The Privacy Commissioner of Canada’s Position at the Conclusion of the Hearings on the Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)
Submission Presented to the Standing Committee on Access to Information, Privacy and Ethics
February 22, 2007
Summary of the Position of the Privacy Commissioner of Canada
We are suggesting that the Committee should recommend changes to PIPEDA in the following nine areas (based on both our November 2006 submission and this document):
- solicitor-client privilege (Issue 1 – November submission);
- business contact information (Issue 2 – November submission);
- employee-employer relationship (Issue 4);
- collection and disclosure for law enforcement and national security purposes (Issue 5);
- attempted collection without consent (Issue 7);
- individual, family and public interest exceptions to consent requirements (Issue 8);
- disclosure of personal information before transfer of businesses (Issue 10);
- duty to notify (Issue 12); and
- cooperation with other enforcement authorities (Issue 14).
We are not recommending any changes to PIPEDA in the following areas:
- Commissioner’s powers (Issue 3);
- designating investigative bodies (Issue 6);
- blanket consent (Issue 9);
- work product (Issue 11);
- transborder flows of personal information (Issue 13); and
- addressing spam (Issue 15).
Introduction
As the OPC stated in its first submission to this Committee in November 2006, we believe that PIPEDA is working reasonably well, although deficiencies have come to light that were not anticipated when the Act was drafted several years ago.
We have followed the testimony before the Committee with great interest. We have observed in that testimony the fundamental tension between the needs of organizations and the rights of individuals. This tension is also inherent in PIPEDA’s purpose clause. The variety of witness positions was consistent with those we observed in the autumn of 2006 as various parties responded to our discussion paper on PIPEDA. Overall, this tension in the operation of PIPEDA is healthy, and it helps to establish the right balance among the competing interests.
In light of the various witness statements that the Committee has received since our first appearance, and in light of recent events touching on privacy, we wanted to clarify and refine some of our earlier positions. We are recommending changes to PIPEDA in nine areas at this time. Parliament adopted an ongoing five-year review of this relatively young legislation, so there will be opportunities for our Office and others to recommend additional changes after we have had more opportunities to work with its provisions. In the meantime, we are confident that the public education tools and guidance that we are developing will ensure that PIPEDA continues to achieve the right balance among different constituencies.
Please note that we are not reproducing in this document our views on issues addressed in our previous submission if we are not modifying or expanding on those views. Our previous submission is set out in Appendix I. We have followed the format of our previous submission, and added solicitor-client privilege and business contact information issues, which were dealt with only in the introduction to our November 2006 submission.
1. Solicitor-Client Privilege (Sections 9 and 12)
We recognize the importance of solicitor-client privilege as a fundamental legal principle. Our concern is that organizations could thwart our Office’s investigations by inappropriately asserting this privilege.
As the Privacy Commissioner indicated to the Committee during her first appearance, the Federal Court of Appeal’s October 2006 decision in the Blood Tribe [Footnote 1] case weakened the Commissioner’s investigative power by preventing her from reviewing the validity of a claim of solicitor-client privilege. This decision leaves a gap in the Commissioner’s powers and will potentially allow a broad claim of solicitor-client privilege over corporate-held documents to inhibit an OPC investigation, with no possibility of independent verification of the appropriateness of the solicitor-client claim other than by a formal application to court.
To understand why this decision so profoundly undermines the Commissioner’s authority in PIPEDA, it is important to go back to the fundamental right of access provided by the Act. PIPEDA provides individuals with a broad right of access to their own personal information held by an organization. The Act sets out a limited number of exceptions to this right of access, one of which permits an organization to refuse to provide an individual with access to information protected by solicitor-client privilege. In the face of such a claim, the Commissioner must investigate the claim and make an independent report of her findings and recommendations. If the Commissioner could not compel the production of the documents over which privilege is claimed to verify the claim, she would be severely limited in carrying out her mandate under the Act.
The Commissioner’s investigative powers – including the ability to verify the legitimacy of an organization’s claim of solicitor-client confidentiality – are fundamental to the strength of the ombuds model. The Commissioner needs all the facts and considerations to make findings that are of value to both parties.
The result of the Blood Tribe case causes our Office great concern. We are seeking leave to appeal this decision, but it would be remiss of us not to raise it with the Committee at this time.
2. Business Contact Information (Section 2)
As we noted during our first appearance, the exception to the definition of personal information in PIPEDA should be expanded to include business contact information. We believe the definition in Alberta’s PIPA would be an appropriate model as it is sufficiently broad but places restrictions on the purposes for which business contact information may be collected, used or disclosed.
3. Commissioner’s Powers
We addressed this issue in our November 2006 submission. We did not recommend any change to PIPEDA in this area.
4. Employee-Employer Relationship
In the submission we presented during our November 2006 appearance, we stated that personal information about employees has been the source of some of the most challenging complaints OPC has encountered over the last five years and that, in some cases, we were forced to stretch PIPEDA to address employment issues.
We believe we have arrived at a workable solution, though settling on the specifics of this regime has not been easy. We invite the Committee to recommend that PIPEDA be amended to follow the approach in Alberta’s PIPA – the reasonable purposes-based employee code – as long as such an exemption for employee information is accompanied by a requirement to consider employee dignity and an assessment of whether there would be an undue intrusion into an employee’s personal life. In cases where obtaining consent is impractical, PIPEDA would be improved if the effects on the dignity of employees of all the potentially privacy-intrusive measures were considered in balancing the rights of the individual to privacy and the needs of organizations to collect, use or disclose personal information.
Section 7 of PIPEDA contains exceptions to the requirement to obtain consent for the collection, use or disclosure of personal information. We recommend adding a subsection that would allow collection, use or disclosure of employee information for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual, using a standard that combines reasonable purposes, dignity and an assessment of an undue intrusion into an employee’s personal life. We would also want PIPEDA to require sufficient advance notice of such collection, use or disclosure.
Dignity is an important notion that forms part of Quebec’s approach to protecting employees’ personal information. We believe that adopting this concept would enhance our Office’s ability to examine the context of a complaint. We think it would be valuable when investigating complaints to be able to contemplate broader consequences to more accurately assess the scope of the intrusion and the surveillance on employees. For example, instead of looking at a complaint relating to intrusions flowing from voice prints, location tracking or video surveillance, the OPC should have the authority to look beyond the specific application of the technology to make an effective assessment of the intrusion on the employee’s dignity in the work environment as a whole. It could also be argued that we would be more accurately assessing the balance that the legislators intended in the purpose clause if we were to assess these broader consequences.
5. Collection and Disclosure for Law Enforcement and National Security Purposes (Section 7(1)(e))
OPC addressed this issue in its November 2006 submission and asked that the Committee recommend an amendment to PIPEDA.
We stated that the broad wording of section 7(1)(e) continues to cause OPC serious concern. The provision applies to any organization subject to PIPEDA and has the undesirable effect of deputizing the private sector to carry out law enforcement activities without corresponding public accountability. It does not limit the amount of information that can be collected without consent, nor does it place any limits on the possible sources of information.
We asked for its removal at the time that the Public Safety Act, 2002 was debated. We continue to believe that it should be removed or that it should be made more restrictive.
6. Investigative Bodies
OPC addressed this issue in its November 2006 submission. We did not recommend any change to PIPEDA in this area.
7. Attempted Collection Without Consent
OPC addressed this issue in its November 2006 submission and asked that the Committee recommend an amendment to PIPEDA.
We stated that attempted collection remains an issue of concern for OPC and we would support efforts to close the gap in PIPEDA by addressing “wilful” attempted collection.
8. Individual, Family and Public Interest Exceptions to Consent Requirements
OPC addressed this issue in its November 2006 submission and asked that the Committee recommend an amendment.
We stated that some of the submissions we received identified legitimate concerns, and that the Committee may wish to consider some very limited exceptions in this area, such as disclosures to the family of an injured, ill or deceased individual and notification in case of an emergency in a community setting.
9. Blanket Consent
OPC addressed this issue in its November 2006 submission. We did not recommend any change to PIPEDA in this area.
10. Disclosure of Personal Information Before Transfer of Businesses
As we noted during our November 2006 appearance, PIPEDA contains no provision allowing an organization to disclose personal information (such as client lists) to prospective purchasers or business partners without the consent of the individual affected. Prospective purchasers or partners may need to review this information as part of their “due diligence” evaluation of whether to proceed with a transaction such as a merger, acquisition or sale of business.
An enhanced version of the model set out in the Alberta PIPA would be appropriate. We have included the relevant section of the Alberta legislation as Appendix II. In terms of enhancements we believe, for example, that the due diligence exercise should involve the least amount of personally-identifiable information possible. After a transfer of ownership, all individuals whose personal information is being transferred should be notified of the transfer as soon as possible. The new owner should be required to adhere to the selling organization’s policies respecting privacy until all individuals have had an opportunity to choose whether they want to have a relationship with the new owner.
The OPC continues to believe that the Committee should recommend amending PIPEDA by adopting the approach taken in the Alberta legislation, along with the enhancements outlined above.
11. Work Product
During our first appearance, we noted the complexity of this issue, and we continue to hold this view. In Appendix III, we have included extensive reasons for the importance of continuing to include work product as “personal information” in PIPEDA.
Some individuals have suggested that the work product issue can be easily resolved and that a general amendment would be an appropriate solution to remedy a particular situation. We do not believe that this is an easy fix or that there is a clear model to follow. For example, both Quebec and B.C. have addressed the work product issue of doctors’ prescribing habits but each has taken a different approach to this specific situation. We are very concerned that complex policy issues are involved that require a more extensive review. At the very least, determining whether to change the established definition of personal information – the lynchpin of PIPEDA – requires the input of experts, bodies responsible for health and drug expenditures, employees and public interest groups.
OPC’s current approach to dealing with these issues considers the reasonableness of the collection, use and disclosure of personal information in the context of the situation, including the needs of the organization and applicable industry standards. For example, we look at how information is used, and not where it is produced. The chief virtue of the current approach is that it enables the OPC to investigate the privacy implications of specific information practices case by case, so that it can provide guidance accordingly.
This is why we continue to believe that excluding work product from the definition of personal information could result in intrusive workplace monitoring and other abuses, since work product would no longer be protected by PIPEDA. We would prefer that work product issues under PIPEDA continue to be addressed case by case.
Moreover, we believe that including an employee code for PIPEDA, as discussed in Issue 4, would resolve several of the issues that a work product exclusion would seek to address, but in a way that does not threaten other workplace privacy rights.
12. Duty to Notify
In our first appearance before the Committee, we expressed support in principle for imposing a duty to notify where a security breach has resulted in a loss or theft of personal information. Since then, several major security breaches have been reported in the media. We launched investigations into two of them – that involving the CIBC’s Talvest Mutual Fund (see Appendix IV) and, in conjunction with the Information and Privacy Commissioner of Alberta, that involving the retailers Winners and HomeSense (see Appendix V).
These incidents have generated an urgency to resolve the data breach notification issue. Although several organizations have voluntarily informed our Office of security breaches, other organizations will likely inform us or the individuals affected only if obligated to do so. We note as well that the Canadian Internet Policy and Public Interest Clinic (CIPPIC) has released a thoughtful paper on breach notification [Footnote 2] recommending that PIPEDA include a breach notification requirement similar to those found in some American state laws. We have included a summary of U.S. state laws in this area in Appendix VI.
We strongly encourage the Committee to recommend amending the Act to include a breach notification provision. We recognize that determining the appropriate model will require additional time and consultation, so we are working with stakeholders to develop voluntary guidelines to apply until the Act is amended. We will be drawing on helpful documents that have been written by the B.C. and Ontario Information and Privacy Commissioners.
13. Transborder Flows of Personal Information
OPC addressed this issue in its November 2006 submission. We did not recommend any change to PIPEDA in this area.
14. Cooperation with Other Enforcement Authorities (Section 23)
In our November 2006 submission to the Committee, we said that the OPC would like to have specific authority to share information and cooperate in investigations with privacy offices in other provinces and countries. Here we provide additional details about the scope of and necessity for such sharing.
In general, PIPEDA requires the Commissioner to treat as confidential any information that is obtained in the exercise of the Commissioner’s powers, although the Commissioner may publicize the information practices of an organization if the Commissioner considers it in the public interest to do so. Our Office does not share information about a complainant without that individual’s consent.
PIPEDA currently permits the Privacy Commissioner to enter agreements to coordinate activities, undertake and publish research, and develop model contracts with her counterparts in Ontario (only with respect to Ontario health information custodians), Alberta, British Columbia and Quebec. We have found this ability to share information with the privacy oversight offices in these jurisdictions to be very useful. For example, as mentioned earlier, our Office and that of the Alberta Information and Privacy Commissioner announced a joint investigation of a major security breach involving personal information (see Appendix V).
Entering arrangements with other enforcement and oversight bodies is a necessary part of our response to the jurisdictional challenges we face. We are not alone among data protection bodies in facing such challenges. The Commissioner chairs an OECD group that is exploring ways to encourage cooperation between data protection authorities and other enforcement bodies with respect to cross-border complaints and cases arising from transborder data flows. APEC has recently asked us to chair a working group to explain the Canadian approach in these areas.
As well, the recently adopted US SAFEWEB Act will help the Federal Trade Commission fight a range of practices that harm American consumers, including spam, spyware and privacy and security breaches. This Act gives the FTC the ability to share confidential information with foreign law enforcers, subject to appropriate confidentiality assurances.
We want to ensure that the OPC has a solid foundation for cooperating with consumer protection and other enforcement bodies, such as the FTC, to ensure that we are not duplicating efforts – and needlessly using our limited resources – in seeking solutions to these and other problems.
15. Addressing Spam
The OPC did not address spam directly in its previous comments to the Committee, but the issue deserves attention, particularly in light of the Committee’s mandate. Spam and spam-borne online threats (such as “spyware” and “phishing” attacks) are intruding on the privacy and threatening the security of Canadians. Beyond their privacy impact, these activities are undermining confidence in the Internet and even prompting some people to abandon electronic commerce.
Yet none of the recommendations of the Task Force on Spam – recommendations which our Office helped to develop – have been implemented. Canada still has no anti-spam legislation, and is now the only G-8 nation without specific anti-spam legislation. We have expressed our concern to the Minister of Industry and have provided a copy of our letter to Members of the Committee (see Appendix VII). We recognize, of course, that PIPEDA and other legislation are only part of the solution to spam. Nonetheless, we urge the Committee to make this a priority issue and to raise it with the Minister of Industry.
Conclusion
We thank the Committee for the opportunity to comment a second time on these important issues and for its strong commitment to the PIPEDA review process. If our Office can provide further assistance on these or any other issues, we will be pleased to do so.
We look forward to the Committee’s report and recommendations.