Good morning, ladies and gentlemen.
Hello, everyone.
Welcome to the 38th meeting of the Standing Committee on Industry, Science and Technology.
Thank you to the witnesses for coming today. I will introduce them: from the Public Guardian and Trustee of British Columbia, Catherine Romanko, public guardian and trustee; from the Public Guardian and Trustee of Manitoba, Douglas Brown; from the Canadian Pharmacists Association, Janet Cooper, vice-president, professional affairs; and as an individual, Avner Levin, associate professor and the director of the Privacy and Cyber Crime Institute at Ryerson University.
We will follow that order as far as opening remarks are concerned.
I just want to advise members that we have another committee coming in here after us, so we'll be targeting for five minutes before our usual time to complete.
We'll begin with opening remarks from Ms. Romanko.
Good morning. I am the public guardian and trustee of British Columbia. I thank you for the opportunity to comment on Bill today. In addition to my oral comments, I have provided a written submission. My comments today are restricted to subclause 6(10) of Bill S-4, and that is with respect to the proposed provision that will enable federally regulated organizations and in particular financial institutions to report concerns of potential financial abuse of a customer, without the knowledge or consent of the customer, to a government institution with authority to investigate and to take appropriate responsive action.
The jurisdiction to respond to suspected financial abuse typically falls to provincial authorities and territorial authorities with respect to civil investigation and in particular to public guardians and trustees across the country. The Public Guardian and Trustee of British Columbia has participated in the multi-year consultation process that led to the development of the anti-financial abuse provisions in subclause 6(10). My office supports the objective of the proposed anti-financial abuse amendment and offers three recommendations for refinement of the provision to ensure that the provision is effective, and secondly, to minimize the risk of harm to an individual who is the subject of a report and a potential victim of financial abuse.
My recommendations are based on the experience my office has in responding to financial abuse and I will provide those recommendations at the conclusion of my comments.
By way of background, the Public Guardian and Trustee of British Columbia is a statutory corporation sole created under the laws of the province. My office provides fiduciary and protective services to vulnerable adults, to persons who are mentally incapable, to minor children. We administer the estates of deceased and missing persons when there is no one else able and suitable to do that. We serve approximately 29,000 clients and administer almost $900 million in private client assets.
Among the various statutory functions given to the Public Guardian and Trustee under British Columbian law is the role of investigating allegations of financial abuse, including financial neglect and financial self-neglect of mentally incapable adults. The definitions of financial abuse, financial neglect, and financial self-neglect, which guide the investigations of the Public Guardian in British Columbia, are set out in legislation, but generally speaking, abuse is an action committed by a third party. Neglect is the failure of a third party to act, and self-neglect is an individual's own failure to manage his or her own affairs due usually to mental incapacity.
When my office receives information that an adult may be mentally incapable and may be a victim of financial abuse, the Public Guardian and Trustee of British Columbia has a legislative mandate to investigate the circumstances. My office has the powers to seek disclosure of financial information from legal representatives such as an attorney acting under an enduring power of attorney, and from financial institutions where an adult may hold assets. If my office has reason to believe that the adult's assets are in need of immediate protection, the Public Guardian and Trustee of British Columbia has the authority to instruct financial institutions to, in essence, freeze bank accounts to stop any withdrawals from the accounts or transactions with respect to those accounts, to halt the sale of property, and to take any other reasonable step necessary to protect the adult's assets from dissipation or misappropriation.
Each year, my office responds to approximately 1,600 allegations of suspected financial abuse. Approximately 1,200 of those cases result in a full investigation by my office, and of approximately 400 cases, the Public Guardian and Trustee is appointed committee of estate as a result of the investigation, and that is for the purpose of acting as property guardian to manage the financial and legal affairs of the adult on an ongoing basis.
The experience of my staff in responding to allegations of financial abuse has highlighted for us the critical role played by financial institutions in identifying issues of potential financial abuse and ensuring that vulnerable adults receive the support and assistance they need when it is required in order to curtail or end the financial abuse.
Employees of banks are often in the best position to observe potential financial abuse as a result of ongoing personal contact with their customers and with their knowledge of the customers' financial affairs. While it may be best practice for a bank employee to communicate with a customer directly about concerns of potential abuse, in many cases such communication is simply not practical, nor is it prudent. In some instances, bank customers may have diminished mental capacity due to mental illness or due to diseases of aging, making direct communication with a customer challenging and often ineffective.
In other cases, a customer may be unduly influenced by or subject to the control of another person, so that advising the customer of suspected financial abuse may in fact alert the abuser to the fact that the abuse has been discovered and put the customer at greater risk. Currently, PIPEDA permits financial institutions to report financial abuse to relevant authorities, such as the police, where the financial institution has reasonable grounds to believe that a law has been contravened.
However, if no law is contravened, federally regulated organizations are restricted by the act as to what actions they are permitted to take even if financial abuse is suspected, so my office of course is responding to allegations of abuse, not certainties. No crime has been committed as yet. Enabling financial institutions to proactively report concerns of potential financial abuse to an organization such as the Public Guardian and Trustee of British Columbia, with the legislative authority to investigate and to take steps to protect the assets of the vulnerable adult if necessary, is critical in the effort to reduce the incidents or continuation of financial abuse.
The Public Guardian and Trustee of British Columbia offers three recommendations for refinement of the proposed legislative amendment in proposed paragraph 7(3)(d.3) of PIPEDA. They are as follows.
One, specify that provincial authorities, and in particular public guardians and trustees, who are authorized to respond to financial abuse, are included in the term “government institution” to which an organization may report financial abuse. The term “government institution” is currently not defined in PIPEDA, nor is a definition proposed in Bill .
The difficulty here is that the act is a federal legislation governing federally regulated bodies. Public guardians and trustees fall under provincial jurisdiction. We want to ensure the legislation is clear that reports may be made to provincial bodies. The act contains regulation-making power, which would permit the creation of a regulation to define “government institution”.
Making it clear that organizations are authorized to report to provincial and territorial government institutions, and in particular public guardians and trustees across the country, will assist financial institutions in effectively reporting. Another alternative, of course, would be simply to provide the definition directly in the act. Either way, the definition would be very useful.
Two, delete the reference to “next of kin” from the list of individuals and government institutions to which organizations may report concerns of potential financial abuse. The perpetrators of financial abuse, particularly with respect to vulnerable adults, are often next of kin. Disclosure of concerns of potential financial abuse to next of kin may have the effect of alerting the abuser to the fact that the abuse has been discovered and may in fact end up putting the vulnerable adult at greater risk of harm—or at least the adult's assets at greater risk of harm.
Three, explicitly recognize financial neglect and financial self-neglect in proposed provisions, along with financial abuse. Many provincial authorities have statutory power to investigate and assist individuals who are victims not only of financial abuse but of financial neglect and financial self-neglect, the effects of which can be equally devastating. In fact, the indicators of potential financial difficulty are the same, whether it's abuse, neglect, or self-neglect. Permitting financial institutions to report concerns of financial abuse, neglect, and self-neglect of their customers, I submit, would protect the interests of vulnerable British Columbians.
Those are my comments. Thank you very much. I'd be pleased to answer questions.
Thank you for the opportunity to comment on Bill , the digital privacy act. I'm Douglas Brown, the public guardian and trustee of the Province of Manitoba.
My comments today will be limited to subclause 6(10) of the bill, which would amend the Personal Information Protection and Electronic Documents Act to permit the disclosure of personal information about an individual by an organization to a government institution in circumstances where there is a suspicion that the individual may be a victim of financial abuse. The Public Guardian and Trustee of Manitoba supports the amendment as a positive step that strikes the necessary balance between the need to maintain privacy of personal information and disclosure of that information to potentially identify and stop what are the devastating consequences of financial abuse.
The Public Guardian and Trustee of Manitoba, or PGT, is a corporation sole established under The Public Guardian and Trustee Act of Manitoba, that operates as a provincial government special operating agency. The PGT manages and protects the affairs of Manitobans who are unable to do so themselves and have no one else who is willing or able to act. This includes mentally incompetent and vulnerable adults, deceased estates, and children. The PGT manages approximately 5,800 clients, estates, and trusts, with approximately $230 million of assets under administration by our office.
The PGT becomes involved in the management of an individual’s financial affairs in a variety of ways. Most frequently, the PGT is appointed by the chief provincial psychiatrist under The Mental Health Act or by an order issued under The Vulnerable Persons Living with a Mental Disability Act, both Manitoba legislation. The PGT can also be appointed by a judge of the Court of Queen’s Bench of Manitoba to act in various circumstances. When the PGT does become involved, an investigation is conducted to gather and record the assets owned by the individual for whom we're now managing affairs. This includes all their property, investments, and any accounts at financial institutions. Unfortunately, in some situations our investigation will uncover evidence of possible financial abuse. In the worst of these situations, the financial abuse has resulted in all or a large part of the finances of that individual having been lost.
The impact of these losses caused by financial abuse cannot be overstated. As you or I choose to save, invest, or plan for our retirement and anticipate having the financial resources to be independent and exercise some level of control over our affairs in the future, people who have been the victim of financial abuse have lost that independence and have lost that control over their futures. Often we see that the health and well-being of the victim of financial abuse can be negatively impacted. More often than not, a victim of financial abuse has little chance of recovery. In many cases the money is gone, and there is little likelihood of recovering the money from the perpetrator of the abuse.
Organizations such as financial institutions can play an important role in detecting possible financial abuse through their ongoing contact with the public. My experience is that these institutions do want to cooperate with government institutions when they have a suspicion of financial abuse. While the privacy objectives of the existing legislation are clearly important, privacy laws should not become a tool used by perpetrators of financial abuse to avoid detection. Amendments that allow for a controlled disclosure of personal information in limited circumstances can still maintain privacy objectives while also providing an additional set of eyes out in the community to help identify and hopefully stop cases of financial abuse. I would strongly recommend to this committee that this is the right result.
In reviewing the amendments and the various submissions that have been made to the committee, there are a couple of recommendations that I would also support.
First is that the definition of “government institution” needs to be clear. The PGT or similar agencies in other provinces or territories have a role in these situations, and should be included in the definition. There should be caution taken not to apply the definition too narrowly, as this could discourage the reporting of information. A reasonable check and balance to apply could be to look at the role and use of the information that could be made by the institution that is receiving the information. In the case of the PGT, we're subject to provincial privacy laws. We also have specific statutory authority that allows us to collect information that would otherwise be private where it's required to carry out our duties, responsibilities, and powers. By having that control, you've put some control over how the information could be used once it's received by a government institution.
Second, in most cases the perpetrator of financial abuse has to gain the trust of the victim before the abuse can begin. This unfortunately means that relatives and family can often be the perpetrators of financial abuse. Any requirement to report suspected financial abuse in all circumstances to next of kin may place the victim at greater risk. Organizations that are contemplating making a report should have some discretion in those situations, and where appropriate, should make the report only to a government institution and not to the next of kin in circumstances where the next of kin may be involved in the abuse.
Third, in some cases an individual may not be a victim of financial abuse but is no longer capable of managing his or her affairs. The indicators of financial abuse and financial neglect can often be the same, so an organization that's contemplating whether to report should have the ability to report suspected financial abuse even though it may not be clear where the unusual financial activity originates, or whether the irregular financial activity is a result of a third party or the individual himself or herself. The organization should not be required to make this determination before it has the ability to make a report to a government institution. The loss of financial independence resulting from neglect is just as significant as a financial loss caused by a third party, so again, it's in everybody's interest that the matter be identified and dealt with as quickly as possible.
In conclusion, while the privacy objectives of the existing legislation are clearly important, the benefit of permitting disclosure of personal information in a limited and controlled manner would be a positive step in detecting and hopefully stopping cases of financial abuse.
Thank you.
Good morning. My name is Janet Cooper. I am a pharmacist and I am vice-president of professional affairs with the Canadian Pharmacists Association. I am pleased to be here today to discuss Bill , an act to amend PIPEDA.
CPhA, the Canadian Pharmacists Association, is the national voice for Canada's 39,000 pharmacists. Pharmacists practise in a range of settings, including community pharmacies, hospitals, academia, industry, and government.
CPhA and the pharmacy profession have a long history of speaking out for the interests of patient privacy and confidentiality, and as far back as 2001 CPhA was involved with a privacy working group of other health care provider organizations that provided advice to Health Canada on privacy matters related specifically to health care. Since then we've appeared before parliamentary committees on numerous occasions to offer our perspective on PIPEDA changes.
Today pharmacists' commitment to privacy is reflected in the professional codes of ethics and standards of practice that guide our profession, as well as CPhA's own privacy code for pharmacists. Given that pharmacists routinely dispense more than 11 million prescriptions each week and they're conducting a range of new, expanded services for patients in almost all jurisdictions, the need for ensuring confidentiality of patients' personal information has never been greater.
Community pharmacists were very early adopters of digital records, having maintained computerized medication profiles for more than three decades. Most of the 600 million prescriptions that are dispensed each year, which is close to $30 billion in spending, are actually sent electronically for claims adjudication by public drug plans or private insurers. So there is a lot of electronic transmission of patients' medication information.
Increasingly, Canadians' medical records are maintained electronically by other health care professionals as well, including physicians' records, lab test results, and diagnostic images. The goal of electronic health records is to increase accessibility and sharing of patient information by those providers who need access to inform patient care and to support interprofessional collaboration.
For example, in several jurisdictions, drug information systems, or DIS, are in place to allow access to a complete profile of medications regardless of which pharmacy dispensed the prescription. This improves safety and efficacy of medications, supports improved prescribing, supports detection of adverse drug events, and deters prescription drug abuse. We hope that in the near future all prescriptions will be electronically created and then transmitted to the patient's pharmacy of choice. With this change to electronic health records comes increased need to ensure that Canadians' private health and medication records are protected.
Let me state up front that CPhA supports the amendments in Bill as they relate to protecting personal health information. There are two amendments in particular that we want to address.
First, CPhA supports the amendment in the bill in which personal information may be obtained without consent for the purposes of communicating with the next of kin or authorized representative of an injured, ill, or deceased individual.
Pharmacists, as well as any health care provider, may find themselves in the difficult situation of having to deal with patients who may be severely ill, unconscious, or incapacitated for any number of reasons. In such circumstances it may be imperative for the pharmacist or other health professional to immediately contact family members or next of kin to inform them of the patient's condition, or to seek valuable information on the patients' medical history. But seeking permission or consent to contact those individuals in advance may simply not be reasonable nor in some cases possible. This clause would provide pharmacists and other health care providers with the comfort and knowledge that in the case of a severe health emergency they will not be in contravention of PIPEDA for acting in the best interests of their patients by contacting next of kin or authorized representatives.
Second, CPhA also supports the amendment in Bill requiring organizations that have encountered a privacy breach to report that breach to the Privacy Commissioner and notify individuals, if it is reasonable in the circumstances to believe that a breach creates a real risk of significant harm to an individual.
For pharmacists who access a significant amount of sensitive information related to the medication and health of their patients every day, a breach or disclosure of this information has the potential to put the patient at risk. Patients who are on medications for HIV, mental illness, or infectious diseases would certainly not want all of that information to be known. As defined in the legislation, this risk could include threats to employment, reputation, or relationships. As a result, CPhA believes that, should a privacy breach occur, reporting this breach to the individual concerned and the Privacy Commissioner are reasonable steps to take in order to mitigate any risk that may occur.
It's also reasonable for the organization in question to maintain proper records of these occurrences as stated in the bill.
Although not specifically related to this bill, I want to thank Health Canada for introducing a regulatory change this past summer that will better enable pharmacies to protect privacy. There's a requirement in the Food and Drugs Act that requires pharmacists to maintain up to two years' worth of prescription records, and until last summer the regulation required prescriptions to be maintained in hard copy format even though more and more prescription records are now retained in electronic format. Last July Health Canada reinterpreted that regulation to allow for electronic retention of prescriptions. In addition to being more efficient for pharmacies, electronic retention is safer and more secure from a privacy standpoint.
Thank you, Mr. Chair and committee members, for the opportunity to meet with you today to discuss Bill . I'd be pleased to respond to your questions.
Thank you, Mr. Chair. Thank you for the invitation to appear in front of the committee. I apologize that I'm not bilingual, so my comments will be in English. I'm an associate professor and the director of the Privacy and Cyber Crime Institute at Ryerson University and I'm appearing as an individual. I research privacy and I've been privileged to appear in front of the access to information, privacy and ethics committee as well.
I am not going to repeat comments that you heard from earlier witnesses in previous meetings. I take these hearings that the committee is conducting at this time as a sign that the government is interested in considering some amendments to the bill before it proceeds. I would like to reiterate what previous witnesses have said that I think the following amendments should be considered by the committee.
First, I think the committee should consider adding order-making powers to section 12.1 of PIPEDA for the commissioner. Section 52 of the B.C. or Alberta personal information protection act can certainly serve as a model. That does not preclude leaving in the provision for compliance agreements that is in the new proposed bill, which would be the new section 17.1. I'm happy to discuss the reasons for my thoughts on this if we have time for questions later, but other witnesses have already made this point.
Second, I would suggest to the committee that it delete proposed paragraph 7(3)(c.1). That would eliminate the possibility for government institutions to request personal information without judicial supervision. I think that point has also been made by previous witnesses, so I would leave that for questions as well if there's any interest.
Third, I would leave paragraph 7(3)(d) as is. In other words, I do not think the committee should proceed with allowing organizations to share information with other organizations. I think that the committee should leave the investigative body model that is currently in PIPEDA intact and that point has been made.
I would like to spend my time introducing a new point to the committee, as far as I know, and that is regarding the issue of workplace privacy that is in this proposed bill. To the best of my knowledge it has not yet been discussed. Under PIPEDA the personal information of employees of a federal work, undertaking, or business is protected and the collection, use and disclosure of it requires the consent of the employee. That's currently in PIPEDA in paragraph 4(1)(b).
Bill proposes a new section, section 7.3, that will govern such employment relationships, according to which employee consent will no longer be required. Employers will have to notify employees instead. That's going to be in the new paragraph 7.3(b), but they will be able following this notice to collect, use, and disclose information that, quoting from the bill, “is necessary to establish, manage or terminate an employment relationship.” That's the new paragraph 7.3(a).
In my opinion, as currently worded, this presents an unfortunate erosion of workplace privacy that ignores previous OPC findings as well as Federal Court decisions. I note to the committee there's a decision from the Federal Court for Eastmond and there's another one for Wansink. I can provide the full citations later. The implications are broader than just for federally regulated employees. Labour arbitrators for those employees who are unionized look to PIPEDA as a guidance and as a source, and to the OPC guidelines. Employers in provinces that do not have private sector legislation look to PIPEDA as guidance even though they do not fall under the jurisdiction of PIPEDA directly.
The proposed amendment appears to follow B.C.'s and Alberta's PIPA, but in my opinion it does not. In those provincial laws—and bear with me, please—the collection, use, and disclosure must be reasonable for the purposes that I've listed. For reference, in the British Columbia act, those are sections 13, 16, and 19. I quote from paragraph 13(2)(b) of the British Columbia Act:
the collection is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual.
The new section 7.3 does not refer to the reasonable standard at all. I imagine that's presumably because PIPEDA has built into it subsection 5(3) that says:
An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
I would hope the committee would follow me in seeing that existing subsection 5(3) refers to the purposes being appropriate to the reasonable person, and it does not refer to the collection or the use or the disclosure as being reasonable. If you want to follow the B.C. and Alberta model, of course the collection and use and disclosure should be reasonable. The purposes of managing, and so on, the employment relationship, needless to say, are reasonable already.
In my opinion the current wording in the bill would allow, to take perhaps a little bit of an extreme example, an employer to install closed-circuit television cameras inside washrooms at the workplace, for the purpose of managing the workplace as long as a notice was posted to that effect. I would argue that for the purpose of managing the workplace and wanting in that case to ensure that facilities are clean and well maintained, doing that is reasonable. But the collection of personal information would not be reasonable in that situation. That is the distinction that I wish to draw to the attention of committee members at this point in time, which I don't think has been articulated up to this point.
I would suggest two simple amendments as a result. One would be to simply add the word “reasonable” before “necessary” so that the amended clause, which would create the new paragraph 7.3(a) would read “the collection, use or disclosure is reasonable and necessary to establish, manage or terminate an employment relationship between the federal...business and the individual”. Alternatively you may wish to consider amending the clause by borrowing language used in Quebec's legislative framework. Section 2087 of Quebec's Civil Code requires employers to protect the dignity of employees, so the committee may wish to consider an alternative formulation such as, “the collection, use or disclosure protects the dignity of the individual and is necessary to establish, manage or terminate the employment relationship”.
I'll make one last point on this, Mr. Chair, before I end my comments. I do think that employees cannot meaningfully consent to their employers' practices in an employment relationship. In that sense I do think that it is useful to move to regulating employers' conduct in those circumstances. I could add more on the issue of consent, but again I think you've heard from earlier witnesses in previous meetings.
I will leave it at that regarding the point on privacy at work. I would be happy to answer questions if there is any time.
Thank you again for the invitation to appear today.
Thank you, witnesses, for being here.
I want to focus my questioning on how the digital industry has so dramatically changed since PIPEDA first became law in 2000. I believe that things have changed dramatically since it came into effect. It actually came into force from 2001 to 2004, over three years. Then, as is normal, there was a judicial review, a parliamentary review, and that started in 2006-07. I think some of you have been involved with that and have provided submissions or have testified.
Bill contains I think important updates that relate to what we saw when it was established in 2000. In regard to what's being proposed now in Bill , the world has changed. Technology has changed dramatically. That includes the number of people who are using digital technologies for emails, banking, and so on.
We've heard from you. We've created Bill . It provides important updates to current private sector privacy laws that will help protect consumers with regard to their personal information, whether it's been stolen or lost.
There is currently no legal requirement for a business to inform consumers when there has been a data security breach. A business could be hacked and decide right now not to inform customers, but the changes in Bill will compel businesses to report when hacked and will impose fines of up to $100,000 per individual if the business fails to notify the customer.
It also provides some very important focus on protecting the vulnerable, both the youth and our seniors.
Ms. Romanko, you touched on that, as did Mr. Brown, and that's the focus of your organizations.
The Bankers Association was one of the many that really supported Bill . They applauded the amendments in the bill that will allow banks and financial institutions to advise public guardians, law enforcement, or family members when they have evidence of financial abuse. I think you touched also on the abuse that may be coming from family members. The banks would now have the discretion in regard to how to deal with these serious situations and protect the vulnerable. That does not exist now.
We also heard from the Privacy Commissioner about the tools necessary for the commissioner to do their job. There was not adequate time for them to be able to act. Now, with the changes in Bill , that would change.
If you could, just touch on how things have changed and on these changes that have been now incorporated in Bill to update PIPEDA.
Ms. Romanko.
Yes, I would be happy to do that. Of course, my comments are very narrowly restricted to the ability of financial institutions to report.
The Public Guardian and Trustee of British Columbia was working closely with the Canadian Bankers Association back when these proposed amendments were first suggested. We were very much in support then of allowing an amendment that would enable financial institutions to report proactively, not just when there was an actual contravention of the law.
It is in that proactive measure that we think vulnerable persons are better protected. Then the responsibility for investigating falls to the provincial bodies, the public guardians and trustees, to do what they already are able to do under the law.
The missing piece was the proactive reporting. Bill , in the provision in proposed paragraph 7(3)(d.3), I believe will accomplish that. I believe that is a positive measure.
:
I can take that even a step further.
Prior to my appointment as public guardian and trustee, I was director of enforcement for the Manitoba Securities Commission for about 12 years. The trends you have seen over the last two generations are people becoming more involved in their financial management. It's not just simply savings accounts and bank accounts anymore. You have people who are investing in mutual funds and other investment products. You have a more complicated landscape out there, which, if you take the negative view, probably leads to more opportunities for abuse of an individual, for example, if an individual is trying to manage money in different ways than they have in the past.
The other thing—and we were briefly talking about it before we came in—is the change, particularly in the banking industry to electronic banking, Internet banking. There is a move away from direct physical contact at a branch, which you would have seen a generation or two ago. That also creates a complexity in the situation that you're not going to have.... Whereas 20 years ago you'd have your local branch manager, whom you probably saw every couple of weeks just because you would be visiting your branch, that sort of contact isn't there anymore.
As we go further and further, with younger generations it's going to even become more pronounced. That doesn't change the need for this legislation, the need for the reporting. I think it's going to force us to adapt to those situations in our various roles to try to figure out ways that we can still identify potential abuse and report it under these new ways of delivering the service.
:
Thank you very much for the question.
I think the real issue is what has been happening with the digital economy and with services, as you can see. Certainly, since PIPEDA came into force, the idea of consent has changed. Instead of protecting us as individuals, it provides companies with loopholes, these seven pages of legalese, to say that we as individuals have agreed to all further collection, use, and disclosure practices.
The idea that, in this day and age, we can provide meaningful consent is broken, and has been for quite some time. That's why, in the academic world, if we're talking about a privacy framework for the 21st century, there is a lot of thought as to whether we shouldn't be moving beyond just focusing on consent as a gateway, such as saying that if someone consents then everything is fine. We should really be restricting what companies do with the information they collect. We should see a lot more regulation of uses and disclosures, not enabling of organizations to say, “Well, I've got somebody ticking a box over here, therefore I can go ahead and do whatever I want.”
This is a serious concern, especially when you're talking about this new kind of big data analytics in which companies are trying to collect a lot of information, do what we call free-form analysis, look for correlations, and do the type of predictive analytics that then make the headlines. For example, Target sent a notice to the family of a teenager that their daughter was pregnant. The father didn't know, but Target staff knew because they punched the numbers.
Regulation of use is what is required in this day and age, not just focusing narrowly on consent. Organizations will find the loopholes. They'll use legalese and write long agreements. That has not been helpful so far.
Certainly as a professional association representing pharmacists, we find some of this discussion is outside of our mandate and my particular expertise, unlike Dr. Levin's. But I share those concerns, even more just as a Canadian, that we're signing off on a lot of stuff when we tick those things.
I look at the younger generation. I was recently at a Canada Health Infoway meeting, and they had some research done with Canadians and focus groups. I was surprised with the lack of concern that many Canadians have about their private information. For example, they just assume that every pharmacy in this province...you know, the Shoppers Drug Mart here shares it with the Shoppers Drug Mart three blocks over. They don't share it, but people assume it and they expect it.
I think societally we have some real challenges, and we're ticking off a lot of stuff. I would personally agree that we need to look at better regulating what companies can do with this data, because there's a lot of information that's coming in at point of sale, Internet sales, Google searches, and all that type of thing, which we need to be looking at.
I really couldn't comment on whether it should be within the legislation or regulations related to this, but I share the concerns.
:
If I understand the question correctly—and thank you for the question—it was asking what we need beyond the compliance agreements that are currently in the bill.
I think what we need is the power, at the end, for the commissioner to make an order and instruct those companies to comply with whatever it is that the commissioner has found. You have a process of discussion and you have findings and you have a compliance agreement, but what we have right now is that at the end of the day the commissioner can then go to court and request an order.
We have seen an excellent example with the research that was done by the commissioner with respect to Facebook a few years ago—very thorough research by the assistant privacy commissioner, currently the privacy commissioner of British Columbia, into Facebook—with lots of media attention, lots of findings, lots of recommendations. Then Facebook says that's wonderful and moves on and keeps doing business as usual. They disregard Canada and they disregard the regulator, because the regulator doesn't have the power to order them to comply with any of those, and the only option is maybe to take them to court.
In order for big businesses to take the Canadian environment seriously, the commissioner has to be able to tell them at the end of the day that they have to comply with a certain finding or a certain request. What is baffling to me is that this is very common in data protection regimes. You see that they treat Europe differently as a result, because the commissioners there have the ability to regulate and make orders. You can see how they treat even provincial commissioners differently, because they have within their provinces the ability. The only outlier is the Privacy Commissioner of Canada.
I don't understand what the compelling reasons are to make an exception in this case, so that the Privacy Commissioner of Canada cannot be given the powers of making orders that all the others have.
Thanks to the witnesses for being here today.
It's interesting that as we do legislation there always seem to be three categories of potential amendments. Everybody has suggested modifications to the legislation. You either have people who want to add something that isn't in it that they think should be in it; or you have people who take a look at changes that are being made and don't agree with them and want them not to be made; then, there are some technical changes, as almost always someone will suggest some kind of technical wording.
It's interesting that the first category in a sense seems to fit, Catherine, most of what you have had to say. You talk about some clarity around provincial authorities, but I would argue that the legislation, in I think proposed subsection 26(1), says:
The Governor in Council may make regulations for carrying out the purposes and provisions of this Part, including regulations
This includes, as it is written in the existing act:
(a) specifying, by name or by class, what is a government institution or part of a government institution for the purposes of any provision of this Part;
So we have the ability to do that through regulation and I think you would be satisfied with that as a mechanism. You just want to make us aware of the need for some clarification there, I believe. Is that right?
I was interested in your second recommendation, deleting “next of kin” as your number two area of refinement.
Why would you do that?
:
Right. I appreciate that, and in most instances, that....
I suppose one of the balances here is that if the language is left in the bill, the understanding then would be that the financial institution would have a broader range to exercise its discretion, and presumably would not report to someone they suspected was the abuser. I still think there is a risk there. I think there is a distinction, as you raised, with respect to the authorized representative, in the sense that an authorized representative would have legal authority—granted either by the individual themselves, when they made a power of attorney, or when they made a representation agreement under British Columbia law, or when they were appointed by the court to act.
In those instances, they're guided by law. They have a fiduciary relationship with the adult. There's an extra set of rules governing their behaviour. Yes, they too go off the rails. Yes, they too are sometimes the perpetrator. But I think at least there's greater.... Again, it's a question of balancing the right to privacy with the need to protect the adult who may be vulnerable. It seems to me there is greater justification to allow a reporting to someone who has legal authority than to someone who has no legal authority to receive the information about the adult.
That said, I think it is more important that this provision proceed than the amendment to next of kin be made. In other words, I wouldn't want to stop that section from being enacted simply because of the next of kin issue.
Of course, we always assume that businesses will act in good faith and be diligent. However, we are here to draft a bill, and a lot of time has gone by before it was referred to the committee.
The matters raised here were also raised at the Senate as well as in previous Parliaments. That is why it is important that we draft a “2.0 bill”, that is to say a very current, very modern piece of legislation. We fear there may be some gaps in this regard.
I would like to ask the other witnesses if they think businesses would be concerned about potentially contravening the law, while assuming of course at the outset that everyone is going to act in good faith. We have to ensure that businesses are diligent and see whether this act might generate some fear. This is the right time and place to speak out on the matter.
Mr. Brown, Ms. Romanko and Ms. Cooper, would you like to speak to this?