherty pointed out last week, there definitely is some room for improvement--there is also room for improvement of some of the flaws. It appears that is a very serious flaw.
I would like to know, too--and I don't know if we've studied that or asked enough questions--whether or not there are other flaws in the system. But that seems to be a glaring error, or there has to be something there so we avoid having this happen if we make amendments to the act. I want to know what, first of all, is going on. I really want to uncover that. We probably could devote one of the meetings just to the correctional services.
The other thing--and I mentioned his name too, and no disrespect to any of the witnesses--is that Mr. Flaherty was a wealth of information. And I wouldn't mind, once we compile this thing, if we want to look at him one more time. I don't know if we were finished. That particular day we went right to 5:30, and I think most of us had two hours of bombardment. That was the day you left. He pretty much socked it to us for two hours. There was mental fatigue, I think, more than anything else. And Mr. Tilson was the chair at the time and it was like, “Okay, we've heard enough for a while”, but I'm not sure if we heard everything we want to hear from Mr. Flaherty. I think his presentation was excellent. So those are the two I would suggest.
Most definitely we have to get to the bottom of the problem we're experiencing in the correctional services.
:
I agree. I just wanted to be sure, because we need to have some clarity here.
I've taken note of the input and that some of it really concerns PIPEDA more than the Privacy Act, but I think we have some direction. We're going to make some contacts. I think we've had some good input from members and nothing is going to preclude the committee from adding further witnesses to the extent they're needed to do the job properly. There's no time limit or deadline for this project, but we do want to make each and every meeting a constructive one that will add to our knowledge. So that will be our objective. I've taken the input from the members, and we will do our very best to make sure that we have good quality witnesses before you.
The Minister of Justice and the officials are coming the week of the 27th, so these witnesses will not appear until June. We'll come back to you when we return, just to update you on what we've found available and have booked tentatively—to make sure everybody's comfortable.
Is that all right? Terrific.
[Translation]
Mr. Comeau, I'm sorry.
[English]
We're going to split the time equally between you and our subsequent witness. I want to be sure that you get all of the time you need. I thought this was also important for you to hear, because we have a little bit of experience with some witnesses who have tended to try to cover the whole Privacy Act with a general approach. At this point, I think we understand that we cannot do a full or comprehensive review of the Privacy Act. But the commissioner felt that it would be helpful if certain urgent matters that required remediation were considered, either a so-called band-aid solution or a quick fix to hold us over until the appropriate time could be dedicated to doing a full review of the Privacy Act—which, as you know, has gone 25 years without changes. Obviously, there's a great deal to do.
I'm not sure, but have you seen the list from the commissioner? You have. So you're generally familiar with the ballpark.
You have also provided us with your opening comments. Don't feel obligated to read all of them to us if you don't want to. If you want to just focus or target or highlight some points, that would be fine, or whatever you wish. But I'm going to invite you now to make your opening comments to the committee. The best and most productive part of the meeting, though, is the questions and the comments, so we want to move to those as quickly as we can.
Thank you. Please proceed.
:
Mr. Chairman, ladies and gentlemen members, thank you for your invitation. I am pleased to be here with you. For 10 years, I was used to appearing before the committees of the National Assembly. I've only been here once; so it's with some apprehension that I've come back. I won't read all my remarks, but I would simply like to make a twofold admission at the outset: I am a member of the Privacy Commissioner's external advisory committee, and I also wrote a study for the Commissioner on oversight agencies in the countries of La Francophonie. So I would like to avoid any idea of conflict of interest.
I would also like to say that I am not a theoretician. I will be addressing your topic from the viewpoint of a practitioner, which is what I was for 10 years during my term as chair of Quebec's access to information commission, which is concerned with both access to information and privacy.
I would like to draw your attention to three aspects, which are moreover quite directly related to the 10 proposals submitted by Commissioner Stoddart. The first is the reaffirmation of the fact that, with respect to your work, this is a study of a fundamental right, a right that is reaffirmed by the Constitution, or virtually so, by members of Parliament, the Supreme Court and doctrine on the subject. The consequence is very clear: with respect to a fundamental right, there cannot be two standards, one for the private sector, the other for the public sector. Citizens are entitled to the same respect for that fundamental right, regardless of which side of the fence they are on. That is why I have a practical suggestion to make on the subject, which is that you cheat the classic ombudsman model and, in certain areas, confer decision-making powers, concrete powers on the Commissioner to meet needs and to join the universal trend in this matter. If you have any questions on that, I can answer them.
My second point is the exemplary role that government must play in the implementation and respect of a fundamental right. In my view, it's unthinkable that government shouldn't have the same obligations and not be subject to the same restrictions as the private sector. And yet that's currently the case, when you take a close look at the two statutes, that concerning the private sector and the other concerning the public sector. In that sense, I think some of the Commissioner's recommendations are entirely consistent with this rebalancing of the two acts governing the same right.
Third, I would also like to encourage you to take a look ahead of or outside the problem that has brought us here today. Very simply put, the work, research and solutions in the privacy field are now being developed in large part in Europe, not the United States. The United States had the lead in this field. They innovated. They launched the Privacy Act, which was used as a model around the world, but they are now distinctly lagging behind and out of sync with a certain number of countries.
I would suggest that the Canadian government take advantage of its ties with the European Union to ensure that the Privacy Commissioner is, in one way or another, associated with the work of what's called in the language of Brussels the Article 29 Working Party, which consists of all the European commissioners in the field and which is the centre of research, innovation and especially dialogue with the United States. The Europeans have problems with the United States regarding personal information transactions and have structured a dialogue that I think could be helpful to us and wouldn't result in Canada being isolated in its dialogue with the United States. There will be a Canada-European Union summit in Quebec City in October. I think that could be an item on the agenda: how to involve the Commissioner in the business of that group? This is currently the fundamental international group in the area of privacy, especially, in the consideration of the impact of new technologies and inventions being deployed virtually everywhere which may constitute a threat to privacy.
Those are the three points I would like to raise. I think I've summarized them clearly. In any case, my brief is here, if you wish to use it.
I am ready to dialogue with you and to answer your questions at your convenience.
Welcome, Mr. Comeau. I'm glad you're here.
You mentioned the obvious discrepancy between privacy in the private sector and privacy in the public sector. Those of us who worked on PIPEDA a year ago definitely get that; we understand the difficulties there.
But when it comes to certain public sector practices, we've had witnesses here—for instance, from the RCMP, or the Treasury Board—who think the act, as it exists, is fine. It could be retooled a bit, but basically it's okay to them. So when I asked them specifically, why is it that you would fight against legislative changes to this act, and I gave them something of an answer—is it because you're looking for more flexibility in the things you do—they said yes.
I would like you to comment on what you think are the reasons for the Treasury Board or the RCMP or others in the public sector having problems with changing this. Why are they hesitant about this change that the Privacy Commissioner has recommended?
:
You'll allow me to draw on my previous experience in the field. I think that public servants, government administrators, are the same everywhere, regardless of the type of government. An act such as this is clearly not a very pleasant thing that makes life easier. It confers rights solely on citizens, and it imposes obligations on them. That's already discouraging, especially when a framework is provided for those rights. I think you nevertheless have to be very realistic.
The Treasury Board Secretariat has already developed this entire technique and these privacy assessment forms, which are part of the directives. I would be very surprised to see those directives applied uniformly across government as a whole. If the privacy assessment becomes an obligation under the act, I think that avoids abuses and errors as well. When an administrative reform is launched, when you need personal information to administer that project, what do you do? You always go after computer engineers who have all the right answers in the world with regard to security, but, nine times out of 10, have no idea what privacy may be. That, at the outset, is where the problems start, and then it becomes extremely difficult to make corrections. When you've realized that there was a problem, it's extremely hard and costly to go back.
I'll give you an example of a Quebec company that, to make its computer system compliant with the Privacy Act, had to spend more money on the upgrade than the initial cost to build the system. You'll say that happened a few years ago.
The guides published by the Treasury Board Secretariat are extremely well done. I don't see why organizations like the Royal Canadian Mounted Police, CSIS and others wouldn't submit to that. It's something prudent and prevents abuses. That directive exists. I think that making it an act is a wise move.
I'll speed through this quickly. I apologize for not having submitted my remarks in advance, but I'm happy to distribute them now. Let me just go through this quickly.
My name is Michael Geist. As you heard, I'm a law professor at the University of Ottawa, where I hold the Canada Research Chair on Internet and E-Commerce Law. I'm also a syndicated columnist on law and technology issues for a number of papers, including the Toronto Star, Ottawa Citizen, and The Vancouver Sun. I served on the national task force on spam that was struck by the Minister of Industry in 2004. And like the prior witness, I currently sit on the Privacy Commissioner of Canada's expert advisory board. I am the editor of the Canadian Privacy Law Review, and last month I launched a website called iOptOut.ca, which has already been used by tens of thousands of Canadians to opt out of unwanted telemarketing.
I speak today in my own capacity or on my own behalf. I should note that my primary expertise is in technology and Internet law. For the most part, my focus on privacy has been on the private sector side, on PIPEDA and its effectiveness in light of a globalized Internet and emerging technologies. But I must say that since my appointment to the Privacy Commissioner's advisory board, both the importance and inadequacy of the Privacy Act have become glaringly clear. Those limitations have been a constant source of discussion, certainly among the commissioners and many of the task force's members.
As you may know, I'm very active in researching and speaking out on copyright-related matters. Last night I appeared before the parliamentary IP caucus, where we debated in part whether or not the Copyright Act was as outdated as some critics would claim. While a copyright bill appears imminent, it's noteworthy that since the release of the very first set of recommendations on reforming the Privacy Act in 1987, Canadian governments have passed two major bills reforming the Copyright Act, and multiple smaller bills. So if the Copyright Act is out of date, I think the Privacy Act is positively ancient by comparison.
In deference to the notion of drilling down, I want to focus on five primary areas of concern, and I'll pick up on the recommendations made by the Privacy Commissioner that I found to be most compelling.
First is the issue of education and the ability of the commissioner to respond. I think that part of the failure to engage in meaningful Privacy Act reform may be attributable to the lack of public awareness of the law and its importance. The Privacy Commissioner has played an important and, I have to say, increasingly innovative role in trying to raise awareness and educate the public about PIPEDA and broader privacy concerns. I think the Privacy Act deserves no less, in terms of the kind of educational role that we could have. Moreover, the notion of limiting reporting to an annual report I think clearly reflects a bygone era. We're in a 24-hour news cycle, and any restrictions on the ability to disseminate information, particularly information that might touch on the privacy of millions of Canadians, such that it remains out of the public eye until an annual report can be tabled, need to be reformed so there's power to disclose the information in a timely manner.
I'll also focus on the issue of strengthening protections. As this committee has already heard, I think there are few, if any, privacy experts out there who would argue that the current Privacy Act meets the standards of a modern privacy act. At a time when I think the government is expected to be a model role player in this, it is instead finding itself doing far less than the private sector.
You've heard of several areas for reform. I'll focus on just a couple. One is the issue of the limiting collection principle—this “necessity” provision that has been talked about. I think it's a hallmark of private sector privacy law. Government should similarly be subject to collecting only that information that's strictly necessary for its programs and activities. I think that could play a role in a range of issues--identity theft, for example, which has taken on a growing importance and a growing amount of concern within our communities. It's an issue where, if we limited the amount of information collected and disseminated, we could have a positive impact.
I'd also argue that Federal Court reform, which has been raised, is something that ought to be considered, broadening it to include complaints beyond refusal to provide information, and the power to award damages, which all weigh into the issue of order-making power here as well.
I believe that the commissioner ought to have order-making power. It may be that she currently feels that's not necessary. My position on PIPEDA reform is that the commissioner needs order-making power. It's my position in some ways to be consistent, and I think that order-making power is appropriate here as well—even if, at the moment, the Privacy Commissioner doesn't feel that power is necessary. I think it would be helpful.
The third issue is that around third-party disclosures. In this current globalized “flat world,” the Friedman term, data, as we all know, moves easily between jurisdictions. Governments at both the federal and provincial level will be, and are, increasingly outsourcing data for efficiency purposes and other means.
Our privacy law needs to keep pace. An accountability principle is essential that makes clear that with the collection of that data by government, the government then remains accountable, regardless of where that data may flow.
Moreover, I would agree with those who have recommended a formalized approach to transborder information sharing agreements. That is needed. While some of those agreements may already be in place on an informal basis, I think an approach similar to what we see in the European Union, with an adequacy standard, and making that more formalized, would be valuable.
The fourth issue, and one that has been raised, I believe, by this committee in the past, is the issue of security breach disclosure requirements. It's something that has become readily apparent as being necessary in the private sector world. As you well know, there is currently work under way to try to deal with that within the PIPEDA framework. I think a similar provision would be valuable within the Privacy Act as well. Indeed, one could make the argument that given the absence of strong security standards in the act, it's even more essential.
Finally, there is the issue of privacy impact assessments. Privacy, of course, touches us in many ways, and it's implicated in many pieces of legislation--sometimes where you least expect it. The Privacy Commissioner has regularly appeared before committees, but I think that leaving it to the point where it's already before a committee and having the privacy commissioner deal with it runs the risk of having privacy be little more than an afterthought within pieces of legislation. From my perspective, it's more important to ensure that there is some sort of impact assessment--frankly, before the legislation is even tabled.
To return to my concerns associated with copyright, this privacy commissioner, as well as several other provincial privacy commissioners, has already spoken out about the privacy impact of potential copyright reform. As legislation is imminent, we know there's no sense that those issues have been factored into the legislation. I think those kinds of things could be better addressed by raising them up front, as opposed to a later date.
I'll stop there, I think. I welcome any of your questions.
:
The short answer--and I think for some the rather depressing answer--is that there are no absolute assurances. I think the current environment, where our personal data does traverse national borders with ease, to the point that your information is in different parts of the world, often without your direct knowledge, is a reality of this current globalized world.
I don't think, though, that means we take the proverbial Scott McNealy approach. He's the former CEO of Sun Microsystems, who said you have no privacy, get over it. There are people who can choose to say they don't want that information shared, but in a sense they forfeit, or they are forced to surrender, some of the benefits the globalized world provides.
I think most Canadians are comfortable with a certain amount of risk. Sometimes they're aware of it; many times they're not. But they recognize that there are benefits to even some of the outsourcing you've just described. They're comfortable knowing that does create a certain risk. But I think that then creates an obligation, from a regulatory law perspective, to create as many safeguards as we can within the realm of ensuring that we maintain some of these efficiencies.
Law doesn't become irrelevant in the scenario you've just described; it becomes more relevant than ever. It becomes more important than ever to ensure that our privacy legislation, while not providing anyone with an absolute certainty about protection of their privacy, at least provides some measure of assurance that those who are good actors know they have certain obligations in order to ensure they're complying with the law. And we have to ensure that the law sets the right kinds of obligations.
:
Certainly you find in countries around the world that many of the standards of privacy legislation are derived from the same basic principles, many of them from the early 1980s with the OECD. The notion of the destruction of documents, that you're going to flush certain personal information at some point in time, is part of those standards.
The broader question you've asked is how you develop the kind of privacy culture within the federal government that provides at least a greater level of assurance that people's privacy is adequately protected. I note that I think our private sector companies face precisely some of the same kinds of challenges, with larger companies having data housed in subsidiaries and in different parts of the company. There is the front person, who is speaking to you on the phone. Are they going to respect the privacy appropriately, and are other people who have access to different pieces of information?
It starts in a number of ways. One is to prioritize, and make clear that privacy culture is something that matters, and that there is an expectation that no matter where you come from within that broader bureaucracy, whether you're the person providing call centre assistance or someone who is making larger decisions, those privacy obligations will be respected.
But how do you begin to even imbue that? It starts with the legislation. If the legislation itself is seen as somehow substandard, and it doesn't even come up to the same level that, as I mentioned, our private sector companies are facing, I would argue that sends a message in itself. It sends a message that somehow we're comfortable with decades-old out-of-date legislation, and perhaps those privacy interests simply aren't that important.
:
I don't think so. I didn't think we'd be talking copyright, although I'd be happy to do so. I got into a lengthy debate with your colleague Gord Brown, talking about some of those specific issues.
I actually think there is a consistency, both with the concern for appropriate protections of privacy and with concerns about where copyright legislation may go. A good example of that is the prospect that some technologies--to come back to the question about different kinds of technologies--can be used not only to lock down certain kinds of content but also to extract personal information without the knowledge of a particular individual.
We've had that in one case, the Sony rootkit case, in which hundreds of thousands of Canadians found themselves subject to both a security breach and fears that their personal information would be sucked out and sent, essentially, to the mother ship without their knowledge. One of the concerns is that to effectively provide appropriate protection, you have to provide someone with the ability to circumvent, to ensure that they can indeed protect their personal information.
So when I come before you to argue about the essential need for a strong privacy culture, both within the Privacy Act as well as, frankly, within PIPEDA, I think that's wholly consistent with calling for a copyright act that reflects a fair balance between the interests of users and creators.
I'd be happy to talk about that offline.
:
You've put your finger on what may be unquestionably one of the biggest issues, if not the biggest issue, that our private sector companies, global companies, and our government face. And that's the issue of outsourcing, particularly around sensitive data. The issue is particularly acute in a governmental context when you move towards that outsourcing. Where it was previously just the government that controlled the information subject to something like the Privacy Act, the concerns about what happens when it's in India or elsewhere in the hands of the private sector simply didn't arise.
As you likely know, in the context of British Columbia, we were talking about arguably the most sensitive information, or certainly one of them, when we talk about health information. There was very real concern that by outsourcing--in this instance, there was a choice between one of two U.S.-based organizations--that suddenly access to that information could fall into the hands of U.S. law enforcement or others. Previously, that simply wouldn't have been the case.
That presents an enormous challenge. On the one hand, there are efficiencies from outsourcing and value to the taxpayer to outsource in certain circumstances. At the same time, there are real concerns about some of the costs, not costs in terms of what you pay for it, but the broader costs in terms of privacy and other issues that arise in that context.
The B.C. government, and now some other provincial governments, tried to strike a balance of whether to establish a statute in that regard, or at least create a greater level of accountability so you can achieve some level of protection through contract. That's another potential avenue.
It's an issue that I think really needs to be at the forefront when you think about some of these outsourcing opportunities. On paper they look fabulous, until you realize there are some costs once you scratch below the surface.
:
Mr. Chairman, thank you.
I'd like to continue on this topic of outsourcing. I don't know whether you've had a chance to look at the recommendations, but outsourcing may be partially dealt with in recommendation 10.
There's a paragraph in the booklet that the commissioner provided to us that I find startling. It's on page 29:
“However, the Privacy Act does not reflect this increase in international information sharing. The Privacy Act places only two restrictions on disclosures to foreign governments: an agreement or arrangement must exist; and the personal information must be used for administering or enforcing a law or conducting an investigation. The Privacy Act does not even require that the agreement or arrangement be in writing. The Privacy Act does not impose any duty on the disclosing institution to identify the precise purpose for which the data will be disclosed and limit its subsequent use by the foreign government to that purpose, limit the amount of personal information disclosed and restrict further disclosure to third parties. Moreover, the Privacy Act even fails to impose any basic obligations on the Canadian government institution itself to adequately safeguard personal information.”
I just find that an incredible statement. The recommendation simply says that we strengthen the provisions governing the disclosure of personal information.
I'd like to know how to deal with this.
There was a book that I read, and I can't remember the name of it, but I think it was called The World Is Flat, by somebody called Friedman, which also scared the heck out of me. It dealt with the very things Mr. Pearson was talking about.
So then you start asking about what a government can abuse. They can abuse all kinds of things. They can abuse outsourcing. We don't even know what could be done. There's income tax. It could go on and on—police abuse, security abuse, and no-fly lists. People are gradually getting very concerned about this, because all of a sudden they try to get on a plane and they can't get on a plane.
So in regard to recommendation 10—and I don't know whether you have looked at it or not—how can we make the public feel better about all of these things? The wording that's on that page, or the two pages for recommendation 10, I don't think the average person in this country would really feel very confident about, with its general phrase, well, let's strengthen the provisions.
How are we going to deal with all of these things?
:
Well, in some ways that's the very question I was asked right off the bat. Do we have no privacy, and get over it, or are there solutions?
Unlike the environment we lived in when the Privacy Act was first introduced, where much of the privacy may well have been protected, because it was obscured or largely inaccessible, since it was, by and large, in paper form, the environment today is such—as Friedman talks about in his book and as I think is readily apparent to everyone around the table—that data really do traverse instantly around the world.
There's the story of the person with the credit card in India. I was at a hotel recently in Montreal where I couldn't get onto the Internet, and I called down to the hotel desk and they tried to help me and it didn't work. So they said, let us put you through to tech support. I spent five minutes with this person, who was literally looking at my computer, the IP address and the like; and then at the end, I asked, do you mind if I ask where you are? She was in Warsaw, literally able to look at my PC in real time in another part of the world. So that's an environment that I think in many ways is very scary, but at the same time, it obviously provides a great deal of opportunity.
Now, what the commissioner is recommending and what I think many people are saying is that we aren't going to take an approach where we're simply going to shut down and not take advantage of these technologies and move data across borders. It doesn't work in the private sector, and it doesn't work in the public sector; it doesn't even work from a government-to-government perspective. And if these are being labelled as quick fixes, there is no quick fix, as it were, to this issue. But what there is, I think, is a starting point to move us toward an environment where we have a greater level of accountability and a greater level of transparency about what some of these rules are, so that when we go in and begin to pass along that information in some instances, or recognize that the information may be put at risk in certain circumstances, we will do so with some sort of framework around that, taking whatever precautions are possible—albeit there is nothing that can provide people with an absolute assurance.
When you say this sort of stuff is scary, it speaks exactly to the question Mr. Pearson raised in British Columbia. The effect of knowing that people's health information was suddenly going to be elsewhere and subject to the U.S.A. Patriot Act, in an extreme circumstance, is what crystallized in the minds of many that, well, let's hold on a second and back up to see if we've taken all the precautions we need to. The answer in B.C. was no, we haven't; let's do something about it. If people were to ask those same questions in a federal context, I think the answer would again be no, and it's time to do something about it.
Obviously my personal information hasn't been disclosed, because Mr. Tilson said “Who's he?”, so I should be pretty safe then. I'm safe.
You made a couple of comments on security breach disclosure, and also on the timeliness of reporting. I just want to follow up on a couple of those.
Just about a month or so ago we got a letter from a company that my wife had been working for in the U.S. It indicated that a computer with a lot of personal information from a number of employees had been stolen. The letter detailed in infinite steps what happened, roughly when they thought it had happened, and the detailed steps that we needed to take to protect ourselves. While it was traumatic being told that, we were still able to know what the actions were.
So my question to you is, with something like that in this large government bureaucracy, given your experience, how long would you say it would take to implement something like a breach disclosure requirement? It wouldn't seem to me to be that easy to implement.