:
I will call the meeting to order.
Good morning, everyone.
This is meeting number 27, and pursuant to the order of reference of Tuesday, April 25, 2006, and section 29 of PIPEDA, we're conducting a statutory review of a section of the act, in particular.
Today we have witnesses from the Canadian Life and Health Insurance Association Inc., and the Canadian Chamber of Commerce. Welcome.
I guess you know the procedure. Each group will have an opportunity to make a presentation, one following the other, and then we'll have questions from the committee. I'll ask the person who is making the presentation to introduce the people who are with him.
We'll start with the Canadian Life and Health Insurance Association. Will it be Mr. Millette?
:
Thank you, Mr. Chairman and members of the committee.
I would like to thank the committee very much for giving us this opportunity to contribute to your review of the Personal Information Protection and Electronic Documents Act.
My name is, as indicated, Frank Zinatelli, and I am vice-president and associate general counsel of the Canadian Life and Health Insurance Association Inc., CLHIA.
I'd like to begin by saying a word or two about my colleagues who are seated with me at the table.
Dale Philp is assistant vice-president and senior counsel with Sun Life Financial, where she focuses on products and distribution group insurance issues. She is deeply involved with privacy issues in the life and health insurance industry, both within her own company and as chair of the CLHIA's privacy committee, where industry issues of common interest relating to the protection of personal information are discussed.
Yves Millette is the CLHIA's senior vice-president, Quebec affairs. Mr. Millette's lengthy experience in Quebec matters affecting our industry has given him a good familiarity with Quebec's privacy legislation. And of course, as you know, Quebec was the first Canadian jurisdiction to introduce private sector privacy legislation.
We welcome this opportunity to make constructive contributions to the committee as you seek to develop your report to Parliament on this sensitive, complex, and vitally important area.
With your permission, Chairman, we would like to make a few introductory comments. Together with Ms. Philp and Mr. Millette, we will provide the committee with the industry's views pertaining to the PIPEDA review.
By way of background, the CLHIA represents life and health insurance companies accounting for 99% of the life and health insurance in force across Canada. The industry protects about 24 million Canadians and some 20 million people internationally.
For over 100 years, Canada's life and health insurers have been handling the personal information of Canadians. The very nature of the insurance product requires that a large portion of the information exchanged between companies and their clients is personal in nature, and protecting its confidentiality has long been recognized by the industry as an absolute necessity for maintaining access to such information.
Indeed, our industry would not have survived if it were not able to have the trust placed in it by Canadians. Correspondingly, chairman, life and health insurers have taken a leadership role in developing standards and practices for the proper stewardship of personal information.
In 1980 we adopted right-to-privacy guidelines which represented, as far as I know, the first privacy code to be adopted by any industry group in Canada. Those guidelines served the industry and its customers well for 23 years, until they were superseded by personal information protection statutes across Canada in 2004.
In 1991 the industry included a provision in its consumer code of ethics which requires members to respect the privacy of individuals by using personal information only for the purposes authorized, and not revealing it to any unauthorized person.
And a commitment to this provision, by the way, is one of the requirements for membership in the CLHIA.
The committee should also be aware that the life and health insurance industry participated actively in the development of personal information protection rules across Canada such as, for example, Quebec's private sector privacy legislation in 1994.
The CSA model code is now schedule 1 of PIPEDA. The development of PIPEDA itself.... We also worked on the personal information protection acts of Alberta and B.C. and, of course, on the health information legislation in Alberta, Saskatchewan, Manitoba, and Ontario.
I will now turn it over to my colleague, Dale Philp, to continue our remarks.
Thank you, Mr. Chairman and members of the committee. I would like to provide you with a brief background in the next few minutes to the various issues that we have discussed in part IV of the CLHIA's written submission.
Life and health insurers operate on a national basis and deal with a very large number of Canadians, as Frank indicated. In addition, Canadian insurers also carry on their business operations internationally in locations including the U.S., China, India, and the U.K. The operations of life and health insurers cover a variety of personal situations, including financial planning for a potential death, the processing of a disability claim, reimbursing the costs of prescription drugs and other health care expenses, and administration of savings plans or employer pension plans.
These insurance, pension, group benefit operations involve thousands of transactions each day. As these transactions vary in nature, so do the insurers' needs for personal information. We believe a brief description of the parties and individuals involved in our life and health insurance industry might be helpful as context for our issues.
In the group environment, the insurer may insure the benefit plan or only administer an employer's group benefit plan or group pension plan. That's where the employer self-insures its plan.
As well in the group environment, the players then involve the employer, the employee, the employee's dependants, which would be spouse or children, and of course the insurer. It also involves a possible third-party administrator who's retained by the employer to help administer premium payments, etc., and also likely a consultant or advisor to help the employer decide on what should go in their benefit plan.
In the individual insurance world, the players would include the individual policyholder; perhaps a life insured, different from the policyholder; an adviser; and the insurer. In all types of life insurance—individual, group, or pensions—there are also beneficiaries. So you can appreciate the different types of information that would be required to be collected from each of those individual players in the insurance world.
As for the type of information we collect and use under an individual life insurance policy, detailed medical and financial information may be collected when the individual applies for insurance. This is then used to assess the applicant's eligibility for coverage. That file, then, may be relatively dormant for several decades until a death occurs and then a claim is made. In contrast, under most group employee benefit plans, whether insured or just administered by insurers, the insurer is required to collect a small amount of personal information initially, such as name, date of birth, beneficiary designation, and dependants' names. Additional information is collected when a claim actually occurs for the cost of a prescription drug or at the time of a disability, for example. At that time, sufficient additional information must be collected and used to process the claim.
In contrast to the banks, national or international organizations that are provincially regulated are required to contend with an array of privacy legislation across Canada. A transaction that involves the transfer of information from an individual or organization subject to one protective regime—for example, a physician complying with Alberta's Health Information Act—to an individual or organization subject to a different regime, such as an insurer subject to Quebec's private sector legislation or to PIPEDA, will have to meet the requirements of both regimes with respect to consent to disclose under one and consent to collect and use under the other. An employee resident in B.C. may expect that B.C. privacy legislation will apply, but if her employer is located in Ottawa and the insurer processes claims in Toronto, PIPEDA will apply.
In this environment a lack of clarity, gaps, overlaps, or inconsistencies in the legislation can create confusion and unnecessary administrative complexity for life and health insurers, and confusion for their customers. We believe that the coordination or harmonization of the provisions of PIPEDA with privacy legislation at the provincial level would help to avoid such confusion for consumers, organizations, and regulators alike. To appropriately balance the need to protect information privacy with the need to conduct efficient commercial activities, such as providing life and insurance products to Canadians, it is essential that harmonization be given high priority.
While the life and health insurance industry's experience during the three years it has been subject to PIPEDA has been that the current rules are generally workable, a large portion of our specific comments in part IV of our submission fall under the category of harmonization, with a view to making the provisions under PIPEDA “more practical and more predictable”, to use the words of the Privacy Commissioner.
One of those specific comments relates to the detection and deterrence of fraud. The impact of fraudulent and deceptive conduct on insurance and other financial services can be extremely costly and damaging. Efforts to minimize them are essential. Fraudulent and deceptive conduct can involve a small number of consumers, service providers, and other parties not directly involved with the contract.
Our efforts to control the incidence of fraud in our industry are not in conflict with our protection of personal information, but the current provisions need to be adjusted to make our efforts work better. Specifically, there is a gap in PIPEDA that restricts our ability to disclose information without the consent of an individual for the purpose of conducting an investigation into a breach of an agreement or a law of Canada.
It is the industry's view that instead of, or in addition to, a system of investigative bodies, PIPEDA should be amended to adopt the model used in both Alberta and B.C.'s PIPAs, which allow collection, use, and disclosure of personal information without consent for the purpose of an investigation. In this way, the range of acceptable circumstances as to when personal information can be collected, used, and disclosed during an investigation can be more clearly set out and understood by all parties.
:
No. My intervention will be quite short. I will develop only one point, concerning the situation in Quebec.
[Translation]
Thank you very much.
Another topic of importance, for the industry, relates to the provisions on individuals’ right to access information that concerns them. It is clear that they must have the right to access it, to determine the use being made of it and, if necessary, to correct any inaccurate information.
However, experience shows us more and more cases where access rights are used for purposes that the legislature could never have thought of when the Act was promulgated. Increasingly, companies are receiving detailed, identical access requests, most likely prepared by lawyers, that seem to be “fishing expeditions” to obtain information that would not otherwise be available except through the process of discovery, as it should be.
At present, Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector includes a provision covering this type of situation. The second paragraph of section 39 of the Quebec act stipulates that:
39. A person carrying on an enterprise may refuse to communicate personal information to the person it concerns where disclosure of the information would be likely to:
(2) affect judicial proceedings in which either person has an interest.
Under this provision, it must be clear that the legal proceeding would be instituted in light of the facts at issue. The industry recommends that the Quebec precedent be used to amend the Canadian act in a similar fashion.
Thank you.
:
Thank you, Mr. Chairman and honourable members. It's a pleasure to be here.
My name is Michael Murphy, and I'm executive vice-president, policy, with the Canadian Chamber. Also appearing with me today is Chris Gray, who's a policy analyst with us at the chamber, along with David Elder, who's vice-president, regulatory law, with Bell Canada—a chamber member. Importantly, Mr. Elder is also Bell's privacy ombudsman.
[Translation]
As an advocate for Canadian businesses, the Canadian Chamber of Commerce speaks on behalf of a network of 350 chambers of commerce and other business associations representing over 170,000 member businesses.
[English]
The chamber is pleased to provide its input on the five-year statutory review of the act. Since PIPEDA was enacted, we have worked closely with our members, local chambers, and boards of trade to ensure that businesses of all sizes understand their roles and responsibilities under the act.
The majority of our members have been subjected to complying with the act since only 2004. We communicate with our members regarding their obligations through a variety of vehicles, and we are always considering how we can continue to better educate all businesses, particularly small and medium enterprises.
To assist our members with PIPEDA, the chamber developed a privacy policy template, modelled contractual clauses, and informed them on how to conduct a privacy audit.
My remarks today will be based on our submission to the commissioner's consultation on the act last fall. We've met with the Privacy Commissioner's office on a number of occasions since the legislation came into force, and we've brought additional copies of that particular submission for your reference today.
[Translation]
In general, the Canadian Chamber of Commerce’s position on the review of the PIPEDA, the Personal Information Protection and Electronic Documents Act, is similar to the one that other business organizations, such as ITAC and the CMA, expressed to you during previous meetings. The protection of privacy and personal information is a paramount issue for consumers and companies. It is particularly important nowadays because of new technologies that increase the risk that personal information will be compromised.
The adoption of best practices for the protection of personal information is an element of sound business management. A company that uses effective practices in this area increases consumer confidence, and both benefit. From the trade and industry perspective, the Act functions well and requires no amendments at this time. Moreover, most of the industrial sectors and individual companies have just started working within the current framework.
[English]
Both business and the Privacy Commissioner's office have demonstrated a solid cooperative working relationship. The structure of the act allows for an effective and workable balance between the interests of protecting an individual's personal information and allowing for business to operate effectively.
In addition, there is a flexibility built into the act that is an important factor in allowing industry to efficiently respond to any privacy issues. PIPEDA, as it currently exists, also has relatively low associated costs and a very efficient complaint mechanism. By maintaining technological neutrality, this legislation also transcends technology change.
I'd now like to turn it over to Mr. Elder to get into some more specific comments from the chamber's perspective that we believe members should consider when discussing the principles of the act.
David.
The Canadian Chamber and its members believe that Canadian privacy legislation should continue to strike the correct balance between the privacy rights of individuals and the legitimate needs of business to collect and disclose customer information. The flexibility built into PIPEDA has been very beneficial to consumers and business alike during the five years since its implementation.
With regard to the Privacy Commissioner's order-making powers, the current ombudsman model provides an effective manner, in our view, in which to best protect an individual's need for privacy and at the same time address the interests of businesses. This mechanism for resolving privacy issues is critical for consumers, and it is cost-effective. Implementation of an order-making process would require a complete review and overhaul of the role of the Office of the Privacy Commissioner and the Federal Court. Since any such orders would be subject to appeals, this could potentially result in a less timely resolution of issues.
In 2004, under the existing ombudsman model, the OPC increased its emphasis on settling complaints, settling 45% of them without a formal investigation. Changes to the current ombudsman model could significantly adversely impact the ability of the OPC to effect such early settlement. The current model provides the commissioner with a wide range of powers, including complaint investigation and audit powers.
Turning now to the issue of duty to notify, in the Canadian Chamber's view, the current model, again, is operating successfully. I would note that there already exist significant reputational, financial, and legal incentives for businesses to notify customers when there have been serious breaches. Moreover, we believe that the OPC already has the tools to require notification where circumstances warrant it.
Instituting a duty to notify could create a more adversarial relationship between business and the OPC. In addition, imposing a duty to notify on every potential breach could well do a disservice to the very consumers it is meant to protect. This kind of requirement could result in a flood of notices being sent to consumers, desensitizing them to the gravity of a truly serious privacy breach. I believe we've seen this occurring in the U.S.
Given this, the Canadian Chamber does not believe that mandatory breach notification is necessary in the legislation. We would encourage businesses to continue to work closely with the Privacy Commissioner's office in order to identify breaches and to notify those who could be affected by a possible breach in privacy. This flexibility enables notice where appropriate in the circumstances, with no adverse impact on consumers.
I'd also like to note that it would be beneficial for the Canadian Chamber and other business associations to develop a best practices set of guidelines that could be used when breaches in privacy occur. To that end, business groups, including the Canadian Chamber, ITAC, the CMA, and others, are currently developing breach notification guidelines in conjunction with the Office of the Privacy Commissioner. Details on these best practices guidelines should be available later this spring.
With regard to the power to name names, the Canadian Chamber believes that reputation is key for business, and therefore the naming power that currently exists with PIPEDA should not be used lightly. Any proposed changes to the Privacy Commissioner's powers in this regard would represent a fundamental shift in the structure of PIPEDA and would be opposed by the Canadian Chamber.
Take the retail sector, for instance. It is extremely competitive, which is good for consumers, but the naming of names could do serious damage to a company's brand, damage that would possibly be wholly disproportionate to the severity of the breach. Therefore, this power should be reserved for those parties who demonstrate a clear pattern of non-compliance.
If there were to be a routine naming of names, it would not help the relationship between business and the OPC. The Privacy Commissioner herself has stated that she neither requires nor desires naming powers. Most cases can be adequately mediated between business and the OPC.
Given this, it is essential that businesses in all sectors are educated about PIPEDA and their responsibilities as businesses in handling personal information. There needs to be a good balance between enforcement of the law and ensuring businesses, especially small and medium-sized businesses, have a good understanding of PIPEDA so that inadvertent infractions are minimized.
On the issue of transborder data flow, international data flow is an economic reality, and any restrictions on this flow could hinder Canada's competitiveness in the global economy. Companies understand that their business reputations are on the line, and they do not take that responsibility lightly. They remain accountable when information is transferred to a third party for processing.
Policy consistency is essential for efficient transborder data flow, as was illustrated in the APEC privacy framework and the security and prosperity partnership initiatives. The accountability principle that is built into PIPEDA is an effective means of ensuring that Canadian businesses communicate their privacy practices to the public in an open and transparent manner. The accountability principle also requires businesses to enter into contractual agreements with any third-party providers, regardless of where the third party is located. This provides an added level of protection to consumers.
Mike.
I'll just wrap up, Mr. Chair, with a quick overview of our conclusions today.
The first one is that there be no changes made to the act at this time and that the commissioner be given the additional time—she talked about five years—she has requested to work with the current act.
Ensure a proper balance is maintained so that the interests of both consumers and businesses are considered.
Maintain the current ombudsman model to effectively protect privacy. With this model in place, mandatory privacy breach notification is not required.
Make no changes to the commissioner's powers with regard to naming power.
Do not place restrictions on transborder data flow that could impede trade and competitiveness.
And we recommend that the Privacy Commissioner's office and other business groups continue to play a strong leadership role in educating and informing firms—and particularly here, small and medium-sized enterprises—and individuals of their rights and obligations under the act.
Thank you, Mr. Chair, for the opportunity to be here today.
:
Thank you very much. You're right on time.
The usual course of action is to proceed with the first round of seven minutes, in the usual order we've agreed to, and then move from there. But before we do, I have one question I'd like to throw out to both of you, as I'm rather curious about it.
Both associations call for harmonization—that makes eminent sense—but you don't think there should be breach notification in certain instances. Just recently, the Ontario and B.C. privacy commissioners jointly released a breach notification assessment tool as a guide for the public and private sector organizations in responding to a breach. Direct notification is the preferred method in the guide whenever the identities of the individuals are known and current contact information is available. That's what the Ontario and B.C. privacy commissioners are recommending.
Do I take it that, because you want harmonization with the other jurisdictions, you're in agreement with this? I'll start with the insurers.
With respect to breach notification, our position is that there should be a risk-based approach to when notification should be made. In that regard, one looks at the circumstances of the particular breach to determine whether a breach has in fact occurred and whether the event requires notification. In doing that, certainly in the financial services industry, one notifies the Privacy Commissioner; one also notifies our financial regulators to bring them into the picture; and one looks at the particular circumstances of the information that may be exposed.
For example, you do a risk assessment. You determine whether that information can be accessed. If it's in a disk and it's encrypted in such a way that your forensic consultants tell you that the risk is really, really minute, then in consultation with the Privacy Commissioner and in consultation with the financial regulator, you can determine, you can assess whether you should reach out or not.
So we believe that's an approach that works.
In fact, if you look at our submission, a number of the changes we recommend are aimed at bringing PIPEDA in line with what has been put in place, if you like, in the third-generation privacy legislation that is in place in B.C. and Alberta. As I indicated earlier, Quebec was the first one, in 1994, then PIPEDA in 2001. For our sector, though, it started in 2004. That's when the act began applying to us. But since then Alberta and B.C. have developed what PIPEDA had put in place. So our suggestion is that you look at those newer provisions where perhaps more thought has gone into it, given time and given the experience that they saw from PIPEDA.
One of the areas Dale spoke about is adjusting the provisions dealing with fraud and defining investigation in such a way that it brings clarity to what the rules are for everybody, because I must confess, I looked at section 7 of PIPEDA, and it's pretty complicated stuff to get your head around. So that's one area.
Another area where the provinces are third-generation again is in the area of access. They've gone on to clarify some of the rules in that area, and we have those again in our submission.
Another area that has been talked about and I know this committee has heard about before is when there is a sale of assets or of a business and the purchaser, in doing the due diligence, needs to look at personal information contained by the buyer. So there are provisions in B.C. and Alberta in this regard that may be useful for this committee to look at to determine whether they should be included in PIPEDA, for the purpose of making that area clear.
Another area, and again you've heard about this one, is looking at the B.C. model for their definition of work product and considering whether that should be included in PIPEDA as well.
:
Sure. As I mentioned in my remarks, we have somewhere in the order of about 350 local chambers across the country that are our members, and they're everywhere in all the provinces and territories. As you can appreciate, when you get into the size of an organization like that, you have some pretty significant differences in the size of chambers as well. Some of them have a lot more capability than others.
One of the reasons we focused on this area is that in terms of some of the practical things we tried to do, we actually put information together for our members directly. We did a couple of rounds on this with respect to our members, both corporate and principally chamber, and through them our small business network across the country, to provide them with tools they could use to deal with the act.
We actually put model clauses, contractual clauses, together that we could have inserted into contractual arrangements they may have had with suppliers or customers. We also told them how to go about doing an audit of their own organizations. We also tried to give some basic information.
One of the great strengths of the organization is having access not only to companies like Mr. Elder's in our membership but to Sun Life and many other companies that are very actively engaged. We use some of our bigger members to help in the educational process with smaller members.
The only other thing I'd add is this, and this is not only true of this particular piece of legislation. There's never enough to do or there's never enough that's been done, and there's always more to do in terms of dealing with the small-business community. They have so many challenges, and they form the heart of our economy. You all know the numbers: 95% plus of businesses in Canada are small. They all have lots of challenges in terms of meeting day-to-day requirements. Our goal was to try to tell them through our network what they needed to know about this.
One of the great opportunities about coming here today, quite frankly, is that in the recent weeks we alerted our network that we were coming here. It will give us another chance to put another package together for our members, and we're going to do that.
It's been an effort. We'll never get all the way there.
We're also working with the Privacy Commissioner. She says there's a wonderful need here to keep educating on that side. We agree with that, and working with SMEs is going to continue to be a priority for us.
:
Mr. Chair, I'll answer the question this way. In terms of the importance of the issue and dealing with small and medium enterprises in Canada, particularly companies—as Mr. Vincent's question points out and I mentioned earlier—as small as five employees, they have lots of challenges.
Regarding the funding of training for companies across the country, I would say not. Through the Office of the Privacy Commissioner, what we have is an opportunity to think about doing a better job. We agree with her that together we can do a better job of getting useful information into the hands of small companies, and there are lots of ways we can do that.
Technology, for us.... Remembering that these companies are all over the country, not just in the big cities.... From our standpoint, we're only three years into a very difficult area with these enterprises that's not unique in terms of the only thing they're thinking about, as I said earlier.
So I wouldn't go so far as to say let's think about a major federal program to start sending people out into companies. I don't know whether you were going that far, but I would say that using the office of the commissioner to think about more outreach for SMEs would be constructive.
I'd like you to talk more about the international aspect the chamber had referred to. I think you didn't want to hinder the economy and transborder transactions, and I couldn't agree more. But there are an awful lot of international transactions that go on with the United States, and other countries around the world, all over the world with computers and outsourcing of information. It's quite remarkable how it's expanded, actually. I quite concur with your observation. We have international insurance companies, companies whose head offices are in other countries. I'm not knowledgeable about that, but there's no question that there are insurance companies that cross borderlines.
On the issue of notification, of course different countries have different laws. Many of the states have different laws about notification. We had some witnesses here on Monday or Tuesday, the bank people. They said that unless there was some reasonable evidence of fraudulent activity, there didn't need to be any notification. There was a story a couple of years ago or a year ago, about some faxes from a bank ending up in a scrapyard in West Virginia. You may recall that story. There were social insurance numbers, home addresses, phone numbers, etc., and detailed banking information. We had a story just a few days ago about a whole bunch of information that just got lost. There's no evidence that it was stolen or used. But again, it included the same detailed information. Then we had the case of HomeSense and Winners—and I'm not criticizing those people—in which information was stolen. Hackers got in.
So my question to you is whether you agree with that philosophy of the banks who say that unless there's evidence of fraudulent activity, people don't need to be notified, or whether you think we need to go further than that. I appreciate that to notify a million people, the postage alone would drive a company crazy. Could both groups comment on that issue?
I might be duplicating some of what my friends with the chamber said, but we believe it has to be a risk-based approach. You have to look at whether you're dealing with an incident that has some materiality attached to it. I think you have to have some reasonable grounds to believe that the disclosure has in fact taken place. You're saying something went missing. Well, under what circumstances? Could it still be within the company somewhere and it hasn't gone out of the office? You have to make that determination.
And you have to look at whether there's a significant risk that the individuals whose information you're dealing with could suffer some harm from this. I think you do that by analyzing the sensitivity of the information, whether that information was encrypted and in what form, and by consulting with your regulators to ensure they're aware of the situation and to get some good advice from people who can look at this from perhaps a broader perspective than the company itself. You look at all those factors to determine whether notification should be made.
We discussed this morning that there are a number of guidelines being developed across the country. One of the advantages of not mandating very specific rules in this area is that you can develop guidelines that are similar, apply across the board across Canada, and retain that flexibility to deal with the variety of incidents you could have.
In your introduction to that question, you indicated there were different instances, different possible breaches, etc. They were all different in type, so I think you have to look at all those factors.
My question is for Mr. Murphy, if you don't mind.
As a follow-up to Mr. Dhaliwal's question, I understood you have a communication challenge with having to communicate these aspects of PIPEDA to all these various businesses. I would like to look at the communication as it comes the other way. I realize you have to communicate, but if I had a business and I had five employees, for example, my head would be swimming with all this stuff. I don't necessarily have the legal background, and I don't have the legal resources to help me to understand it. I realize you're trying to give tool kits and other things.
I am interested, though, because they are important players in the economy and in the Canadian makeup. Did you provide a venue for information to come the other way? How did they feel about PIPEDA? Did they give insights or ideas as to how they thought it might be improved? I guess the second part to my question would be whether you honestly think they will be able to maintain the focus on PIPEDA and apply it properly, given all the other challenges they have to face.
:
Yes, it's a very good question, because it is part of the challenge of not only our organization, but all, in terms of dealing with a majority of the members of our group.
One of the good things about being at the chamber and being the policy guy is that I never have to wonder whether I'm going to get feedback from my members on a variety of issues. It's usually coming to me at a rapid rate. It's interesting that this is true regardless of the size of business. That's because of what I said earlier, in terms of the impact--and I'll just deal with the federal level, because that's where we deal at the Canadian Chamber--how much government affects the day-to-day activity of business in so many ways.
We're not here to discuss the broad principle, but just with respect to this particular legislation--of course, we are just three years in when we're talking about most small companies--we did hear from members on this particular issue as we put information in their hands. We heard it in two ways: not only directly from some of those companies that we get to talk to, direct members of ours, but also through the local chamber network where many of these folks are members.
I won't get into the details of the variety of our communications vehicles, but we initiate feedback ourselves by holding calls with local chambers and others to actually have an opportunity to test the waters on various things that we've done. We put a package together on this particular piece of legislation, and we did that more than once, by the way, because there were different phasings here in terms of implementation. We tried to test the waters.
We don't overburden our members with surveys, the kinds of things where you would mail something out and say, “Could you fill this in, please”, but when we do--we try to do them maybe once or twice a year--we try to capture a bit of an omnibus approach. This is an area that we've tested in the past as well.
The feedback I got, quite frankly, was “You've given us useful tools.” One of the most useful was the contractual clauses that we actually were able to draft with some help from some of the legal members of the chamber, which was very useful stuff. We got very good feedback on that generally.
So is there more to get? There always is, absolutely.
Welcome to our panel here this morning. It's great to have you with us.
My question is directed to the Canadian life and health insurers. On this issue of fraud detection that you mentioned in your brief, the section you're referring to is paragraph 3(d) of the act, which talks in terms of your ability to essentially disclose, without knowledge or consent, personal information when you see that there might be a potential for fraud or a breach of covenant or a breach of agreement with an insured, in this case.
You talk in terms of there being a gap currently with PIPEDA. I suspect that pertains to the fact that there isn't the term “investigative body”. Are you saying that there is no investigative body to which you could, in fact, disclose?
I wonder if you could give us a practical example to illustrate what this gap is in terms of being able to investigate fraud.
:
It's a good question, and I'm happy to work through it with you.
If we step back, under PIPEDA we have the ability to collect and use without consent when we have reasonable grounds to believe it would be useful in the investigation of a contravention of law of Canada and the information is used or collected for the purpose of that investigation.
Then we move to subsection 7(3), which is disclosure without knowledge or consent, and in this section there is no ability for an insurance company to disclose to anyone other than to a government institution or an investigative body. And yes, you're correct, the life and health insurance companies do not have an investigative body.
The CBA has an investigative body. The Insurance Bureau of Canada may have an investigative body. But the life and health insurance industry does not.
I would like to go to page 13 of your submission. It says:
A question that has been much discussed in recent times is whether organizations that suffer loss or theft of personal information should have a legal duty to report the loss or theft. It is worth noting that the openness principle (Principle 8 of Schedule 1) already suggests that an organization has responsibilities along these lines. Consequently, the industry is of the view that no specific legislative provision is needed at this time.
Here is my first question. Does this mean that if you lost information or had it stolen, it would not be necessary to tell anyone at all, that the industry would decide what to do about it?
Continuing on:
The industry supports a risk-based approach to notification, where the need to notify and the method of notifying the individual are proportional to the risk of harm that may be experienced by those whose personal information has been compromised.
My interpretation is that if you lose my personal information or have it stolen, you are going to decide for me whether I am going to be harmed by it. And reading on:
Where the breach is material; where the organization has reasonable grounds to believe that disclosure of personal information to unauthorized individuals has taken place; and, where the disclosure presents a significant risk of harm to individuals (e.g., identity theft or fraud).
In applying such parameters, an organization would perform an analysis (taking into consideration the sensitivity of the information, whether that data was encrypted, etc.) with a view to determining whether notification should occur and, if so, how notification should take place.
If I understand correctly, regardless of the situation, it is you who will decide if it is necessary to advise me if personal information is lost or stolen.
I am of the opinion—and I said this yesterday too—that the insurance industry probably could have written a book on privacy. I think you have done a good job. I think there is always room for improvement. We've heard some great questions and we need some direction in certain areas.
I am concerned about one thing, though. I stated yesterday that most of this has come about because of the information age and things that none of us expected or anticipated.
I want to direct a question, and I think I should direct this question to you, Ms. Philp. With Sun Life, for instance, or the insurance industry generally, when you have overseas ventures like in China.... I understand in that particular case that the advantage you have over other companies is that you have an integrated system. In a case like China, where they take 50% ownership or the government is a partner, what kinds of safeguards do you have if you have an integrated system? For instance, in the government here, I think Sun Life has our insurance policy. What do we have for safeguards that some of that information isn't going to get out?
:
The thoughts we've expressed here stem from a fundamental belief that in coping with legislation like this.... I make two points. First of all, for most of our members, and that would certainly include the smaller members, we're only three years in, and in the scheme of legislative enactment in Canada that's very young.
I would couple that with the Office of the Privacy Commissioner's own comments about...and I think the arrival of the current commissioner was almost coincident with that phase, in January, 2004, where the bulk of companies in Canada got captured by the act.
As the commissioner herself has indicated to you, there are lots of preoccupations there for her, to do things in the office other than get on with the core work of implementing the act.
So it's early days, and I think that's the philosophy behind the recommendations.
As to our view on whether this is something that's shared across our membership, I would say it is, very strongly. This is a case where three years in on any bill, and particularly one that affects so many of our members, is really early days.
To change it today, when you're still in the educational phase for a lot of them in terms of their building themselves up to deal with the important elements of the act, I think is going to complicate life a lot more than we need to at this stage.
:
Thank you, Mr. Chairman.
I am going to continue in the same vein as just now. I am confused. If there is a theft or something happens in one of your organizations, you feel you have the leisure to reveal it or do something, be it at the level of the Canadian Chamber of Commerce, businesses, or, as I understood it, insurance companies.
Could the Act not state that, as soon as a party realizes there has been a theft or something of the sort, it must advise the commissioner, who conducts an investigation to determine the repercussions of such an event on the personal information of people who deal with your organizations?
Should there not be a section in the Act that encompasses this type of problem, rather than leaving it to the organization to judge the appropriateness of revealing it?
:
Okay, that's a good place to leave it in completion.
Madame Philp and gentlemen, I would like to thank you on behalf of the committee very much. I'm sure you can appreciate that there's a great deal of interest in this subject matter by the committee members, based on the questions you had to field today.
Good luck with your redesigning of the website, and good luck with your members. I know if I were in small business, this particular statute, among many others that governments impose on businesses, would be perplexing to me. So many thanks for appearing today and for giving us your advice.
Members, our next meeting will be on Tuesday, at 9 a.m. It's very likely I will not be here, so I've asked Mr. Tilson to take the chair on that day. Thank you.
I adjourn the meeting.