Proceedings of the Standing Senate Committee on
Science and Technology
Issue 2 - Evidence
OTTAWA, Monday, November 29, 1999
The Standing Senate Committee on Social Affairs, Science and Technology, to which was referred the subject matter of Bill C-6, to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act, met this day at 1:00 p.m. to give consideration to the subject matter of the bill.
Senator Michael Kirby (Chairman) in the Chair.
The Chairman: Honourable senators, we will do something relatively unusual today. We have an extraordinarily large number of witnesses, so we will actually need to stay on time. I will try to enforce time limits as rigidly as I can.
Our first set of witnesses is a panel consisting of representatives from the British Columbia Civil Liberties Association, the B.C. Freedom of Information and Privacy Association, the Public Interest Advocacy Centre and the Canadian Health Coalition. Consistent with decisions made by the steering committee last week, each of the witnesses has been asked to state their views succinctly, which means approximately five minutes each. I will ask Mr. Mollard to start.
Mr. Murray Mollard, Policy Director, British Columbia Civil Liberties Association: Thank you for inviting me to speak with you about Bill C-6. I should briefly introduce you to the association. We have been in the business of protecting the civil liberties of British Columbians in the context of B.C. and in Canada for the last 35 years. From personal experience, having worked there for over five years, I can say that the privacy file is consuming more and more of our resources. We are receiving more and more calls from individuals concerned about privacy intrusions.
The British Columbia Civil Liberties Association is a strong supporter of Bill C-6. We testified before the House of Commons Industry Committee and made suggestions on amendments. We are happy to see some of those amendments, as we feel the bill has been strengthened from a privacy point of view. We, like others, think there could be more improvements; however, the bill as it stands represents a good compromise, one that has been forged after significant consultations with organizations that represent privacy interests as well as organizations and associations of groups that will be subject to the law. In the tradition of democracy, this is an example of a bill that has been put together with a great deal of consultation and compromise. For that reason, we support the bill.
The federal government, of course, will sell this bill to various interests as being good for e-commerce and good for preventing problems with international trade, but our organization thinks that the moral justification for Bill C-6 has to do with the importance of protecting Canadians' privacy. Privacy is important and critical to the autonomy and integrity of Canadians, and it is an important value for democracy.
There may be objections to the law from various interests in the health sector. We are ready to answer those. I put some of those objections and responses in our written brief and will not touch on those any further. However, I would say that there is an urgency to pass Bill C-6. I know you have a responsibility to consider carefully legislation that comes before you. However, we say it is urgent, not because of some legislative timetable restrictions or politicians' personal agenda, but, rather, because another day without Bill C-6 in force is another day of demeaning and intrusive privacy practice that Canadians must endure, and must endure without recourse, quite frankly.
Our organization regularly receives calls from individuals concerned about practices that they are having to undergo, for example. This is an interesting aspect of the bill, touching on the health information exemption for which some are arguing. We receive calls from employees and potential employees of organizations where, as a condition of employment, the employer wants to obtain very sensitive personal health information -- things such as your family's medical history, your psychiatric history and, indeed, even at times your sexual history. We are astounded that those kinds of questions are asked and made part of the employment application process. When people call us, we can say that we could write to the organization, but potential employees are reluctant to do so because they do not want to be singled out and cause trouble even before they get a job.
My point here is that people are left really without anything that they can do. The urgency for you as the Senate is to consider how this bill affects Canadians in a very personal way. Our organization cannot do much about it, but you can, and we urge you to do so.
Mr. Darrell Evans, Executive Director, BC Freedom of Information and Privacy Association: My group, FIPA for short, was created in 1991 as a public interest advocacy group for freedom of information and privacy issues. That is our exclusive focus. We are currently the only society in Canada devoted to that, but we are hoping to change that shortly by developing, along with some other people at this table, a group called the National Privacy Coalition and actually forming a real privacy group for Canada.
I should like to talk a bit about Bill C-6 in the larger social context of privacy today. There is a battle going on in the Western World over access to and control of personal information. This battle is being fought in both the public sector and the private sector. At stake is how much privacy individual citizens will be able to preserve in the face of the growth of government and of information technology. The question Canadians must resolve is how much access the state and corporations should have to information about us.
The legislation that is before you today is one result of the battle over personal information. Bill C-6 represents a victory for the movement to guarantee citizens some privacy rights and a recognition by the Canadian government that citizens fervently desire and should have these results.
The most controversial part of Bill C-6 turned out to be the inclusion of personal health information under the bill. I will devote my remarks to that. It is my belief that the most serious, consequential and desperately fought battle over personal information in the western democracies will be the battle for control of health information. The debate over Bill C-6 has shown that to be true.
When the directors of my group heard that there was an intense lobbying effort by the Ontario Ministry of Health, the Canadian Pharmacists Association, the Ontario Association of Medical Laboratories and others to have the private health sector exempted from this bill, they asked that I do everything I could to appear before you today.
Provincial governments, the private health care sector and much of the public heath sector desperately want access to and control of personal health information, and they do not want to ask the permission of individual Canadians to get it. In other words, they do not want to have to ask you and me for our consent as to what will be done with that information.
What does the Canadian public think about that? I have not seen much good research on that, with the exception perhaps of a Canadian Medical Association study, which I found to be excellent. However, our group, like Mr. Mollard's, receives hundreds of complaints on privacy each year, and I have reached some conclusions.
Most Canadians have confidence that their physicians will not betray their privacy. That is, a physician will share information only for the purposes of immediate care and with the patient's consent. That is what patients expect, and that is what they assume is the reality. They have this trust because they assume that physicians abide by a strict code that guarantees patients' confidentiality. Moreover, patients still assume that they will be consulted over disclosure, even with that guarantee.
Patients have no such trust relationship with pharmacists, laboratories or other private health care providers, or even with hospitals or health researchers for that matter. However, I believe that people expect the same standard of conduct from those groups.
One indication of this is a U.S. survey that asked the following question: "Even if you are not personally identified, should your permission be required before your medical records are used for research, or is that not necessary?" The response from 64 per cent was "Yes, permission should be asked." That was for research with de-identified information. That gives you an idea how strongly the public feels.
The part of Bill C-6 that most offends the Ontario Ministry of Health and the private health care sector is the requirement that patient consent be obtained for the sharing of personal information. Most of us would be shocked or offended if a physician gave our medical records to someone for a purpose we did not approve. Yet, that is exactly what many provincial governments and health care interests are proposing by asking that Bill C-6 exempt health information.
Legislation is currently being developed in Ontario and other provinces that will expropriate personal health information from all existing sources to create an electronic health record for every Canadian. The federal government, together with the provinces, is planning to create what is called "the national health info structure" on which these electronic health records will flow, along with other information, under the control of whomever they designate as custodians. It is because Bill C-6 threatens to interfere with these plans that the Senate and the other place have received such determined representations from health interests.
The Ontario Ministry of Health assures us that information sharing would be permitted without consent but with strong safeguards to ensure that information is shared only in very limited circumstances. However, consent is the essence of health privacy. It is not a side issue. It is the core issue.
If I leave anything with this committee, I hope it is the opinion of my organization that the "strong safeguards" that the Ontario ministry refers to do not constitute privacy rights. They may be confidentiality. They may be called security. But they are not privacy rights. Personal consent and control are privacy rights.
Ms Philippa Lawson, Public Interest Advocacy Centre: Thank you very much for the opportunity to speak on this important bill. I should like to address briefly four points: one, why the matter is an urgent one; two, why the bill is a good one; three, why amending it is not advisable; and four, why you should not succumb to pressures for a health carve-out.
I will speak first to the urgency. We are all aware of the tremendous ease with which personal information is now being collected, stored and traded in the marketplace without the individual's knowledge or consent. A whole new industry has developed for data collection, data warehousing, data mining. It is growing by leaps and bounds. The problem is that there is nothing to ensure that this industry develops in accordance with the principles of privacy and human dignity on which our civil society is based.
Some of you may recall the case a few years ago of a Montreal woman who been diagnosed with cancer. No sooner did she get home from the hospital than she received a telephone solicitation from a funeral home. New mothers who give birth at hospitals are frequently inundated with the marketing of baby products. While this may seem harmless, it is not appreciated when the baby has died. In one reported case, a man who had consulted a medical clinic for sexual dysfunction later received direct mail advertising cures for impotence. He felt terribly exposed and humiliated.
A few years ago, a bank in Maryland was found to have recalled loans from a number of individuals whose names it obtained from a list of cancer patients. Not too long ago, a number of American states compiled a list of African-American men at risk for sickle-cell anemia. Once insurance companies obtained this list, many of those men were not able to get medical insurance and some were turned down for jobs. A recent survey of Fortune 500 companies indicated that over half admitted to using medical information in employment decisions, often without the individual's knowledge or consent.
Honourable senators, we have allowed technology and market forces to get ahead of our laws and our social expectations. It is time to act. The longer we delay this bill, the more business cases will be built on the unrestricted sharing of personal information, the more vested interest in opposition to fair information practices will have been created, and the more difficult it will be for you to put in place a fair and sensible regime for data protection in Canada.
Why is this particular bill a good one on which to move forward? Bill C-6 represents a reasonable set of fair information practices. It has the broad support of businesses precisely because it is not too onerous. It has the strong support of consumer and public interest groups because it gives us some protection where now we have none. It is based on the fundamental principle of informed consent, but it provides exceptions in appropriate cases. It takes a common sense approach to the question of when such consent needs to be explicit.
Some say that this bill is not good enough, that we need stronger protection, especially for medical records. We agree. But we do not think that Bill C-6 should be held up in order to for these sector-specific protections to be put in place.
Why is amending this bill a bad idea? This bill represents a very delicate compromise reached among a number of competing interests. If you take it apart now, there is a good chance you will not succeed in reconstructing it. Sending it back to the House could be fatal for data protection in the private sector. Yet we need these protections and we need them now.
Finally, why should you reject the arguments that Bill C-6 is unworkable in the health care sector? First, there is widespread misunderstanding of the consent requirement in Bill C-6. The bill in fact takes a common sense approach. It is based on reasonable expectations and it does not require explicit consent for every use or disclosure.
Second, the fact that it is limited in application to commercial activities is perhaps regrettable, but it is a constitutional necessity. It is a far cry better than no protection at all, and it captures the bulk of the mischief we are seeking to address.
If the health care sector is as integrated as its advocates' claim, then the application of the bill should not be such an issue. All health care organizations potentially subject to it should comply. However, that is not the real complaint of those calling for a health carve-out. When you peel away the various arguments you will find that what the pharmacists, hospitals, administrators and others want is a regime based on their determination of what is consistent use or what they think is in the best interests of the patient. Bill C-6, on the other hand, gives some measure of control to the patient, recognizing that the paternalistic model of "provider knows best" is no longer appropriate in the increasingly commercialized environment.
Honourable senators, let us not delay these badly needed protections any longer. Let us get on with building a society that puts human dignity first, ahead of commercial interests.
Mr. Michael McBane, National Co-ordinator, Canadian Health Coalition: The Canadian Health Coalition strongly supports the purpose of Bill C-6, which is it to provide Canadians with the right of privacy with respect to their personal information. We support the guardian leadership of Industry Canada.
Our big question is this: Where is the Minister of Health on the question of selling personal health information without consent? Surely there is a guardian role for the Department of Health. Yet, in the debate around Bill C-6, we see ministries of health arguing the case for exclusion from privacy protection on behalf of pharmaceutical companies. That, to me, is a symptom of what Jane Jacobs calls "mixing your guardian role with a trader role." When governments get into that kind of scenario, it is a very dangerous situation. We applaud Industry Canada for their guardian role in introducing this privacy bill.
The application of the legislation, as you know, is much wider than the health sector, but obviously it has direct implications on commercial activities in the health sector. We would remind you that the business of drug stores selling information on prescribing practices, gleaned from physicians and then sold to multinational pharmaceutical information companies, is not a charitable educational exercise. Those companies have fiduciary duties to maximize profits. They are not benevolent health charities and they should be subject to commercial legislation, such as Bill C-6.
Health care industries must not be exempt from the privacy rules. Fear about the misuse of health information technology, as Ms Lawson has laid out, is well documented. This is happening now. These are not theoretical concerns. What has been surprising in the debate around Bill C-6 is the revelation of the lack of protection for medical records. I believe Canadians assumed that the records were, in fact, protected from commercial use and from hospitals selling their records. This, of course, is not the case. We are now seeing the health institutions intervene and try to argue for a carve-out.
One argument they are using, which you will probably be hearing about, is that if we were to go ahead with this, Canadians might lose their confidence in the current business practices. Therefore, it is better to leave Canadians in the dark, and not let them know how this information is being sold and traded. That is very bizarre reasoning.
I should point out, too, that at this very moment, in Seattle, the Minister of International Trade has put health services on the trade table. It is a peculiar logic that this same health services industry argues for non-application of commercial legislation, yet is commercial enough to be part of international trade negotiations. That is incredibly inconsistent and does not stand the test of any examination on behalf of the public interest.
Where are the guardians of the medical records? That is the big question. Where is the Department of Health on the question of distinguishing between commercial use and use in the public interest for public health? I would hope that you would pursue those questions with the appropriate authorities at Health Canada. The debate on Bill C-6 has revealed the lack of protection and the intervention on behalf of business interests who are currently not subject to any regulations and rules on privacy.
You should be aware, too, that the federal government is currently planning to set up a national health information system. The Department of Health has a health advisory committee which has a number of health information companies on the board, and they do not distinguish between commercial use and public interest use in health information. That should be cause for concern. It would be another argument as to why Bill C-6 would apply in this area. If the industry does not distinguish and Health Canada does not distinguish in health information, then surely this bill would apply to them.
We should remind you that one of the largest interests in the carve-out for health information in Bill C-6 is the IMS Canada, which purchases customer and physician information from 4,000 retail pharmacies in Canada. This same firm has a detailed database on daily activities and the prescribing practices of 1200 Canadian physicians. The client is not the provincial ministry of health. These pharmaceutical companies are not registered charities, they are commercial businesses with a duty to maximize profits for shareholders.
We would argue that the ambitious plans of Health Canada for electronic patient records and the national health information system should not go ahead without stringent and strict privacy legislation and other measures to protect citizens from inappropriate disclosure without consent. When the guardian of Canada's health care system fails to distinguish between public and private interests in health information technology, alarm bells should ring. In essence, health industry critics argue that because the lines between public and private are so blurred in these private-public partnerships, the entire sector should be excluded from commercial rules. That is simply not a credible argument.
We would argue that Bill C-6 is an important first step in establishing privacy rights for personal information, but it is only a first step. Other legislative measures are also required. For example, Canada is one of the only countries in the developed world without a legislated code of ethics and privacy for health research.
Finally, I would add that the Minister of Industry is to be commended for guiding leadership in the health privacy field, and we would urge that the government see that the Privacy Commissioner is given the adequate resources to fulfil this important new mandate that will be given to them in this legislation.
Senator Murray: Mr. Mollard, as a matter of principle, what is your view of the exemption for personal information collected for journalistic, literary and artistic purposes?
Mr. Mollard: This is when freedoms collide. The association does a great deal of work with respect to freedom of expression and also with respect to privacy. That exemption is a perfect example where those freedoms collide. In our Charter of Rights and Freedoms, freedom of expression is protected and freedom of the press is made to be a specific example of freedom of expression. We go along with that exemption, recognizing that there is a tension between the two.
Senator Murray: What would you say to a right of privacy entrenched in the Charter of Rights and Freedoms?
Mr. Mollard: In the Charter, section 7 and section 8 have some aspects of privacy. Therefore, it is not as if it were non-existent. Nevertheless, I believe the association would certainly welcome further enhancements, further protections, because, of course, search and seizure is a narrow parameter and life, liberty and security of the person does not focus specifically on privacy but has many elements. It would be unique, and I know that some interests have called for an actual protection of privacy in the Charter. I believe that the referendum proposed back in 1992-93 may have included a right to privacy, or there was some call for that, anyway.
Senator Murray: On this issue, where these freedoms collide, do you come down on the side of freedom of expression?
Mr. Mollard: Yes.
Senator Murray: As a matter of principle, what is your view of paragraph 7(3)(h)? I referred to it the other day. It is the provision that personal information collected for commercial purposes may be disclosed 20 years after the death of the person about whom the information has been collected.
Mr. Mollard: I do not think we have an official position on your question. It may have something to do with the ongoing census debate.
Senator Murray: No, it has nothing to do with the census. You understand the ambit of the bill. It has to do with the personal information collected for commercial reasons. It relates to your mortgage, your credit card applications and your business with the bank. This clause says that 20 years after you die, if a case can be made that that information should be disclosed to the public, then that would legally be possible.
Mr. Mollard: My intuitive response is that 20 years is not a long time. Why 20 years was chosen, I do not know.
Senator Murray: Why should that information ever be disclosed? As you know, reasons like the investigation of a crime or some overriding purpose of national security are covered by the bill. We are talking here about some day in the future 20 years after you have gone, when someone doing a history of the British Columbia Civil Liberties Association might want to know what credit cards you held or the amount of your mortgage, if you had one. This proposed legislation relates to personal information collected for commercial purposes. I am asking for someone to defend it in principle.
The Chairman: I am not attempting to defend it in principle. The question is where the 20 years came from. The 20 years is the same figure that appears in the archive rule and in history. That is not to defend it, it is just to explain why it is there.
Senator Murray: I know what you say is true. I think it is irrelevant.
The Chairman: I was clarifying the figure of 20 years for the witness.
Mr. Mollard: Perhaps my colleagues have something to add. I do not understand the justification for that. The figure of 20 years strikes me as being not a long time.
Senator Murray: I do not wish to hold things up. You and other witnesses have argued against the exemption for the health care sector. It is not for me to speak for colleagues, but I have not detected any support around the table for the proposition that the health care sector should be exempted. However, some of the organizations that you have referenced have made quite an argument, coming from quite different perspectives, about the impact of this bill on their sector. We must take that seriously, and they will have an opportunity to speak for themselves.
What do you have to say about organizations like the Canadian Medical Association and the Canadian Dental Association, whose position is that this bill will weaken privacy protections? They say that rather more stringent requirements, based essentially on the Canadian Medical Association's own code, ought to be written into the law. What is your view of that?
Mr. Mollard: Again, they must speak for themselves, but I would be surprised if they would say that this bill would weaken existing protections. Quite frankly, in the commercial field, there are no protections right now. I do not see how the proposed legislation would weaken the present state of affairs. My understanding is that they are calling for further protections based on secondary and tertiary uses. For that reason they wish to see improvements in the bill. Obviously, you must hear from them to determine their points of view.
I am glad you made a distinction between those organizations and the organizations such as the Ontario Ministry of Health that speak about a two-tier system. When they talk about a two-tier system, as if two tiers were a bogeyman, the assumption, which they perhaps do not make explicit, is that protections that might be there for organizations involved in commercial activity will be stronger than protections for the public health institutions. From our point of view, that is a good thing, not a bad thing.
Senator Murray: The CMA and the dentists have a series of draft amendments.
Mr. Mollard: I am sure they do. Indeed, we could have made suggestions here today about a bunch of amendments as well. We pursued that in the Industry Committee, we saw some of our concerns responded to. However, we are aware of the reality of give and take in the creation of legislation.
Senator Murray: I should like to turn to Ms Lawson on this subject as we have had this conversation before. Your position has been that you got the amendments that you could get out of the House of Commons, and that the Senate really ought not to amend; is that not it?
Mr. Mollard: Not necessarily. However, I have spoken about the urgency involved, and I will repeat that.
This also gives me an opportunity to say something that I did not have time to say in the opening statement. The leadership role that the federal government is showing here in terms of a national standard is very important and it is making a difference. It is making a difference in this way: In British Columbia, in October of this year, our minister, Andrew Petter, introduced a discussion paper involving extending protections of privacy to the private sector. In my opinion, without Bill C-6, we would not necessarily have seen the political will and impetus to do that. That is very important and that leadership role needs to be shown by the Senate as well.
Senator Murray: I agree with that. I turn now to Ms Lawson. You have told us that we really must not amend, we must not send the bill back to the House of Commons, because it might get lost. There might not be enough legislative time, et cetera.
I have been listening to that argument for 20 years in various governments and I may have made it myself, on occasion, but I wish to tell you that, if there were a consensus in this committee that an amendment or several amendments were needed, that would be it. We would do everything we could, in the committee and in the Senate, to accommodate the schedule of the House of Commons. We would try to get the amendments over there in good time so that they could deal with them, yes or no, before Christmas. I think we could do that.
I ask you not to be carried along by these strategic considerations. There are always ways to achieve an end. If this is a priority of the government, and I have every reason to believe it is, then improvements to the bill suggested by the Senate would not cause the loss of the bill, I assure you.
Ms Lawson: Thank you, Senator Murray, for that reassurance. The point I was trying to make earlier was more that this bill really is a delicate compromise. I was part of the process of drafting the Canadian Standards Association code on which the bill is based. I can tell you that the extent to which you try to fiddle with that and change that may lead to other interests popping up and saying, "Wait a minute. We supported this bill before, but we do not now." That is just a warning.
Senator Murray: It is a seamless web, is it? Around this table, we know about political trade-offs and we understand that. We may take different views on whether a particular trade-off is necessary and desirable, but we all understand the phenomenon and the process.
Mr. Mollard: Put it this way: If you think you can make improvements to protect privacy better and you are assured that this bill will get through the House again, we would like to see that.
Senator Murray: That is the only kind of improvement that senators on this committee would be interested in.
Senator Carstairs: As you know, the Canadian Medical Association has developed what they call the health information privacy code. They would argue strenuously that their privacy code is tougher than the code that is in this bill. That is a concern to me. If by this bill we are going to be asking physicians actually to weaken the code that they have already bought into, then I say privacy is not adequately protected. I want all of the privacy I can possibly get for that information. I have no truck with the other groups who are arguing for weakening exemptions and so on. However, I do have genuine concern that we may not have adequate amounts of privacy control in this bill.
You have all spoken eloquently saying that this is the best we could get. However, the CMA is saying: "Give us time. Do not give us an exemption." There are already provisions in the bill that give them almost four years -- one year after the introduction and three years after that.
Would you object to the same kind of stipulation for the medical community?
Ms Lawson: I agree that the CMA's code is stronger than this bill, but I would not agree that that means that doctors will provide less privacy protection to their patients. They will abide by their code which sets a stronger standard.
The code sets out minimum standards that apply across all sectors. It is clear that within health we need stronger protections. We expect our health care professionals to adopt codes, like that of the CMA, which set out stronger protections. We will expect provinces to establish legislation that is at least as strong as this but, unfortunately, we are currently seeing provincial legislation that is weaker than what Bill C-6 proposes.
Mr. Evans: I agree with that. We believe that we will not get better legislation than this in the House of Commons. We are looking forward to lobbying at the provincial level for stronger legislation, because we believe that there will be sector-specific privacy legislation for the health sector; although, as they have been developing these bills, they have taken the word "privacy" out of them. They are now calling them "data protection" or "health information" acts. That has happened gradually over the years.
Citizens' groups have an inferiority complex. We think that groups like the Ontario Ministry of Health and the Canadian Pharmaceutical Association have more clout in Ottawa than we have. That is why we scrambled across Canada in order to present our position. If we thought there was a chance of getting stronger legislation, you can bet that we would be there, but we have already been through this fight. Provincial governments have a strong interest in getting more access to personal information without consent. That is what we must fight and where we hope to make some gains.
Senator Carstairs: You were obviously participants in the process in the House of Commons. Do you honestly think that members of the House of Commons would object to tightening restrictions on the privacy of health care and only health care?
We are talking about a political dynamic. Senator Murray has outlined it very clearly. If we amend this bill, it will be in very narrow areas and it will be tougher, not weaker.
Do you believe that members in the other place would put up an argument about greater protection of health care records?
Mr. McBane: We would all support any move by you to improve privacy provisions in Bill C-6, with the condition that its passage is not delayed beyond this session. Time is one thing we do not have. I disagree with the CMA that we have time. We do not have time.
The Manitoba department of health has already contracted health information management to the Royal Bank, which turned around and sold a 51 per cent share to a Texas-based company. This health information is now being managed outside the country. We do not even really know who owns it, and we have no federal leadership. We do not have time.
I should like the Privacy Commissioner to seek a process for stronger protections. Bill C-6 is much better than ongoing debate without any protections.
Mr. Mollard: We must remember that there is a five-year legislative review built into the proposed act. You referred to the three-year exemption. There was some discussion about a year-long delay in the application in order that organizations could comply. Be it a three-year, a four-year or a five-year legislative review, there is not much difference. However, I am tired of telling people who call our office that there is not much that our organization can do. We can write to employers or to organizations, but often people are reluctant to have us do that because they are fearful that they will draw the wrath of an organization for having blown the whistle. I do not want to tell people that any more. I want protections now.
Ms Lawson: The Reform Party did introduce some amendments in the House to strengthen protection for personal health information. We supported those amendments, but they did not pass. I understand that one problem is the limitations of our Constitution, and I caution you on that point.
Senator Beaudoin: Obviously, this matter is partly provincial. What do you expect from the provinces: legislation or compliance with federal legislation?
Mr. Mollard: In British Columbia, Minister Petter has introduced a discussion paper. Bill C-6 will apply only to employees of federally regulated organizations. We will be pushing hard in the province for legislation, rather than just a code or some guidelines, to protect employees in the provincially regulated sphere.
We tried the CSA code as a guideline. There has been some disappointment because there has not been enough buy-in, and that is why we want to have legislation.
Senator Beaudoin: Sometimes the problem with federalism is that some provinces use their powers and others do not. The temptation is great for the federal authority to invade that field. I am the first to understand that it is not easy and that we must legislate. I have no objection to legislating in that field, but obviously privacy is not only federal; it is provincial. If a province is occupying the field in the right way, we are thankful. If they do not do that, what can we do and what do you intend to do?
Mr. McBane: Bill C-6 gives the provinces three years to come up to standard and, if they do not, the federal legislation applies. If Quebec has a higher standard, obviously their legislation will reign.
There is a strong constitutional responsibility of the federal government, especially in cross-border trade in information. That is not a provincial jurisdiction. With this technology, that is increasingly what we are dealing with.
Under the Canada Health Act, only the Government of Canada has the national guardianship responsibilities for the national health system. No group of premiers has the ability to guard the national system. We still have a national country and we should have a national government protecting beyond just provincial legislation. The federal government has an essential role, even in health privacy, which would ideally be supplemental to and compatible with provincial legislation. When it is not, there is a fundamental duty on the part of the federal government to ensure that the standards are maintained.
Senator Beaudoin: I am not worried about Quebec. I am sure that they will occupy that field. However, other provinces may think otherwise. We always have that problem and we have to solve it.
The federal Parliament may try to cure the non-occupancy of the provinces in that field. However, that is not always possible. In other words, if the provinces do not do their jobs, how can Parliament do it on their behalf?
Mr. Mollard: Obviously, one is limited by constitutional restrictions. I am sure there will be some debate among some constitutional lawyers who will suggest that there is not enough power in this bill. The commerce power is significantly large for the federal government to do what they are doing here. It is somewhat restricted. It is restricted to commercial activity and employees in the federal field.
In British Columbia, we now have discussions about extending privacy protections into the private sector. I believe this has a lot to do with the political will and impetus set out by the leadership role the federal government has played in terms of Bill C-6. We urge you to endorse that.
Mr. Evans: The federal government is setting a standard here. Once the standard is set, there will be a real desire and drive on the part of commercial enterprises and other organizations to be consistent. That is because information flows across borders in the nation and outside the nation. An international desire for consistent standards is growing.
The European Union set the first standard, which Canada has picked up on. The U.S. now has thousands of pieces of privacy legislation at different levels of government. There is an incredible explosion of privacy legislation. The federal government has taken the leadership here. B.C. has followed. Other provinces will have to fall into line.
Senator Beaudoin: Do you think they will?
Mr. Evans: Yes, they will. It is a tidal wave. It is not a short-term trend. It is made inevitable by the growth of technology.
Senator Finestone: This is a very ambitious and challenging undertaking, one that I think is courageous on the part of the Government of Canada and the minister. Are you aware of any promise to put enough financial commitment behind this bill so that the Privacy Commissioner, in his role as ombudsman whose workload will be more than doubled, will have the kind of financial clout that he needs not only to follow up on the complaints but to undertake the more important role as educator of the public? Members of the public will have to learn how to maintain and control their right to privacy.
Ms Lawson: No, we are not aware of any such public commitments. We feel strongly that this bill must be made meaningful. The only way that will happen is by giving the Privacy Commissioner's office the resources they need to administer it.
Mr. McBane: As a member of caucus, you would have a lot of influence in terms of encouraging the allocation of resources to meet these duties. If we do not do it, the health information system will fail. It will crash, and for good reason. The British Medical Association has called for a boycott of any national health computer system that does not adequately protect privacy. That will be the same in this country. There are no short cuts here. There should be no race to the bottom. We should follow the lead of the European Union. Governments have a big role to play in setting standards, including in health. Resources are required to police them.
Senator Finestone: There is an area in the bill with regard to which legislation will be required to define public property and public lists. There are millions of lists. Who owns them? How do we use them and to what do we have access? Do you have any observations in that regard?
Mr. Mollard: A big issue popped up in British Columbia a year or two ago with the assessment rolls, that is, lists that set out the assessed value of real property, along with addresses. The Information and Privacy Commissioner wrote an investigative paper on the issue. There will be some debate about what is a legitimate public list and what is not because, of course, people are required, by legislation, to provide certain personal information. By law, they are required to do so, and for some legitimate reasons.
Technology is driving this. Inherent protections come into play when one goes to the assessment office to look up this type of information. However, with technology, one can sit at home and search that on a database.
Senator Finestone: I wish to turn to Quebec. I heard Senator Beaudoin on the subject, who is our expert in this area. In terms of Quebec, are those matters not covered under paragraph 26(2)(b) and clause 31? Those clauses concern those provinces that have legislation in place dealing with this issue. Paragraph 26(2)(b) states:
The Governor in Council may, by order,
(b) if satisfied that legislation of a province that is substantially similar to this Part applies to an organization, a class of organizations, an activity or a class of activities, exempt the organization, activity or class from the application of this Part in respect of the collection, use or disclosure of personal information that occurs within that province.
Subclause 30(1) states:
This Part does not apply to any organization in respect of personal information that it collects, uses or discloses within a province whose legislature has the power to regulate the collection, use or disclosure of the information, unless the organization does it in connection with the operation of a federal work, undertaking or business or the organization discloses the information outside the province for consideration.
That makes it clear that it would be in the interest of the provinces to develop legislation that, in many ways, would be a mirror image of the legislation that is before us. In effect, such legislation would cover those institutions, organizations, professional associations and agencies that are concerned. Would you agree with that assessment?
Mr. Mollard: Absolutely.
Ms Lawson: Yes.
Mr. Mollard: It is a great example of the federal government taking a role but allowing room for the provinces to buy in.
Senator Finestone: With regard to the Heenan Blaikie opinion and paragraph 7(3)(f) concerning health care and Health Canada, do you have any observations to make?
Ms Lawson: The clause to which you refer permits the use of data, without consent, for research when anonymous data cannot be used. In those cases, the organization still has to inform the commissioner.
One of the amendments made by the House committee, and we certainly recommended it, was to add the requirement that researchers should have to use anonymous data where it will suffice. Only where they really need personal information should they be using it. We were happy to see that amendment. Because of it, we are now supportive.
However, we still have concerns about research, particularly medical research in the commercial sphere. I am not sure what is driving the Heenan Blaikie opinion. We think this is an absolute minimum protection which should be in place.
Mr. Evans: Some of us wish that provision were much stronger. We feel that they should not have access to your personal information without consent, even for research purposes, unless it is anonymous.
Senator Finestone: I have examined this closely. I have an abiding concern about privacy and privacy rights and my personal rights.
If researchers can show reasonable justification for why they need personal information, what holds them back? Why is there this abiding concern? An avenue has been presented, and that is the Privacy Commissioner. He can give an opinion and, frankly, if the Privacy Commissioner thinks that a certain request for personal information is out of order, that reasonable justification has not been disclosed, he can deny the request. Therefore, what is the problem?
Mr. Evans: There is research and then there is research. For instance, the Ontario Ministry of Health says that one reason for their research would be for management purposes. What are we talking about? Are we talking about pure scientific research? They do not make that clear.
Ms Lawson: I think I should try to clarify this. We do not have a big problem with the clause as it is presently drafted. We certainly do not have the problem that the Heenan Blaikie opinion expresses. You will have to ask them why they are taking that position.
Senator Gill: If it is not a problem, I will speak in the other language. My concern is for those who cannot manage their own affairs, that is persons under public trusteeship as well as those who depend on the national health care system, such as First Nations. Do you feel that the proposed legislation adequately safeguards the privacy of these individuals? The department is in fact administered by the federal government and the legislation will be managed and administered by the federal government as well.
Mr. Mollard: Can I get a clarification? You were concerned about people of the First Nations, and what was the other category?
Senator Gill: Those who are not capable of managing their own affairs.
Senator Finestone: Those who are under public trusteeship.
Mr. Mollard: By reason of mental disorder and so on?
Senator Finestone: Yes.
Mr. Evans: In the case of disabled people who cannot exercise their own rights, they will have people to exercise their rights for them. I would think native citizens would have the same rights as anyone else under this bill.
Mr. Mollard: This bill applies only to commercial activity, so I am not sure how far it goes. There may be other questions. I think that is what you are asking. The issue of infirmity or mental disorder is probably an area of provincial jurisdiction. This is again why we need the leadership role of the federal government to create a baseline and to try to pull the provinces along.
Mr. McBane: Because there are areas of exclusive federal jurisdiction, if there was a health carve-out, then there would be no protection for aboriginal people. There would be no protection for employees covered by the federal jurisdiction. There are more implications of a carve-out, because the federal government is an employer and has fiduciary duties directly with Canadians. You will not hear about those from the health industry lobby.
The Chairman: I thank you all for coming, particularly Mr. Evans and Mr. Mollard, who took the trouble to come from British Columbia.
Senator Murray: Mr. Chairman, before these witnesses leave the table I want to draw the attention of the committee to page 6 of the brief from the British Columbia Civil Liberties Association. That organization, which one might have thought would have some concerns for fairness and objectivity, does not hesitate to attribute motives of partisan political interests rather than any real concern for the good administration of the laws of Canada.
Some of us have argued that this is really two bills and ought to be split. I will not take the time of the committee to try to explain to the witness why it is that, in the Westminster and Canadian systems, Parliaments have insisted that there be one clear principle to a bill. If you want to go to the other extreme, you can look at the United States congressional system where every congressman gets to tag on his own favourite project to every appropriations bill going through. We have been through this. It is a rather arcane subject for outsiders but it is very important. We cannot have governments putting all their projects into one bill. That is what we are afraid this is leading to, unless we insist on a clear principle in a given bill.
The proof of what I had to say in the Senate about this being two bills is the fact that we have not heard a syllable from any of these witnesses about the e-commerce issue. They came here to discuss their bill.
Mr. Mollard: Fair enough. Perhaps I could respond to that briefly. Senator Murray has raised a good point about the bill involving two distinct concepts. Again, our concern here is about the delay and all the problems with that, and the fact that I have to go back to Canadians who call us and say to them, "No, sorry, we cannot help you yet because the bill has not been passed."
In this circumstance, the test would have to be this: Would having the various parts under this one bill prevent the good administration of those various parts? Our submission is that it will not. That is why we urge you not to recommend or suggest an amendment to split the bill and cause all sorts of difficulties with getting the privacy protections in place.
Senator Murray: That is not the test, but this is not place for that argument.
The Chairman: Honourable senators, our next witnesses are from the insurance industry.
Welcome, and please proceed.
Mr. George D. Anderson, President and Chief Executive Office, Insurance Bureau of Canada: It is a pleasure to be here. In all the years I have been coming to committees of this kind, this is one of the more difficult subjects that I can recall a parliamentary committee having to deal with. The ramifications are extensive, and the problems are not simple of resolution. We will try to be helpful, if we can, in moving through this process.
I want to restrict my comments on the question of the protection of personal information of individual Canadians in the private sector. I am speaking on behalf of the property and casualty insurance industry. I think many of you know we are the people who provide auto, home and business insurance. There are 230 companies operating in Canada in this field. It is a highly competitive environment. We employ about 100,000 people directly and indirectly across the country.
I want to say at the outset, as did the previous witnesses, that we support efforts to protect privacy rights of Canadians. In our opinion, the bill that you are in the process of studying represents a reasonable balance of the legitimate interests of the groups who have come to the table around this very difficult question.
In particular, we support the provisions of the bill that will enable us to continue to fight insurance fraud. This is essential to us, as many of you know, and to Canadian consumers, because insurance fraud has been estimated to cost about $1.3 billion per year in premium leakage. That cost is paid by all honest policyholders in extra premiums.
Our support, however, is not unqualified, as one might expect of a bill this complex. We do have two key concerns with the bill.
Our first concern is the failure of the bill to assign a clear role to what I will call "tailored" versions of the model privacy code, that is the code that is appended to Schedule 1. By "tailored", I mean a privacy code that is certified as being in compliance with the model code, but which has been modified to take into account the realities of conducting business in a particular sector of the economy, such as property and casualty insurance.
We are very proud of the role that our industry's tailored code has played. I am referring to the Insurance Bureau of Canada's model personal information code. However, we are disappointed that there appears to be no clearly defined recognition in Bill C-6 to codes like ours. At the government's request, we actively participated in the development of a national standard model privacy code and were the first financial institution to receive certification that our code is in compliance with the national standard. Yet, the only mention of industry codes in the bill is in clause 24 which says that the privacy commissioner shall "encourage organizations to develop detailed policies and practices, including organizational codes of practice, to comply with sections 5 to 10" of the bill.
However, there is no indication of the use or the weight to be given to such codes by the privacy commissioner. That is a problem. We would like to see an obligation on the part of the commissioner to recognize that, in the making of decisions, compliance with a tailored industry code constitutes compliance with the provisions of the bill. I would think that would make his or her job a lot easier than the daunting task facing the commissioner now.
Our disappointment is greater because the property and casualty insurance industry has a solid track record in guarding the confidentiality of customers' personal information. We do not sell customer information.
The most sensitive personal information, the information related to health and financial affairs, is obtained by property and casualty insurers only in the process of settling a claim. It is obtained with the explicit consent of the customer under applicable provincial laws. It is used only in resolving a claim, and it is destroyed seven years after the claim file is closed.
In effect, Mr. Chairman, as I said before, confidentiality is the coin and the currency of the insurance business. Insurers would not survive for very long, if customers felt we were treating their information in a cavalier or offhanded way.
Our second concern with Bill C-6 is the failure to address the need for consistency and harmonization. You had a long talk about that with the previous witnesses. Obviously, we are concerned with the possible proliferation of bills which may occur as a result of the process triggered by Bill C-6. To have a different privacy law in each province and, furthermore, to have a "carve-out", with health care being treated separately, could leave us with as many as 23 or 24 separate acts dealing with the privacy of personal information.
In that context, it would be very difficult to know, if, when and how one was complying with any particular piece of legislation. It would certainly be expensive to do business under a regime of that kind. The possible inconsistencies in privacy laws, from one jurisdiction to the next, could mean that Canadians could not necessarily rely on the protection afforded by a uniform law applicable right across the country.
We have heard that there are four years to consider the implementation of this legislation. I would urge those in government to take that time to work with the provinces to try to get the most consistent set of legislative provisions we can across the country.
Mr. Chairman, I would end by saying that we do support the broad provisions of this bill.
Ms Mary Lou O'Reilly, Executive Director, Canadian Coalition Against Insurance Fraud: Our organization was founded in 1994 with a mandate to curb the growing cost of home, car and business insurance fraud for honest policyholders in this country.
At that juncture, we defined insurance fraud in three ways. You may already know, of course, that lying on an application for insurance is considered to be fraudulent behaviour. Submitting an entirely false claim to an insurer is also identified as insurance fraud. Lastly, exaggerating on an otherwise legitimate claim for the purpose of securing funds that are not contractually held is also described by our organization as insurance fraud.
When we faced this daunting problem, which was illustrated in these three ways, we brought to the table, understandably, the insurance community, that being insurance companies, brokers, and adjusters. However, more to the point, we brought to the table the other stakeholders who were dramatically affected by insurance fraud. We include the Canadian Association of Chiefs of Police and the Canadian Fire Marshals Association on our board of directors. The Consumers' Association of Canada is also represented, and even the Canadian Cycling Association is a member of our organization. We have also, since our inception, cobbled together, community by community, alliances with Crime Stoppers organizations in more than 150 communities across the country.
We did all of this to solidify the message that we have been repeating now for five years, which is that insurance fraud is a very costly crime in this country. As a matter of fact, it costs honest policyholders $1.3 billion annually.
In addition, there are societal costs, such as a fire fighter risking his life rushing to a fire that may have been set by an arsonist; medical costs of administering care to a person who is not injured; and costs of police investigating a crime that never occurred. Another $1 billion in societal costs per year should be added to the $1.3 billion annual costs.
As an organization, we have brought together the stakeholders who are well aware of this costly crime. Fighting this crime, in other words the investigation and prosecution of insurance fraud, relies on the collection, use, and disclosure of information among insurers.
We support Bill C-6 because it will provide for the use, collection and disclosure of this information, so central to the fight against insurance fraud. Insurance fraud is a crime that thrives on misinformation, and, of course, on lack of information.
I will give you an example of what I mean. When I first joined the coalition, the first individual I met was an adjuster who was working for an insurance company. That adjuster was ready, at that point, to pay out $35,000 on a claim for a ring that had been stolen. The insurance adjuster recalled having seen a similar claim when working for another insurance company five months earlier. He decided to investigate a bit further only because of that happenstance. As it turned out, senators, five brothers had made five claims for $35,000 to five different insurance companies for the same ring that had been lost. Without the capacity to use, collect and disclose information, that fraud would have gone undetected. The claims would have been paid, and they would have been paid by honest policyholders who would never think of committing such a crime.
In the course of our work, we have been successful in raising the awareness of insurance fraud, which is the purpose of my presentation to you today. When we began, 20 per cent of all Canadians, or one in five, told us that they thought insurance fraud -- that is, specifically, home, car, and business insurance fraud -- was perfectly acceptable behaviour. Through our efforts and, I assume, the efforts of other diligent organizations, only 4 per cent of the population now believes that this is acceptable.
We need your help in continuing our fight against insurance fraud, and we applaud the drafters of the bill before you today.
Mr. Charles Black, Senior Advisor, Insurance Operations, Canadian Life and Health Insurance Association: It is a privilege to be with you today and contribute to the committee's study of the subject matter of Part 1 of Bill C-6. Let me begin by saying that I read with great interest the thoughtful and informed interventions made by the honourable senators during the second reading debate of this bill in the Senate chamber. This is an important and complex bill. In this context, we hope that our participation today will provide a constructive contribution to the Senate's study of this bill.
Part 1 of Bill C-6 is relevant and important to life and health insurance companies. In many ways, personal information is the raw material that makes it possible to provide life and health insurance services of various types to Canadians. We cover life insurance, income replacement in the event of disability, retirement income, and reimbursement for the cost of prescription drugs, dental services and other health care which is not covered under provincial health care plans.That varies from province to province.
The need to protect the confidentiality of that personal information has been recognized by insurers for many years. Some 20 years ago, life and health insurers became the first industry to introduce a privacy code at the industry level. The industry has also actively participated in the development of the CSA model code, much of which appears in Schedule 1 of this legislation.
Mr. Chairman and honourable senators, I am pleased to say that CLHIA strongly supports this legislation with respect to the principles of privacy protection which it embodies. This framework reflects the long consensus-building exercise that led to the unanimous adoption of the CSA code, and is closely linked to the OECD principles that underlie our industry's privacy code, that underlie Quebec's legislation for the private sector, and that underlie much other legislation in this area. We believe that these principles provide an excellent basis for protecting the personal information of all Canadians.
The submission we have presented to you today reviews the industry's long and active background in this area, and the results of its review of the subject matter of Part 1 of Bill C-6 on the basis of that background. As indicated, we are very supportive of the bill in general.
Unfortunately, however, we do have numerous questions regarding the detailed provisions of the bill, and our submission contains a number of constructive recommendations to improve the proposed legislation. Many of our recommendations are very detailed. However, when one considers that this legislation will, potentially, affect millions of insurance consumers, and several tens of thousands of insurance transactions each and every week, I believe it is clear that the details are important and that it is most desirable to get them right to the extent possible.
Our submission also expresses concerns about several broader issues, such as the lack of clarity in many provisions of the bill, which make it difficult to understand how the legislation will apply and which could complicate the implementation process. In many instances, the necessary clarification could be provided without modifying the text of the bill through open, effective communication and an effort to continue to work together, given the effort that was made on the CSA process with all stakeholders. Certainly CLHIA is willing to participate in this process.
Chapter III of our submission attempts to provide an overview of the review we conducted, and it highlights three areas of concern: the detection and deterrence of fraud; health care; and the harmonization of legislation with other jurisdictions. These three topics were discussed at considerable length this afternoon.
With respect to efforts to control fraud, the amendments already made to clauses 7 and 9 of the bill represent substantial improvements. However, as noted in chapter III, some troublesome inconsistencies and gaps remain. For example, four provisions in clause 7 deal with investigations, but only two of them are applicable if the investigation involves the law of a foreign jurisdiction, as could be the case with travel health insurance, for example, which affects many Canadians. These inconsistencies could invalidate an effort to control fraud. We believe these inconsistencies and gaps should be corrected.
You are hearing and have heard many concerns with regard to health care and health information. I submit that it is helpful to separate those two areas: the health care sector, and personal health information. Let me assure you that such information is and will be protected fully to the extent that it is in the custody of life and health insurers. Personal health insurance is collected by insurers, used by insurers, and disclosed by insurers only with the consent of the individual, in the vast majority of cases. We are concerned, however, that legitimate transfers of information from one sector to another could be complicated unnecessarily and unproductively if the concerns that are being raised currently are allowed to continue without resolution.
The need for harmonization of legislation in various jurisdictions is somewhat related, indeed closely related to the health care area. If, as appears likely, some sectors such as health care and human resources will be largely outside the scope of Bill C-6 but are subject to other privacy legislation at the provincial level, the need for national organizations such as life and health insurers to have that legislation closely coordinated is critical. In CLHIA's view, substantially more attention needs to be paid to this issue, and we encourage that focus.
In closing, let me repeat that life and health insurers strongly support the objectives of this important bill. However, we do hope that further improvements can be made to some details. In any event, I assure you that insurers will continue to protect the personal information that is entrusted to them, and will work with all interested parties to successfully implement this legislation.
The Chairman: I have one question. You state a few times in your brief and in your opening statement how supportive you are of the bill in general. You then proceed to provide a significant number of pages of complaints, including a recommendation on page 17 which suggests that, before proceeding with the bill, there be further consultations with provincial governments and the private sector to develop a more satisfactory approach to coordinating alternative systems of protecting information in order it avoid duplication and confusion.
You will pardon me if I wonder if you are making this statement of principle about being supportive because that is the politically correct thing to do, and then suggesting, in particular, a whole series of changes that would be designed to delay the bill sufficiently that it would never come into force. I say that particularly with respect to your comments in relation to attempting to seek federal-provincial agreement on a subject -- indeed, in your case, federal, provincial and industry agreement -- which has been the subject of a massive number of consultations.
Pardon my cynicism, but it reflects the fact that I ran federal-provincial relations in this country for a while from the federal point of view. I know it is unbelievably difficult to achieve agreement on anything. I cannot tell whether or not to accept at face value your statement on how important you think it is, or to accept your criticisms which would lead me to quite a different conclusion. Can you assist me?
Mr. Black: I shall try. Honourable senators, it is not our intention to delay passage of this bill. Indeed, this bill has been delayed for too long already. There has been a long process since the introduction of this bill. It has been a longer process since the deliberations to develop the CSA code began.
The members of our association realize that this is a complex process, but we strongly believe it is worth the effort. Those efforts must be continued and they can be continued during the implementation period of the legislation.
Senator Murray: Mr. Black, I need more time than I have this afternoon to go through your brief and the recommendations that you have made.
However, eyeballing it quickly, I believe some of these matters have been covered already, perhaps in amendments by the House of Commons. There is reference to detection and prevention of fraud. I am sure there is a provision that provides an exemption for the investigation of a crime. In that instance, the right to privacy of personal information is lifted.
Mr. Black: Senator Murray, I would be pleased to be proven wrong on any of these points, believe me. These recommendations reflect many questions that we have raised and have not had answered.
On that point, my understanding is that there is protection to the extent that the information is obtained through collection without the individual's consent. That is only a small part of the information that would be used. I do not believe there is any protection for other information in the private sector.
Senator Murray: I will stand corrected if that is the case.
Mr. Black: As I say, I would be delighted to be proven wrong.
Senator Murray: Let me turn now to a point that I think you share with Mr. Anderson. I invite one or both of you to comment on it. You suggest that the committee recommend that provision be made for a greater role for sectoral and organizational codes of practice. In Mr. Anderson's case, he spoke of the need to clarify the role of organizational codes of practice and criticized the bill because it makes no provision for a privacy code that would be in conformity with the CSA code, but modified to the circumstances of the particular industry.
It strikes me, unless I am missing something, that what you are suggesting is an entirely different approach from the one the government has taken in the bill. If we were to amend the bill to incorporate your recommendation, namely, that compliance with various industry codes that are in conformity with the CSA code would be considered compliance with the bill, we could write a one-page bill consisting of two or three clauses, could we not?
Mr. Anderson: I do not know. I have never seen a three-clause bill, senator. We do think that leaving the question of what is an acceptable code up to the privacy commissioner without some form of guidance leaves too much in the hands of a small group of people to decide.
Senator Murray: Where is that done, Mr. Anderson?
Mr. Anderson: It is done through the lack of specificity on the basis that the Privacy Commissioner is to decide whether or not you are in compliance with the code.
Senator Finestone: Just on that very point, I should like you to address clause 23 (1). Senator Murray has asked a pertinent question. Clause 24 indicates the role and importance of the commissioner. Clause 23(1) states:
If the Commissioner considers it appropriate to do so, or on the request of an interested person, the Commissioner may, in order to ensure that personal information is protected in as consistent a manner as possible, consult with any person who, under provincial legislation that is substantially similar to this Part, has powers and duties similar to those of the Commissioner.
Why are we not given a sense that the commissioner will certainly follow through to ensure that the other codes that are being presented, like the medical and dental codes, are not in conformity with this bill which will be basic law?
Mr. Anderson: Senator, this clause deals with how the commissioner is to consult with provinces.
Senator Finestone: It also deals with persons.
Mr. Anderson: My point is that we have a code that exceeds the basic code in the proposed legislation. Why can we not get the commissioner to say that it does and move on and look at other sectors of the economy?
Senator Murray: Even if he says it is, I do not think he has any authority to say that a code is in conformity with or even better than the act and, therefore, can deem it to be in conformity with the act. I do not think he can do that.
The Chairman: Mr. Anderson, you seem to be saying that you have a higher bar. If you have a higher bar, why do you care about federal legislation that has a lower bar since your own association is presumably committed to sticking to the higher bar? Regardless of what the Privacy Commissioner says, why do you have a problem?
Mr. Anderson: In some sense we do not. I am only impressing upon you that we have a higher bar. We have completed a process of working with the CSA for over three years, and having our code approved by an independent certification body. We have no assurance now that this code -- other than our own assertion that it is acceptable -- is acceptable.
The Chairman: Who is your certification body?
Mr. Anderson: The Quality Assurance Institute. That body works with the CSA to independently certify CSA programs.
Senator Murray: What you seem to be suggesting is an entirely different concept, which would mean drafting an entirely different bill. You are suggesting that the federal government would state some principles, and that various sectors such as yours would table their privacy codes and the commissioner would decide that, since those are in conformity with the principles in the act, and so long as you stay within those codes, you would be in conformity with the law.
It is an entirely different concept from the concept in this bill.
Mr. Anderson: I do not deny that.
Senator Murray: You talk of the failure to deal with consistency and harmonization and the danger that we could be looking at 28 different regimes.
The federal government has introduced a bill which, after it receives Royal Assent, one year will pass before it is effective in the federal jurisdiction. Three years after that date, it will be effective for intraprovincial commerce, commerce within the borders of a province in provinces that have not enacted a law that is substantially similar to this law. How could that create 28 different regimes?
Those provinces that have enacted a law substantially similar to this will be in substantial conformity with this law. Intraprovincial commerce in those provinces that have not will be subject to this law.
Mr. Anderson: It does not prevent provinces from adopting legislation that is not substantially similar and then insisting that businesses within their jurisdiction adhere to it. We have seen this many times in federal-provincial regulation. Our plea is straightforward and practical. We have four years after this bill passes to work out some issues. Our appeal to the politicians is to make this legislation, which is important and necessary, as effective as possible for those of us who have businesses in every jurisdiction across the country and must comply with it.
Senator Murray: I readily take your word that that could happen, and there is some experience to demonstrate that it could. However, let us get down to cases.
Perhaps Mr. Bernier would like to join us at the table.
I believe that the position of the federal government is that the Quebec law is substantially similar. Therefore, there is no question of this bill, when it becomes law, ever becoming effective in respect of intraprovincial commerce in Quebec. At the same time, I believe I read somewhere in the deliberations of the other place that the government has indicated that the Ontario law, certainly as it affects health care information, will not pass muster. Am I correct in that?
Mr. Black: Ontario has not even introduced a bill yet. They do have a consultation paper available that relates only to health information.
Senator Murray: I stand to be corrected, but I believe that government officials or the minister has taken the position that it will not.
The Chairman: I believe that is correct in relation to the draft Ontario bill.
Senator Murray: What about the Quebec act? I understand that there is the Civil Code and another privacy act. Do you agree that their laws are substantially similar to what is contained in this bill?
Mr. Jean-Pierre Bernier, Vice-President and General Counsel, Canadian Life and Health Insurance Association: They are, indeed, very similar. There are six motherhood provisions in the Quebec Civil Code and the bulk of the privacy legislation in Quebec is in an act better known as "Bill 68". It covers consent, notice, redress and access; all the same principles.
Senator Murray: Yes, but I believe that there is something quite different about the approach. There must be. When this bill, under a former number, was at the Commons committee, I heard it said that the Quebec act was greatly superior to this. I had a conversation with representatives of an organization, from which we will be hearing later, who are greatly opposed to this bill and in favour of an exemption for the health care sector. They represented to me that they get along just fine with the supposedly superior and more stringent Quebec legislation.
Is there a different approach in the Quebec legislation? Is disclosure the focus?
Mr. Bernier: Disclosure is one of many focuses of the Quebec privacy legislation.
Senator Murray: Is collection not the focus?
Mr. Bernier: Collection is part of the focus of the Quebec legislation, as are consent, redress and access to information to correct wrongful information.
Senator Murray: Before we finish here, I want someone to compare the Quebec law with this bill, if that can be done, Mr. Chairman.
The Chairman: Mr. Bernier, have you made a comparison of the two bills?
Mr. Bernier: We have done so only with respect to the broad principles of the legislation, not with respect to the details. We will do that when this legislation is enacted.
The Chairman: Would you share with us your information on broad principles?
Mr. Bernier: Yes, we will.
Mr. Black: The Quebec legislation is more comprehensive in that it applies to all personal information within the province. It applies to health care information, within the health care sector and elsewhere, and it applies to employer-employee records of provincial employers.
It is my understanding that the bill is substantially similar, although the wording is different and the implications are different. We believe that it will be relatively easy to comply with both the Quebec legislation and Bill C-6.
The difficulty comes when information crosses the provincial border. Some claims may be administered in Ottawa or in Winnipeg, whereas others may be administered in Montreal. It is difficult for both consumers and the organizations to know which legislation applies in all cases.
I believe that we can bridge two pieces of legislation. If there were 23 or 24, that would be a much bigger challenge.
Senator LeBreton: Mr. Anderson, in layman's terms, what do you mean by "premium leakage"?
Mr. Anderson: Premium leakage is when people claim a premium to which they are not entitled: for example, losing a Timex and claiming for a Rolex; or losing a Timex and claiming for a slightly more expensive Timex.
Senator LeBreton: How do insurance companies know that the person did not in fact have a Rolex?
Mr. Anderson: Many times we do not, and therefore many times that type of representation succeeds. We are trying to tighten that up. In fact, surveys have shown that a few years ago a substantial proportion of the population believed that that was acceptable behaviour. We are now working very hard to produce documents to help claims managers recognize suspicious claims.
A good example is when someone backs up all the information on their computer and removes all his or her valuables from a place of employment the night before a fire. You would be surprised how many people do that. That would be an indication that perhaps you should look further.We have begun to develop ways in which we can stem the leakage in order to keep more premium money for people who are entitled to it.
Senator LeBreton: I recognize the enormous cost to honest citizens. You used the figure $1.3 billion with another $1 billion in related societal costs. Your membership includes the insurance industry, consumers' associations, fire marshals, police chiefs, et cetera.
How is the information disseminated? The person who committed fraud will not consent to share this information. How do you protect the right of the individual to privacy while, at the same time, sharing information about fraudulent claims made on an insurance policy?
Is there a time limitation after which this information can no longer be shared without the consent of the person who committed the fraud?
Ms O'Reilly: In point of fact, I may not be the right person to whom to direct the question. The Canadian Coalition Against Insurance Fraud raises awareness and provides tools to the industry and does work in other areas analyzing the legal and regulatory environment in which fraud is fought. However, we do not actually investigate fraud. There are industry organizations, such as the Insurance Crime Prevention Bureaus, which do.
Perhaps Mr. Anderson would be in a better position to talk about how the organizations in the Canadian association of special investigative units investigate fraud.
Senator LeBreton: I was thinking of a situation where someone, years ago, committed some type of insurance fraud. If that is discovered 20 years later, they may be denied a credit card or a mortgage or a job because of it. What protections are there for the individual in a case like that?
Mr. Anderson: Under the notes and interpretations related to the model code which is appended to Schedule 1, explanatory issues deal with how to handle the question of fraud. Obviously, you cannot ask the permission of someone you are investigating. Asking someone for permission to investigate them may not be very productive.
In the case of an allegedly fraudulent application, you are not required to reveal that information except at the point at which it becomes a civil litigation matter; then the rules of civil litigation take over. Under discovery rules, there are provisions for information to be shared. In one way or another, most of the time, if the case goes forward, the person would know they had been investigated and would know what evidence had been gathered.
In our industry -- and some of our companies would like to do this sooner rather than later -- once a claim is dealt with and closed, the file is destroyed seven years later. The Superintendent of Financial Institutions requires us to keep the information for that length of time.
We have a set of provisions which define the purposes for which one can ask for information. We do not collect financial information on our customers. We do not collect medical information on our customers except in the course of paying a claim. In a situation, for example, where someone wants an income-replacement benefit, we need to know what they are earning. To cover medical treatment, we need to get information on the extent of their injuries. Those would be the only cases in our industry where that information would be collected.
Senator LeBreton: I was referring to investigated but unproven information which may be on someone's file. Because of this whole new territory of electronic data communication, that information may still follow that person. What rights would that person have?
Mr. Anderson: In our code, everyone has a specific right to challenge what is on his or her file and have it amended if it is incorrect.
Senator LeBreton: Is the onus on the customer to do it?
Mr. Anderson: The onus is on the individual.
Senator LeBreton: You expressed concern about consistency and harmonization on this issue. You envisaged a proliferation of bills. You mentioned a figure of 23 or 24 separate acts which made me think of the small, independent entrepreneurs who may not be able to implement even the provisions of this bill, let alone the other 23 or 24. How great is the risk that personal information they hold will slip through without consent?
Mr. Anderson: There will always be exceptions. Despite our best efforts, we have government documents showing up in dumpsters in the back of Maple Leaf Gardens. In the track record of our industry, not one single case has occurred in the eight years that I have headed this association. That is the best answer I can give you.
Will it ever happen? There are no guarantees in this complex world in which we now live. We cannot even contemplate the next evolution of e-commerce and what that might do to privacy. It is hard to give assurance. This bill, however, gives some guidance which is badly needed, and it is an excellent basis on which to proceed.
Senator Finestone: There has been much concern about the merging of insurance companies, banks and trust companies. What kind of encryption is used so that data is not shared in these mergers? You say it does not happen. The Privacy Commissioner was here and told us some horrible stories about data-matching. What steps do you take in that regard?
Mr. Black: Currently, the regulation of financial services is conducted on a functional basis. Banking functions are regulated under the Bank Act and insurance is regulated under the Insurance Companies Act at the federal level and under various pieces of provincial legislation.
Each of those acts contains prescriptions on what can and cannot be done with personal information. To date, I think some of the tightest restrictions on the use and transfer of personal information exist in the financial services sector.
Senator Finestone: Mr. Black, we have heard testimony about a merger of an insurance company, a trust company and a bank. It was not long before the bank suddenly called in the loan of everyone who had a heart concern.
The Chairman: In fairness, that was an American example.
Senator Finestone: Canada does not do that?
Mr. Black: No.
Mr. Anderson: We came through a long battle on financial services legislation to prevent banks, in particular, from mining information from other parts of their business.
Senator Finestone: There no mining, no data-matching, and no data-tracking that we should concern ourselves with.
Mr. Black: That is correct.
Senator Finestone: Mr. Eugène Bellemare is a colleague of mine in the other house. He recently showed to Mr. Bruce Phillips, the Privacy Commissioner, an insurance form from his insurance agent in which he was asked to sign away his privacy rights. He asked Mr. Phillips to speak to the insurance company.
Have you checked all your forms to ensure that people are not being asked to sign away their privacy rights in the course of signing an application? Practically no one can really understand the legalese contained in those forms. Are customers asked to allow the company to transfer and share information? If someone applies for insurance coverage, is there an implied consent that the company can do whatever it pleases with the information that is provided on that form? Where does that information go?
Mr. Anderson: Instances where that has happened probably apply to bank insurance companies.
The Chairman: At least you are true to form, Mr. Anderson. You have returned to a topic on which we have been arguing for decades.
Mr. Anderson: It is hard to let go.
Senator Finestone: I am the new girl on the block so I want answers.
Mr. Anderson: I would be surprised in respect of property and casualty if such a form existed at all. Certainly, when you apply for auto insurance in Ontario, as an example, the form is prescribed by the government and not by the insurance company.
Senator Finestone: We will send you Mr. Bellemare's form and the Privacy Commissioner's answer. Perhaps you will find one little mistake sneaked into the record.
Mr. Anderson: Perhaps it is a travel insurance application. He has already spoken to me about it.
Senator Finestone: Yes, one of you was at that hearing. You will know what it was.
Senator Beaudoin: My question is addressed to Mr. Bernier. I am glad to hear that, in your opinion, the bill before us is flexible enough to allow a province -- let us say Quebec -- to occupy its own field in the law of privacy. Is that what you said?
Mr. Bernier: Yes.
Senator Beaudoin: This domain is not very different in the other provinces. To a certain extent, there are no problems, but some questions still remain. If you say that this will be reconciled in the provisions in the bill, that is a good enough answer for me. How do you reach such a conclusion?
Mr. Bernier: Quebec is the only province with privacy legislation which is applicable to the private sector. When the Quebec privacy legislation was enacted, it was not tailored to insurance; it was tailored to be a general piece of legislation. We had many questions as to its application and implications on the insurance business. As a result, we collected a number of questions from our member companies across Canada who do business in the Province of Quebec. We formed two groups of lawyers, an anglophone group in Ontario and a francophone group in Quebec, to answer all the questions. When an answer from both groups was the same, obviously, we had a consensus on the answer to be given to member companies and their staff across the country doing business in Quebec. Where we had a conflict of views, we tried to settle the matter among ourselves. We had a great deal of consultation with the Quebec privacy people. We came up with a little guide, which we called "Guide 68", which is based on the name of the law in Quebec. This guide for Quebec can be easily applied to the new federal privacy legislation.
In some areas, privacy legislation goes a little bit further, which is not a bad thing, particularly in the area of compliance. For example, you have to have a designated compliance officer to ensure that the law is complied with. There are duties and functions imposed on the compliance officer to do certain things. However, that is a part of compliance with all general laws. As a matter of fact, recently, the Office of the Superintendent of Financial Institutions at the federal level, approached the insurance industry to have a compliance program in place by December 31, 2000. This is to ensure that insurance companies are in compliance with all laws and regulations applicable to them and their operations in any jurisdiction. Thus, we will be able to tailor the application of Bill C-6 to the compliance program that insurance companies must have in place by year end 2000.
Senator Beaudoin: It may be reconciled.
Mr. Bernier: Yes, in my view it will.
The Chairman: Mr. Bernier, when I hear your relatively enthusiastic support for the bill, I have difficulty dealing with that and the much more negative spin that is in the brief presented by Mr. Black. Can you help me understand the difference? I do not hear any negative tone or complaints from you. Indeed, I hear a significant degree of enthusiasm. Mr. Black's position is somewhat different.
Mr. Bernier: There are many uncertainties with respect to this bill, and I could draw up a list in that regard. We have outlined some of them in our submission, but more has to be defined to ensure that we are fully in compliance with the intent of the legislation. At times, it will be difficult to define "commercial activity". What is "commercial information" as opposed to "personal information"?
The Chairman: Having been through so many other pieces of legislation, I cannot believe you are suggesting that there could be a piece of legislation which has no uncertainty. Your profession would not do nearly as well as it does if all uncertainty were eliminated. It is the reality that most pieces of legislation have significant degrees of uncertainty, particularly in new areas such as this. I think you have to live with uncertainty just as we do.
Mr. Bernier: The greater the uncertainty, the greater is my job as it relates to security.
The Chairman: I take that to be a ringing endorsement of the bill. I thank you very much for attending this afternoon.
Our next panel is composed of Dr. Peter Vaughn, Secretary General and CEO of the Canadian Medical Association; Dr. John Diggens, President of the Canadian Dental Association; and Dr. Winston Dykeman, Co-Chair of the Committee on Health Information, Privacy and Security, College of Family Physicians of Canada.
Thank you all for attending. You may proceed.
Dr. Peter Vaughan, Secretary General and CEO, Canadian Medical Association: Thank you, Mr. Chairman.
The Chairman: I would like to know why the Ontario Medical Association and your organization have such conflicting views on this issue.
Dr. Vaughan: Mr. Chairman, would you like me to answer that question now or later?
The Chairman: Later is fine.
Dr. Vaughan: The CMA is the national voice representing physicians in Canada. The OMA recognizes that and will not be making any representations on this issue.
The CMA welcomes the opportunity provided us today to offer our comments and concerns in regard to Bill C-6. It is our hope that our comments will persuade the committee to strengthen Bill C-6 to ensure that patient privacy and the confidentiality of medical records are adequately protected.
Bill C-6 appears to give greater emphasis to promoting commerce than to ensuring privacy. Because it was written with commerce in mind, it fails to address and do justice to the special nature of health information. In consequence, there is confusion and uncertainty about its application to health care.
More seriously, the bill does not recognize that health information requires stronger and greater privacy protection than other types of information. The world of health care is very different from that of commerce. Confiding information to your physician is not on par with giving your address to a sales clerk when you purchase a toaster or rent a movie video. This information, as Canadians have told us loudly and clearly in a recent survey, is especially sensitive. It is also important to remember that patients confide their information in trust for the purpose of receiving care and in the expectation that it will be held in the strictest confidence.
Computerization of health information poses unique challenges to patient privacy and trust. On the one hand, it facilitates easy transfer, duplication, linkage and centralization of health information. Captured in electronic form, information about patients is potentially more useful for the purposes of providing care to them. On the other hand, electronically captured, the information also becomes much more valuable and technically accessible to various third parties, private and public, governmental and commercial, wishing to use this information for other purposes unrelated to patient care.
Today, we are seeing a growing "data lust" for health information and a "function creep" whereby information collected for one purpose is used for another, often without the consent or even the knowledge of the individual concerned, and without public knowledge or scrutiny. As we move further into the information age, there is a danger that we will become so spellbound by the promise of information centralization and databased linkages that we lose sight of the patients who confided this information or reduce them to impersonal data subjects.
We need to remember that, ultimately, health information technology is not about bits and bytes or data or even data subjects but about people. People deserve to be treated with respect and dignity and to have their wishes and choices valued and respected. To put people first is to give primacy to privacy. Putting privacy first comes down to the same thing as putting people first. It does not mean that privacy is absolute. What it does mean is that the burden of proof must rest with those whose purposes, however compelling they may be, encroach upon the right of privacy. For health care, it means we value patient privacy at least enough to demand explicit justification for any proposal that would diminish privacy.
Putting privacy first also does not mean that secondary use of health information should not be permitted. The use of health information for medical research and evidence-based medicine is vital to a quality-driven health care system, and ultimately helps physicians provide better care. However, not all secondary purposes -- marketing, for example -- are equally meritorious, and, for the most part, these purposes can be accomplished with patient consent.
Bill C-6 permits the collection, use and disclosure of information, without knowledge or consent, on grounds such as expediency, practicality, public good, research, offence investigation, historic importance, and artistic purpose. The laxness and breadth of these exemptions, as applied to health information, is unacceptable to us.
Consistent with what we have found in surveying Canadians, I would refer committee members to the press release on this polling data conducted for the CMA by the Angus Reid Group, which is attached to the transcript of my remarks. The CMA believes that, in all but exceptional and justifiable circumstances, patient information should be used only under the strict control of the patient. The patient must be able to exercise control through voluntary, informed consent.
The CMA has developed and adopted a health information privacy code in recognition of the special nature of health information and to give primacy to patients and to the right of privacy. In light of the clear deficits in Bill C-6, and the inadequate protection of patient privacy and health information confidentiality, the CMA urges this committee to accept the recommendations put forward in its brief and accept the amendments the CMA has prepared to give effect to these recommendations.
Canadians desire, and deserve, no less than this as concerns the right of privacy with respect to health information. Thank you.
Dr. John Diggens, President, Canadian Dental Association: Honourable senators, it is a pleasure to appear before you in my capacity as President of the Canadian Dental Association to speak on Bill C-6. The Canadian Dental Association is the national voice for the profession of dentistry and is dedicated to meeting the needs of its members and, probably more importantly, to the promotion of optimal oral health for Canadians.
Our members have collected sensitive health information from Canadians, and protected it, for well over 100 years. The CDA has recognized the importance of our participation to date on patient privacy and protection of confidential health information. We participated in the implementation committee of the CSA model privacy code, and have submitted numerous briefs to government consultations on the privacy issue.
You received our position brief earlier this month. I want to compliment you on your active role on this issue. Our staff in Ottawa have spoken with many of you and your staff, and it is encouraging to see the Senate performing its role on this very important piece of legislation. Recognizing your understanding of the issues, I will keep my remarks brief so that we will have plenty of time for questions and answers.
The CDA argues that Bill C-6 fails to satisfy the basic requirements to protect individual Canadians from the misuse of health information by secondary or tertiary users of this information. The Canadian Dental Association has long been on record as opposing consent provisions in the CSA model privacy code as they relate to personal health data. Bill C-6 may achieve many government priorities in the area of electronic commerce, but the CDA believes that the bill must be clarified and strengthened as it relates to personal health data.
The model privacy code upon which Bill C-6 is based was drafted largely without any input from primary health care providers charged with custodial responsibility to protect confidential patient information. The Canadian Dental Association was admitted into the implementation committee after the code had been drafted. The CDA was uncomfortable with the concept in the code of the collection of health information with knowledge of patients. We have argued that the collection of health information for secondary purposes must be with the informed consent of the patient, a concept with which clinicians and dentists are very familiar. To that end, the Canadian Dental Association board of governors approved our formal guidelines on personal data protection in September of 1997, and they form the foundation of our presentation today.
We were successful in having amendments based on our guidelines introduced when the legislation was at the report stage debate in the House of Commons. These amendments are included in our position document brief, and I urge you to adopt them.
As to the timing issue, we would propose six relatively simple or straightforward amendments, so incorporating them would not lead to a delay in the implementation of the legislation.
It is important to note the support these amendments received in the House of Commons. They were supported by the Official Opposition, the Progressive Conservative Party and the New Democratic Party. With respect, we continue to be upset at the partisan treatment our interventions have received from the Liberal government. Let me be clear: We are supportive of legislative action on this issue. The CDA believes the Senate has an opportunity to provide Canadians with strong privacy rights and health information rather than settle for the uncertainty and unease that has been created by Bill C-6 in its current form.
Let me now take a moment to address the concerns of other health associations, organizations, and special interest groups that have been calling for a "health carve-out". We want to be perfectly clear in our strong opposition to any such move. Of all information, personal health records are among the most private, sensitive and vulnerable to abuse by secondary and tertiary users. There must be no exemptions in this bill for personal health information. This would be a wrong message to send at a time when Canadians are seeking assurance from governments that their information is being protected in a new, computerized environment.
Health privacy is a foremost concern of Canadians. Surveys have shown clearly that Canadians want to control their own personal information. Citizens are willing to share the most intimate details of their lives with their caregivers to ensure continued good health care, but they do not want to see such information inappropriately used by others without their informed consent. Canadians deserve to know and to control who has access to their personal records and for what purposes such access is granted. That is why we want to see Bill C-6 amended and passed with the protection of health records specifically addressed in the legislation.
We understand that much of health information comes under the jurisdiction of provincial law. However, federally regulated organizations that deal with personal health information also need to be covered. Moreover, there is no guarantee that all provinces will enact an appropriate protection for health information without the incentive that a strong, amended Bill C-6 would provide.
There is one other issue I would address before concluding. When the Canadian Dental Association appeared as a witness before the House of Commons Standing Committee on Industry during its study of Bill C-54, our role in the consultation process leading up to the drafting of that bill was questioned. I am certain that, in your preparation for this meeting, many of you reviewed the transcripts of the March 18 meeting and the exchange between the government member Stan Keyes and our presenter. Again last week, when the Industry Canada officials appeared before you, Assistant Deputy Minister Michael Binder, in response to a question on health issues, spoke of the extensive consultation process leading up to the introduction of the bill and questioned the participation of health groups and associations. Mr. Chairman, I want to be perfectly clear, and I want the record to show that the Canadian Dental Association took part in good faith in the formal consultation leading up to the introduction of Bill C-54 in October of 1998. We responded to the January 24, 1998 notice in the Canada Gazette with respect to the public discussion paper entitled: "The Protection of Personal Information: Building Canada's Information Economy and Society". Our position was clearly on record at that time and, in our response, we stated that the CDA recognizes the basic right of patients to exercise positive control over their health information and to advise our members that patients have a right to informed consent in the release of their personal data.
In conclusion, I want to reinforce our basic support for strong privacy legislation for protection of personal information based on informed consent. We recommend that Bill C-6 be amended and passed with protection of health records specifically addressed in the legislation. Thank you for inviting us to present this brief today.
Dr. Winston Dykeman, Co-Chair of Committee on Health Information, Privacy and Security, College of Family Physicians of Canada: The College of Family Physicians of Canada welcomes the opportunity to express our concerns and make recommendations about Bill C-6 this afternoon. We represent over 15,000 Canadian family physicians and we are involved directly in patient care on a one-on-one basis.
As a practising family physician. I have an interest in this bill. I write computer application programs for my clinical practice. I am the chairman of the security committee of our health region; one that oversees the use of computer applications in health care. I have also served on the New Brunswick Medical Society team in assessing the provincial privacy health act that was introduced last year. I have an interest across the spectrum on this issue.
Confidentiality and privacy are not new concepts to those in the practice of medicine. These concepts are part of the Hippocratic oath and a tradition that goes back 2400 years. This tradition was recognized in the medical code of the Declaration of Geneva in 1948, and again in modern versions of the oath that retain the view of transcendence.
We must remember and learn from the serious violations of privacy and confidentiality that occurred in the first half of this century. In Canada, the area of eugenics and mandatory sterilization is a dark chapter in our history that we would sooner forget. Some of those cases are still before the courts in Alberta.
In Europe, the horrors of the medical databases of the Third Reich, which defined and identified persons of a lesser value and then exterminated them, has taught us that the medical profession, the medical ethos, is not immutable. When its principles are violated or ignored, it can soon collapse, therefore, privacy and confidentiality are not renewal resources. Once broken, the harm is done and the damage can never be repaired.
We commend the government for introducing legislation that will begin to control the gathering and use of personal information. That includes personal health information on the electronic highway.
Two concepts in Bill C-6 attract our attention. They involve consent and the secondary uses of health information. Although the bill was not exactly a masterpiece of clarity in its definitions, it appears from debates and discussions thus far that the bill now does include personal information in the commercial setting. There is a great need for clear definitions of "privacy", "privacy violation", "consent" and "secondary uses" of personal health information, and these must be established and protected in law.
The concepts of privacy that were developed by the Canadian Standards Association's team uses the terms in the context of commerce, and its interpretation of principles of privacy reflect that. The words "consent" and "secondary uses" suggest one thing in the realm of the discourse of commerce, of buying and selling goods and services. The same words mean an entirely different thing in the realm of medical work in the patient-physician relationship which involves an element of deep trust.
Based on the OECD guidelines, the CSA privacy code was developed with commercial input from a commercial perspective. The Canadian medical profession was not involved, and our perspectives were not embodied in the document. While Bill C-6 with its Schedule 1 privacy principles may work well enough in the realm of the commercial sale of dog food, toothpaste, travel, donor mailing lists, and financial services, it is not precise and specific enough to protect personal health information. The reasons for this are elaborated in the CMA privacy code. We, therefore, strongly recommend that the CMA privacy code be considered as a sectoral code to Bill C-6, or appended as a Schedule 2 for the safe handling of personal health information in Canada.
Our patient medical records are "linear time" documents: they begin in one province and move to another, then to another. Each time they pass from one realm of jurisprudence to another, from privacy code to privacy act and with varying degrees of protection, some of that information passes to the national databases of insurance companies and financial institutions. Some of that crosses international borders to bigger databases, from private to public, from public to private, and mostly without patient knowledge or informed consent. Clearly, the time has come for uniform legislation for personal health information in both the public and private sectors that must include the provincial and federal arenas.
Ultimately, the College of Family Physicians of Canada advocates the development of a national health information privacy and security act which would define a minimum set of standards for all provinces and territories, and include both the private and public sectors. Since this crosses different constitutional jurisdictions, we will ask that this be referred to the Uniform Law Commission for further consideration on an urgent basis. We would prefer to see the exercise of legislative vision and leadership in this area from our First Ministers, in lieu of a fragmented, piecemeal approach by court cases in defining the standards.
Bill C-6, with an appended CMA privacy code, for more precise definition of consent and secondary uses, would go a long way in starting us in that direction. The college has already submitted background documents, a declaration of concern on Bill C-6, and our college's statement on confidentiality, privacy and security of personal information. I would be happy to answer any questions from those documents.
Senator Carstairs: I must say that reading the brief presented by your representatives caused my hackles to rise. Like every other Canadian, including physicians and dentists, I have privacy concerns about my health care records.
Last week we talked about how much consultation had taken place. I believe consultation is pivotal and, clearly there was some. I believe Dr. Diggens acknowledged that. Dr. Vaughan, what is your view on the degree of consultation that took place? Has your position changed in any way from the moment the consultation process began, to the drafting of the legislation, to where we are today? Have you maintained a steady concern about this?
Dr. Diggens: We have maintained exactly the same position throughout the whole process. The only part in which we did not participate was the initial development of the code. We did get a seat on the implementation committee, but by then the code had already been developed and defined. Through our participation on the implementation committee, we tried to bring some guidelines forward. Those guidelines are being used, but they are not enshrined in the code because it is too late for that. Our position has not changed from the beginning of that process up to now.
Dr. Vaughan: We have been very impressed with the health industry and with Industry Canada in bringing forward an e-commerce bill which is needed to deal with the issue of privacy of information. However, we were given five minutes at the House of Commons Industry Committee, and the health groups themselves, as a collective, were given just over an hour. The insurance groups were given, I believe, seven hours of time.
We have not changed our views. In fact, we brought forward our health information privacy code because Bill C-54 came forward. We believed we needed to develop, in the information age, a piece of legislation, at least for the profession, that addressed the important issues of privacy in health information.
Senator Carstairs: In your debate and discussion, what has been the stumbling block? Why have they been unwilling to incorporate the needs that you have expressed for your patients in this legislation?
Dr. Diggens: Our sense is that -- and it is still a view held by some people -- this legislation does not involve the commercial side of health care in the initial part of the bill. However, I think a very persuasive point has been made. Any time fees are involved, which are certainly a substantial part of the dentist's relationship with his patient, this legislation would prevail because of that commercial relationship between a patient and a physician. If you held the view that it does not involve health care, then I do not think that having health care incorporated into it would be seen to be a serious problem.
We came in late in the game and, of course, once we started making presentations a certain amount of accommodation was attempted after the code had been put in place.
Dr. Vaughan: I would agree with those comments. There has been no public debate about this issue, as there has been in the United States and as is going on there right now. The relationship of the e-commerce world to health information is appreciated much more in other jurisdictions than it is here. The bill was brought forward to deal with commerce. Health issues would be dealt with separately. However, people are now beginning to appreciate that health is very much a part of the information that is out there.
As we go forward into the future, we must understand that the convergence of information and biotechnology is rapidly at hand. The ability to be able to transmit your personal biological material over the internet is at hand. There is no sense talking about identifiable or anonymous information when dealing with genetic codes. This is not fiction; this is very close at hand. We are concerned that we have the correct principles upon which to base the transmission of information. That is to say, we want to get it right.
Senator Carstairs: I think it is clear that dentists engage in a commercial activity. However, it has been less clear that physicians engage in a commercial activity. Something that has concerned me for a great number of years, particularly when I was a provincial politician, was the number of doctors who had ownership in either x-ray clinics or in labs, if they were pathologists. Clearly, there is a commercial side to many physicians' practices. Does that cause you concern? Do you think it has in any way been adequately addressed in this piece of legislation?
Dr. Vaughan: We believe it has not been adequately addressed. The intent was to treat health information separately. That is why we are here; and that is why we find ourselves in this situation today. At least one-third of health care is delivered within the confines of commerce or by the private sector in this country. You cannot separate those two sectors. Detailed information was brought to you concerning them. To ignore health information is to try to separate an area that cannot be separated -- that is, commercial information versus health information.
The Chairman: Dr. Vaughan, given the position you have all taken about the desire to strengthen the bill by including a number of amendments, I should like to know your reaction to three options.
The first option would be to delay the bill until all your amendments are in place. That is doable but, given their complicated nature, it would take some time, which would delay the application of the bill to other sectors.
A second option would be to pass the bill but amend it so that the applications to the health care sector would be delayed for the same period of time as the applications to the intraprovincial sector would be delayed.
The third option might be to pass the bill without amendment but to proceed immediately to try to agree upon a detailed set of amendments that had been negotiated with all the various health care interests -- that is, yourselves and others.
I did not put on the table the option that we do nothing. Given your position, I am assuming that is the worst option. What is your sense of the other three options, all of which would at some point achieve your objective? I say that because a few of you were in the room when the first group of witnesses pressed on us the importance of moving quickly.
Dr. Diggens: With great respect for those presentators -- and, we are comfortable with the information they put forward -- we would argue strongly to delay the bill until the health considerations are incorporated. With respect to the code, we are concerned about the use of information based on the knowledge of the patient and not on informed consent. If the bill is passed and becomes part of the Canadian scene, dentists will not know whether they are operating under their current code -- and, that is administered by their regulatory body -- their ethics or their CDA ethics, or under new legislation. I am not saying that dentists at large would do so but, under certain circumstances, we can see this either being taken advantage of as a new standard for the profession in Canada or influencing the profession in Canada to believe that things have changed. With great respect for the arguments that were put forward this morning, we do not think that risk should be taken. There should be no signal to the professions in Canada that there has been a change in the level at which they must deal with patients' confidential information. That kind of signal is being sent with this profound piece of proposed legislation which was drafted by the federal government. However, that risk does not provide a justifiable reason not to delay the bill.
Dr. Vaughan: We think it is important to get it right. In this case, getting it right is probably more important than expediency. Certainly, lots of public discussion should take place. There has been no public discussion, yet we know from our polling that Canadians are telling us that the security of health information, privacy, and confidentiality are very important to them. A debate is ongoing in the U.S. on this very subject. If we do not get it right now, a lot of legislation will be developed around the country in response to it.
Senator Keon: Dr. Vaughan, I have had the privilege of having your suggested amendments for some time. They are extensive. The briefs you have submitted have been excellent in the way they have dissected and analyzed the bill.
I am revert to what Senator Kirby said about the real world. It has been suggested by some that the CMA privacy code be appended to the bill. Today, Dr. Dykeman also made that suggestion. There are others who believe that all or most of your amendments, which are extensive, should be included in the bill before it proceeds further.
There appears to be no priority attached to the amendments as they are listed. Are they all of equal importance?
Dr. Vaughan: They follow one from the other. It is a bit like taking a piece of an airplane apart and expecting the plane to fly. Someone would have to select which parts are unimportant. We think the whole plane needs to fly.
Ms Carole Lucock, Legal Counsel, Canadian Medical Association: The amendments are set up in such a way that they would form another schedule to the bill which would cover health information. That would more or less follow the CMA privacy code, with certain portions removed, so that it would properly be a schedule.
Senator Keon: Would you be satisfied if the CMA privacy code were formally appended to the bill without a number of amendments occurring at this time, and if some of the arrangements Senator Kirby suggested were made to conduct a detailed study of the bill and amendments to it at some later date?
Dr. Vaughan: We appreciate the complexity of our code and the amendments. We would be very supportive of that.
Dr. Dykeman: I would concur with that. As Dr. Vaughan has said, it is extremely important to get this right. What is at stake here is crucial. Day by day, we struggle with what we write and record in our medical reports because what appears today to be confidential medical information tomorrow enters the commercial scene. I must decide on the weakest link in the chain, which means that affects what I record and how I record it. I am sad to say that is now a factor in recording medical information.
I would be pleased to see the CMA privacy code appended as a reference document and given high priority, particularly in the area of secondary uses. I cannot emphasize that enough. In order to give intelligent consent, you must know what purpose your information is being put to. We obtain it under one set of circumstances, and then a day, a week, or a month later, it is in a different set of circumstances and both the patient and the physician have lost control.
Senator Keon: Some of the technical people associated with health information are insisting that they are not having sufficient input. They say that we are writing legislation and having philosophical discussions while what is needed is for someone to talk about what is technically possible at this time with regard to fire walls, barriers and pockets of information.
Has this subject come up in your deliberations? Do you believe that we would benefit from hearing someone from the technical field on the way information is protected by the military, for example?
Dr. Vaughan: We believe it is important to get the principles right. Privacy in a free and democratic society is an important principle. As well, privacy is a public good, as the Supreme Court reiterated in a recent judgment.
To ask technical people to solve principle problems is not the way to go. We need to define the principles and then build a system that allows us to do what we must.
Dr. Diggens: I agree.The technological situation is constantly changing and that is why we are standing on the terminology "informed consent". It is traditional and well understood by all professionals involved, and is part of our daily practice. It must be the centrepiece as a principle of the privacy aspects.
I would be very interested in participating in the technological changes in that, over time, but we must enshrine the principle that protection of the individual is above protection of material.
It is not only a matter of "informed consent" permission. If someone refuses to participate, there should be no penalty. We are not into coercion. The principles we adopt must lay these things out very carefully, then we can take advantage of people who have expertise in technology and how it is changing to ensure that we retain those fundamental principles.
Dr. Dykeman: I concur with those remarks. I am confident in and prepared to work with the development of the technology of encryption and the capability of data security. In fact, I have piloted some of these applications in our area, and I am familiar and comfortable with them.
The biggest problem, though, is not technological but sociological and psychological. It is ensuring that the people who use the technology use it properly. This involves the proper use of passwords, IDs, and keeping track of who is doing what. That is the major area and we need legislation and guidelines within which to develop that.
Senator Murray: Dr. Diggens, do you agree with the suggestion of appending the CMA code to the bill?
Dr. Diggens: Yes, we developed these positions together and we understood each other. We believe that our suggestions and those of the CMA lead to the same end point.
Senator Murray: The CMA charges that the bill permits the collection, use and disclosure of information without knowledge or consent on grounds such as expediency, practicality, public good, research, offence investigation, historic importance and artistic purpose. They say that the laxness and breadth of these exemptions as applied to health information is unacceptable.
Would the CMA code solve those problems?
Dr. Vaughan: We believe that it would.
Senator Murray: Mr. Chairman, do you agree that, if we were to do this there would be required, at a minimum, an amendment to the bill to indicate the purpose of this new schedule?
The Chairman: Yes, in the same way as it is difficult to have a bill for which there is a schedule that is not referred to in the bill. Even the non-lawyers in the room realize that.
Senator Murray: You were talking earlier about passing the bill without amendment.
The Chairman: If we were to append the CMA schedule, we would need an amendment, yes.
Senator Murray: There is a schedule to the present bill. You will know that parts of that schedule are mandatory, that is, things that shall be done; and parts of the scheduled are not mandatory, that is, things that should be done, things that may be done. I am unsure as to whether this schedule, as it stands, has the same force as the bill itself. We will have to get some advice on that matter. I presume that your position is that appending the CMA code to this bill would give the code the force of law. Am I right?
Dr. Vaughan: That is right.
Senator Murray: I wanted to clear that up so there is no misunderstanding later.
Senator Finestone: I believe an observation was made that the bill would have to be amended to make it concur.
Ms Lucock: Yes. In fact, at the end of our proposed amendment there is a recommended Schedule 2, which is more or less the CMA code with pieces which apply to governments removed, because it would be inappropriate to include that. However, to the greatest extent possible, it is the code.
Senator Murray: Dr. Vaughan, you said that the bill as now drafted does not apply to patient records that you would have as a physician.
Dr. Vaughan: We must understand this is an e-commerce type of bill and in the world in which we live it is difficult to separate the commercial from the non-commercial.
For example, on a house call, there may be items related to a physiotherapy visit which are private. There may be items related to nursing care which may be considered public or private depending on the context. Depending upon where prescriptions are filled, they could be public or private. It is impossible to separate this out.
Senator Murray: A few minutes ago, Senator Carstairs said that the physician-patient relationship is not commercial but that the dentist-patient relationship is.
Senator Carstairs: I then added instances in which the doctor-patient relationship was also commercial.
Senator Murray: I thought your point was that the doctor-patient relationship in this country is part of the public health sector.
Senator Carstairs: No. To my knowledge, anywhere from 30 to 40 per cent of the activity conducted by physicians in this country is in fact commercial.
Dr. Vaughan: That is correct.
Senator Murray: Your analysis, Dr. Vaughan, about the difficulty of disentangling commercial from non-commercial is almost identical to that offered by the Canadian Health Care Association, the organization which, as you know, represents regional health authorities, hospitals, and health care agencies. You differ very considerably, however, on the question of consent. The CMA and the Canadian Dental Association take the position that the provisions are far too weak and flexible and subject to exemption, and they have taken the position that the provisions are far too onerous. They go on to ask for an exemption for the entire health care sector from the provisions of this bill.
I am puzzled why the organizations of physicians and dentists -- and I include there Dr. Dykeman and his organization -- should adopt such different perspectives on this bill as compared to the hospitals. I will also ask this question of the Canadian health care associations when they come before us. What are they doing now that they could not be doing under the provisions of this bill?
Dr. Vaughan: I cannot speak for the health associations.
Ms Lucock: It would be very difficult to answer with respect to their position. One difference between the CMA code and Bill C-6 is that the CMA code recognizes a distinction between the flow of information in the therapeutic context from information for secondary purposes. The CMA code contemplates collecting as much information as necessary to fulfil therapeutic purposes. Doctors will have the necessary information to provide care, and that information will flow to other providers as needed. A very different regime is set up for secondary purposes.
Bill C-6 treats all information more or less the same. It gives some recognition to the fact that some information is more sensitive and, in those cases, it asks for express consent. That may have something to do with the inhibition of the flow of information, within the therapeutic context, in Bill C-6. That is all I can see. It is a different regime, depending on the sector involved.
Senator Murray: I am still puzzled. Why should they take a position different from yours? You are all part of what might be called the public health care sector. One of their criticisms is the insufficient provision for disclosure of information for purposes -- I think this is their phrase -- consistent with the purposes for which it was originally collected.
Ms Lucock: It may be that we differ philosophically; I am not sure. The CMA's question has been that, to the extent a patient's consent is not required, who gets to decide whether it can be collected, used or disclosed. Our answer has been: Government.
Senator Murray: To your knowledge, are hospitals and regional health authorities and other health care agencies involved in any exchange of information on a commercial basis?
Dr. Vaughan: Once again, it depends how you define "commercial". That is a very vague term.
Senator Murray: It entails money changing hands.
Dr. Vaughan: There are private rooms and semi-private rooms and fees associated with those.
Dr. Diggens: Our association also represents dental researchers and epidemiologists. We do not have quite the same argument as hospitals versus physicians, but we had to struggle in preparing our brief to balance the research interests with the public's or the patient's interests. We are persuaded that, in balancing those two, the favour must go to the individual patient and their privacy. To refer to something softer than informed consent, such as providing knowledge that information is being transferred, we do not think is in the patient's best interests. We are coming down on the side of the patient, even at the expense of the researcher and the epidemiologist whose best interests are in easier access to information for input to their studies.
It is not the same argument as hospitals versus physicians but, in all of our worlds, that is a part of our consideration. We have decided where we stand on that particular balance.
Senator Finestone: I thought the Chair clearly outlined the choices which were amending, passing, or delaying the bill. However, I believe that this bill is about individual personal information. It matters not whether the information comes under the heading of health, financial, financial, mortgage or dental information. My personal information is my business and I do not care for anyone to interfere with that information unless I agree, and unless there is justifiable reason.
We live in a democratic society which should respect privacy as a personal right, as a human right. It is not an inalienable right but it is close to that. No matter what the source of the information -- be it a hospital or group home or nursing home -- this bill says no one should get my information unless they have my informed consent.
Dr. Diggens: That is what the bill should say.
Senator Finestone: Frankly, I am not interested in the basis for your opinions. Many medical people in my background may be upset with me. This is a generic bill which puts the platform at a midpoint. The Canadian Medical Association has its own excellent code which I have read from cover to cover. The dentists and pharmacists also have excellent codes. Why can this generic CSA code not be branched out in terms of its application whenever a professional organization has set a higher bar?
You referred to the Hippocratic oath. Never mind who killed who in Germany and the research and all that stuff that was done. It turns everyone's stomach, particularly Canadians who do not go that route.
The point is that the bill sets out a basic minimum. The CSA code will direct the basic minimum. Added to that, you have very strong codes of personal practice. You have within your codes the right to fire or get rid of a doctor or dentist and to take him to court.
Frankly, I can find no reason for grafting one code to another code. The CSA code is appropriate, but the others are important. They must be applied directly to the use of my personal information. If my doctor sends information to my pharmacist or my psychiatrist -- or my geriatric specialist soon -- I take that as being done with my informed consent because I trust my doctor. I also trust my dentist. If I did not, why would I go there? The consultations down the line are by informed consent. Practitioners are guided by ethical practices, by their Hippocratic oaths, all of which are very important.
I am sorry that this is a speech but I am having a difficult time with your proposition.
Senator LeBreton: I am glad you apologized for the speech.
Senator Finestone: You described the perceptions of Canadians, 68 per cent of whom feel that the personal information contained on plastic cards issued by financial institutions is the most important, most sensitive information. Do we need a financial code, along with the CSA code, the CMA code, and the dentists' code?
Let us be practical. I agree with my colleagues that, from a personal perspective, a public service perspective and a societal perspective, we all have the best interests of Canadians at heart in legislating our health care sector. However, we must be practical. How do we cover all the information regarding financial institutions, medical records, financial records, PIN numbers, social insurance numbers?
The Chairman: Thank you for the speech.
Dr. Vaughan: That is an excellent point. The issue of trust is crucial in banking and people conveying their personal information to banks. The banking industry has done a great deal in this area, and there are regulations governing it. I refer you to the current situation related to banking information.
Concerning health information on the Internet, last night 60 minutes aired a program which detailed how data mining is taking place. Health information is among the information being mined right now. It is being used to pre-screen people for employment, which is why we need health protection in this e-commerce bill.
We think this is a good bill which needs to be strengthened.
Dr. Diggens: Our main problem with the bill is not the knowledge requirement in order to do commerce but the fact that it says nothing about informed consent on the health record side. If it did say that, we would be very comfortable with the bill. There are commercial aspects to medicine and dentistry. Practitioners, patients and those judging these aspects will say that, because of the commercial aspect of dentistry and medicine, the bill applies in those areas with a standard lower than that which we are used to operating under. That is what this legislation would signal. It is not a good signal to send out. It is not a signal which should be sent out for a short period of time and corrected later. At the moment, we have physicians, dentists and other professionals operating under a code in which you have confidence.We are very particular about protecting that. That is why we believe the bill should be passed. We are in favour of the bill. However, it needs to be amended to make it clear that, when it comes to health records and personal information, the standard is informed consent, not just knowledge that it is happening.
Ms Lucock: The CMA code does not have the force of law at all. CMA has no regulatory authority. While it is certainly being used, in particular to influence legislation at this point, its compliance is not mandatory. CMA cannot require that. Only the law can do that.
The Chairman: Do you mean that the current code is essentially a set of guidelines?
Ms Lucock: That is correct.
The Chairman: Does that mean that the CMA itself, in its professional disciplinary capacity --
Ms Lucock: It has no professional disciplinary capacity.
The Chairman: The provincial associations have such capacity, do they not?
Ms Lucock: That is correct.
The Chairman: Do they regard a violation of the privacy code that you have described as something which is subject to discipline?
Ms Lucock: To my knowledge, in terms of physicians, I do not think any of the regulatory colleges have adopted the code as a basis for discipline. There are certainly confidentiality requirements.
The Chairman: Are you saying that the national association has a privacy code?
Ms Lucock: Yes.
The Chairman: To the best of your knowledge, has that not been adopted by any of the provincial professional regulatory groups?
Ms Lucock: That is right. They must be distinguished from our divisions, which would be the Ontario Medical Association and the Alberta Medical Association. They are not regulators either.
The Chairman: What is the relevance of a national code which everyone can proceed to ignore simply because you have not adopted it at the relevant disciplinary level? It has an element of smoke and mirrors to it.
Dr. Diggens: Mr. Chairman, I was the president of the B.C. regulatory authority for two years and was involved in the discipline of dentists in British Columbia. The code of ethics of the Canadian Dental Association mirrors the code of ethics of the British Columbia College of Dental Surgeons. It was a basis for regulating dentists. Under our rules, they were obligated to conform to that code of ethics and that code of standards. That is why I am so concerned that the passage of this legislation will send a message to all of those regulatory bodies that something is changing. Currently, there is substantial protection of informed consent under the code of ethics of each provincial regulatory body.
The Chairman: I have a dilemma with the logic of your position, which is what I am trying to understand. By definition, the bill before us must be better than the status quo because it imposes additional restraints. Assuming for a minute that all the professional codes do not change, then the bill as drafted clearly imposes additional privacy constraints. Therefore, by definition, it must be better than the status quo. It cannot be worse than the status quo, unless you people are planning to weaken your professional codes as a result of the passage of the bill. If your codes stay in place and there are now additional legal constraints, how will the situation be worse for the individual?
Dr. Diggens: When you are the president of a regulatory authority over a group of practising dentists, for example, the some 2,500 in British Columbia, there is a certain expectation of professionalism that starts in dental school. It is set out in the code of ethics and in the message given to those whom the regulatory authorities discipline. People obey it. They live up to it. Even though it is not enshrined in legislation, it is enshrined in the rules of the college. Therefore, the standard is there.
When you discipline people, they are very tough about it. They engage lawyers. They take any advantage they can. I would hate to be setting in place a legal situation in British Columbia, for instance, where a disgruntled dentist would hire a lawyer who would say, "But Bill C-6 is not consistent with your code. " I am worried that it will destabilize the confidence a patient has in his or her dentist or doctor who are operating under informed consent.
The Chairman: I do not know how you can destabilize it if you as a profession in British Columbia say that your code must apply to all members of the profession. If you continue to say that, how can it possibly be destabilizing?
Dr. Diggens: By creating a constant court battle situation between those regulatory authorities and people who wish to challenge that premise.
The Chairman: I did not say it would be easy.
Dr. Vaughn: Mr. Chair, the issue has to do with the secondary and tertiary uses of the data. It is not an issue of the doctor-patient relationship, which is what the provincial licensing authorities are concerned about. What concerns us is the secondary use of information, as the story on CBS' 60 minutes last night related. It is the mining and secondary use of data that concerns us.
The Chairman: Do you agree that, at the moment, there are no rules governing that?
Dr. Vaughn: This will not make it better.
The Chairman: It will not make it worse, will it?
Dr. Vaughn: It will make it worse in that it is an open forum to continue the use of data mining in health if we do not address this at all.
The Chairman: I always have difficulty understanding how adding additional constraints can make a situation worse. Mathematically, I do not think it is possible.
Ms Lucock: It is not so much the adding of constraints but the legitimization of certain practices that is of concern. To the extent that certain things are exempt in the bill, for example, research as a broad category, then research and the use of information without knowledge or consent for that purpose now becomes legitimate.
Senator Finestone: I do not think you can do anything like that. You must have reasonable justification. You must seek that reasonable justification before or at the time of use. You must define why you wish to do it that way, and you must obtain permission from the commissioner.
Ms Lucock: With respect, I think all you have to do is notify the Privacy Commissioner.
Senator Finestone: Yes, and if it is not right, you are not going to be able to do it because you have not given him reasonable justification.
Dr. Vaughn: I believe that the collection in paragraph 7(1)(a) of the bill is without knowledge or consent. It is very different, with all due respect, senator, from what you were saying, if the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way. I would put it back to you: Are you content to have others make that decision for you?
Senator Finestone: It depends on who is making that decision. If it is you as the researcher and it is in your interest, then no. If it is the office of the ombudsman whose responsibility it is to say "yea" or "nay", then yes. It is a question of how you interpret it. I have gone through clause 7 sentence by sentence and, while I could be wrong, I think I am right.
The Chairman: I thank the witnesses for their testimony.
Honourable senators, our next witnesses are from the Information Technology Association of Canada, from AOL Canada, from Microsoft and from Equifax.
Welcome, and please proceed.
Mr. Gaylen Duncan, President and CEO, Information Technology Association of Canada: Honourable senators, ITAC is the voice of Canada's information technology industry. We represent almost 300 of the largest information communications technology companies in Canada -- 1300 companies if we include those belonging to our nine provincial affiliates. Together, the 300 companies that belong to the national ITAC represent 70 per cent of the 500,000 jobs, $100 billion in annual revenue, $3.6 billion in annual R&D expenditures, and $27 billion in exports that IT contributes to the Canadian economy. We work hard to achieve a policy framework in Canada that protects and promotes these enormous contributions.
Our members and the clients they serve are pioneering the new frontiers of electronic commerce and electronic service delivery. In Canada, it is certainly off to a good start. ITAC believes that, if we get the formula right, Canada has the potential to take a strong leadership position in the emerging knowledge industry.
Business in Canada and around the world understands that electronic commerce will never achieve its tremendous potential without a shared set of principles that establish consumer trust. Customers venturing into the virtual marketplace need assurances that their interests will be as carefully protected as possible. One of the most fundamental of those interests is privacy and the protection of personal information. Therefore, independent of legislation, there is a growing awareness among private-sector organizations, certainly among those in our industry, that personal information should not be seen or treated as a commercial commodity. Bill C-6 provides a valuable complement to that new awareness.
Here I should like to stress that among Canada's industry associations, ITAC has been in the forefront on privacy issues. We called for privacy legislation as far back as October 1994, in a submission to the federal government's Information Highway Advisory Council. We have consistently advocated that legislation be passed based on the CSA Model Code for the Protection of Personal Information. That code was developed by a committee of industry, consumer, labour and government representatives, ITAC among them. The broad cross-sectoral representation on the CSA privacy committee gives great moral strength to the CSA model code -- and also to Bill C-6, which is, as you know, founded on the model code.
While people around the CSA table had different views, our dialogue was fruitful and, as you have heard in your hearings, lively. At the end of a long, generative process of give and take, the committee felt we had achieved a strong and workable compromise that adequately addresses the range of interests represented.
ITAC, therefore, applauds the introduction of Bill C-6 and recommends its expeditious passage through the Senate for three fundamental reasons. First, as I have just said, the bill is based on the hard-won compromise that the CSA model code represents.
Second, the bill positions the Privacy Commissioner as a positive force for compliance. Adopting the ombudsman model, where the Privacy Commissioner acts as an arbiter rather than as police, judge and jury, is commendable. This positions the Privacy Commissioner as a positive force to work with rather than as an enforcer to defend against.
Third, the government is attempting through this bill to create uniform law applying to all companies in Canada, wherever they are located across the country. In fact, I believe it is a bold step for the federal government to move on privacy legislation through its trade and commerce power.
We would also point out that industry groups that want what they may call tougher or higher standards are in no way restrained by the bill from introducing additional measures into their own practices.
I would also note that ITAC fully supports Parts 2 to 5 of the bill, which perhaps have not had much debate at this committee. They address the housekeeping issues, such as the need to modernize existing statutes so as to recognize electronic documents.
I thank the Standing Senate Committee on Social Affairs, Science and Technology for allowing us to speak today. In closing, may I remind you of the breadth and commitment of the impressive consensus of public interest and industry groups that has brought us this far, and may I urge you to recognize the urgency with which these groups, including ITAC, view the passage of Bill C-6. In our opinion, you have got it right after years of work. It is now time to get going.
My company offers the AOL Canada and CompuServe branded Internet on-line services throughout Canada, serving over 180,000 households with our uniquely Canadian content and services. Using our Internet on-line services, our members can work on-line, conduct banking transactions, pay bills, communicate with friends through electronic mail or instant messaging capabilities, complete all of their holiday shopping and find information on virtually any topic that you can think of.
The electronic marketplace is here and Canadians are increasingly enjoying its benefits. Along with those benefits come risks, such as the risks attendant to providing personal data over electronic networks. AOL Canada is aware of those risks and works diligently to protect the personal data of its members. Our company is an active member of the industry trade association, the Canadian Association of Internet Providers, or CAIP, and has been a leader in the privacy field, working to encourage responsible data protection practices. The CAIP privacy code is modelled on the Canadian Standards Association's Model Code for the Protection of Personal Information.
The CAIP code, however, tailored the CSA code to match the realities of the on-line medium, and that is the crux of my testimony today. We should like to see Bill C-6 amended to provide our industry the flexibility it needs to continue to flourish while protecting the personal data of its customers. AOL Canada is concerned about the prospect of drafting rigid restrictions and mandatory enforcement mechanisms onto the flexible and evolving framework envisioned in the CSA model code and adapted by the Internet industry in the CAIP code.
As Senator Kirby has noted, Canada's success in the 21st century will depend on the ability of all Canadians to participate and succeed in the global, knowledge-based economy. If regulatory barriers slow the development of e-commerce in Canada, the country's consumers will lose the benefit of rapid access to innovative services at the lowest prices.
In our written comments, we have identified a number of areas requiring clarity and amending language from our industry's perspective. I should like to highlight a few of those areas in my remaining time.
Our fundamental concern is that the tenets of the CSA model code should not be rigidly applied in identical fashion to all sectors of all industries. As its name suggests, the model code was intended to provide an example for trade associations and other industry groups to guide the development of sector-specific privacy rules. Some sector codes, including the CAIP privacy code, closely follow the outlines of the CSA model code but streamline and simplify its provisions to make them suitable for the particular industry.
In the area of electronic commerce, where many businesses are experimenting with new business models, the need for flexibility to permit experimentation is especially strong. Subclause 7(2) of the bill provides an example. It prohibits the use of personal information by the collecting organization except in prescribed circumstances. Those circumstances do not include a threat to the property or viability of the business enterprise. In the on-line world, a disgruntled consumer can wreak havoc on networks, Internet service providers and other customers. The ISP should have the ability to use information about their identity to prevent a shutdown of the network and the disruption of service to thousands of other individuals. Likewise, it should be able to use personal information to prevent the on-line harassment of other members or other types of service disruption.
We therefore support an amendment to paragraph 7(2)(b) to add an additional situation in which personal information can be used by the collecting organization without the prior consent of the individual to cover threats to property or the viability of an organization's business, or a violation of its rules.
Another way in which the bill does not anticipate or address the Internet or other new media is its repeated references to written consents. In the world of electronic communication, e-mail or electronic requests are the norm, and the legislation should reflect this.
The clauses pertaining to an individual's right of access to personal information are a third example. Those provisions do not anticipate some of the technical limitations that electronic communications present. For example, an individual using an ISP to search for a particular Web site must, in order to retrieve that Web site, type in a URL address or search terms that he or she is seeking. The search engine, that is, the company providing the technology that scans the web for sites that match the individual's search request, must collect that information as well as the screen name or on-line address of the requesting party in order to be able to fulfil the search request and provide the information the individual requested.
Organizations should not be required in any circumstances to create records that would not otherwise exist. In addition, they should not be required to sever information if doing so would be technically impractical or expensive.
AOL Canada believes the best way to ensure that Canada continues to play a leading role in the new economy is to allow Internet ventures to experiment and innovate. In order to do so, these businesses must be free to adopt innovative marketing techniques while continuing to protect consumer privacy. With appropriate changes, Bill C-6 can strike a balance between the privacy interests of individuals and the legitimate needs of Internet-related businesses for flexibility and experimentation to develop new ways of reaching consumers.
Mr. Michael Eisen, Canadian Director, Law and Corporate Affairs, Microsoft: Honourable senators, Microsoft recognizes the importance of privacy protection to the continued growth of electronic commerce. Accordingly, it has consistently supported efforts to increase consumer confidence in the privacy practices of on-line businesses. As an example, Microsoft is an advisory board member and premier corporate sponsor of TRUSTe, a widely known certification program designed to promote on-line privacy protection.
As regards Bill C-6 in particular, however, Microsoft is concerned that clause 7 as presently worded could hinder the ability of software publishers and other rights holders to combat software piracy. It has been estimated that in 1998 Canada had a software piracy rate of 40 per cent and that the revenue lost as a result of that piracy exceeded $450 million. Those losses represent hundreds of potential jobs at software publishers' Canadian subsidiaries. In addition, hundreds more jobs could have been created in the distribution channels had those losses been turned into purchases. Support providers suffer as well since, with fewer legitimate sales, fewer users are legally entitled to support, meaning fewer opportunities for support providers. Decreased legitimate software sales also result in lost tax revenue. Finally, a high degree of piracy hinders the growth of an indigenous software publishing community since potential Canadian software publishers will be deterred from attempting to establish themselves, as piracy will make it impossible for them to recover their development costs.
Microsoft's anti-piracy efforts include investigating reports of the unauthorized duplication, use and distribution of software and, in appropriate circumstances, initiating legal action. Those efforts could be frustrated by the language of subclause 7(3) of Bill C-6, which identifies those circumstances when personal information may be disclosed without the knowledge or consent of an individual. Specifically, subclause 7(1), which deals with the collection of personal information without knowledge or consent, provides in part:
For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if
(b) it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;
Similarly, subclause 7(2), which deals with use -- so we have moved from collection to use -- of personal information without knowledge or consent provides in part:
For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may, without the knowledge or consent of the individual, use personal information only if
(d) it was collected under paragraph 1(a) or (b).
I referred to those clauses a moment ago.
Subclause 7(3), however, which, as already indicated, deals with disclosure of personal information without knowledge or consent, is for no apparent reason much more restrictive since it is limited to disclosure to an investigative body, a government institution or part of a government institution in connection with the investigation of breaches of an agreement and contraventions of law. Otherwise stated, Bill C-6 could be interpreted to prevent Microsoft or other software vendors from disclosing information gathered in connection with their anti-piracy activities to private investigators, potential witnesses or other cooperating software companies, none of which come within the apparent meaning of investigative body or government institution or any conceivable regulation defining those terms.
This flaw in Bill C-6 could be remedied relatively easily by adding a paragraph to subclause 7(3) permitting disclosure of personal information without knowledge or consent where it is made for a purpose directly related to its collection or use pursuant to paragraphs 7(1)(b) or 7(2)(d) which, as I noted previously, permit collection and use of personal information without knowledge or consent in the relevant circumstances where it is reasonable to expect that collection with knowledge or consent would compromise the availability or accuracy of the information.
Mr. Jackson L. Chercover, Equifax Canada Inc.: Honourable senators, let me begin by joining the deluge of political correctness by saying that Equifax Canada also supports this legislation. Equifax was a private-sector supporter of the principles of the CSA code and participated in its development. It has also, as indicated in the written submission, participated in all of the consultations leading up to the bill. In those submissions, both in the other place and here, we have tried to show the unique nature of the credit reporting industry which faces the spectre of a second level of regulatory compliance. We have also attempted to demonstrate that a single, simple amendment would relieve the industry of that costly burden without depriving a single Canadian consumer of the privacy and confidentiality provisions of the provincial constitutional regulatory regimes under which we operate.
The simple amendment we suggest is to subclause 7(3). Equifax has no difficulty with subclause 7(1), the collection, because all information that is collected by consumer reporting agencies is collected with direct consent to the credit granter to whom the information was given. Equifax has no difficulty with subclause 7(2) simply because Equifax is a repository of that information and does not use that information.
Subclause 7(3), however, is the area of unique difficulty because there is no contractual nexus between the consumer and a credit reporting agency. It is possible to argue that in the absence of a direct consent to disclosure, Equifax might well be in breach of the legislation. Therefore, the simple amendment recommended in my written submission, which would go into subclause 7(3), would be that an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is in compliance with the credit reporting legislation of the province in which the individual resides. By enacting that type of simple amendment, a multi-staged regulatory compliance problem would disappear.
Of course, the Privacy Commissioner has the discretion, granted in clause 13, to decline to report on any complaint that could properly be dealt with, in his or her view, at the provincial level. However, that is a discretion, and the amendment we have recommended would relieve the Privacy Commissioner of the investigation in order to make the decision as to whether or not to report.
The industry I represent is mature. It serves the interests of Canadian consumers and businesses in the purchase and sale of services, and it is a source of negligible complaints. Accordingly, I respectfully recommend that this simple amendment would avoid any disruption to that continuing service.
Senator Callbeck: One question I should like to put to Microsoft, Mr. Eisen, concerns my understanding that there is a way to track Web sites and the pages of a Web site that are visited. For example, if Ms Jones visits 20 Web sites this afternoon at certain pages, that information can be stored. I believe the term applied to this is "cookies". I understand this function is used by Microsoft's Internet Explorer. Therefore, this results in the collecting of personal information without the computer user's consent or knowledge.Is that right?
Mr. Eisen: Let me answer your question as directly as I can. My area of expertise is not the technology of our products. I am an attorney; I specialize in other areas, specifically intellectual property law, and I am not capable of effectively answering your question. I attended today in order to make a request for a specific amendment to which I feel capable and qualified to speak. I would be happy to refer you to people who are expert in that area, but I would prefer not to speculate.
That said, there are also technologies available from AOL and from Microsoft that give the consumers the choice not to receive "cookies". That is a part of Microsoft's Internet Explorer technology. It is also a part of AOL Canada's "preferences". We give the member the opportunity to define the preferences, marketing and otherwise. Therefore, they can choose whether or not they receive those cookies.
That technology is used to give consumers the opportunity to provide very limited information, as I mentioned in my oral briefing, like screen name or e-mail address and, if the consumer chooses, preferences of what types of information they would like to receive. That is good news for consumers because when they go to a specific Web site, that Web site knows what information to deliver. Again, just to be clear, the consumer has the choice to turn that technology off.
Senator Callbeck: How will Bill C-6 affect cookies?
Mr. Bartkiw: Clearly, because of consumer choice, it should not have any impact on it whatsoever. The contractual relationship we have with our members addresses the issue, and consumers are able to take advantage of the technology to ensure, if they so choose, that they do not receive the cookies.
The Chairman: Could you explain the term "cookie"?
Senator Finestone: Actually, Mr. Chairman, I should like to point out that among the many complaints we receive about the Internet is the fact that it is an unconscionable service that uses our children, who are learning to be communication wise and sound, by sneaking these little cookies here, there and everywhere, thereby identifying where mommy works, what daddy does, the level of income, whether they have a car, the type of car, how many times you go out with mommy and whether you go to the movies. If that is not accurate, I should like you to tell me please what a cookie is.
Mr. Bartkiw: In the technology world cookies are pieces of information that are, for lack of a better word, provided when a consumer visits a Web site. As I mentioned earlier, that can be an e-mail address to let the Web site know specifically the identity of that consumer.
Senator Finestone: What if you are 12 years old? Start there.
Mr. Bartkiw: First of all, I will speak specifically about AOL Canada. Our terms of service state that you must be 18 years of age or older to register with what we call a master account. That master account designation is important because it allows the master account holder, typically the parent, to define tools that we call "parental controls". Those parental controls allow the consumer to determine specifically what their children do on line, where they go, if they choose to designate where they go, and with whom they communicate.
I do not want you to get the impression that cookies are out there gathering information that consumers have not provided. That is not the case. The consumer can set up their on-line experience and choose the level of information that they wish to share with either a Web site or a merchant. I hope I have answered your question.
Senator Finestone: That is clear on the part of AOL. Can you speak for all the delivery services that are on the Internet? I have heard from Microsoft about some leakage. I do not know what the leakage is, exactly, but we have heard that not everyone is as straightforward. Are you the service of choice because you have the trustworthiness and the confidentiality and because you go by age and stage? Are there others who need to be covered more carefully?
Mr. Bartkiw: I will answer generally on behalf of the industry. The Canadian Association of Internet Providers has devised guidelines, specifically privacy guidelines, to which all members must adhere.
Senator Finestone: What does the word "must" mean?
Senator Callbeck: I have one more question on cookies. I understand that while Europe has data protection safeguards in place, somehow cookies are able to bypass those.
Mr. Bartkiw: I cannot speak to that specifically. I am not aware of that being the case. However, we would be pleased to gather more information and report back.
Senator Callbeck: There is one other area I should like to cover with Mr. Chercover: credit bureaus and the credit reporting agencies that provide consumer credit information as well as a significant amount of personal information. I should like to know exactly what is collected and how you obtain that information personally.
Mr. Chercover: A number of the provincial statutes draw a distinction between credit information and personal information. I cannot speak for other consumer reporting agencies, but I can speak for Equifax Canada. We do not collect or disseminate personal information. Credit information is only name, age, address, place of employment, previous places of employment and payment history. Where do we get the information? The information comes from our members, which are financial institutions, major merchants, credit card issuers and, in some instances -- since many government agencies are also members of the Equifax network -- unless specifically forbidden by statutes such as Revenue Canada, we also obtain information from government agencies.
The Chairman: Mr. Chercover, pardon me for not being a lawyer here, but you prefaced the list of facts you collect by saying that you do not collect personal information, yet everything you listed was a piece of personal information.
Mr. Chercover: No. "Personal information", as defined in the various provincial statutes, includes such things as race, religion and so on.
Senator Murray: Look at the information in this bill, Mr. Chercover.
The Chairman: I have no problem with interjections but it is difficult for the television audience to hear you if you do not put your microphone on.
Any normal person would have difficulty accepting the notion that the things you listed, including credit rating and so on, are not personal information. They are absolutely what most people believe to be personal information. I understand what you said was technically, legally correct; I just thought it was incredibly misleading and I was trying to correct the record.
Mr. Chercover: I understand. If it is misleading, I would be happy to express that to those responsible.
The Chairman: I do not think you were trying to be misleading but for anyone listening to this it would certainly appear to be misleading.
Mr. Chercover: I am offering to take your complaint to the various provincial legislatures who enacted the legislation, but the fact is that there is this distinction in most cases. Let us take "personal information", as defined here. It is very similar to Quebec's Bill 68. It is any information that relates to an identifiable individual.
The Chairman: That is the more normal interpretation.
Mr. Chercover: That is the federal interpretation.
The Chairman: Under that definition you do collect information.
Mr. Chercover: Absolutely. You must draw the distinction between determining whether an individual is credit worthy and looking into what I call "investigative information" -- what are his or her habits apart from credit worthiness. We simply do not deal in that.
Senator LeBreton: To what kind of habits are you referring?
Mr. Chercover: Sexual orientation.
Senator LeBreton: That would be personal?
Mr. Chercover: I would think that would be more personal.
Senator LeBreton: No, but in terms of your definition --
The Chairman: He does not do that.
Senator LeBreton: That is not there?
Mr. Chercover: No. When you walk into your bank and say, "I want to buy a car. I need a loan," your banker will go click, click on a system to system, and he will see your credit history. If he sees R1s, he will say on the spot, "Yes, ma'am, you have been approved for your loan." If he sees R7s or R9s or judgments against you in the local courts, he may say, "I am sorry. You are declined." If he does decline you, you are entitled to know why. By provincial law, you are entitled to the identity of the consumer reporting agency -- that is us. You are also entitled to come to us to see your information or to receive it by mail at no cost. There are provisions for correcting any errors in the event that there is an error. The information as corrected must, at no cost to you, be distributed to anyone who has received it in the previous six months.
Senator LeBreton: What difference is there between your organization and a credit bureau?
Mr. Chercover: We are a credit bureau.
Senator LeBreton: Are you the Credit Bureau of Ottawa-Hull?
Mr. Chercover: The Credit Bureau of Ottawa-Hull is an affiliate.
Senator Oliver: I wish to return directly to the bill before us, Bill C-6. There have now been four presentations. One of them was from Mr. Duncan, who gave a glowing support of the bill; the other three are not from an organization but from companies. Each of the three has proposed an amendment or two.
Some witnesses come before Senate committees and tell us that it is important for them and their organizations to put their views forward to the committee, to get it onto the record and off of their chests and, having done so, they can go home and have a good night's sleep. It is my impression that the three of you who have proposed amendments have done just that here today. You made your proposal for an amendment, but then you side with Mr. Gaylen Duncan that the bill can now be passed because you have said what you came to say. This is my question: Are you serious about these amendments, or are you just here to make a statement?
Mr. Eisen: I can genuinely state to you, senator, that we are extremely serious about this amendment. I have been pursuing this amendment for more than a year. Perhaps my inability to get it is testimony to my shortcomings as an advocate, but this is a serious matter. I am not here to make a statement for the sake of the record. Software piracy in this country is a staggering problem and there is an urgent need to address it. I have serious concerns about this flaw in the bill. It can potentially cause problems not only for Microsoft but for other software publishers and for other sorts of rights-holders. My statement was made in all seriousness. It was a genuine request for assistance. It is not the first time I have raised this issue.
Senator Oliver: Did you take the matter to the department itself? Did you discuss it there at the higher levels?
Mr. Eisen: Yes, sir.
Mr. Bartkiw: I would echo Mr. Eisen's comments. Our visit here today is not just to be clearly on the record. The amendments we requested will have a significant impact not only on our business but on our industry and on the growth of e-commerce. E-commerce in Canada today is significantly behind the U.S. market, somewhere between 18 months to 24 months behind. We must work diligently to grow the industry in Canada. We must insure that we do not have any burdensome regulatory framework which prevents it from growing and which adversely affects the industry. We are serious about the amendments suggested today. Going forward, we will work to see them implemented.
The Chairman: What was the reaction of the department when you made this pitch?
Mr. Eisen: The department did not agree with me that the term "investigative body" and the related regulations would fail to address the specific concerns that I have identified for you today.
Mr. Duncan: Mr. Chairman, this is the result of years of intense negotiations between groups and individuals, industry associations, government members, privacy commissioners and consumer protection associations. With trade-offs all along the way, we finally reached a consensus. It is not perfect, but through years of intense discussions between individual vested interests -- as you have seen in the testimony before you -- we have come up with a compromise.
The issue of concern is frequently translated into, "I am not sure how this will work but if you put my language in, then I will be sure." As far as possible, through the negotiating process we have put our language on the table. Both of these points came up during the original negotiations and were part of the discussions that led to the CSA wording. Fundamentally, the CSA model code is now being incorporated into this.
Senator Oliver: All three proposals suggest an amendment to clause 7, the same clause 7 about which the medical witnesses here had grievous concerns. This clause seems to be causing the most pain to various groups.
Mr. Duncan: That is the case for a variety of reasons. In sum, intense amounts of detail are required. The position of the industry association was "Great idea; do that in your sectoral codes but not by legislation." At that level of detail, another bill and hearings before this committee may be required to respond if technology changes one of those details. That is the wrong approach. The bill should contain principles; the sectoral codes should contain details.
Senator Oliver: Mr. Bartkiw's view, though, is just the opposite. We are now involved in the Internet. Canada is way behind in e-commerce, as I said in my statement in the Senate. His hands are now tied. The hands of Internet service providers are tied by this legislation.
Mr. Duncan: My third point is that solutions are following in other legislation. For example, changes regarding hackers, viruses and piracy are coming to the Criminal Code and to the prosecution and court systems. Those are not privacy issues. There are associated problems and I do not disagree with AOL's position on that point, but we are looking to other pieces of legislation to solve them. We will not tie every solution in the technology world to this one bill.
Mr. Bartkiw: Mr. Chairman, if this bill is enacted as currently written, significant issues will arise immediately in our business and in our industry, again relating to clause 7 and how we are treating information and how that might be interpreted based on the language in the bill is it written today. That is the reason for our suggested amendments. We want clarity so that, when the bill is enacted, there are no questions or handcuffs on the industry with respect to growing the e-commerce industry in Canada.
The Chairman: Returning to Mr. Duncan's point, are there handcuffs or is there uncertainty? There is a big difference between the two. To what extent is this an issue raised by lawyers who worry about every potential little nuance and who look for a level of certainty that is very difficult to achieve in the first legislation?
As Senator Oliver said, all the amendments proposed this afternoon have dealt with the same clause. Witnesses say they do not mind the broad principles contained in the CSA. The CSA does not have hard and fast rules. The act says explicitly that the word "should" need not be interpreted as being absolutely obligatory. A law based on principles has more flexibility than one built on a complete set of details.
To what extent are your problems, and those of other witnesses heard here this afternoon, driven by lawyers who find it more difficult to deal with legislation that sets out general principles? I know they would infinitely prefer something that includes every conceivable detail so they can accurately advise their clients. I understand that desire for certainty; it would make your lives easier. However, I must understand whether we are facing a real problem or a discomfort with the lack of absolute legal certainty and your need to learn to live with some uncertainty.
Mr. Chercover: The answer is both, Mr. Chairman. Yes, a lawyer's function is to clarify the interpretation of legislation that will affect his client, but it would be wrong to suggest that we do not share with honourable senators the same concerns for our country and our public.
The Chairman: I was not suggesting that. I am trying to understand whether the problem lies with the structure of the bill. The bill sets out principles by which businesses ought to abide. That is not the normal way of writing legislation. Usually legislation sets out the hard, fast rules. The Criminal Code, for example, does not set out a principle against drunk driving: it states that it is illegal to drive with a blood alcohol level exceeding .08 per cent.
In my 30 years of experience around here, Bill C-6 is unusual in that sense. I am picking up on Mr. Duncan's point. To what degree are we addressing problems inherent in the structure of the bill versus addressing other very specific problems? That is what I am having difficulty with. When everyone zeros in on the same section, as Senator Oliver said, and everyone says, "My problem would be solved if you were to include my specific amendment," I am inclined to think that the dilemma is more with the structure of the bill, as Mr. Duncan pointed out, which you are finding unsettling, as opposed to there being a real problem.
Mr. Eisen: With all due respect, sir, it is certainly reasonable to expect parties, particularly in the case of new legislation, to live with an acceptable amount of uncertainty. On the other hand, it is equally reasonable to eliminate clear and visible flaws to the extent that you identify them prior to the bill becoming law. In my view, while I cannot give a blanket answer to your question regarding the several concerns, I suggest that they fall into different categories. I certainly think that a number of those concerns are not driven by an inability to live with the accepted uncertainty that surrounds new legislation. I think they are driven by an earnest attempt to better the legislation by eliminating visible flaws that can be relatively easily remedied.
Mr. Bartkiw: Mr. Chairman, I should like to provide a couple of concrete examples. First, in subclause 7(3), there is reference to the use or collecting of information with respect to making it available to third parties. Today, many Internet service providers across the country rely on third parties to provide customer support. That would include the provision of technical and billing support. We provide our customer information via our tools, namely, our customer service tools, to that third party. If the bill were enacted today as written, we would be in contravention of it. Clearly, we need to provide that third party the information in order for them to support properly our customers.
A second example is the provision of information to an affiliated organization. AOL is made up of a community of over 19 million members in 14 countries around the globe. All those members can communicate with each other. There is nothing from preventing an AOL Canada member from going off to AOL France and enjoying the content of AOL France and communicating with its members. As the bill is drafted today, the provision of such information would not be acceptable.
Senator Murray: Mr. Duncan, one of your reasons for urging us to give expeditious passage to this bill is the government's initiative in attempting, through this bill, to create uniform law applying to all companies in Canada wherever they are located across the country. I agree with that, with emphasis on the word "attempting". That is what the government is trying to do. Nevertheless, we must take note of the statement of the Insurance Council of Canada to the effect that if this bill goes through there will be the possibility that its members will have to comply with as many as 28 different privacy laws, if serious efforts are not made to promote consistency and harmonization of privacy laws between Canada and the provinces and territories. I take it you do not share that concern.
Mr. Duncan: I do, deeply, yes. In our view, Mr. Chairman, this is a step that sets out some principles that the provinces must now have as an absolute minimum in whatever legislation they produce. I do not know if the number will be 28; however, there will certainly be the new 13 provincial and territorial privacy laws that will come out. Several of the provinces have indicated that their health privacy information is being held in abeyance until this bill clears, in whatever language it finally clears, because they intend to hang their health privacy legislation off the principles of this bill. We will see multiple pieces of legislation. This sets a common base.
Senator Murray: Mr. Duncan, a province that enacts a law that is deemed by the federal government not to be substantially similar will still have a law on its books with which the citizens or organizations of that province will have to comply. They will, therefore, have to comply with two laws, the federal law and the provincial law. They will also have the difficulty of trying to sort out, for the purposes of the legislation, what is interprovincial and what is intraprovincial. It is, perhaps, not as clear-cut as we would all like to think.
Mr. Duncan: Mr. Chairman, this bill as it now stands is the minimum. A province can pass a piece of legislation that provides less protection, in which case the courts will not sustain it. They can pass legislation that provides more protection. I think the fear of the insurance industry is that there will be ten-plus different and overly onerous pieces of legislation compared with this bill.
Senator Murray: It may not be a question of more or less but a question of different sets of processes with which an organization must comply. That may be burdensome.
The Chairman: If the federal government does nothing, it will have the same problem.
Mr. Duncan: That is correct.
The Chairman: I do not see how the federal situation compounds the problem. If the fear is that you will have 13 different sets of rules, this does not really compound the problem. I am not arguing that it is a desirable situation in which to be.
Mr. Duncan: If we can get out of the knowledge economy and return to the physical economy, Mr. Chairman, there are 12 motor vehicle regimes in this country. There is a process to ensure that when you are going 60 kilometres an hour while crossing a provincial border the speed limit is the same. We believe this sets a framework for a set of principles, the details of which will take years to sort out.
Senator Murray: Let me move to Mr. Chercover and his suggestion that we have to amend this bill to add a provision that would exempt the situation where the disclosure of personal information is "in compliance with the credit reporting legislation of the province." Credit reporting legislation must vary from province to province, does it not?
Mr. Chercover: It varies, but not in principle. There are three principles. They are accuracy and timeliness of information, disclosure of information only for permissible purposes, and the rights of disclosure to the consumer and amendment and correction as I spoke of before. This is a very closely regulated industry provincially.
Senator Murray: I do not understand why the amendment is necessary. I will not invite you to repeat what you said. I will give it close attention when I get a chance to read it over again.
I turn now to Mr. Bartkiw and Mr. Eisen. My question is with respect to the provisions of the bill in paragraph 7(1)(b), where the collection would be reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province, or again in paragraph 7(2)(a), where an organization becomes aware of information that it has reasonable grounds to believe would be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being, or is about to be committed and the information is being used for the purpose of investigating that contravention.
Senator Finestone: Where are you getting that?
Senator Murray: Page 5. I went down to paragraph 7(2)(a), senator. Do you see that? Again, it deals with a situation where a contravention is being, has been or is about to be committed, and the information is being used for the purpose of investigating that real or hypothetical contravention. I fail to see why that is not sufficient for your purposes, Mr. Eisen and Mr. Bartkiw.
That being said, let me say something to Mr. Bartkiw with respect to his suggestion that a threat to the viability of the business enterprise ought to be included. I mean, that is not necessarily a crime. A threat to the viability of the business enterprise could be almost anything, including a lazy executive.
Mr. Bartkiw: That is a valid point, Mr. Chairman.
Senator Murray: It is far too broad for the committee or anyone else to accept.
Mr. Bartkiw: If I might say, there are means with which a consumer or an individual can, for lack of a better term, attack an on-line service -- for example, by sending massive amounts of e-mail that have not been authorized or requested by any of the providers. I do not think that that type of activity would fall underneath this language, and that can have a severe impact on the business of an Internet service provider. It can literally cripple a service and take it down. In our case, in excess of 200,000 people may not have access to the service as a result of that type of act. That is what we are trying to get at.
Senator Murray: Are you telling us that existing law does not cover that situation?
Mr. Bartkiw: That is correct.
Senator Murray: What would you do with the personal information involved in that?
Mr. Bartkiw: First, with the personal information we would be able to identify the individuals in order to contact them.
Senator Murray: You can do that now. We are talking about disclosing. You can contact them now, I presume, if they are using your service, and ask them what in the name of heavens they are up to.
Senator Oliver: And cut them off.
Mr. Bartkiw: Obviously that is one opportunity. There is also an opportunity for them to have access to other consumers on our service without our authorization. That is to say, you do not necessarily need to be an AOL member to send e-mail to AOL, and our members can receive e-mail from non-AOL members, as you would expect. This would potentially give us the opportunity to share information with another Internet service provider who may actually have this individual as a customer, so that we could, in fact, stop this individual from attacking our on-line system and our members.
Mr. Duncan: Mr. Chairman, that is precisely the concern of the consumers' group. We are opposed to two private companies, both involved in the act of collecting information, then sharing that information because they are irritated about a user. AOL could provide that information to the cable company that provide my Internet service access, and then the cable company will be under pressure to disconnect me. The belief expressed by the consumers' groups during these intense negotiations was that the situation Mr. Bartkiw described sure sounds like mischief, and mischief is something that the police can investigate. We have no problem with you wanting to cut someone off because your system is starting to come down. That is a service issue. If you want to provide that information to the police to allow them to conduct an investigation, and that investigation results in a regulatory order cutting someone off, then we have no problem.
Mr. Bartkiw: That would be great if there were some form of legislation that specifically prevented consumers from sending massive amounts of e-mail, but that does not exist today. Therefore, it is far more expeditious, less onerous and less expensive for all involved.
Senator Oliver: Unless, of course, it is mischief as defined by the Criminal Code, in which case there is a remedy.
Mr. Bartkiw: Point taken.
Senator Murray: Mr. Eisen, could we get an answer from you?
Mr. Eisen: My concern does not focus on the language relating to collection found in subclause 7(1), or the language relating to use found in subclause 7(2), which you referred to, but rather to the language concerning disclosure in subclause 7(3), which does not parallel the language relating to collection and use and which is much more restrictive.
My only concern is that the legislation be internally consistent. Surely, if you are allowed to collect for a certain purpose and allowed to use for a certain purpose, you should be permitted to disclose for that same purpose. I am perplexed that while you can collect information, pursuant to subclause 7(1), in certain circumstances relating to the investigation of a breach of a law, and while you can use that information, under subclause 7(2), you can not disclose it except as provided.
Senator Murray: I remember you were speaking about private detectives. Could you read your amendment again?
Mr. Eisen: I am suggesting that subclause 7(3) be drafted in such a way as to parallel subclause 7(2), by adding the simple language permitting disclosure of personal information, without knowledge or consent, where it is made for a purpose directly related to its collection or use pursuant to paragraphs, et cetera.
Senator Finestone: Where would you put that in, Mr. Eisen? Would it be directly under 7(3) before you move to 7(3)(a)?
Mr. Eisen: It would become a part of subclause 7(3), wherever you wish. I do not know if you have a copy of my submission.
Senator Murray: No.
Senator Carstairs: I have a supplementary question on this. To me, there is a hierarchy, and the hierarchy is to collect, to use and then to disclose. Surely there is a greater burden of responsibility to disclose. That leads us to the issue of the medical situation, where the doctor can certainly collect and certainly use, but God forbid if the doctor discloses that information.
Mr. Eisen: It is important to realize that we are dealing here not with medical situations, but with investigations of breaches of the law. We are dealing only with breaches of contract and contraventions of Canadian law.
Senator Carstairs: With the greatest of respect, we are dealing with subclause 7(3), of which medical information is an intrinsic part.
Mr. Eisen: I apologize for not being as clear as I should be. I am focusing on the fact that the provision relating to the disclosure of personal information, solely in connection with investigations of breaches of contract and contraventions of law, is narrower than the provisions relating to collection and use. I am suggesting to you that there would not be any of the abuses that you have highlighted associated with allowing information, collected and used when investigating contraventions of Canadian law or breaches of contract, to be disclosed to private investigators who are assisting you, to witnesses who are assisting you, or to other like-minded organizations with whom you are working in tandem to eliminate software piracy. It is a very narrow and focused request aimed at allowing software publishers not only to collect information relating to the theft of their property and to use information relating to the theft of their property, but also to disclose it so that, at the end of the day, there can be civil proceedings, criminal proceedings or reasonable redress.
Mr. Duncan: Mr. Chairman, I do not wish to put words in Mr. Eisen's mouth, but my recollection of paragraph 7(3)(d) is that disclosure may occur on the initiative of the organization to an investigative body. The concern is that the investigative body will include by definition only police forces, security forces, et cetera, and not a private investigative body.
Mr. Eisen: Even more to the point, I do not think "investigative body" could conceivably be defined to include a single private investigator with whom you are working, a witness with whom you are working or, perhaps most importantly, a like-minded software company with whom you are working. If, for example, Microsoft and Autodesk were together investigating the infringement of their copyrights by an organization that was manufacturing and distributing CD-ROMs that contained bogus Autodesk and Microsoft products, conceivably this legislation could be interpreted to prevent a sharing of personal information between the two companies in connection with that investigation because neither of them would be an investigative body.
Senator Finestone: It would seem to me that you are talking about intellectual property law, which covers theft of intellectual property. The interpretation is with respect to the disclosure being requested for the purpose of administering any law of Canada. If you believe that the fraud is being committed or the intellectual property theft is taking place, you have subclause 7(3). There is plenty of room for interpretation in that section in order to deal with fraud, theft and misdemeanours in many different ways.
Mr. Eisen: I am attempting to ensure that privacy law does not unnecessarily intrude on intellectual property law and make it impossible to effectively police your intellectual property.
Senator Finestone: Mr. Eisen, did you approach Industry Canada? With all due respect, our minister is quite a techie and would like to see this area move forward more quickly. Did you approach him, or did you deal strictly with Mr. Duncan in the negotiations to have this whole section put together?
Mr. Eisen: I dealt directly with officials from Industry Canada. I will concede to you that I was not able to persuade them of the merits of my position. I am attempting to do so in another forum.
The Chairman: We have the minister here on Thursday, so we can ask him why you were unsuccessful.
Senator LeBreton: Mr. Duncan, you were talking about consensus and not having a perfect document and having a floor or a base from which to work. What happened with the health people? There seems to be conflicting views as to whether they were brought into the process or whether they came in late in the game. How do you address their concerns? I believe you were in the room when the representatives of the doctors and the dentists were here. From your perspective, in hindsight, is there a way that this could have been addressed better?
Mr. Duncan: As the chair well knows, over 30 years ago, privacy conferences started to be held in the medical, legal and technical worlds. There has been huge consultation at the broad level for over 30 years. I have given thousands of speeches on this topic.
For anyone to say that they have not been consulted on the principles I think would be misleading the committee. On this particular project, I think they were brought in late. I also think the consumer groups, the individuals about whose files the medical people were talking, basically said this is the framework. We look to provincial legislation on details that will then set the framework for the governing bodies of the various professions to then set specific sectoral policies. Now we have an enforcement mechanism. It is not a privacy commissioner or an ombudsman or an individual going to court. We now have an individual's licence at risk. I do not think it is appropriate for the federal government to be intervening in that piece of property and civil rights. Check the master framework and then see it cascade down until it becomes a sectoral set of rules as to how patient information will be handled by a doctor. If he breaches that, his licence is at risk.
Senator LeBreton: What are your views on their suggestion that their code be added as an addendum to this bill?
Mr. Duncan: From a legal point of view, I do not think that is technically what you want to do. The next time they wish to modify their code, they require a bill that must go through the House. The House will rise and prorogue and they will have to start over again. You will get caught in Senate hearings and Christmas recesses coming, all because they want to change one line of their code.
Senator Murray: With respect, again, Mr. Duncan, that is not the case. We could append their code to our bill by an amendment, and they are still free to do what they wish with their own code as time goes on.
Mr. Duncan: Why append it?
Senator Murray: What do we do if the CSA changes its code? We have that, in effect, appended to the bill.
Mr. Duncan: This is the version that will become the rule. This is the law. The CSA can say they want to propose an amendment, and that is all they can do. We see the licensing body in Ontario looking at this to ensure that the detailed rules for the treatment of personal information are consistent with these principles and probably much harsher. They will apply that, and it will be part of the licensing process.
The Chairman: Under provincial credit reporting legislation, you can provide credit information without consent from the consumer.
Mr. Chercover: No, you need the consumer's consent to collect the information, and the consent is usually on a form that you sign when you apply for a loan.
The Chairman: Which allows you to distribute it.
Mr. Chercover: Exchange of credit information.
Mr. Bartkiw: To clarify the previous misleading statement I made, paragraph 7(3)(j) is the suggested amendment language we have made in our written submission.
The Chairman: We just wanted to show you that we read the bill.
Mr. Bartkiw: That deals with prohibiting information to third parties without consent.
The Chairman: I thank the four of you for attending.
Senators, our final witnesses for today are from the Canadian Bankers Association and the Canadian Marketing Association. Gentlemen, it has been a long afternoon, so the briefer you are and the quicker we get into questions, the happier members of the committee will be.
Mr. Alan Young, Vice-President, Policy, Canadian Bankers Association: Mr. Chairman and senators, we have provided you with our rather lengthy submission on the bill. We have also given you a two-page summary. In my brief remarks I will focus on our key issues and commend to you for your consideration our more fulsome submission. Given our time constraints, I will not give you our usual preamble on the importance of privacy to the banking industry. Suffice it to say that the banks take great pride in the leadership position they have taken in the protection of customer information.
The first issue I will focus on is the exemptions built into subclause 7(3) of the bill. I understand that this has been the subject of considerable discussion and we will be extending that discussion, Mr. Chairman. We believe that the circumstances under which an organization can disclose personal information without consent are not comprehensive enough.
Bill C-6 does not include many situations in which disclosure without consent is currently allowed under the law today. For example, the common-law case of Tournier allows banks to disclose personal information where there is a duty to protect the public interest. One example would be where a banker suspects elder abuse when a customer withdraws money from his or her account under pressure from a family member or an acquaintance. Elder financial abuse, I believe, is a significant public policy issue.
We believe that under this bill banks would be prohibited from disclosing the suspicion of elder financial abuse unless they met the standard of having reasonable grounds to believe that a crime has been or is about to be committed. We are concerned that this test may be too high and that it places bank staff in the difficult position of trying to determine if a crime has been or is about to be committed.
We are also deeply concerned about financial fraud. Fraud targeted at financial institutions is a multi-million dollar business. In order to thwart those activities, and to protect the funds of depositors and shareholders, banks need systems that share information among members within a financial group of companies and they need to communicate with other financial institutions and authorities about such fraud. We propose a simple solution to these concerns in order to ensure that existing rights of our banks to disclose information without consent are not eroded. We strongly recommend that paragraph 7(3)(i) be amended to read "required or permitted by law." We think that the addition of the two words would address our concerns.
Our second concern is with the role and powers accorded to the Privacy Commissioner. We believe that they far exceed what is necessary to meet the stated purposes of this act. These powers cannot be described as light and flexible, which was supposed to characterize this bill when it was first being considered. The investigative powers of the commissioner include the ability to enter premises and to examine and extract records without a warrant. In addition, the commissioner can speak to individuals without benefit of legal counsel. We suggest that these may be contrary to sections 7 and 8 of the Charter.
Our recommended solution is to curtail the powers of the commissioner or have the bill operate on a complaints-driven basis, at least until the first review of the act in five years. At the time of the first review there would be a clear track record, and whether or not a stronger oversight mechanism is needed could be determined. We believe that this approach would recognize the progress being made with sectoral codes and complaint resolution mechanisms that are already apparent in the private sector. We also believe that the investigation and publicity of complaints, combined with the Privacy Commissioner's role in educating the public, would effectively highlight and discourage any unacceptable personal information handling practices by organizations.
Our third concern is with the reasonable person requirement under subclause 5(3). This introduces yet another test before disclosure is permissible, in addition to those already imposed by the bill. In the experience of the banks, privacy protection is best achieved when it is based primarily on a policy of customer control of information embodied in the right to give one's consent and the right to withdraw that consent at any time. Banks are concerned that the inclusion of this provision adds an overriding requirement of reasonableness to all provisions, notwithstanding that consent has already been obtained. This could negate consent already given to uses of information, thereby giving rise to some uncertainty.
The final issue that I wish to highlight concerns the possible effect of this bill on an organization's ability to restructure. The federal government proposed in its June 25 policy paper that financial institutions should be able to organize themselves under a holding company structure. I will demonstrate our concern with a practical example. Let us say that a bank's credit card operation, which under law today must be done within a bank, is being spun out of the bank into an affiliate of the bank under a common holding company parent. In order for the bark's credit card operations to be moved effectively from the bank to the new credit card affiliate, the personal information regarding the bank's credit card customers must be transferred to the new affiliate. It is not clear whether the proposed exemptions under subclause 7(3) contemplate such disclosure of information by the bank to the credit card company affiliate. The same concern applies in cases of corporate restructuring and acquisitions, whether within or outside of a holding company.
For the sake of clarity and to ensure that the government's desire to give financial institutions greater flexibility can be fulfilled, we suggest that the bill specifically provide an exemption permitting the transfer and use of personal information for such corporate restructuring.
In conclusion, I will make a few remarks about Part II and Part III of the bill, which deal with electronic commerce and the use of electronic signatures. We believe that these will be valuable tools to assist the continued development of electronic commerce in Canada, and we wish to stress today the importance of wide consultation in the development of regulations that are contemplated under these sections. Open and early consultation will ensure that the concerns of industry, consumers and other stakeholders regarding any proposed technological standards are taken into account. It is critical that we get these technological standards right. This can only be done in the spirit of cooperation and consultation.
Mr. John Gustavson, President and Chief Executive Officer, Canadian Marketing Association: The Canadian Marketing Association is Canada's largest marketing association. We have some 750 members representing some of the largest marketers in the country who use customer information to make most of their major marketing decisions. That generated over $13.5 billion in sales last year and generated employment for over 230,000 Canadians. Today we appear in support of the bill.
As you know, in 1991 Industry Canada put together a group of privacy advocates, consumer representatives and business representatives to come up with some sort of voluntary privacy code. I was at the first meeting and I can tell you that when I heard the views around that table, especially from what I then thought of as wild-eyed privacy radicals, I would have bet a large amount of money that there would never be any consensus out of that group. Therefore, no one was more surprised than I to find myself, four years later, voting as part of a unanimous vote on a consensus document.
That document was the product of much research, much arduous debate and a considerable amount of compromise. I would describe that consensus document as a very delicate compromise. That is the document that subsequently became a national standard published by the Canadian Standards Association. It also may help explain why it does not necessarily look, feel or smell like ordinary legislation. It is a set of principles and there are many words in there like "should" rather than "shall" and "ought to" rather than "must", but that is very much a product of that compromise.
When we approved that document in 1995, my association decided to call on the government to put it into legislation. We have been working on that for a long time. If our economy is to grow, especially an information-based economy, consumers must have confidence that their information will be held securely, that it will be used properly and that they will still have control over their personal information. Survey after survey shows Canadians reluctant to embrace some of the new technologies and new ways of doing business because of their fears over what is happening to their personal information.
With more and more businesses engaging in the field of acquiring personal information and using it in various new and different ways, it is important to have a common set of rules, some guidelines, some guides to best practices. Finally, we believe it is important to do it now, when we have a consensus document, before we have the privacy abuses that might lead to excesses in legislation and regulation.
I do not know how many of you saw 60 Minutes last night, but they did a section on Internet privacy or e-commerce privacy. One of the people interviewed said, "If you asked Henry Ford 75 years ago what he thought of people regulating his marketplace, he would probably would have said, `Speed limits are a good idea. Stop signs are a great idea. Anything that helps my customer feel safer and more comfortable buying and using my product is good for the economy.'" That is what we think about this bill. We think it is an excellent step. It may not be perfect and it may need some refinement -- in fact, there is a five-year review built into it -- but it is a great start to giving us a leg up on building the economy in this country. We would ask you to pass it and to pass it expeditiously.
Finally, I hope that you will not be too disappointed that we do not have a single amendment to offer you today.
Senator Murray: In the folder that you have left with us -- admittedly, it was dated February 1999 and dealt with this bill when it was before the Industry Committee of the House of Commons -- you lobbied for amendments that would exempt certain types of public-domain data, specifically business information, et cetera. I presume you got that amendment through at the report stage, did you?
Mr. Gustavson: Yes.
Senator Murray: Mr. Young, your suggestion that the additional powers proposed for the Privacy Commissioner might be an infringement of the Charter is a matter that we will be able to take up when we have some constitutional experts with us, among whom will be Roger Tassé, who was the Deputy Minister of Justice when the Charter of Rights and Freedoms went through and had overall responsibility for drafting it. We will raise that with him and with the other constitutional experts when they get here.
You suggest that this should be amended where disclosure is permitted under existing common and statutory law. Furthermore, you want Bill C-6 amended in paragraph 7(3)(i) to read, "required or permitted by law." Perhaps the officials will tell us, but you can also tell us if you know: What else would be caught under that? How broad an exemption would it be if we added the words "or permitted by law"?
Mr. Young: I can speak to the Tournier case. There were four grounds on which a bank could disclose information: first, if it was with the customer's consent; second, if it was required by law; third if it was in the public interest; and fourth, if it was in the best interests of the bank. The courts have very narrowly circumscribed those circumstances. I do not believe that it would be opening the floodgates to disclosure of information. That might be a concern that you would have by adding that amendment.
Senator Murray: I wish to address the question of routine operations, such as cheque printing, when these are contracted out to third parties, where information will not be used for any purpose other than its originally stated purpose. For what information would the bank have to get my permission to disclose? My name, address and the number of my account?
Mr. Young: Your account number, yes.
Senator Murray: Is my consent not implicit in the fact that I have applied for a new book of cheques?
Mr. Young: We would want to ensure that we obtained your consent when you opened your account. It is not clear what happens to third parties with respect to this bill.
Senator Murray: As of now, I fill in a form to get a new box of cheques.
Mr. Young: If you have consented, then it is not a problem.
Senator Murray: But the consent is implicit, is it not? I do not suppose that the manager of my bank has in his office a printing press which is printing my cheques. I assume that someone in the printing business is doing that.
Mr. Young: That is correct.
Senator Oliver: It will be moot anyway, as people get used to doing their banking.
Senator Murray: I will leave it at that.
Senator Oliver: I have a question for Mr. Young, but it is ultimately a question for you, Mr. Chairman. Mr. Young was talking about the legislative framework for electronic commerce and you said that, in relation to Part II, you hoped that there would be broad consultation on the regulations that will come from this. One of my big concerns is that often we find that bureaucrats legislate by regulation and they regulate in such a way that we never get to see the real rules pushing something. When these regulations are finally drafted, will you ensure that they come before your committee for a careful review before they become law? Otherwise, we will have another grand example of bureaucrats legislating by regulation.
The Chairman: Senator Oliver, that is a subject that the committee will have to discuss when it considers its report. In all the years you and I have served on the Banking Committee, we have done things like that on more than one occasion and have, ultimately, had changes made in the regulations as a result. On a personal level, I have no difficulty with that process, but we would have to consult the committee when considering what is contained in our report. However, you are quite right that there is certainly precedent for doing it.
Mr. Young: We wanted to bring it to your attention because it is vitally important.
Senator Oliver: Yes, it is.
Senator Carstairs: I was interested in your comment about senior abuse. In the one case with which I am familiar, it was actually a bank teller who abused the senior to the tune of $77,000. That senior happened to be my father-in-law.
What makes you concerned that this present section 7 does not adequately protect? It uses the word "reasonable". Do you not think that it is reasonable for a bank teller to report, as I know happens frequently, when a senior has come in and withdrawn $10,000 and then $10,000 another day and $10,000 another day, particularly if they ask for it in cash? The tellers are going to the police and saying, "I think there is reasonable grounds that something is being violated here and that there may be an incident of abuse." What makes you think this bill will prohibit that?
Mr. Young: We believe that today, under common law, it is clear that that sort of thing could be reported. However, it is not entirely clear that such an incident would meet the standard of "a crime is about to be or has been committed." That may be too high a threshold and I do not think we can expect bank tellers to know what the Criminal Code says. Our concern is that it is not certain that tellers would continue to have that authority under this bill.
Senator Carstairs: Let us be reasonable. I cannot imagine a situation in which a teller calls the police without having contacted the bank manager, who has access to the bank's lawyers. Those lawyers can indicate whether or not they think this is reasonable. You cannot tell me that there are tellers out there who are calling up their local police officers without talking to any other official in the bank.
Mr. Andrew Finlay, Senior Counsel, Employment Law Group, The Bank of Nova Scotia: There are two thresholds here. One is that they must have reasonable grounds, which is somewhat established as a threshold at law. It is a fairly high threshold. The second one is whether or not a contravention of the laws of Canada has been or is about to be committed. That suggests imminence. There is also the scenario where you are suspicious -- that is, where there is something smelly and you want to find out a bit more, but how far can you go? That is where there must be a bit more room for the use of the information.
Senator Callbeck: Mr. Chairman, I wish to ask about the definition of "commercial activity" in Bill C-6. It has been suggested that that definition is not precise enough, that it is too vague. Have you any comments on that?
Mr. Young: We have looked at the bill and we are largely supportive of the legislation. We had no comments with respect to this definition.
Mr. Gustavson: I share that view. The chairman of this committee articulated an important idea with the previous witnesses. Many people are very nervous about this bill because it is new, and they are uncertain how it will work.
Since 1991, the groups of people who have come together representing privacy advocates, consumer groups and businesses have come to know each other and they can now work together. They are behind this bill. They want to make this bill work. There is a provision for five-year review if we get into trouble.
As Senator Kirby quite rightly said, this is something new and unfamiliar and that causes discomfort. However, that definition is fine by us.
Senator Murray: Mr. Young, I suppose we should know this, but how long do the banks keep personal information on their clients?
Mr. Young: Various statutes, federal and provincial, require records to be kept. They differ in their provisions. My recollection is that the Income Tax Act requires retention for seven years. Other statutes provide for five years, seven years, and maybe as long as 10 years.
Senator Murray: I am interested in this subject because of a particular clause in this bill that I discussed a few days ago, and again today, which would make it legal to disclose personal information collected for commercial purposes 20 years after the person in respect of whom it was collected has died. I presume that would apply, therefore, to a bank. Would you have personal information about individuals after that length of time?
Mr. Young: It would be highly doubtful. If the information did exist, the request for information would have to disclose the purposes for which it was to be obtained. Therefore, it is difficult to conceive of how it would be disclosed for a purpose other than which it was obtained.
Senator Murray: The bill is silent on that. It may be disclosed 20 years after your death.
Mr. Young: There are requirements in the schedule.
Senator Murray: I do not want to pick on Senator Callbeck again, but a historian doing a political history of Prince Edward Island might wish to get some information about Senator Callbeck's business career and how successful or unsuccessful she was and what her relations with the bank or mortgage company or whomever were, all of which is personal.
I see no justification ever for disclosing personal information that had been collected for commercial reasons unless there has been a contravention of a law.
Mr. Young: We would not object if that clause that you are referring to were eliminated from the bill. We do not think it applies to us.
The Chairman: First, in your section on the role and powers of the commissioner, you say that it should be complaints driven. It will be a complaints-driven process. The only way the Privacy Commissioner will know there is a problem is if someone complains.
Second, you do talk about whether the powers exceed what is necessary to implement the legislation. I should tell you, I had that same concern and, I obtained from the Justice Department a list of 8 or 10 other federal agencies from farm inspectors to other kinds of agencies where exactly the same conditions exist. My initial personal reaction was that the provisions in this proposed legislation were very similar to the search and seizures provisions of the old Combines Investigation Act.
It turns out that the legal distinction is between investigatory powers when you are attempting to establish a crime has been committed, and investigatory powers under a civil action. At least 8 or 10 other federal statutes on the list I was given have exactly the same powers as proposed here.
Mr. Young: To suggest that it is a complaint-driven process is not entirely correct. The commissioner can initiate an audit of an organization on his own account.
The Chairman: Logically, how will he choose one organization out of more than 100,000? He will pick one because some group or a series of people have complained.
Mr. Young: That is possible. However, the legislation gives him the power to initiate an audit.
The Chairman: I trust we will keep him busy enough.
Mr. Young: Hopefully the banks will not be keeping him busy.
Mr. Finlay: In regard to the powers of the commissioner, you mentioned that there is other legislation where the powers are similar. Some of that legislation would not entail a complaint-based process.
Under the Income Tax Act, for instance, I will not complain that Mr. Young did not pay his taxes. Revenue Canada has its own interest in whether Mr. Young has paid his taxes. Under the privacy scheme, though, there could be a complaint that Mr. Young misused information about me. That is a different framework.
In the framework of the Human Rights Act there are greater limitations on the power of an investigator and the commissioner. I think more appropriate to the privacy situation, where we are talking about rights in a sense, human rights and privacy rights are analogous.
You must look at other legislative frameworks and compare the purpose, not just the fact that an agency may have powers. For instance, I cannot compare the job of farm inspectors to the job of the Privacy Commissioner. I see a large distinction there. In other legislation there may not be as much of a distinction. Then the question is: Is it appropriate?
Earlier Senator Murray mentioned the fact that there is a constitutional Charter question around the powers of the commissioner. There are also basic questions of procedural fairness and natural justice quite apart from the Charter arguments. The powers of this commissioner in the case of a complaint are quite excessive. I do not know that you can say that the respondent, typically a business or an employer, is being afforded the basic natural justice, procedural fairness rights that we have come to expect. I do believe it is more than just a Charter issue.
Senator Finestone: Your answers to the chairman indicate that there is an important role for the Privacy Commissioner. Could insufficient funding of the commissioner's office and insufficient staff have a negative impact on your businesses, banks and marketing institutions, given that the commissioner may not have the kind of funds to hire the kind of staff that he would require? What would be the impact for all of you?
Mr. Young: I would think that the banking industry would not require the attention of the Privacy Commissioner because of the long-standing practice in the industry and the concern we have for customer information. Therefore, I would not think that we would be a heavy drawer of the time and effort of the Privacy Commissioner.
Senator Finestone: The question came to me as you were discussing this with our chairman.
Mr. Finlay: I must say something because our experience with the Human Rights Commission has been very positive over the years.
Unfortunately, I have come to know them better than I would like. With a good quality of staff and investigative function, the whole system runs better. Everyone is served, including the complainant, the respondent and the commission.
The quality of the people is important. How do you fund that quality? I cannot comment on that.
Senator Finestone: He would need sufficient staff and quality staff to make this work?
Mr. Finlay: Certainly quality is important, yes.
Mr. Gustavson: If this does not work, we shudder to think of the alternative. This is a basic set of principles. It must be properly funded to work efficiently. If it does not work, we will need legislation which is more detailed and which will be more intrusive in the marketplace. That will be far worse for business.
There is always the danger of fishing expeditions because of the enforcement provisions, and that does worry us. The commissioner will probably be more busy with other complaints and not have the time or money for such fishing expeditions, but we want to ensure that the system works and is properly funded.
Senator Gill: Mr. Young, are you representing the caisses populaires in Quebec?
Mr. Young: No, the caisses are separately represented. They are not members of the Canadian Bankers Association.
Senator Gill: Do they come under the Bank Act, even though they are not members of the association?
Mr. Young: No, they have their own legislation.
The Chairman: I should explain. Credit unions, which effectively include caisses populaires, are under provincial legislation. The only part of federal law which governs credit unions is that in relation to the provincial credit union centrals, which are the overseeing bodies, and the Canadian Credit Union Central. Individual credit unions, of which the caisse is by far the biggest in the country, are covered by provincial legislation.
Senator Gill: Will Bill C-6 apply to them?
The Chairman: This law will ultimately apply when the four years have expired. The caisses now do business interprovincially. They have at least one branch in Ontario, so they will be covered.
Honourable senators, we have one last item of business before we adjourn. You have before you a motion which relates to the decision of the Senate, last week, to authorize this committee to do a five-year update on the final report of the Special Senate Committee on Euthanasia and Assisted Suicide, entitled; "Of Life and Death." The intention is to complete this work by June 2000, the five-year anniversary of the tabling of the report.
Senator Carstairs: Honourable senators, I move:
That a Subcommittee to update Of Life and Death be established, comprising five members, including the Honourable Senators Carstairs, Pépin, Beaudoin, Keon and Kirby; and
That the Order of Reference adopted by the Senate on Thursday, November 25, 1999
That the Standing Senate Committee on Social Affairs, Science and Technology be authorized to examine and report upon developments since the tabling in June 1995 of the final report of the Special Senate Committee on Euthanasia and Assisted Suicide, entitled: Of Life and Death. In particular, the Committee shall be authorized to examine:
1. The progress on the implementation of the unanimous recommendations made in the report;
2. Developments in Canada respecting the issues dealt with in the report;
3. Developments in foreign jurisdictions respecting the issues dealt with in the report; and
That the Committee submit its final report no later than June 6, 2000;
be referred to the Subcommittee.
That the Subcommittee be authorized to send for persons, papers and records, whenever required, and to print from day to day such papers and evidence as may be ordered by it;
That, pursuant to Section 32 of the Financial Administration Act, the Committee's authority to commit funds be conferred on the Subcommittee;
That pursuant to Section 34 of the Financial Administration Act and Guideline 3:05 of Appendix II of the Rules of the Senate, the Committee's authority for certifying accounts payable be conferred on the Subcommittee; and
That the Committee's power to permit coverage by electronic media of meetings be conferred on the Subcommittee.
The Chairman: I have also distributed to you a suggested work plan which has been developed by Senator Carstairs. After five hours of hearings today, we may not want to do that. We will come back subsequently in an in camera session to discuss the work plan in detail.
Is it your pleasure to adopt the motion?
Hon. Senators: Agreed.
The Chairman: Carried.
Senator Carstairs: To clarify, now that the subcommittee has been established, the subcommittee will determine its own work plan.
The Chairman: There you go, getting me stuck on the rules again. The subcommittee will meet tomorrow at 11:00 a.m. in room 172-E.
The committee adjourned.