2014 Legislative Session: Second Session, 40th Parliament
SPECIAL COMMITTEE TO REVIEW THE PERSONAL INFORMATION PROTECTION ACT
Wednesday, May 14, 2014
9:00 a.m.
Douglas Fir Committee Room
Parliament Buildings, Victoria, B.C.
Present: Mike Bernier, MLA (Chair); George Heyman, MLA (Deputy Chair); Dr. Doug Bing, MLA; Simon Gibson, MLA; Sue Hammell, MLA; Marvin Hunt, MLA
Unavoidably Absent: Donna Barnett, MLA; Doug Routley, MLA
1. The Chair called the Committee to order at 9:07 a.m.
2. Resolved, that the Committee adopt the business plan as circulated. (George Heyman, MLA)
3. The following witnesses appeared before the Committee and answered questions regarding the Personal Information Protection Act.
Ministry of Technology, Innovation and Citizens’ Services
• Bette-Jo Hughes, Government Chief Information Officer and Associate Deputy Minister
• Sharon Plater, Acting Executive Director, Legislation, Privacy and Policy Branch
4. The Committee adjourned to the call of the Chair at 10:21 a.m.
Mike Bernier, MLA Chair | Susan Sourial |
The following electronic version is for informational purposes only.
The printed version remains the official version.
WEDNESDAY, MAY 14, 2014
Issue No. 2
ISSN 1913-4746 (Print)
ISSN 1913-4754 (Online)
CONTENTS
Committee Business Plan
Personal Information Protection Act Overview
    B. Hughes
    S. Plater
Other Business
Chair: * Mike Bernier (Peace River South BC Liberal)
Deputy Chair: * George Heyman (Vancouver-Fairview NDP)
Members:
    Donna Barnett (Cariboo-Chilcotin BC Liberal)
    * Dr. Doug Bing (Maple Ridge–Pitt Meadows BC Liberal)
    * Simon Gibson (Abbotsford-Mission BC Liberal)
    * Sue Hammell (Surrey–Green Timbers NDP)
    * Marvin Hunt (Surrey-Panorama BC Liberal)
    Doug Routley (Nanaimo–North Cowichan NDP)
* denotes member present
Clerk: Susan Sourial
Committee Staff:
    Aaron Ellingsen (Committee Researcher)
    Byron Plant (Committee Research Analyst)
Witnesses:
    Bette-Jo Hughes (Ministry of Technology, Innovation and Citizens' Services)
    Sharon Plater (Ministry of Technology, Innovation and Citizens' Services)
The committee met at 9:07 a.m.
[M. Bernier in the chair.]
M. Bernier (Chair): Good morning, everyone. Sorry for running a little bit behind. Thanks, everyone, for being here this morning. We'll do some introductions of some guests that we have in a moment.
Committee Business Plan
M. Bernier (Chair): The first item we have on the agenda, though…. We circulated — and we have in front of everybody, I believe — the draft business plan. We circulated that out. We haven't heard too many comments back, but we will put a motion forward to accept the draft business plan, if there's any discussion on that.
George, seconded by Marvin.
Is there any discussion on the business plan? Okay.
Motion approved.
M. Bernier (Chair): Thanks, everyone. We have our marching orders, and we know what we're doing now for the next year.
With that, again, I really want to thank everyone today. Our first formal meeting, and a lot of this is going to be around some information-gathering, for the most part. We have with us today Bette-Jo Hughes and Sharon Plater.
Maybe what I'll do is I'll turn things over to yourselves. Thank you very much for coming. I know we have the slide deck that we have circulated that we're going to run through. But in talking to you a little earlier, it would be great — before we get into that — if you could give a little bit of background even of yourselves.
Interjection.
M. Bernier (Chair): It's great. We can slide the chairs a little forward.
Again, thanks very much, and I turn things over to yourselves.
Personal Information Protection Act Overview
B. Hughes: As the Chair has noted, my name is Bette-Jo Hughes, and I'm the associate deputy minister at the Ministry of Technology, Innovation and Citizens' Services as well as the government chief information officer.
It's our distinct pleasure to be here today, and I would like to take the opportunity to thank the committee for inviting us here to provide an overview of the Personal Information Protection Act.
Our ministry provides broad support to businesses, citizens, government ministries and the broader public sector. The ministry's mission is to grow B.C.'s technology sector, champion innovation and enable delivery of cost-effective, accessible and responsive services for all customers.
With respect to citizens, one of the ministry's key objectives is to make it easier for them to access government services and information, while at the same time ensuring that their privacy is protected and that their identity information is secured.
With me here today is Sharon Plater, and Sharon is going to be delivering the presentation. Sharon is the acting executive director with the legislation, privacy and policy branch within our ministry. As noted earlier, Sharon is an expert in this field.
The legislation, privacy and policy branch is responsible for the Personal Information Protection Act. In addition to managing change to the legislation, it provides tools, training and a help line to assist all businesses and not-for-profit organizations in British Columbia to meet their privacy and access obligations.
Our presentation today will serve to give you some historical context to the private sector privacy legislation, provide a basic overview of the Personal Information Protection Act principles, provide you with an update on what happened since the last special committee review in 2008 and bring you up to speed with some of the most recent and relevant developments respecting private sector privacy legislation.
Without further ado, I'll turn you over to Sharon.
S. Plater: Good morning. Bette-Jo has already gone over the goals of our presentation, so I'm going to move into the content, if there are no questions at this point.
You'd asked us for a little bit of background. I was asked to come back into government in 2001 to take on this project, to develop something along the lines of private sector privacy legislation, and I have to say it was one of the greatest projects I ever worked on. It was a lot of fun.
What I'm going to do is I'm going to walk through the slides and provide you with as much information as I can about what PIPA is all about.
What is PIPA? Before we focus specifically on PIPA, I think it's important to distinguish it from some other similar legislation. There's the Personal Information Protection and Electronic Documents Act, called PIPEDA. It's federal private sector privacy legislation that applies to federal works, undertakings and businesses — for example, banks, airlines and telecommunication companies. It applies to collection, use and disclosure of personal information in the course of a commercial activity that crosses borders.
Provincial private sector privacy laws, like B.C.'s PIPA, have to be declared by the federal government to be substantially similar to PIPEDA; otherwise, PIPEDA would apply to the businesses in the province.
The other act that's quite similar is the Freedom of Information and Protection of Privacy Act, which I know some of you are aware of. It is the public sector access and privacy legislation, and it applies to public bodies in B.C. So it applies to ministries, Crown corporations, municipalities, colleges, universities, schools, health authorities, municipal police and the governing bodies of professions. FOIPPA was used as a guidepost in developing PIPA, so there are a number of similarities between them.
PIPA is protection for personal information held by the non-government sector, so it covers businesses and the not-for-profit sector. It's a commonsense set of rules for the collection, use, disclosure, security and retention of personal information. When speaking with businesses, we would often state: "If you think about how you would like to have your own personal information managed, then you're probably on the right track."
PIPA recognizes the right of individuals to protect their personal information and the needs of organizations to collect, use and disclose personal information for reasonable business purposes. It strikes the right balance between these two interests. PIPA is based on the reasonable person test, which is out of British case law, and you will see this term used throughout the legislation.
The concept we were trying to get across with that is that businesses should consider: what would a reasonable person expect to happen in these circumstances? That's a guiding rule, and it's an element that the commissioner can review if there's a complaint against a company.
PIPA was also a response to PIPEDA and European Union directives that were coming out at that time. What PIPA is not is broad access rights within the private sector or a complicated set of rules or regulations that prevent business from getting on with what they need to do.
I'm going to move to the slide for historical background now. In 1984 the Organization for Economic Cooperation and Development, the OECD, produced guidelines on the protection of privacy and transborder flows of personal data, and Canada became a signatory to that document.
In 1996 the Canadian Standards Association, which is an independent, not-for-profit organization that serves both businesses and consumers, issued a model code for privacy that was based on the OECD guidelines. The CSA code, which is a voluntary standard, has been the basis for all private sector privacy legislation that's been developed in Canada since the code was issued. The code was developed in consultation with businesses, consumers and government representatives.
On October 28, 1998, the European Union passed a directive on data protection. The directive regulates all the data flows that go between the European states, but it also prevents the sharing of data with external jurisdictions which do not have an equal standard of data protection.
This meant that most countries that want to deal with the European Union had to determine how they could be compatible with these data protection laws so they would not impact their trade or the sharing of personal information for other reasons.
The Canadian government decided to address this head-on. They brought in private sector privacy legislation which, as I mentioned, is called PIPEDA. It was passed on April 13, 2000, and was implemented in three stages between January 1, 2001, and January 1, 2004. As I said, it's based on the CSA code.
Why B.C. chose PIPA. When PIPEDA was introduced, it included a clause that said if provinces didn't develop their own private sector privacy legislation within three years, the federal act would apply to all businesses operating within the province. This prompted B.C. to see whether or not it could develop a law that would be useful for businesses in the province.
The year before PIPEDA was passed, the B.C. government had struck an all-party special committee to look at information privacy in the private sector. In its report in 2001 it made a number of recommendations. One of those was that B.C. enact legislation to protect the privacy or the personal information of individuals held by the public sector. This was one of the factors that supported development of a B.C.-specific law.
In addition, businesses at the federal level had found PIPEDA very complex and difficult to interpret. Most were having to have legal advice in order to implement it. In addition, the federal government did not provide any implementation support.
It was felt that within the provincial setting, where you're dealing with a lot of businesses that are quite small — you've got corner stores; you've got single-owner operations — the regulatory structure had to be workable and easy to apply so that it wasn't going to create an administrative burden for those businesses.
As the federal government had to use its trade and commerce powers to bring in PIPEDA, it could not cover the not-for-profit sector in the province, nor could it cover employee information. They were both seen as very large gaps. The not-for-profit sector is very large and covers many youth organizations as well as health and counselling services, both of which hold very sensitive personal information. The lack of coverage for B.C. employees would have meant that they had less privacy protection than their federal counterparts, because PIPEDA was able to cover the employees of federal organizations.
Lastly, under PIPEDA the province would have been subject to the federal Privacy Commissioner, which has lesser powers than the commissioner in B.C. The B.C. commissioner has order-making power, where the federal commissioner can only make recommendations.
I'm going to move on to the slide for stakeholder support. There was strong stakeholder support for the introduction of the private sector privacy legislation. Seventeen information sessions were held throughout the province. There were also in-depth consultations with over 100 key stakeholders and stakeholder organizations.
We tried to find as many as we could that would represent all the different types of businesses and not-for-profits that are operating within B.C. We dealt with both provincial and national groups, including associations like the Insurance Bureau of Canada, the Business Council of B.C., the Retail Council of B.C., the United Way and the chambers of commerce in various locales around the province.
They told us, basically, that they viewed this kind of legislation as just good privacy practices. It would help them sell their businesses because they could say: "Look, we're following these practices. We're protecting your information. Therefore, we're a good company to deal with."
So there wasn't a lot of negative reaction when we were working with the businesses and not-for-profits. They preferred provincial legislation because they felt that it would address their needs — the province would better understand what those were — and that it had the provincial-based oversight.
They also wanted a plain-language statute. The federal statute is quite complex. It's written in legalese. There are various parts to it, and you have to go back and forth between the various parts. So it can make it hard to interpret.
A lot of organizations we spoke to also had companies across provinces, so they wanted the legislation to be harmonized as much as possible so they didn't have to juggle different regimes across the country. They also wanted implementation support, which was provided.
We found that support for PIPA remains high and that the legislation is working well. We base that on the fact that we don't have either not-for-profit organizations or businesses approaching government to complain about the legislation or to request that it be amended.
Over to cross-jurisdictional consistency. During the drafting of PIPA, our counterparts in Alberta asked if they could partner on the creation of the legislation. As a result, you have two pieces of legislation that are very similar.
Manitoba has introduced an act that's quite similar to PIPA. It uses a lot of the same premises. They did that last October, but it hasn't been implemented yet. We understand they're planning a public hearing and that this is yet to be scheduled. There are some differences. It has breach notification, as does Alberta. But there is no complaint or review process, and the not-for-profits are only partially covered.
There are enough similarities between PIPEDA and PIPA that PIPA was declared substantially similar to PIPEDA on October 12, 2004. This has meant that PIPEDA would have no application in B.C. other than where it applies to federal undertakings, and B.C. will continue to need to be substantially similar to PIPEDA. So if there are changes to PIPEDA, we would have to look at whether those need to be made in B.C.
We're looking at what PIPA applies to now. PIPA applies to a person. You'll see this term used throughout the legislation, and "person" is a term that's defined in the Interpretation Act. It includes a corporation, a partnership or a party, and the personal or legal representatives of that person who can apply through the context of law. It also is a sole proprietorship, a trade union, an incorporated association and all of the not-for-profit sector.
What it does not include is personal or domestic uses. If you're using personal information in your personal capacity in your home or with your family, it is not covered by this legislation. It also doesn't cover journalistic, artistic or literary purposes, the courts, a public body that's covered under the FOIPP Act or an organization that is captured by PIPEDA. Otherwise, virtually every organization in British Columbia is covered by PIPA.
What is personal information? The definition of "personal information" is based on the one used in the FOIPP Act. It's information about an identifiable individual. That can be a person's name, their age, their marital status, their sex, their education, their religion, their medical information, opinions, photos, video recordings. It's a broad definition. It includes an employee's personal information, and the definition of "employee" includes a volunteer.
What it does not include is information that allows an individual to be contacted at their place of business. If I'm operating a business called KLM Electronics and I have a business card that I use as a way of communicating with the public or potential customers, if my name is on there as proprietor and it has my business address, telephone number and fax number, those are not considered personal information. My home address on the other side would be considered personal information.
It also does not cover work product information. "Work product information" refers to the information that's generated by a person in the course of their work. So letters, information, notes and signed contracts do not qualify as personal information, even though they have a person's name on them. They are information that the employee prepares for the business. Having this carve-out in the legislation is meant to ensure that individuals don't consider the work that they generate while they're part of the business as their own personal information, and therefore, they can't access that under the access provisions in PIPA.
We're going to go to international fair information practices. As I mentioned in the historic backdrop, PIPA, as well as the other legislation in Canada, is based on the Canadian Standards Association model code for privacy. The code and the legislation contain ten principles or rules, which I'm going to go over very briefly. They're listed on your slide in front of you, but each one is also listed on the following slides.
Accountability is the first one. In terms of PIPA, to meet the accountability principle an organization has to appoint a privacy officer or at least someone to fill that kind of role. The privacy officer has to be able to answer questions from the public about how that organization is managing personal information. They're responsible for the personal information that's held by the organization.
That's not just the information that's in the company's offices, in their custody, but it's also the information that's held by contractors. Most contractors would likely be covered by PIPA because they might be B.C. organizations, but if the contractors were outside the province, then the organization who's contracting them would have to ensure that they abide by the rules of PIPA. They also have to maintain the standards that are set out in PIPA. Really, they're the light in the organization that's guiding the information practices of that organization.
The next principle is identifying purposes. Under PIPA, an organization must either verbally or in writing indicate what the purposes for the collection of the personal information are and what they're going to use that information for and how they're going to disclose it. The customer or client needs to be provided this information prior to them giving their personal information to the company.
The purposes must be reasonable and appropriate in the circumstances. That's another one of the things that the commissioner can review. She can look at whether what the company is asking for is reasonable, given the services they are providing.
Examples of purposes might be when you're sending out membership information, when you're opening an account, when you're getting counselling services, when an employee is getting information or being enrolled in benefit plans, verifying credit worthiness. There's a large number of them, as you can imagine.
Customers and clients can expect that they're going to have to provide some information relevant to the services they're receiving. That information needs to be reasonable for what it is they're getting.
For a person becoming an employee, they have to provide information to their employer in order to receive benefit programs — to get income tax deducted, for example. Again, the information has to be reasonable to that relationship that you're entering into with the organization.
The next concept is consent. PIPA is consent-based. That's very different from the FOIPP Act. A business or not-for-profit organization must have consent to collect, use or disclose personal information unless PIPA specifically states that these activities do not require consent.
There are three forms of consent in PIPA. The first is explicit consent. There an organization will tell you exactly why they're collecting the information and get you to sign your consent to do that. They also have to tell you how they use or disclose it. An example would be when you go into a store and apply for a loyalty card, where you usually fill out a form and they tell you what they're going to do with that information. This is the most common kind of consent, and it's the strongest.
PIPA also has implied or deemed consent. In this type of consent, the purpose must be obvious, and the provision of the information must be voluntary.
This would be like if you were calling TicketMaster and you provide them with your credit card information and your address. You're assuming that they're going to use the credit card information to bill you for the tickets and that they're going to use your address in order to send the tickets to you. So it's very obvious why you're giving that information to them. It's often used in the medical field. When you go for a blood test, it's assumed that you want the results to go back to the physician who ordered those particular blood tests.
The third kind of consent is opt-out. You'll see this a lot when you're dealing on the Internet now and you're ordering things or you're joining a group. The organization provides you notice, and it has to be in a form that's understandable and that informs the customer of the purpose for the collection. You have to give the customer a reasonable amount of time and opportunity to decline.
Often what you'll see is little boxes. "Do you consent to your information being provided to our affiliates?" or "Do you consent to us using your information for marketing purposes?" If you don't check a box or you don't communicate with the company in some other way, they can assume that you don't mind that they engage in those activities.
There are also circumstances in PIPA where no consent is needed for the collection, use and disclosure of personal information. These kinds of circumstances might be where there's a medical emergency and the person can't give consent; if it's necessary for an organization to collect a debt; if it's in the customer's or client's best interests; if the information is publicly available through a telephone book or a professional registry, such as for physicians or lawyers and that sort of thing; or if it's for an investigation and getting the consent would impede that investigation.
Finally, with consent, it's not valid if it was collected using deceptive means. An organization can't lie about what they're going to do with the information and still expect the consent to be valid. It also can't be made a condition of providing the contract. I can't say to you: "I'm not going to let you have this cell phone contract unless you provide me with your medical information." It can't be used for that kind of bartering.
It can be used to say to the person: "I need your bank information in order to charge you for this cell phone." If it's reasonable, they can say: "I can't give it to you unless you give me that information." If the information is not reasonable for that context, they cannot make it a condition of supplying the product.
Withdrawal of consent is also permitted. If at some point later on you decide that you no longer want this organization to use and disclose your information, you can withdraw that consent. But the organization has to tell you what the consequences of that withdrawal will be, and it can only be refused if it's going to frustrate a legal obligation.
If you were to go in to your doctor — a new doctor, say — and you wanted treatment, and you refused to provide the physician with any of your background medical history, refused to tell the physician what drugs you're on or anything else, that physician may say: "I cannot treat you under those conditions." That may be something that's valid under PIPA, because that information would hamper that individual from providing you with the treatment you need and would not allow them to use their expertise to the fullest extent.
Employee information. PIPA distinguishes between personal information and employee information. The act provides that organizations can collect, use and disclose employee personal information without the employee's consent if it's reasonable for the establishment, the management and the termination of the employment relationship. Other information about an employee that doesn't relate to those three activities cannot be collected without consent.
Even though consent is not required, the organization, however, has to notify the employee that these activities are taking place. This allows the employee to determine if the collection is reasonable and to question it if they don't believe it is. There will be some circumstances where even notification is not required, and that is in medical emergencies — again, where the person can't consent — or where there's an investigation and the consent or the notification would impede that investigation.
The next topic is sale or merger of a business. We met with many groups during the development of PIPA, and one of the things we learned about was the complexity of selling a business. The authority for a business to disclose information about their customers and their employees, directors, etc., to a prospective buyer is part of the awareness that we learned.
While it's recognized that the sharing of personal information during a sale or merger is necessary, it was also recognized that there needed to be really strict criteria around how that information could be used and disclosed and the length of time for which it could be retained. For example, if a sale doesn't go through, the information has to be returned or destroyed. It cannot be kept.
The information that's provided to a prospective buyer also can't be used for secondary purposes. It's just so they can evaluate the business and make a decision on whether or not they're going to purchase it.
A business can't just sell its customer list. They have to be selling a substantive part of the business, of which the customers may be a part. The new business can only use that information for the same purposes that the old business was using it. It's fairly tightly controlled.
The next provision is limiting collection, use and disclosure. Those are actually divided between two roles in the CSA, but I've lumped them together here. Collection and use and disclosure must be limited to identified purposes and must be based on consent. You can see how the earlier provisions tie in there. Organizations can only collect personal information that's reasonable in the circumstances.
Again, I'll go back to the cell phone example I used a few minutes ago. If the organization is asking for your income and your social insurance number, the customer can question whether that's reasonable or not and decide whether or not they're going to provide it. The thing with working in the public sector is that you can get up and you can walk down the street and go to another cell phone provider who may not be requesting that information.
The use and disclosure provisions in the legislation are almost identical to the collection provisions. When this was being developed, there were a lot of questions about why you have three separate sections when they seem quite repetitive. There were a couple of reasons for that.
One is that there are differences. There are some subtle differences. There are some different criteria in the three of them, and to lump them all together could have made it confusing.
Also, we try to write the act as if it was a story, so you could go through and follow it from one end to the other. Also, so that an organization…. If they were just dealing with one particular part, like disclosure, they could look at disclosure and see what they needed to do. Obviously, we'd like them to read and know the whole act, but we recognize that businesses are busy and that they might just need to go to the section that they want to address at that particular point.
If an organization is going to use personal information they collected for a secondary purpose or for a different disclosure, they're going to have to go back to the customer and obtain a new consent for that new use or disclosure. Once they've got a consent, they can't just use it for any other purpose.
The next category, or next rule, is accuracy. PIPA also requires that an organization take reasonable steps to ensure that the information they have or that they're collecting is accurate, especially if they're going to base a decision on that information or they're going to share it with another organization.
PIPA also stipulates that information has to be kept for one year if the organization has made a decision based on that information about the individual. If information is no longer necessary for the purpose for which it was collected, it needs to be destroyed, unless there is another legal or business purpose, such as taxation or to comply with another piece of legislation.
The next topic is security safeguards. An organization has to make sure that it has appropriate security in place to protect the information it holds. The level of security should match the sensitivity of the information. While all information should be kept securely, medical information, financial information and other very sensitive information should have additional safeguards.
There are physical measures for protecting information, like locking your filing cabinet, having your screen turned away from the public, restricting access to offices, having a clean desk. There are technological measures — using IDs, passwords, encryption — and there are organizational measures, such as security clearances or the need-to-know principle.
The need-to-know principle is that each employee in the organization will only be able to access the personal information that they need to have in order to carry out their function. For example, an accountant may not need to know the medical information of employees who are returning to the workforce.
The next concept is openness. PIPA requires that an organization be open and transparent. This means that the public can understand what their information practices are. To do this, they have to have written policies of both privacy and access in place. These policies need to address the organization's obligation — collection, use, disclosure, security, retention. They need to be accessible to people if they want access to them. So the public has a right to request that this information be provided to them.
It would be helpful if organizations had collection notices that are visible so that customers can make decisions on whether or not they want to engage in a relationship with that organization.
The next concept is individual access. Under PIPA an individual can only request their own personal information, unless they're acting on behalf of another person, like a child, and that "acting on behalf of" is specified in the regulations.
PIPA does not contain a right of access to the business records of the organization. The request must be in writing. The organization has a duty to assist the applicant, and the response must be provided within 30 days, unless there is a high volume of records, a need for consultation with third parties or if the individual hasn't been clear enough in the original request to allow the organization to look for records being asked for. The organization also has to provide reasons that it has refused access if it is going to do that.
The next concept is exceptions to access. There are a limited number of exceptions to access. A person's own information must be withheld from them if that information would reveal personal information about another individual. You have to keep in mind that the main purpose of PIPA is privacy protection. It's not access.
They also have to withhold that information if it were to reveal the identity of a person who's provided an opinion about the person that requested the information. They have to withhold it if it could reasonably be expected that the disclosure would threaten the safety or the physical or mental health of another individual or if it will cause immediate or grave harm to the safety or physical or mental health of the person that requested the information.
In addition, the organization does not have to disclose personal information to an individual if the information is subject to solicitor-client privilege; if it's for confidential business purposes, such as if the disclosure would harm an organization's competitive process; or if the information was authorized to be collected or disclosed without consent for an investigation and that investigation hasn't been completed yet.
An organization cannot charge an employee who has requested their personal information, but it can charge an individual who's not an employee a minimal amount. They have to issue a fee estimate of what that amount will be.
Correction and annotation. An individual can ask to have their personal information corrected, and the organization must assess whether or not it's reasonable to correct it. If they do correct it, they must notify every other organization that they have provided that information to in the past year that a correction has been requested and what the correction was.
If they choose not to make the correction because they either don't have enough information to warrant it or they don't think it's appropriate, then they must annotate the records. One example where they may not believe it's appropriate is if they're asking for a doctor's diagnosis to be changed. An organization may not change it because they believe that the diagnosis was made by a professional and that that information can't be corrected by the individual.
If they don't correct it, then they have to annotate it. What that means is that you have your record, you've got the request from the individual, and you need to attach the two. So anybody that comes along later will be able to see both what the organization has recorded and what the customer or client had asked to have corrected.
The next concept is challenging compliance. An organization is required to have a process in place to respond to complaints. They are the first process in the complaint process. They must document what their process is, and it needs to be transparent, straightforward and easy to use. In this legislation the commissioner can send a person back to the company to get their complaint resolved. It really is a crucial first step.
If an individual requests access to their records held by an organization and they don't receive the response they want, they can again go to the Information and Privacy Commissioner and ask them to review that decision. Again, the commissioner may send the person back to get it resolved with the organization.
The commissioner can appoint a mediator to resolve a matter that is brought before her. If the matter is not assigned to a mediator or it's not resolved through mediation, the commissioner may conduct an inquiry, which may result in an order. The intent of the complaint process in PIPA was to try and make sure that most matters were addressed before they got to the inquiry stage. I believe this is the case, and the commissioner will be able to tell you more about what percentage of mediation is successful at her office with respect to the number that go forward to an inquiry.
PIPA contains offence provisions for individuals or organizations that use deception or coercion when they're collecting personal information, that dispose of information in an attempt to try and evade an access request, that obstruct the commissioner or a delegate or make a false statement to the commissioner or that don't comply with an order. The fines range from up to $10,000 for an individual and up to $100,000 for an organization.
There was also whistle-blower protection in PIPA for an employee who makes a report to the commissioner's office, who refuses to contravene the act or who engages in avoidance tactics so that there won't be a contravention. An employer can't subject an employee who does these activities to dismissal, suspension, demotion, discipline or harassment.
Now we're going to move to the special committee, the report of the last special committee. That was the 2008 special committee. As you may well know, there are 31 recommendations that came from that committee. Fourteen of those recommendations were that no amendments be made in response to suggestions that had come before the committee, 15 recommendations were directed to government, and two were to the Office of the Information and Privacy Commissioner.
What government does when it's looking at the special committee recommendations is try and determine whether or not these will be put forward into amendments before the legislation. These recommendations that were made have been worked on by government, and all have been accepted. There are proposals that these would be put forward as possible amendments.
Preliminary consultations have taken place with proposed stakeholders. We met with a subgroup of that large group that we'd met with originally, and they are positive about the recommendations that have been put forward for amendment. These amendments will go forward to the appropriate authorities at the next available opportunity.
The next slide is about recent key developments. The federal government has proposed a Digital Privacy Act. I'm sure you have heard about that. It has received second reading and referral to the Standing Senate Committee on Transport and Communications on May 8, 2014. This act contains a number of suggested amendments to PIPEDA, including mandatory breach notification to both the commissioner and to individuals. Companies that fail to notify appropriately or that destroy such records may face up to $100,000 penalty.
As I mentioned earlier, PIPA has to remain consistent with PIPEDA. This is a very significant amendment, so government will be considering this new requirement and how it can best address it and when.
In addition, there were two provisions that are in PIPA that the federal government has decided to adopt. The provisions in PIPA that facilitate the transfer of personal information without the need of consent when selling or acquiring a business — the federal government is proposing that that be put in PIPEDA. And the exception for the collection, use and disclosure of an individual's contact information when used for the purposes of contacting that person at a business are also being proposed to be put in PIPEDA.
We are reviewing the remaining new provisions to determine how they will fit within the current B.C. legislation and what value they would add. These include a clarification that consent is not required for collection, use and disclosure of employee work product information.
There are also some new investigatory provisions for the commissioner, which at first look do not appear to be stronger than what the B.C. commissioner already has. You'll remember that I said that the B.C. commissioner has order-making power, and the federal commissioner can only make recommendations. So it doesn't look like these new provisions give the federal commissioner greater power, but we will be looking at those and making sure that that's the case.
The other new development that has resulted was a Supreme Court of Canada decision. On November 15, 2013, the Supreme Court of Canada released a ruling, and I'll read it out here. This is Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013, special committee of Canada No. 62. It invalidated Alberta's PIPA on constitutional grounds.
The Supreme Court of Canada decision acknowledged the importance of PIPA's restrictions on the collection, use and disclosure of personal information by organizations but said that they infringe on the union's freedom of expression, which is a fundamental right in the context of labour disputes. The Supreme Court of Canada found that this infringement is disproportionate to PIPA's objective of giving individuals control over their own personal information. Alberta has been given one year from the date of this decision to amend its legislation.
The ruling obviously has implications for B.C., as Alberta's and B.C.'s PIPA were drafted with the goal of harmonization to provide consistency for individuals and organizations across provinces.
Unlike Alberta's PIPA, however, B.C. has a provision that allows organizations to collect and disclose personal information that was gained through observation at public events at which attendance is voluntary. While this provision was mentioned in a lower court discussion on the matter in Alberta, it may not be broad enough to prevent a similar ruling in B.C. Government will be consulting with Alberta on what action they are taking in regards to this decision and will also be working with legal counsel to determine an appropriate course of action.
Next, tools and supports. There were extensive training opportunities provided throughout the province when PIPA was implemented. This training, which was and is free, continues today to a smaller degree. What we do now is offer regional training, so the most recent training was in Cranbrook in February, Victoria in April and Vancouver yesterday.
We also do individualized training for organizations on request. Oftentimes one organization will ask us for training, and we will have already had a request from another organization in their area. So we'll suggest that they get together and amalgamate them. If the individualized training is outside of the Lower Mainland and Victoria and it requires travelling, we often ask them to reimburse the travel costs for that.
The training includes instant breach awareness. Participants are taught how to recognize a privacy breach and also the four key steps to addressing it, which are: reporting it; recover; remediation, which includes notification; and prevention.
There is also a designated PIPA webpage, which is on the office of the chief information officer's website. This contains guidelines and tools. They're set up as a step-by-step how-to-do for businesses, so they can walk through it themselves without having to get legal advice. They can help establish that they are going to be compliant. The topics include: how do I know if I'm covered? What is a privacy officer? What are the ten basic principles that I have to follow? How do I conduct a privacy audit?
A lot of organizations we spoke to didn't even know what personal information they collected. In these cases we would suggest that they do an internal privacy audit, so this tool helps them do that by themselves. There is a privacy compliance tool, where they can check off boxes when they've managed to become compliant with a provision in the act. There's a tool on how to set up a complaint handling process. There's a model privacy policy where they just need to fill in the blanks. Lastly, there's model contract language.
We also have a help line which organizations can either e-mail or phone. Over fiscal year 2013-2014 there were 365 PIPA calls; 128 of those related to privacy, and 72 were access. The others were different questions about the legislation.
M. Bernier (Chair): I think that's everything you wanted to know about PIPA but were afraid to ask — that kind of thing. Thank you for all that information. I know we have some questions already — some clarifications and stuff.
G. Heyman (Deputy Chair): Thank you for the presentation. I'm just wondering whether there is ample precedent for the reasonable person test specific to PIPA or if the general precedents are easily specifically applied to PIPA.
You also mentioned that opinions are covered by PIPA, and I'm wondering if you could elaborate a little bit more on that. Give me a couple of examples of that, whether there are any other significant changes in PIPEDA that you think will impact our deliberation.
Finally, it seems like a lengthy time lag for government to be consulting and considering implementation of recommendations with which it agreed from a review that took place a number of years ago. I'm just wondering if you can shed some light on why the time lag.
S. Plater: The reasonable person test was established in the 1800s in Britain, and it's a test that's very commonly used in common law. There is a lot of case law behind that particular test. It's also used in most of the private sector privacy legislation that has been developed. Basically, it's used because there is not a perception of perfection. There's a perception that it would be…. I don't like to say ordinary or average, because it's meant to be….
I think the example they used from British case law was what the average person riding on the Clapham bus would do if they encountered a situation like this. So it's very well recognized throughout the world as an international standard, and it was used in PIPA as a way that business and consumers could understand what the test was.
The commissioner really is the arbiter of that, so they will go forward to them and say: "Is this reasonable in these circumstances?" Then she will make a decision based on that.
I hope that's…. Has that answered your question? Okay.
The second one was the opinions. If I give an opinion about Bette-Jo, then that's Bette-Jo's information. If I give an opinion about this presentation, if I give an opinion about the weather today, then that's my personal information, and that is protected under PIPA. It's very similar to the FOIPP Act; that same provision is in there.
You asked about PIPEDA too. At this present time we don't know. I think the ones I mentioned in the presentation were the only recommendations about changes to PIPEDA. Recommendations to the government of Canada about changing PIPEDA have been ongoing for many years, and it actually caught us by surprise that it came out in the Digital Privacy Act, because everybody has been waiting for a bill to come out around PIPEDA.
The ones I mentioned are the key ones in PIPEDA, but we will be going back to the Digital Privacy Act and scouring it to make sure that we've captured all of them and then be looking at them and evaluating whether or not they should be incorporated into PIPA.
The time lag. We spent time looking at the provisions, and we really wanted to go out and consult with the organizations. You have a wide range of organizations. As I said, we looked at both provincial and national organizations who have companies in all provinces.
The insurance bureaus were one, in particular, and there are quite a few of them. I can't remember all their names right at the moment, other than the Insurance Bureau of Canada.
They had questions about some of the recommendations that were put forward, so we wanted to make sure that we got it right. We went out and did those consultations. We then put…. As everybody does who's doing legislation in government, you put forward ideas for possible amendments, and those amendments get picked up when there's an opportunity within the legislative schedule for them to go forward.
We had looked at the special committee coming up. We knew it was happening, decided that we'd like to wait until the recommendations of this special committee came out, and then be able to incorporate those with the ones that came from the 2008 special committee and put it forward.
M. Bernier (Chair): Any questions right now on this side?
S. Gibson: Maybe just a general question. I'm new to this, so I beg your indulgence. What would be wrong with having a national policy where we all get together, as the provinces and federal government, on one policy so that everybody knows it across the country? Perhaps it's a naive question, but I would like to ask that question, if I may.
S. Plater: Well, I think what PIPEDA is, is that policy, but I think there were a number of reasons. PIPEDA, when it was written, was meant to deal with large organizations — like banks, telecommunications, airlines — so it didn't take in the particular context for smaller organizations, which are really the ones you're dealing with in the provincial spectrum. It's very complicated.
They were using lawyers. We'd heard that a lot from the organizations that were covered. They wanted something that was straightforward, simple, addressed the particular needs within B.C. and that covered the not-for-profit sector, covered employees within businesses, and had a commissioner that was local to the province and could understand the provincial context. That's why you've now got four provinces in total — B.C., Alberta, Quebec, and Manitoba has got one before the House — that have their own provincial legislation.
S. Gibson: My second question is…. There's always an element of the population that will use this kind of thing, like PIPA and others, to be argumentative or an irritant. How do we avoid those people that create disruptions and create a great deal of labour and irritation, at the same time protecting the overall citizens?
I come out of a local government background. You'll have people that will be quite assertive in the manner in which they deal with local government, largely for their own personal satisfaction — not really with any ideals in mind. How do we avoid those kinds of people or at least mitigate or diminish, perhaps, the opportunity to have those kinds of people who are disruptive and may not be helping the cause, if I might put it that way?
S. Plater: I think one of the big differences with PIPA is that individuals only have access to their own personal information. They don't have access to any other business information about the organization. So in a lot of instances, most companies aren't going to have a lot of personal information about an individual that they can request to access. If you're dealing with, say, a not-for-profit that's in the counselling area or drug and alcohol rehabilitation — that sort of thing — yes, they might have a lot more personal information.
This certainly wasn't why it was designed, but I think it's much harder for an individual to be disruptive, if that's what they're being, with a business when they can only request access to their own personal information.
S. Gibson: Okay. May I ask a further question, Mr. Chair?
M. Bernier (Chair): Please.
S. Gibson: This is probably an obvious question, I suppose. In this age of the Internet, if you want to find out about me and you want to find out whether I drink coffee or not or what's my favourite colour, you can probably find out if you become very aggressive in your research. How do we resolve the fact that, to some extent, much of what we feign as privacy or protect as privacy has largely been compromised by the growth of the Internet and the availability of information that's become so ubiquitous that the public is almost resigned to the fact that "I don't have much privacy anymore"?
Running against that — as a bulwark, I guess — is this kind of legislation. How do you comment on that?
S. Plater: Well, I think there are a couple of ways of maybe stemming the tide or continuing to protect individuals. One is legislation like PIPA. Organizations within B.C. cannot post information on the Internet or distribute it publicly unless it's reasonable to whatever services they're providing. They would have to have the consent of the individual to do that otherwise.
You also have legislation like the federal Digital Privacy Act, which is aimed more at the Internet and social media and those kinds of things.
Also, I think the public has to take some responsibility for protecting themselves. I don't use Facebook. I don't use Twitter. I don't use any of those kinds of things. That's my own personal choice. Everybody has to determine for themselves what they feel comfortable with and what risks they're willing to take. So I think there are both laws that can help, and there's also people taking responsibility for their own actions.
S. Gibson: May I ask…? Given that, I think, about 40 percent of the population has some problems with literacy, I think your comment earlier about plain language is laudable. If you ever take out a mortgage or a car loan and you look at the back of it, it's almost indecipherable, and you wonder what you're giving away when you sign up for a mortgage or a car loan.
I guess my concern is that sometimes the people who most need to be protected by government, if you will, are the people that have the least capacity to access the instruments that are available to them. You know what I mean? The people that most need to be protected are often the ones that are the least protected because they don't have the intellectual capacity or the understanding to access it.
I guess my, maybe, broad question, if I may, is: how do you do it with technology? How do you do it in such a way that…? Somebody feels compromised. Their privacy has been threatened. They feel hurt, perhaps, or even tormented by it, and it's troubling them, but they don't have the tools to do that. How can we, maybe as government, as MLAs, be involved to make it more approachable?
So many people see this kind of amorphous government. It's very staid and institutional, and they feel that they can't possibly access it. How do we make them more welcome? How do we make bureaucracy — I use that word in its best sense — like this more accessible to people who otherwise wouldn't know anything about it?
S. Plater: I think I'm just going to go back to PIPA for a second. One of the things that PIPA stipulates is that an organization has to be really clear in its communications. They have to make sure that they're understood by the public and that they know what that organization is doing.
I think encouraging organizations to use that plain language. The commissioner also has an oversight role in making sure that the types of policies, and that, that are out there are reasonable.
In addition, I think the commissioner herself does a really good job of outreach. Her website has got a lot of information on it, and I realize not everybody would use a website. But she also goes out and speaks at a lot of public forums, as does our office.
The libraries will put on events. Different public groups will put on events, and we'll be invited to go and speak at those. We try to reach out to the public as much as possible. I think one of the ways that you can help people that may be marginalized is reaching out to groups that they may come in contact with.
S. Gibson: My only other question…. Mr. Chairman, thank you for your indulgence. You mentioned earlier, anecdotally — I don't think it's in the material — on the whistle-blower. I teach HR, so of course, I'm particularly interested in the whistle-blower. It's a big phenomenon in the U.S., as you know, and it's spilled across into Canada. It's an important part of the way now we have business. People see something within constraints…. The security of their work is not threatened if they share some information. There's a benefit to the company in its aspirations.
My question is: do you see a disconnect between the desirability of contextual whistle-blowing and, at the same time, protecting privacy and the privacy of those who would seek to better the corporate goals or whatever — and at the same time have some level of accessibility? I guess it's a complicated question, but I thought I'd ask it.
S. Plater: In this particular instance…. The same with FOIPPA. FOIPPA has some whistle-blower protection as well. I think in both of these instances the whistle-blowing protection is really to protect an individual from violating the constraints within the act, so that person is trying to protect privacy. A company can't do anything to, I guess, discriminate against that individual for trying to protect privacy.
I don't think in this particular context it reduces privacy because what they're trying to do is protect it in the long term. So they're not disclosing personal information.
S. Gibson: So it's the other way around, in a way.
S. Plater: Yes.
S. Gibson: Okay, those are my questions.
M. Hunt: First of all, thank you for your presentation. I really enjoyed hearing someone who has written legislation that says it's commonsense rules for a reasonable person. Unfortunately, too much legislation is done by those legally guys that nobody can figure out what is going, and it makes no sense whatsoever.
Having said that, I noticed that we have on our desk a letter from the Civil Liberties Association, which I'm not going to get into, because I imagine that will be done in due process. But it provokes two questions in my mind.
One is…. This refers to dealing with the police, in a broad generality, and secondly, it talks about "outside the vulnerable sector."
My question is — again, coming from local government: when we deal with police, most municipalities in B.C. use the RCMP. So that would be under the federal legislation. Would your legislation then be used for those municipalities with their own police force?
S. Plater: Actually, the RCMP would be under the federal privacy and access legislation, so different than PIPEDA. The municipal police in B.C. would be under the FOIPP Act, so the Freedom of Information and Protection of Privacy Act.
M. Hunt: Oh, I see. Okay. Then this concept of vulnerable sector…. Realizing it's a different act but trying to deal in a similar context, when we're dealing with the sharing of information for…. We use, for example…. Well, this is talking about mental health records and those kinds of consultation things. Where do we get the line as to what is vulnerable and what's reasonably vulnerable, or do we cop out to the reasonable person test?
S. Plater: If it was under PIPA, you would look at the reasonable person test, yes. Under FOIPPA there is no such test. It's a very complicated question as to where that line needs to be.
You could go from saying, "Well, absolutely no mental health information should be disclosed," and then you might get people saying: "Well, there are circumstances where if we didn't do that, then somebody else would be at risk." I think it's a very complicated question, and I don't have an answer to that yet. It's something we're going to have to be considering, given there was a recommendation from the commissioner in a report that she issued recently.
D. Bing: Thank you very much for your presentation. I really appreciated the fact that it was very clear and in plain English. That was much appreciated.
I was just thinking of some of the situations that could occur where an organization — it could be inadvertent, but it could be deliberate — releases personal information. I was thinking of Simon's point about social media and this sort of thing. Like, the RCMP now are not using newspapers; they're putting information directly onto the Internet and this sort of thing. Once it's out there, of course, it's hard to withdraw it.
What recourse does an individual have if something was released, say, about their situation on the Internet? Who do they complain to, and what would be the repercussions or consequences?
S. Plater: They would complain to the Office of the Information and Privacy Commissioner about what has occurred with the organization. The commissioner has, as I said, the ability to mediate a dispute or to do an inquiry and issue an order, and those orders are binding on the organizations. That, unfortunately, doesn't take back that information that's already out there.
There is a privacy tort in B.C., where a person can sue if their privacy has been violated. I understand there haven't been many cases that have actually gone through and won under that tort, but there is one there available.
The commissioner is the route, definitely, for anybody who feels their privacy has been violated by a not-for-profit organization or a business. The commissioner has the full powers to investigate how that occurred and to prevent future circumstances or the same thing happening again in the future.
As I mentioned, when we do our training, we look at the breach process. We try really hard to help organizations understand what a breach is, the implications it has for the individuals and how to go back and figure out how that breach occurred — hopefully, it wasn't deliberate — and how to have it not happen again in the future. So what kind of changes to put into their technological solutions or the way they're doing business or their policies — how can they make it not happen again in the future?
D. Bing: Just to follow up to that, do you know that number? How many complaints would the commissioner get in a month or a year?
S. Plater: I don't, sorry. No. It would be in her annual report for last year. I also understand she's coming to present to you, so hopefully she can provide you with that information.
D. Bing: One last thing. I was noticing when you mentioned the number of provinces that have this legislation that Ontario wasn't one of them.
S. Plater: No, it's not. Ontario drafted a legislation. I hope there's nobody from Ontario that's going to read this. We got a copy of their legislation when we were drafting PIPA. What we had was the federal legislation, PIPEDA, and we had Ontario's, so we started off knowing what we didn't want to do.
The Ontario legislation was about this thick. They had tried very hard to nail down every circumstance that might occur, which was admirable, but it really made it unusual, and they were never able to get momentum to get it forward. They did start out on that route but never got there.
G. Heyman (Deputy Chair): Just for clarity, with respect to…. I wasn't going to raise this, but seeing as Marvin did — the letter from the B.C. Civil Liberties Association. My assumption would be that the issue raised would be covered under FOIPPA, not PIPA, correct?
S. Plater: I haven't seen the letter, but if it's about police forces, yes.
M. Bernier (Chair): I have a few questions. Again, thank you very much for all this information. It's a lot for us to digest and really try to get up to speed on.
My first one would be around PIPEDA. As we go forward with this committee, does the federal government…? I don't think "supersede" is the right word. But as long as our goals are ahead of theirs and the legislation is more enhanced than theirs, then they really have no jurisdiction, then. Is that clear — like we don't have to report; we don't have to do anything with the federal government?
S. Plater: That is correct, as long as we remain substantially similar. So it doesn't mean we have to be identical to theirs. I don't know what criteria…. When government developed PIPA, it submitted it to the federal government and then was issued a ruling by the federal government. We got a letter saying that it was declared to be substantially similar.
M. Bernier (Chair): As we go forward with recommendations and changes, do we have to do that same process?
S. Plater: I suspect, although it's not clear, that if we make amendments to PIPA, then we would want to submit it again to the federal government. My suspicion would be that as long as you are remaining equal to or greater than, then it's not an issue.
M. Bernier (Chair): My next question comes back to recommendations and how this committee is going to function over the next year. We have all the recommendations, the 31 recommendations from the last report five or six years ago, which have not been implemented. But you said we're at a point where they could be looked at. I'm trying to look at the logistics now for this committee.
Technically, we aren't going to have to now go back, I assume, and review those because we're going to be having to make a blanket recommendation either on those recommendations — say we endorse them…. Or in the last six years, have things changed? Maybe our recommendation will be to possibly say that some of those ones that were put forward before — maybe we don't want to see now. That's going to put a different lens on how we're going to address this, I think, because we're not going to be going out just generally looking for all new recommendations.
A point that was raised a little earlier, too, is around timing. You mentioned the legislative calendar. But I think for us, we have to be cognizant of the fact that we're going to be asking the same people, possibly, for the same recommendations which we haven't implemented. I just bring that forward because in a couple of weeks, when we have the commissioner here, I believe this will probably come out. I'm not sure if you want to maybe respond to that. I know we'll hear from the commissioner.
S. Plater: The only thing I would say is we have not had any information that indicates that the recommendations from the 2008 committee are no longer valid. When we consulted with our range of stakeholders, we received positive comments back — that if we made those amendments, that would be okay with them.
Other than that, I don't have any other comments on that.
M. Bernier (Chair): Did you have another question, George? It looked like you had a question.
G. Heyman (Deputy Chair): Just for clarity, my assumption would be that it wouldn't be the committee that would refer recommendations to the federal government for review. We'd make the recommendations, and it would be the provincial government that would refer….
S. Plater: Yes, if the government was making amendments and those went through, we would forward that to the federal government to get a ruling.
M. Bernier (Chair): Thank you. I was trying to wrap my head around the process and where the jurisdictions are, I guess.
Do we have any further questions or comments? Well, thank you very much for that information and that presentation. Going forward, we're going to possibly have further questions on that, but I appreciate your openness and how candid you were with the responses. It really helps.
S. Plater: Thank you. If you have other questions, please feel free to contact us.
S. Gibson: So we're going to look at all the deliberations, then, from the previous…. We're going to look at all the materials from the previous…. That's my understanding.
M. Bernier (Chair): Yes. I mean, that will be as we go forward.
Other Business
M. Bernier (Chair): So the next meeting — before we adjourn here — is on May 28 at 9 a.m. I believe we have scheduled to have the actual commissioner here. At that point we'll have kind of a better understanding from her side as well, and then we'll be talking…. If you look at the terms of reference we put forward, we'll also have some meetings and discuss some of that.
Were there any further comments or questions?
G. Heyman (Deputy Chair): Are you at other business yet?
M. Bernier (Chair): Yes.
G. Heyman (Deputy Chair): Okay. I just wanted to note for the committee that I received an e-mail from Doug Routley extending his apologies. Something came up this morning that prevented him from being here.
M. Bernier (Chair): Okay. Thank you for putting that in there.
Thank you, everyone. Seeing no further questions, we will adjourn the meeting.
The committee adjourned at 10:21 a.m.
Copyright © 2014: British Columbia Hansard Services, Victoria, British Columbia, Canada