Review the Personal Information Protection Act — Issue No. 4

Present: Mike Bernier, MLA (Chair); George Heyman, MLA (Deputy Chair); Dr. Doug Bing, MLA; Simon Gibson, MLA; Sue Hammell, MLA; Marvin Hunt, MLA; Doug Routley, MLA

2. The following witnesses appeared before the Committee and answered questions regarding the Personal Information Protection Act.

The following electronic version is for informational purposes only.
The printed version remains the official version.

REPORT OF PROCEEDINGS
(Hansard)

SPECIAL COMMITTEE TO
REVIEW THE PERSONAL INFORMATION PROTECTION ACT


CONTENTS
Page
Presentations	33
V. Gogolek
D. Christopher
S. Olson
D. Jones
T. Hryb
A. Hardy

M. Bernier (Chair): Good morning, everybody. Thanks, everybody, for making it here and for coming. We're about to get started, but before we do, I just want to read a couple of things into Hansard here before we get going with our first presenter.

I'm Mike Bernier. I'm the member for Peace River South. I'm the Chair of this committee, the Special Committee to Review the Personal Information Protection Act. This committee was appointed by the Legislative Assembly last February to undertake a comprehensive review of the Personal Information Protection Act here in B.C., which of course, we refer to as PIPA.

PIPA governs how private sector organizations can collect, use and disclose personal information. It requires organizations to protect and secure personal information against unauthorized use or disclosure. The act also grants individuals the right to access their own personal information.

This committee has a mandate to review PIPA and to make recommendations to amend it or any other act. We will be doing this in a report to be submitted to the Legislative Assembly by February 25, 2015. The act was reviewed once before by a parliamentary committee in 2008.

Today's public hearing is the third meeting to be held as part of our review. In May we heard presentations from the Ministry of Technology, Innovation and Citizens' Services, and we also met with the Information and Privacy Commissioner here for British Columbia. In June we also launched public consultations to gather input. We did a provincewide news release, press release, for written submissions and oral submissions as well, which brings us to today.

We have seven presenters scheduled. We have approximately 20 minutes to speak, followed by around ten minutes for questions. The proceedings are being recorded, as I mentioned, by Hansard Services, and a transcript of the entire meeting will be made available on our website.

While I have the opportunity, I also want to remind everyone that we are going to look at continually accepting…. We're going to discuss this as a committee later on, but we want to encourage people that if there's more input, they will have a little bit more time, and we'll discuss that afterwards.

Before we go to our first presenter, I'll start with the co-Chair, and we'll just do some introductions of the panel up front.

G. Heyman (Deputy Chair): Thank you. I'm George Heyman, the MLA for Vancouver-Fairview and Deputy Chair of the committee.

M. Bernier (Chair): Excellent. So with that, without further ado, we'll get to our first presenter.

I want to welcome Vincent Gogolek. I'll let you start your presentation and do your introductions.

V. Gogolek: Well, thank you very much for having us here and agreeing to hear our submissions on the Personal Information Protection Act — a very important, and increasingly important, piece of legislation not just for privacy but also with important effects in terms of the economy, consumer rights as well as personal protection.

I will try and keep my remarks brief. You have our submission, which is fairly extensive. Some of it is going back to recommendations we made in 2008. Some of the recommendations reflect those you heard from the Information and Privacy Commissioner, Elizabeth Denham, in your earlier hearings, and a couple of them, I believe, will be brand new to you.

What I'd like to do is just go through those fairly quickly and then open up the floor to any questions you may have. I'm happy to answer anything that you have to say to us.

Some of these recommendations arise out of decisions from the Supreme Court of Canada, where cases have been decided and have brought about significant changes to the law and will have to be accommodated.

There are two of them. One you have already heard from the commissioner on the United Food and Commercial Workers case regarding video picketing. Our recommendation is similar, if not identical, to that of the commissioner.

We support her view that what is required in this situation in order to be compliant with the Supreme Court of Canada's decision is a very narrow amendment to the act governing video taping, recording, in the picketing situation. This is because of the importance that the court recognized in that decision regarding right of privacy. However, they also noted that there's freedom of expression weighing on the other side. In a nutshell, we agree with the commissioner on this one. The reason is set out in our submission.

I'll leave the other Supreme Court decision further down. The submission on that one is a little more complicated. That's the Spencer case regarding lawful authority, which you've heard from the commissioner on. I'll deal with in a little more depth later on.
[ Page 34 ]

The commissioner also recommended notification of individuals in the event of privacy breaches. This is something that we support. It's something that we recommended in 2008. It's something that the 2008 committee also recommended but which, for reasons unknown, has not been brought in.

It's also important to point out that unlike 2008, Alberta — which has a very similar piece of legislation to ours — has had a breach notification requirement since 2010. So in terms of things being substantially similar, it's important that we not be completely out of step. When you're talking about substantially similar, it doesn't mean identical. It means, well, substantially similar.

The other aspect to this is that the federal government's amendments to the federal legislation, PIPEDA, contained in Bill S-4, which I'll be coming back to again later, also contains breach notification provisions.

Here in British Columbia we're looking at a situation where Alberta has acted and has brought those provisions in and the federal government has introduced legislation which is now, I believe, in the House of Commons, or will be when the Commons comes back at the end of the month. They will be looking to amend the PIPEDA to do this — that part of it.

So if B.C. does not act to bring in breach notification at least to those levels, I think that there could be a problem with whether or not the PIPA here in this province would be considered to be still substantially similar. I raise that as a possibility. We don't know how that will play out.

The other aspect of federal Bill S-4 related to the Supreme Court of Canada decision in Spencer is the whole question of lawful authority, which you've also heard from the commissioner about in terms of section 18, various subsections in there. You've heard from her both before and after the Supreme Court handed down its decision.

In this case the way S-4, the federal legislation, is currently drafted — along with companion legislation C-13, related to lawful authority — there would be a serious difficulty. The consensus, I think, of expert opinion is that there would be a difficulty for the bill as currently drafted in Ottawa, that in its current form it would be unconstitutional under the reasoning of the Supreme Court in Spencer. Our view is that we want to have constitutional legislation in this province and in Canada as a whole.

Although the federal government has not said what they plan on doing — they have not said: "Yes, we will amend this to bring it into compliance with Spencer" — I don't think British Columbia can leave legislation that the Supreme Court of Canada has cast doubt on as is. It'll have to be brought into compliance with Spencer. We have our recommendations. The commissioner has made recommendations as well. Our recommendations are, shall I say, substantially similar.

There are three other issues I just want to deal with briefly. One is something that we dealt with in 2010 in a report which we issued called Culture of Care…or Culture of Surveillance? This is a problem with the interaction between this piece of legislation, the Personal Information Protection Act, and the public sector one, which deals with government and public sector bodies. This is in the context of contracted services.

The difficulty is that when you have a private sector provider, either for- or non-profit, which is under the PIPA, and somebody walks in the door and they're looking for whatever services are on offer…. The problem comes up when part of the services are contracted to the government of British Columbia and part of the contract requires the private sector body to use the integrated case management system, which I'm sure you're all sadly familiar with. Without getting into the merits or technical difficulties that that system has had, the difficulty that we see is that PIPA has a consent-based system. People come in to a private sector thing. They assume that they will be governed by this legislation.

What happens is, at some point…. This is where the obligation probably rests on the private sector body to inform people: "Okay, now you're here looking for this. I'm going to be entering your information into a system which turns it from consent to reasonableness, reasonable use for programs and activities of the government, and it may go to other places."

We have suggested amendments here. We also have the Culture of Care…or Culture of Surveillance? report, which is available on our website, which goes into it in much greater detail and which I would commend to you.

The last two recommendations that we have…. One relates to technological developments. We are currently in the middle of doing a study for the federal Privacy Commissioner, called "Connected Car: Who's Behind The Wheel?" This is going to be dealing with telematics. This is essentially the black box in the car that collects all kinds of information in terms of how fast you're going, how fast you're braking, cornering, the state of the car. This is something that we're seeing more and more of.

Our report for the federal Privacy Commissioner won't be finished until 2015, and our recommendations here are going to be somewhat conditional on that. But we do have to start thinking about situations. Unlike 2008, we're now living in a world where more and more of our technology is connected to the Internet and is reporting on us.

So if we have thermostats, fridges, what's called the Internet of things, where these devices are collecting information on us…. This is where the difficulty is in terms of how to amend the law. PIPA relates to the collection, use and disclosure of personal information. Can you say it's personal information if you have a thermostat and you have a house with five people in it? Or the car — how
[ Page 35 ]
can you tell who's driving? But this is something that we are going to have to deal with.

PIPA may or may not be the best vehicle for doing this, because it deals with personal information. But at the same time, I think that we, and you as a committee, have to be aware of the fact that we're having more and more surveillance going on, and it may be a whole lot of different people's personal information.

I guess if you're reporting back on February 25, 2015, our report won't be ready yet for you, but I would appreciate it if you could look at our tentative recommendations that we have here, just to highlight this as a potential issue, something that we will have to look at more and more in the future.

Finally, something else related to technology, something that was just starting to emerge when your predecessor committee met, was dealing with the whole question of algorithms and what private sector bodies — and public sector, but they're not on the table here today…. What happens with that information? Our submission deals with this.

There was a case that we were involved in with an insurance company that was using credit scores to set insurance premiums, and the person who found out that their financial information had been collected was puzzled because this person paid with a cheque. "You know, you don't need to know if I'm good for the money. My cheque cleared. So why are you doing this?" Well, it turns out there's an algorithm that they use to determine whether or not you are a risk.

We're seeing more and more of this, and we're seeing more and more personal information being used in ways that really does cause you to scratch your head. Part of the difficulty is that these are black boxes. They're proprietary with the credit agency or the insurance company or whatever body actually uses them, and it's very difficult to get the workings. Like: "How does my credit score turn into, 'I should pay more insurance'?"

There's a financial services company — in the U.K., I believe — that's using your Facebook friends. So they take a look, see who you're friends with, check them out and say: "Sorry, your friends are a little sketchy, so we're not giving you the loan" or "You're not getting the mortgage" or "You're paying a higher rate because you're a higher risk." Now, those two don't seem to go together. They say it works, so we offer this as something else for you to consider.

I think I've gone rather longer than I promised. I will leave it to you to…. I'll be happy to answer any questions you have.

M. Bernier (Chair): Excellent, thanks. And we definitely do have a few more minutes of your time.

S. Gibson: As a passive observer, a condition which we see accelerating in our society…. I think you expressed it well, sir. My question is…. Sometimes the defence is: "Well, you've signed off on that." All of us have bought a car or got a mortgage. We're anticipating being able to drive away in that shiny vehicle, and we just sign all the forms. But the forms contain a lot of provisions that we're signing away on when we get that mortgage — the old expression: "If you think no one cares about you, try missing a mortgage payment."

I guess my question is, is there a defence out there that is really indefensible, where people say: "Well, he signed off on it. He signed all these forms, so he's giving us the right to reveal information"? My question to you is kind of a systemic question. When somebody fills out documents to enter into a business relationship with a company through purchase or service or whatever, does the fact that they're signing that — presumably, intelligently — presume that they're now releasing some of their freedom to the company? They're doing it, perhaps, unwittingly. That's my question.

V. Gogolek: Well, that's one of the questions that came up, and I'm not sure that the law is entirely clear on that. Of course, in different situations somebody might be trying to get out of an obligation to, say, the company that they have the contract with. The courts have…. I believe, Spencer, the case that dealt with lawful authority, dealt with some of that. I'd suggest you take a look at some of the paragraphs in the Spencer decision that deal with this. That, of course, is law enforcement — the company's ability to give information that they collected to law enforcement. It's an interesting question. The courts seem to be moving to more of a sort of standard of reasonableness: can you really be expected to do this?

There's another case, also involving terms and conditions. It's an older case called Gomboc, which is out of Calgary, that dealt with somebody's hydro information that was given to the police as sort of information: "Golly gee. These people must have about 16 hot tubs running in the house somewhere because they're using a lot of electricity." They used it to get a warrant, and they find a grow op.

The reasons of the court in that case, on the face of them, seem to be quite clear — it was a 7-2 decision — but unfortunately, four of the judges came down on one side, "No, there's no reasonable expectation," or that they're able to do that. Another three said, "Sure, you can do that," because you signed off on the terms and conditions. And another two said: "No, you can't do that at all."

Depending on which way you want to look at it, only three of what would seem to be the seven judges said: "Yeah, the terms and conditions are what allow you to do that." So it's not entirely super-clear in terms of that.

S. Gibson: There are companies, international and otherwise, that do what we call phone appending and data cleansing. These are companies where…. I'm trying to contact people by phone, but I don't have their phone numbers so I contact this company. Through algorithms and through sometimes, I think, nefarious means, they connect.

So Simon Gibson — my phone's not out there, but you want to contact me because you want to sell me something or you're with my alma mater society or something. You want to hit me up for a loan or for a donation. All of a sudden I get a phone call from you, and I wonder how you got my phone number — because you've gone through those phone-appending services that use algorithms to connect numbers and addresses together. It's very sophisticated.

V. Gogolek: Well, this is part of what we were talking about. We're seeing more and more of this, where you're scratching your head. That one might be a little more on the sketchy side, and presumably, some of these companies may be in the United States or outside of the authority of….

V. Gogolek: Yeah. So in that case, it's a little bit difficult to go after them.

G. Heyman (Deputy Chair): Thank you, Mr. Gogolek, for your thoughtful presentation and the work you and the organization have done for a number of years.

I want to ask a couple of questions. My first one has to do with your third recommendation, regarding the collection, use and disclosure of personal information by private sector contracted agencies. You suggest that we take a look at this. There's a bit of an interplay here between the public sector act and the private sector act. I just wondered if you think the…. I know we're reviewing the private sector act, but whether you think that amendment is best situated in PIPA or in the public sector act.

V. Gogolek: Well, it's probably both. We've made recommendations in the past, pre the committee, looking at FIPPA related to this issue. There's also our report, Culture of Care…or Culture of Surveillance?

We did our recommendation here in terms of the mandate of the committee: what can you do as the committee here related to PIPA? We think that there are things that you could recommend be done that would improve the situation. The alternative is we're going to end up at some point…. People who come into these private sector organizations are normally looking for government services because they need housing, they need training, they need health care, and they need other things. They're not well off, but they do still have privacy rights. At some point somebody's going to….

This may end up being resolved or not resolved or further confused by litigation. Our preference would be that this be looked at and be dealt with legislatively through our elected representatives.

G. Heyman (Deputy Chair): Presumably, you might think that amendments to both acts might be appropriate and that they be consequential.

V. Gogolek: It would be preferable to deal with both because, of course, this is…. The PIPA aspect is more the symptom. The cause is the massive data collection, data linkages. That's where the problem lies. If that didn't occur, then the PIPA amendments wouldn't really be required.

G. Heyman (Deputy Chair): I know there has been discussion, and the commissioner has suggested that for broader agencies of the public sector, that the scope of FOIPPA be expanded to cover those. It may be that we need to have some discussion in the committee about what the best approach is. I think the Clerk will be able to tell us whether suggesting amendments to other acts is outside of our mandate and can simply be a matter of commentary. But thank you for your comments.

M. Bernier (Chair): Sure. If you don't mind, we'll just move along. We only have a few minutes before our next presenter. We'll see if we get time to get back.

D. Bing: I was just interested in your comments on the point you made about the growing acceptance of the importance of anonymity as an element of privacy. Of course, when people take surveys and this sort of thing, you expect to be anonymous and not identified. But it seems to me that there is a growing trend of people hiding behind anonymity in the comments that they make. They're often less civil, and they often make very strong accusations using the fact that they are anonymous and can't be identified.

V. Gogolek: Well, it is something that we see. As human beings, which we are, when we say something…. You, of course, would be especially aware of this because
[ Page 37 ]
you're on the record either through the media or the nice people at Hansard recording your thoughts for posterity. You know, because your name is attached to it, that you have to think: "What am I saying here? Do I want to say this? Do I want to say this in this particular way?" You know that there are consequences if you don't.

In terms of anonymity, if it's something that's being held out as something that you are able to do this and do it anonymously — that your name will not be revealed or your identifying information will not be revealed — it's important that that actually happens. So that is one of the things this law is supposed to do. If you're supposed to be submitting things anonymously, you should be doing that.

In terms of a comments page, I think that's probably best left to the people whose websites are up, in terms of how they want to deal with these things. Did that…?

M. Hunt: In your comments…. I generally, when I look at legislation, especially legislation that's dealing with technology…. In your submission you're saying: "Come on, we've got to get up with the real world, because we've had this for ten years. We looked at it five years ago. We gotta get with the program."

But by the same token, your first recommendation is extremely prescriptive. So I'm wondering, as we look at that being very prescriptive into the actual act of picketing and that very tight…. Are we in fact going to find ourselves constantly dealing with exceptions for this tiny thing and this tiny thing and this tiny thing, instead of making it broader and more general so that things can apply within it or not? Or do you think that in fact this picketing is going to be a one-off type of situation of an exemption and that most likely we'll have extremely few of these?

V. Gogolek: The short answer is that I suspect the latter. This came up as a result of a case in the Supreme Court of Canada. Technically, because the act that was in question there was the Alberta act. The B.C. act actually is not faced with the situation of "Do it within a year, or it's invalid."

Again, we're back to substantially similar. We're back to how we make this work so that we have similar privacy protections for people in both parts, where companies and unions operating on both sides of the border can understand what their obligations are and that they aren't wildly different on one side or the other. Also, if B.C. didn't amend it, it would leave it open to another situation where there could be litigation.

I believe we still have unions and picket lines in this province — maybe one going now. I think it's better for you as legislators to deal with this situation that the court has presented us with. So that's the long answer, and the short answer is yes.

In this particular case we agree with your general thrust that what we should be trying to do is develop things that are more technology-neutral. Today's hot device…. When some or all of us are back here in six years looking at the legislation again, we may well be in a situation where what we're deeply concerned about today nobody has used for three years because it's been replaced by something else. That seems to be the way things go.

Just noting the time, I'd like to be able to wrap up in about a minute, but I know, Doug, you had a question, and then George, I'm not sure if you have.

D. Routley: Yeah, thank you. I apologize, Chair for being late. We even have traffic delay on Vancouver Island.

M. Bernier (Chair): That's fine. You didn't have the snow excuse like I did, though.

Thanks, Mr. Gogolek. I appreciate your presentation, which I've tried to read while I've been sitting here. I have two questions.

Quickly, No. 4, amending PIPA, explicitly requiring valid evidence of lawful authority, information collected by a private organization, by individuals.

We have a law that prevents the storage of public information, personal information, outside of British Columbia. Some of the private providers and, perhaps, public agencies are turning to a system called tokenization to anonymize information, and that may allow the storage outside of British Columbia of information that appears to be anonymized. But if I'm not wrong, tokenization could be simply tokenizing the name of a person but not their address. It could be tokenizing the name and the address but not the town.

Depending on the information, is it your opinion that modern programs data mining could reassemble that data and expose individuals' public private information stored by private agencies outside of British Columbia?

V. Gogolek: Well, we had a recommendation. I've appended electronically our 2008 recommendations, one of which was to provide notice and requiring the private sector to have conditions in terms of domestic storage or secure control over that information. You're correct.

It seems that the government is actually moving toward this. The commissioner had a report out about a month and a half ago. I also understand that the government has signed a contract with a company called Salesforce, which we're still trying to get a copy of. The committee…. If you're interested in how this tokenization works, it's like encryption that if in a document is entirely done, then it is impossible to get at.
[ Page 38 ]

The contract was apparently signed on September 23, and there was a memo on October 2, 2013, from the CIO to other CIOs and ADMs in government talking about this contract and how it could work.

We've got an FOI request in for the contract. We expect it'll be some time before we get it. That's one of the reasons we didn't deal with it in our submissions. We just don't have enough information.

If the committee is interested in pursuing this, you may want to get a copy of the September 23 contract, in terms of how tokenization is supposed to work, and also the commissioner's recommendations in terms of tokenization and what she would consider to be adequate.

D. Routley: Just a general comment from you, perhaps, on the notion of consent and whether or not, with all of these systems of data collection — GPS in our cars, our phones, all these things — becoming ubiquitous, the notion and principle of consent is possible to maintain. If it is, and I hope it is, then how do you think government can protect the right of an individual to consent?

V. Gogolek: Well, I think part of it is done through this piece of legislation, which is consent-based: "Have you agreed to this?" It provides the basis for people to defend their rights.

In the insurance case that we were involved in as interveners, that was the question: whether the consent could be inferred or taken as granted or whether express consent was needed. Ultimately, because of the interpretation of the law, the commissioners, adjudicator and ultimately the court and also the federal commissioner's office settled that — that if you're going to be requiring people to hand over their credit information or consent to that disclosure, you can't go off and just use it for other things without them expressly saying that's what you're using that for. It's this legislation, really, that is the protection for all of us.

M. Bernier (Chair): Okay, thanks. Just quickly, I think George is going to wrap things up.

G. Heyman (Deputy Chair): I'll be very quick. You raised the issue of the Internet of things and aggregate personal information and the use of algorithms and that your actual report won't be ready until after we issue ours. I'd just like to invite you, if you have preliminary thoughts before the final report that would be timely for the committee, to please submit them.

M. Bernier (Chair): Perfect. Well, thank you very much, Vince, for coming in. You can tell by all the questions there's a lot of information we still need to gather. We appreciate the presentation you put forward, as well, for us to absorb and look at.

Just take a couple of seconds to move along, and we're going to go right back in to our next presenter. Everybody has the presentation in front of them. We're going to move on to our next presenter here. From OpenMedia, we have David Christopher.

D. Christopher: Thank you very much, Mr. Chair, and thank you all for inviting me here to make this presentation this morning. I'm David Christopher. I'm the communications manager for OpenMedia.ca. We're a community-based organization. We're based here in Vancouver, and we work to safeguard the possibilities of the open Internet.

Part of that is…. For many years we've been engaging with Canadians on privacy issues. A number of years ago we worked with other organizations on a campaign to stop the federal government's on-line spying — Bill C-30. We had over 150,000 Canadians take part in that campaign, which was successful.

More recently, last year we started the Protect Our Privacy Coalition. This has the aim of securing effective legal safeguards to protect Canadians' privacy against government intrusion. We now have over 50 organizations and over 40,000 Canadians on board this coalition.

I think a key point is really that privacy isn't a partisan issue. Our coalition really transcends the partisan divides. We've got everyone from the Canadian Taxpayers Federation to the Council of Canadians on board, including many small businesses and labour unions. Many members are from here in British Columbia, including the B.C. Library Association, B.C. FIPA, the BCCLA and a number of businesses in our local tech sector as well.

We joined forces, really, because British Columbians and Canadians are facing a pretty stark privacy deficit. I think the PIPA in its current form contributes to that, and so I come here with some recommendations for how to tighten things up. To really help bring the views and concerns of British Columbians to this committee, we crowdsourced this presentation today. We asked our on-line community to let us know what their priorities were, to let us know their thoughts and concerns. I've incorporated their views and their input into this presentation.

I'll also be focusing on section 18 of the act relating to, as you know, disclosure of information without consent. That's where most people have really expressed concern.

At the end of the day, we're really trying to ensure that traditional privacy safeguards that people have long ex-
[ Page 39 ]
pected in the real world also apply to the modern world, with all our modern technology. Mike Houghtling put it this way on Facebook, saying: "Maybe we need a law that says what applies to the real world applies to the virtual world too."

There are sort of four key areas I want to raise this morning. The first is in terms of voluntary disclosure of private information to government authorities without consent. Secondly, the disclosure of private information to commercial entities and other organizations without consent. Thirdly, the lack of notification to somebody that their information has been disclosed. Fourthly, I'd like to discuss the implications of the recent R. v. Spencer decision by the Supreme Court of Canada.

Firstly, one key concern that's being expressed to us relates to the overly broad scope for how section 18 of PIPA permits disclosure, without consent, of people's private information to law enforcement without a warrant or a court order. Section 18(1)(j) allows for such disclosures not just to assist in an investigation but even to assist in whether to make the decision as whether to proceed with an investigation or not. We think this is an extremely low bar — it's really just mere suspicion — to justify undermining the privacy of law-abiding citizens.

At OpenMedia we've recently worked with experts at the University of Toronto on a project examining how telecom providers collect and store information on their customers. We're still getting results coming in from this, but it's clear that vast amounts of really personal information are being stored on us and, in many cases, then being shared with law enforcement without consent.

Now, of course, telecom providers are subject to the federal privacy law, but similar concerns do apply to businesses based here in B.C. that are subject to PIPA. Really, many businesses nowadays store deeply revealing personal information about their customers, and we believe it's important to make sure that information cannot be obtained by law enforcement without due process — without a warrant or a court order.

Unfortunately, section 18(1)(j) at this point in time does enable law enforcement to obtain information without a warrant. I see the Privacy Commissioner, Elizabeth Denham, has pointed out that PIPA lacks adequate rules on what information can or should be provided without a warrant. There's also no way of knowing how often this is happening, how much information is being disclosed or why.

This issue is also of concern against the backdrop of the debate around Bill C-13 before the federal parliament. That would actually amend the Criminal Code to create immunity for organizations that disclose to government authorities. Again, our Privacy Commissioner, Elizabeth Denham, has pointed out how this would undermine the regulatory framework for both B.C. and federal privacy law.

There's really a huge amount of concern out there among British Columbians and Canadians about this issue of warrantless disclosure. It's been an ongoing story in the media. Certainly, at OpenMedia we hear often from people concerned about this. One of our community members told us on Facebook, simply that warrantless spying is wrong, and innocent people deserve their freedom. Another community member, Leslye Gower, said there isn't "a free shot at the general public. You need to suspect a person, prove so for your warrant and then get your warrant" before you can obtain their personal information.

Really, given that section 18(1)(i) already covers circumstances where information is handed over subject to a warrant, a subpoena or a court order, we really believe section 18(1)(j) should be removed as a sensible measure to help safeguard the privacy of British Columbians. That would also bring B.C., I think, more into line with the Spencer ruling in the Supreme Court case, which I'll get to in a minute.

The second sort of key area relates to the disclosure of personal information to non-governmental entities — commercial entities, businesses, other organizations. There's a lot of debate about the federal government's Bill S-4, which would permit voluntary disclosure of private information to commercial entities.

An analogous provision in PIPA seems to be section 18(1)(c), which permits disclosure merely when it's "reasonable for purposes related to an investigation or a proceeding."

People are really concerned about how this kind of very broad language permits voluntary disclosure. It's really based merely on accusation. It's almost a guilt-by-accusation clause. There is no real proof or due process required. There is no need even for the accusation to relate to serious wrongdoing. One example that was raised to us was that it could be something as being accused of being in breach of one of the terms-of-service agreements, the endless agreements that you often have to click through when you install a new piece of software.

Again, there's also no obligation to inform the subject of these voluntary disclosures that their information has been handed over, so we'd really like to see section 18(1)(c) narrowed in order to better safeguard the privacy of British Columbians.

I guess the third point is simply the lack of notification for these voluntary disclosures. Really, as things currently stand both federally and provincially, these voluntary disclosures can happen to anyone at any time. It's almost worst of all that we don't even know when we're the victim of that. There isn't really a requirement under PIPA at the moment, under section 18, for people to be notified when their information has been handed over — for example, to law enforcement or to a commercial entity.

Given how consequential, how damaging these kinds of handovers can be, we think this is really unfair, be-
[ Page 40 ]
cause when a victim isn't aware that their information has been handed over, it's just impossible for them to seek redress. As I've previously said, we think section 18(1)(j) should be removed entirely to prohibit the warrantless disclosure of information to law enforcement. But really, even if it's decided to retain this section in some form, there should at least be an obligation to notify the individual involved, and similarly where that person's information is disclosed to non-governmental entities.

One community member told us via our website that once privacy has been surrendered, it will not be coming back. A full disclosure is the best way to maintain trust.

Fourthly, we've recently had a very significant Supreme Court decision in the R. v. Spencer case, where the federal Supreme Court ruled that it's unconstitutional for government authorities to make warrantless requests for people's private information without consent. Really, the result of the Supreme Court decision is that a warrant or court order is now required for the disclosure of even basic personal information such as a name and address. I know that when you look at the decision itself, the justices at the Supreme Court really dwelt on the fact that there is a reasonable expectation of privacy for this kind of information, particularly when that name and address relate to somebody's IP address, which can leave a whole sort of bread-crumb tracking about what people do and what people say on line.

Again, to put this in context, these kinds of warrantless disclosures have been happening on a huge scale. Hundreds of thousands of Canadians, tens of thousands of British Columbians have been affected. The federal Privacy Commissioner revealed earlier this year that law enforcement made 1.2 million requests a year in 2011. Prof. Michael Geist at the University of Ottawa did the sums on this, and it works out as once every 27 seconds these requests are happening.

The Supreme Court has now come out and said that this shouldn't be the case, that this is unconstitutional. In its current form, PIPA does permit this kind of warrantless disclosure, so we really believe PIPA needs to be tightened to bring it into line with this federal Supreme Court decision.

One of our community members told us on Reddit that the Legislature needs to bring B.C.'s privacy laws in line with the Spencer ruling; that warrantless disclosure of private information clearly violates the constitution; and that it's time everybody started taking on-line spying, both by private entities and the government, more seriously.

Really, just to wrap up, I think one of the best things for me…. A big part of my role at OpenMedia is coordinating our privacy work. Really, one of the best things is the way that this is an issue that really does bring Canadians together from right across the political spectrum. Privacy is a real Canadian and British Columbian value. It's something people really care about.

We had a recent forum research poll that revealed that 79 percent of Canadians expect their private data to remain private. Seventy-three percent are against the government's Bill C-13, which effectively encourages warrantless disclosure, though that aspect seems pretty much unconstitutional now. Just to illustrate the point that this does transcend partisan boundaries, even federal Conservative supporters are against their own government's proposed legislation by over 2½ to 1.

Really, I think privacy is a really important value for Canadians and for British Columbians. It matters because everyone really deserves a private space in which we can live our lives free from surveillance, a space in which we can be ourselves.

We had one Coquitlam resident, Ron Peters, who told us — I think he puts this better, even, than we could: "Privacy does not only matter to people who have done something illegal or that they otherwise want to hide. We all need space to develop our thoughts that are separate from the surveillance and judgment of society…. Privacy also safeguards democratic societies by giving people the right to choose what information about themselves they share with the government."

Just to recap, we recommend that section 18.1(j) be removed from the legislation; that the scope of section 18(1)(c) be narrowed to prevent voluntary disclosure to commercial entities and other organizations; thirdly, that there be an obligation in most cases to inform the subject of information disclosures; and, finally, that PIPA be amended to bring it into line with the Supreme Court's recent R. v. Spencer decision.

I think privacy is an issue that I think we can all come together around. I really appreciate you inviting me here this morning and hearing me out, and I welcome any questions you may have.

M. Bernier (Chair): Excellent. Thanks very much, David. That was a lot of information there. It's greatly appreciated, especially with the recommendations at the end, which is an important part of this, for sure.

I'll start with George, and we'll go around and see if there are questions after that.

G. Heyman (Deputy Chair): A quick question. Why specifically…? I know you make a reference to section 18(1)(i) covering circumstances where information is handed over subject to a subpoena or warrant. I think we all know that legislation tends to be repetitive to cover all bases. Why do you recommend that 18(1)(j) be dropped rather than include a requirement for a warrant?

D. Christopher: If it included a requirement for a warrant, I think that would be…. The key point for us is that there needs to be that sort of due process there. It's always been the case in the past — I guess if you look at 20 years ago — that law enforcement should get a warrant, that
[ Page 41 ]
there should be due process and checks and balances to safeguard people's privacy.

If there was a way of amending (1)(j) to make that clearer, I think that would work. It's simply because there's already a provision in there to cover the circumstances where information is disclosed for the warrant that we thought you could simply do without (1)(j).

M. Hunt: Just out of curiosity, when you did your crowdsourcing, did you have a clause at the bottom that said they release this information as to their name and where they live?

M. Hunt: When you did your crowdsourcing, did you have a disclosure statement at the bottom of your request that says that they release the information of who they are and where they live to you to disclose to us?

D. Christopher: We did, actually. We made it clear in the post. We did ask people to leave their full name and preferably where they lived in B.C. Not everyone did. The Internet being the Internet, we had people…. Especially on Reddit, most people use a user name. So we did our best on that.

M. Hunt: I find it interesting. Some you left as anonymous, others you gave the name, and others you have the name and where they live. So you have three different ways of describing there.

D. Christopher: I think that's the chaos of the Internet in doing this kind of crowdsourcing. Certainly, a core value for us at OpenMedia is that we do go out and ask people for their input for presentations like this. Where people did give their full name, we included it, and we did make it clear that we would be taking that to the committee here today.

S. Gibson: Tell me what your sense is of what it means to give consent. What does that mean to you? This was related to my earlier question or earlier delegation. Does giving consent really mean the same thing to everybody? When you give consent, often there are other implied measures attached to that that go beyond simply giving consent. I would like just your personal remarks on that, if you would.

D. Christopher: Sure. I think the key is really that it's got to be informed consent. You know, if it's sort of buried in a multi-clause sort of agreement that you have to sign before you enter into — I don't know — getting a new cell phone or something like that, or signing up for Internet service, then it's not really informed. They could sort of point back to: "Well, you gave your consent here when you signed off on this long thing that you probably didn't read."

When it's something as serious as handing over personal information to, let's say, a commercial entity like a copyright trolling company or someone that's kind of out to get you, for want of a better phrase, there definitely needs to be informed consent to that. People need to understand who it is that's requesting the information and the reasons for that request to give their explicit consent before that information is handed over.

I'd say similarly for cases where it's law enforcement wanting the information. I mean, there are many circumstances where people would have no objection to their information being handed over to law enforcement that are sort of sensible — in a an emergency situation and so on. It's just really important that people, wherever possible, can give their informed consent to that.

D. Routley: In your comments on section 18(1)(c) you indicate that there should be an obligation to inform the subject of such disclosures when information is disclosed to non-governmental organizations, and in the conclusion you indicate that that section should be narrowed to prevent voluntary disclosure to commercial entities or other organizations. Is that simple step that you recommend earlier enough to narrow this section, or are there other steps that need to be taken?

D. Christopher: I think the key is that these kinds of disclosures should not be happening without the explicit consent of the individual involved. When you're talking about your information potentially being handed to somebody who is investigating you and wants to, say, sue you over copyright rules or something like that, the provision should be in there for consent, because at the moment there's really nothing by way of due process there. There's a similar issue with the federal government's Bill S-4 at the moment.

M. Bernier (Chair): With some of the challenges around, like you say, the Internet, with Facebook and with all of these things, consent quite a few years ago was a lot more implied when you actually had to go get a paper file with all your personal information in there. Just for curiosity, I went on the Internet last night, and you can google almost anybody's name. Because they put so much out there, not thinking, on Facebook and things like that, you can find their address or where they live or all that information. They don't know they've disclosed it, but they actually have.

One of the challenges, I guess, will be the forward thinking around technological changes that will happen
[ Page 42 ]
over the next five to ten years. Where will that advance to — right? What are your thoughts, maybe, on that?

D. Christopher: Oh, it's a huge issue. I mean, certainly, people are greatly concerned about just the sheer amount of information that's on Facebook, and almost everybody — probably everyone in this room, almost everybody in this building — is on Facebook. The amount of information that Facebook is holding on them….

There was a story that came out a few months ago that Facebook actually ran a psychological experiment where they deliberately tweaked the sort of posts that would be appearing in your news feed. One subset of people of people got very negative posts, another subset got very positive posts, and then Facebook tracked the sort of resulting psychological impact it had on people. Most people who were subject to this whole experiment would not have realized that they were giving consent to this when they scrolled through the long message at the start when you sign up to Facebook.

You know, it's an issue of enormous concern. It's only…. I think we're really starting to grapple with a lot of these challenges now as this kind of technology has become more and more ubiquitous. Certainly, it will be a live issue, I think, for many years to come.

D. Bing: Yes, thank you for your presentation. I just had a question about informed consent.

Very often we're asked to accept or not accept something, and they give you a legalese kind of preamble of, you know, two pages of legalese, which very few of us actually take the trouble to read, and yet we're expected to make an instant decision. You accept these conditions or not accept them, and usually you do because you just want to move ahead to the next step. I wonder if you have any comment about that.

D. Christopher: Absolutely, and I think this touches on…. What I was saying to your colleagues was: it's really important that the consent be very explicit, that people absolutely understand in plain English what it is that they're consenting to, specifically if it's their information being handed over to a third party, whether a government agency or a private sector agency.

While there may be a necessity for people to get the two pages of legalese, I think that should come with a very clear, plain English explanation as to what exactly it is that people are being asked to consent to.

M. Bernier (Chair): Okay. Well with that, if no further questions right now…. I really appreciate your presentation. It's great information we have in front of us here for the committee to take forward, so thank you very much, David.

M. Bernier (Chair): With that, we're just going to take about a five-minute recess or so. Our next presenter's not here, and we'll give everyone a chance to fill up their coffees.

S. Olson: I had a bit of initial difficulty with putting together a written presentation for you because I really had no idea what your backgrounds were or what depth of information you have on the subject that I'm going to speak on. So I thought I would just bring some supporting documentation and talk to you.

I want to discuss the DNA industry and the Freedom of Information Act, as it applies or doesn't apply and my interpretation of that. I've been through several inquiries, one here and one in Alberta, so I have several lengthy roads that I've travelled to get this information.

The first thing is that under the Health Act of Canada, you cannot private-bill for services, and when I did check on line, Health Canada defines "labs, diagnostic or otherwise" as private, for-profit organizations. That's how they're defined. So they don't fall….

The criminal application is completely separate, but paternity testing is that grey area that falls dead centre. It's usually court-ordered, and it's not diagnostic in any way, so it is not a Health Act matter. And no matter where the lab is, whether it's in a hospital or outside of a hospital, it's a privately offered service that, as I said, is usually court-ordered, so it falls closer to the line of the criminal DNA testing.

However, they're taking the position — by "them," I mean the labs — that if they get you to sign a consent for testing, they then have, through FOIPP or through the Health Act, the right to share that information with any other medical service available, and you cannot determine who has this or not. If you say you want to have…. According to the law, you are entitled to the full release of the file for independent review. They will then insist, and they have — both of these facilities have insisted — that they can't release the file because it would be violating the personal information of the other parties of the testing.

But when you enter the agreement to have testing, you enter it as a unit, with no disclosure problems because you have to know what they're doing to test the samples, and then if you do not have a full and complete disclosed
[ Page 43 ]
file, you do not have your actual rights to examine the work, verify it. You have nothing.

The labs tried for the first many, many years — I think I've been at this for about 20 years now — to hide behind the Health Act. They did that successfully until very recently, and now they got shuffled off into FOIPP. But I'm going to point out one section of PIPA that makes this ridiculous. It says: "This Act does not limit the information available by law to a party to a proceeding." I believe that's part 1, section 4.

They're using the freedom-of-information offices to refuse to release information that, according to the law, I'm actually entitled to. I'm entitled to it based on expert witness testimony, which is…. A copy of legislation governs this. "You must produce upon request…." Well, I'll give it to you. I did bring a copy of this, as I wrote it out directly. It is simply court rules regarding the disclosure of expert witness evidence.

When they approach the freedom-of-information office as a way to try not to release this information to any party involved in the testing, by that part of PIPA, or FOIPP — it's applicable, both acts — they're actually dragging in a section of legislation that doesn't apply to court-ordered testing. Then the administration in the freedom-of-information offices don't have any idea what they're doing with it. They don't know whether it fits under the Health Act or FOIPP or PIPA. They don't have a clue.

In one case, an Alberta case, the adjudicator, Teresa Cunningham, actually said: "Well, they seem to have lost a lot of the information. There are no names on anything, but I assume they know this is really your file." There are no names on it.

S. Olson: Okay. When they put your profile down, there's like an X-ray taken of it so that you can then see what they're claiming to be reading. It must be dated, labelled. A sample size must be recorded, the date it was run and, of course, your name. If it's a court-ordered testing, which inevitably most of them are, you have to have a complete chain of custody of the sample. You can't just have things miraculously appear with no ID attached.

Teresa Cunningham, in her adjudicated process, said: "Oh well, they seem to have lost a lot of it, but I'm sure they have it right." Well, I took a different sample from another lab, and I sent it off to an independent reviewer. I actually had to leave Canada. I found this gentleman in Australia, and he said that the profiles are not even mine or my daughter's, so I went back to the lab.

I said: "You have, on court order, released profiles, claiming them to be mine, with no identification, no consent forms and with the claim that you lost this material. But here we have an expert witness, an expert geneticist and his sworn review" — he swore the document — "and it's not even me and my child. So who did you test, and who did you release? Whose documentation did you release to me?"

No one would answer. I got a very obtuse letter back from the freedom of information in Alberta that said basically: "We don't verify anything that's released. We just order whatever they claim they've got." Well, this is ridiculous. I now have material that's absolutely useless, as it's clearly not mine. And when I went back and said it's not correct, they said: "Sorry, this matter has been adjudicated. We can't go through it again. Done." So access to the documents that I am legally entitled to under the law I will never get.

Some recognition also must be given to…. Even the paperwork that you do get released comes out looking like this. They photocopy it, so it's unreadable — black areas, whited-out — and they say that's fully disclosed. I asked them if they had X-ray vision.

The spirit of the act, of the personal privacy information act, is being absolutely stomped on by the DNA industry, and specifically the paternity-testing industry. The criminal industry has all of their lawyers and everybody and the police all vying back and forth for their own controls over things, and they seem to have managed that well.

Then if you go to genetic testing for diagnostic purposes, it actually would fall under the Health Act. But this little gem sits dead centre. There are no guidelines, and I can't break through the barriers. It took two years to go through the Alberta inquiry process for nothing because now I have possession of material that isn't even mine.

When I went through the one here in B.C., this got even funnier. I quoted this section of PIPA, and the same exists in FOIPP. You're not to use the Freedom of Information Act in any way to bar someone from information that they are legally entitled to. I'm legally entitled to everything in that file because it's a privately paid-for service ordered by the court.

Hamish Flanagan was the adjudicator here in my matter. He said that all of the information I supplied them regarding court rules was unimportant because he doesn't have to consider anything but the Freedom of Information Act itself. He agreed that nothing should be released, because it would violate the privacy of the other parties, which are my daughter and her father.

I found this particularly interesting because we…. On the consent form, when you go in and you sign a consent form, it says, "To be released to all parties, lawyers and doctors, etc.," but because it doesn't actually say "the party," they said: "Sorry, it will be released to your lawyer or to your doctor but not to you." I'm self-represented. I
[ Page 44 ]
am my lawyer. Why am I being barred from information that my agent is fully entitled to request?

This is an act that's being used to hide information and evidence and actually commit fraud on the courts, because the courts are dealing with DNA as if it's written in stone, completely reliable and unable to be tampered with. Well, how can we verify that if we can't get the file to review it?

I'm asking for what I'm legally entitled to. I've been asking for it for 20 years, and every time I keep running up against whichever piece of legislation the labs and the freedom-of-information office can find to block me.

In one case I even found — it was inadvertently released to me, I'm quite sure — a small notation from a lawyer from Vancouver General Hospital in which she was sending a note to one of her fellow legal counsel persons that actually said: "How can we get rid of her? I'm going to talk to the freedom-of-information office to see how we go about it." So the freedom-of-information office is actually now providing counsel to government bodies on how to avoid disclosure rules.

There are a couple of other issues I take with this. The first is that there must be consent. Consent has to be proactive. You can't take an assumed consent, but under the Health Act and under FOIPP, they can exchange personal information with anyone they want — any lab, any doctor, anyone — without your knowledge, without your consent. You have no idea where it is. It's just gone. But under PIPA, fortunately not, which is why they try so hard to avoid PIPA.

The other thing is that the way the lab work works is that if it's private paid and a court-ordered service, the Freedom of Information Act shouldn't in any way apply to that particular evidence. That evidence is not meant to be hidden behind the Freedom of Information Act anyway. So why did I even have to go through four gruelling years of inquiry and all the paperwork leading up to it? Because they want to do it, they do it, and they get away with it.

Now, as a result of having this new geneticist on board, I've actually found a lawyer willing to try to put something together and go back to court. I've been there for 20 years, and I have been thrown out over and over again because they keep saying my case has no merit. How can I prove merit if I can't access the file? I have never ever, ever been able to access the file. Without the file, I can't do anything but keep going back to the court saying: "Please help me. I need the file. I need to cross-examine people. I need to be able to ask questions."

Another response I got from the Alberta freedom-of-information office. I kept asking: "Where did you get these profiles, and how do you actually claim that they're mine? Please indicate how you are telling me that this is my profile when I have another profile with a name on it over here and the two profiles are different."

The freedom-of-information office there said they're not compelled to answer questions. All they have to do is produce paperwork.

The privacy legislation is just simply not working as it applies to the DNA industry. Here is a suggestion I am going to make, and I'm hoping that somebody will listen. It has no place in the DNA industry. The DNA industry by itself…. Specifically, it should not be applied to court-ordered paternity testing in any way, in any act, because the court already has rules for those things — disclosure rules.

Oh yes, the other examples here. These are some more examples of what was released to me. You can see the ridiculousness of my attempting to have this independently reviewed. Blacked out. Whited out. All blacked out. All whited out.

If I sent that to my geneticist and said, "Tell me what you think," he'd say: "It's black ink."

I cannot get past the walls. Somebody is going to have to do something with the privacy act to get them out of the closet here.

M. Bernier (Chair): Thanks for your presentation. Thanks for sharing your concerns and your issue with us.

With that, I'll just look — are there any questions for clarification on this?

D. Routley: The privacy commissioner has expressed concerns about carve-outs of several sections of the FIPPA for the Ministry of Health as a public body. That is in order for the Ministry of Health and all of its agencies to be able to share information as needed to provide care to patients.

It may be that some of the concerns that Ms. Olson has expressed are descendent of that carve-out. You end up with potentially private bodies handling information without the kind of control that is usually required, because of the carve-outs of FIPPA.

I think perhaps we could ask for an opinion from the commissioner. Perhaps, as a committee, we could ask for an opinion from the commissioner as to whether this circumstance is part and parcel of the carve-outs that she's expressed concerns about.

S. Olson: One of the problems with the free exchange of information, whether it be FOIPP or PIPA, is that the DNA industry is also completely unregulated. There's not a regulatory body, and there's no verification of any standards.
[ Page 45 ]

They have a sheet that they produce with their standards list, and you have to just buy it. Unless you can review their work, you buy the fact that they've followed these procedures.

I don't know if they do carve out. How would you even know what they're doing? How would you have any indication of what this industry is doing?

Thank you very much for coming in. Again, we have everything documented, and I appreciate what you handed me here as well. We'll put that in.

With that, we'll take a few more minutes, a recess, to get ready for our next presenter.

M. Bernier (Chair): It's our pleasure to have members from the Private Investigators Association of B.C. with us today for a presentation.

Thank you, gentlemen, for coming. I'll let you maybe do some introductions and start with your presentation.

D. Jones: Certainly. Thank you for the opportunity to come here and speak with the committee. I have here with me the president of the association, Taras Hryb, and don't ask me to spell it. I apparently misspelled it once or twice before. Taras is an ex–Vancouver police officer, and he's been a security consultant and a private investigator now for a number of years.

Also, I'm Dave Jones, and I was a Vancouver police inspector. The downtown peninsula was my area of interest for the last eight years of my career. I retired at the end of 2003. I've been a security consultant and private investigator since then, working for a number of different organizations.

I believe that you've already received a letter from us that outlines the two areas that we wanted to weigh in a little bit on. Essentially, we're weighing in here because we have been exploring for the last year to two years, in conjunction with the ten-year strategic plan for policing in the province, to find a way to deal with the situations…. I guess it's called minding the gap, if you want to use a London expression.

That's the area between what the public would like police to provide and what police are actually able to or resourced to provide. In some cases that means that they don't provide a lot. As a former police officer, it feels bad to say that, but that's simply the fact today.

If you're a business and you have a fraud committed against you, unless it's in the amount of $50,000 or more and you can afford to hire a forensic fraud investigator or accountant, the chances of your getting that matter dealt with through the criminal law is just about none. Only the most serious of offences tend to get dealt with at the fraud level.

Banks and others, of course, have their own legislated investigators who can conduct investigations on their behalf and do that for them, but the average person and small business person doesn't. So sometimes they find themselves having to turn to private investigators. That's just a small piece of what we sometimes do.

There are also the smaller types of offences. Somebody's car is broken into, but it's the fourth time, and a phone-in report to police with no officer attending or even looking inside the car to look for a fingerprint may be past that person's tolerance level, and they would like to reach out to somebody who has some forensic experience to come and see if they can find a fingerprint of value in the car in an evidentiary context that they can then turn over to police.

In the letter I mentioned a case where somebody had had a diamond switched out of a ring. Well, that's not a case the police would ever look at. It's just simply be too complicated for a primary investigator to take on, and to get that past a primary investigator to a detective is very rare. However, a private investigator can put that case together, can get all of the information and start to build a case that can then be followed up by the police with their much greater resources, their ability to apply warrants if necessary. That starts to make some sense to people.

We were looking at this review of PIPA, and we thought that there were two key areas. One was: who does those investigations, and are they ethical, are they principled, are they licensed, and are they qualified and trained to conduct these investigations? We looked at PIPEDA, and we saw that they have something called investigative bodies. As we mention in the letter, that seems to be argumental. People argue about whether that's the right way to go or not. They seem to think that Alberta and B.C. have a better methodology where they define "investigation."

We're suggesting here that along with that definition of investigation, we think that people who are qualified to investigate…. By the way, there's another whole list of people who we don't require to be licensed under the security act in the regs. They include employees of government, local authorities, government of Canada, regional health boards, universities and institutions, B.C. Pavilion, and there's a whole other page of bodies that are exempted from having to be licensed in British Columbia.

But we think that what PIPEDA said here with respect to people having membership in a professional body that subscribes to ethics and principles and that is rec-
[ Page 46 ]
ognized by the security programs division as such and subscribes to PIPA in a very demonstrative way is good legislation for this province, because there are so many people in this province conducting investigations who are (a) unqualified and (b) unlicensed, untrained, and they don't fit into that list of exempted persons in the Security Services Act.

The second piece that we wanted to talk about briefly was…. I had discussions with Vancouver police about Internet investigations and families. What they said to me was that without a warrant, they're pretty much stuck, and then parents often find themselves concerned about their kids, concerned about what's going on. They've seen a behaviour shift. They don't know whether there is an onset of mental illness happening. They don't know if they're being bullied. They don't know if they're involved in something they shouldn't be involved in.

Right now the options for a parent are to try and do the cybercrime investigation themselves, which they're probably not qualified or capable of doing, or to send it off to a local computer shop and ask them to have a look at the hard drive and see what's on there and see what they can scrounge around.

That brings into play, I guess, the privacy interests of adolescent children, in particular. I'm not sure that we're talking about pre-adolescents, but certainly we're talking about adolescent children who may be exploring sexual identity. They may be exploring who they are in many different ways that are not illegal but are very, very personal.

The Supreme Court of Canada in the recent year has said that with respect to ISPs, your IP is as much about you as anything else. It is not a phone number in a phone book. It identifies you. It could be used to follow your surfing habits. It could be used to see where you go. I think that what they've said is that police are going to require warrants in those cases in the future.

Well, I think we can take that over to this particular situation. What does a parent do when they're faced with this difficult dilemma? Who do they call in, and what does that person do? Assuming it's a private investigator with the requisite skills, what exactly is that private investigator bound not to disclose?

I think that investigators are permitted to investigate crimes, and if they find a crime in there, such as the adolescent or the child is going to injured, is being threatened, there's a crime being committed against them or they are contemplating a crime themselves against another person, that that's clearly something that flows over to police very, very quickly.

But if they're exploring who they are in a sexual identity, where does that stand? Is a private investigator bound to not disclose that to the parent? I actually think they perhaps ought not to be able to disclose that to the parent. But they ought to be able to disclose that the kid is being threatened or that the kid is threatening somebody else. That was really….

We don't have an answer for that. We're not legislative drafters, and you have a research analyst over here who is probably much better at putting his head to that sort of thing than we are. And you have lawyers, of course, on staff that can think about what the implications of that might be.

Those are the two main things that we really came here to talk about today. If you have some questions, please go ahead.

M. Bernier (Chair): Perfect. Well, thank you again for coming in and being accommodating on the clock for us as well. We appreciate that. Maybe I'll look at the rest of the panel to see if there is anybody at this time who has questions.

S. Gibson: My understanding is that in order to do investigations, you have to be licensed — right? — so you have to…. Also, I'm given to understand, having known a few police officers over the years, that a lot of your folks are, in fact, as you said, ex–police officers. That gives a lot of credibility to it.

But there are a lot of other things that go on where private citizens do things as a friend to somebody. Say my colleague here Doug Bing — he's in some situation he has. He wants me to help him out, so I end up doing some of the things that private investigators do on kind of a collegial basis. I'm essentially performing some of the things that you would do on just, basically, a personal basis. At the same time, what you folks are doing is, to some extent, surveillance without permission, in a sense. If you're watching me, I don't know you're doing it.

How do you integrate those together, where you've got that professional role as registered private investigators, and at the same time you're doing surveillance, or you're essentially "spying" on people without their permission to elicit information that can be used, often for legal means to win a case for a client? Maybe you could comment on that just briefly — those two issues.

D. Jones: No, the Security Services Act is what I was going to make reference to here. Private investigators are permitted to investigate crimes, which include indictable offences under an act of Canada, an offence under an act of Canada or of a province that are punishable only on summary conviction and prescribed by the Lieutenant-Governor as a crime for the purposes of the act.

The things that private investigators do get involved in are where there's surveillance, there has to be an element of one of those crimes, if you will, or frauds or acts
[ Page 47 ]
that are going to appear ultimately before a judge and a court. I think that people hire private investigators for reasons that the private investigator has to be able to assess whether or not they have authority at all under this legislation to enter into an investigation. Then they have to be conscious of PIPA as to what they can collect, how they can collect it, how they can share it, and whether they can share it at all.

It's a complex area. When people come to somebody who has some special skill or knowledge in an area and ask them to have a look into something, they're really treading in a risky area in terms of their own personal liability for doing so. But they're also not providing a service in its full value to the person who's come to them, because they really don't know what they're doing in most cases, unless it's a very, very specialized area.

We have a lot of investigations that have been conducted by people in organizations that have led to an analysis of their computer and their e-mail. We have one colleague who does a lot of those follow-up investigations and has found that in many cases, the IT people have made mistakes, and people have been fired as a result of that. That's the case where people don't have the training of a private investigator, they don't have the authority or licensing of a private investigator, they're doing something they ought not to do within an organization, and there are consequences to people.

I guess, quite simply, we're licensed to do this work, and we're expected to do it in an honourable, ethical way, and we're expected to be bound by PIPA and the Security Services Act. Those are the people who should be doing the investigations.

There is a whole list here of people, as I said, who are exempted from this. Most of those are because they're legislated. For instance, the bank investigators are legislated federally to be able to do that kind of work, so they don't come under the B.C. Security Services Act.

T. Hryb: Yes. First of all, I take your exception with regard to having a friend or an acquaintance help a parent out with regard to their knowledge. What we are addressing are commercial enterprises. When a parent engages someone in a commercial transaction to render them a service, that's where the regulations would come in. That's where PIPA would come in. I don't believe PIPA applies to someone who is a private citizen, who's just been asked to come in and help.

The next thing. You mentioned the surveillance aspect. We are, essentially, an extension of the rights of a private citizen. Private investigators have no more ability to do anything than any other private citizen can do. If a parent or a corporation or a regular citizen were to engage our services, we cannot do anything more, legally, than what they could do for themselves. We are constrained by those things. So when you discuss surveillance…. If we were to be engaged in an act of surveillance, we'd be doing nothing more than what a normal citizen would have the legal right to do.

The next thing is that in our document here we have a list of services that private investigators undertake. Surveillance forms a very minor part of that. In fact, in my case — and, I'm certain, in Dave's case — I do no surveillance. All my work is overt investigation, where I approach people, I'm upfront, I disclose, I gather information, I investigate — very much like, perhaps, a patrolman or someone in uniform or a detective would do. I don't play the role of an undercover operator or do any surveillance in my business. I think you would find that for many, many private investigators, who are professional and licensed, that forms a significant part of their work. The surveillance or the sneaking around is a minor part.

S. Gibson: Just another super-quick question. Do you see where the culture of our society…? I know this sounds like a big philosophical question, but it relates to what we've heard before from the PIPA folks. Do you see your role as private investigators being compromised increasingly because of the fears of surveillance, of privacy, all those kinds of issues? Do you see your role being mitigated? Maybe that's my question.

D. Jones: We certainly see that a lot of large corporations are very cautious about the instructions that they provide to a private investigator when they're doing a surveillance. Some corporations require them, if approached by a person, to disclose that they are in fact a private investigator watching them.

Those would tend to be insurance claim–type issues, where somebody's claiming an injury of some sort. They see a car following them, and they stop and come back and say: "Who are you?" Some corporations are very cautious about that. They want to be very upfront — "Yeah, we're having a look at you" — although at the same time, they want to be in the background so that they catch the act that they're concerned about. But they will back off in that case.

I don’t think private investigators are feeling overly constrained. There have been some high-profile sorts of incidents, court cases, where a private investigator was using a hand-held video camera, and there was a lot of criticism about that — you know, distracted driving. Now most of them have mounted cameras that don't require their physical intervention to take pictures and things.

It's a murky world there. It's not overly clear sometimes what you can do. But I think what is clear is that you must have a crime, and you must be involved in an investigation. I think that from our perspective, we would rather have people who are trained to do that, who are knowledgable about PIPA, who are knowledgable about the Security Services Act, knowledgable about the law, who
[ Page 48 ]
are prepared and able to give evidence in court. I think I'd rather have those people doing that kind of work, who are accountable to the province.

A PI licence can be pulled in a heartbeat if somebody does something wrong and gets a complaint. The police actually have a better system in some cases, because they're far more protected by it than a security worker is. A security worker is at the whim of a complaint. If security programs thinks that there's some merit to it, they can find themselves suspended very quickly and an investigation entered into. You don't have that with most private citizens.

At least with a licensed person you have that ability to complain about their behaviour and to challenge them on the documentation they have. You can make a PIPA request for what it is, and you can even require — I think it's section 24 — that they correct any incorrect information that you have in a file, which, by the way, I quite like in FIPPA as well. I just wish the police were better at correcting information.

We had an incident with one of our private investigators who was involved in assisting the police with a homicide and got stopped at the border. All that came up was "a person of interest in a homicide," because that's the way the police do it. But the file was closed, and they had an awful time getting that fixed.

G. Heyman (Deputy Chair): Just to clarify, following through on the example that you gave. If an investigator was retained by a parent or parents to check into the activities of their child on the Internet, whether that involved looking at a hard drive or not, would you consider the authority for that to flow from an assumption or a belief, an honest belief, that there may be something illegal either being carried out by the child or by somebody else with respect to the child? Or is it simply a matter that the child is a minor in the care of the parent?

D. Jones: Well, the child is a minor in the care of the parent. The parent owns, likely, all of the computer equipment and property. And I think that's why we raise this particular issue — that it's not overly clear just where a private investigator could step in there. Certainly, the police are very apprehensive about it and, as I said, recently said to me that in that situation, unless there was something really explicit — and even if there was — they'd still probably want to have a warrant in order to collect it.

D. Routley: My question is closely related to the one that George just asked. I wonder…. The concern that's expressed here seems to have a twofold foundation.

One is the liability, potentially, for the private investigator and where the lines would be drawn pertaining to privacy rights of an adolescent and how the private investigator would know whether or not they're operating within those constraints. The other is the potential damage to the relationships within a family, given the examples that you put forward, and other potential negative outcomes that aren't related to a criminal act but could have harm.

What my question would be is: are you aware of precedence that's been set in establishing that line between the privacy rights of a child in this case or in the case that you mentioned? Has there been any case that has indicated a liability to a private investigator for sharing information of an adolescent or limiting the access of parents?

D. Jones: Taras may be aware of one. I'm not. But almost those exact words came out of my wife's mouth when I was talking to her about this. She's an adolescent therapist and a health worker, and she said: "If you're calling in a private investigator, the relationship between the parents and the child is already compromised to an extent that it could be very damaging." It's like, I guess, in days past, before technology, finding the key to the diary and opening it and reading it as a parent. You know, have you stepped over a line? Probably not legally, but in terms of your relationship, you've stepped over a huge line.

But I think that we've seen cases — two in the last year or so — where young girls have been threatened on line and have…. I think the most recent one was a young girl who had a sex video, and an individual tried to extort more nude photos from her in exchange for not distributing the video and then turned around and did it when she refused. Those are the types of investigations that the police get involved in, but only when they come to the attention of the parent or the child becomes sufficiently concerned that they disclose what's happening.

I'm talking about the incidents where the parent is seeing a dramatic shift in behaviour and is uncertain of what's happening. Where do they go? What do they do with that? If they do decide to take the computer into the local shop…. I think that's a bigger concern than having somebody who's licensed and has a code of ethics and subscribes to all of the PIPA elements doing that.

D. Routley: I have to say I really appreciate the tone that this is delivered in. The concern is, I think, well beyond your self-interest, and I think it behooves that we pay some special attention to that as well. You've pointed to some potentially very damaging problems that could be created, with innocent intent, but I appreciate the spirit in which it's delivered.

D. Bing: Thank you for your presentation. I just have a couple of questions. The first one relates to…. I wonder how many members belong to your association and how
[ Page 49 ]
many unlicensed private investigators there are out there. A second one is: you were saying there's a need for investigators to be licensed, properly trained and accountable. How would you go about doing that, to make sure all investigators were meeting that standard?

In 2008-2009 the Security Services Act was amended. It created a responsibility for a lot of people to get licensed that had never been licensed, so the security programs division sent out letters to a lot of organizations saying: "If you have people who are doing security for your business" — they're providing security advice or they're doing investigations — "they now need to be licensed under the legislation."

It's five years later, and there are still an awful lot of people out there, a lot of organizations, who are conducting investigations and who don't have the licensing to do those investigations. We're waiting for those cases to start to flow through the courts, where people, I guess, wise up to the fact that a lot of people are doing investigations. People are losing jobs over investigations that may or may not have been done by qualified people and licensed people, and I think that's a key area of concern for our organization.

If we want to push people towards, I guess, a higher moral position, to a more ethical position, we want those people to be members of an organization. We want them to be licensed, and we want them to be active participants in the process, not one-offs sitting in an office somewhere deciding that they have the ability to decide somebody else's life on the basis of incomplete training, inadequate skills and not licensed or accountable in that sense.

T. Hryb: We have two categories of private investigators in British Columbia. The first category is private investigators under supervision. These are people who have entered the industry and are being trained. Our association developed an on-line learning program through the Canadian Police Knowledge Network, and security programs has accepted that as the base-level training that's required for everybody who is now entering the industry.

After about two years of work that person, after their experience is assessed by security programs, can be licensed as a full, unrestricted private investigator. There are approximately — the last figures I had from Mr. Fraser Marshall — 700 unrestricted, licensed private investigators in British Columbia, and there are approximately 400 private investigators under supervision in British Columbia.

Our membership within PIABC has ranged from a low of approximately 100 members to a high of approximately 300 members, but we're the only association in British Columbia that represents private investigators. There is no other private investigator association in the province.

Every province has a private investigator association. The unfortunate matter is that many private investigators, although they are licensed and very ethical, choose not to join because there's a cost to membership. It's as simple as that.

One of the problems we have with unlicensed investigators is being experienced to a great extent in Ontario. Ontario has a very high population. They have very similar regulations to what we have in British Columbia, but what they're encountering now is that a lot of people are advertising on Kijiji or Craigslist, etc. "Let me follow your spouse, your girlfriend" — whatever — "and I'll find what you need to know." Totally unlicensed, totally unethical, don't know what they're doing, and they can put people in danger.

I'm aware of situations where people who are unlicensed have followed people and disclosed something that resulted in that person being in physical danger as a result of that disclosure. Licensed, ethical private investigators don't do that, right? When we are asked to find people, once we find them — if we are doing a people trace — we ask that person's permission to disclose their location and the fact that we found them. If they don't give us that permission, we don't report that back to our client. That's the way we do things.

With regards to the numbers, we tend to represent approximately anywhere from 15 to 25 percent of the licensed industry in British Columbia.

M. Bernier (Chair): Excellent. Well, seeing no further questions, I want to thank you, gentlemen, for coming in. Again, I appreciate your flexibility on the time for coming in. It's much appreciated. Also, thanks for the submission, which will be attached in here.

M. Bernier (Chair): Thanks, everyone. Welcome back. We have our other presenter here this afternoon. Anna Hardy is here from Central 1 Credit Union.

A. Hardy: Thank you very much. It's very nice to meet you, Mr. Bernier. I was actually in Dawson Creek for the first time a couple of weeks ago and very much enjoyed it.

Good afternoon, and thank you very much for inviting me here today. My name is Anna Hardy, and I'm the regional director of regulatory affairs for Central 1 Credit Union.

Central 1 is the central financial facility and trade as-
[ Page 50 ]
sociation for all the credit unions in British Columbia and our member credit unions in Ontario. My submission reflects the consolidated feedback of our 43 B.C.-based financial institutions. We are cooperative financial institutions that are dedicated to driving the economic prosperity of the province by paying dividends, financing commercial projects and residential mortgages, and staying committed to the financial success of the one in three British Columbians who are our members.

From Masset to Surrey, credit unions take privacy very seriously. Our suggestions to improve the Personal Information Protection Act are intended to ensure that we can continue to protect our members and employees to the greatest extent possible.

I'll divide my remarks into three main sections: areas of the legislation where greater clarification would be beneficial, areas of the legislation that we feel should be changed and areas of the legislation that should be made consistent with federal statutes and guidelines.

In general, credit unions feel that compliance with the act would be better supported with enhanced guidelines and standards. For example, clarification would be particularly beneficial in terms of fees. Section 32 permits organizations to charge a minimal fee, which is vague and does not acknowledge that it can be sometimes costly to carry out access requests and that sometimes one request requires numerous detailed searches.

We recommend instead that a fee schedule be established in regulation and that the term "minimal" be replaced with "reasonable" in the act.

Additionally, privacy legislation is becoming more consumer-centric, viewed as opt in as opposed to opt out. PIPA provides that consent can be deemed or implied in certain circumstances subject to reasonability, which is somewhat of a moving target and difficult for credit unions to assess. We recommend that reasonability be defined in the act or regulation and that circumstances in which opt-out consent be relied upon be defined.

Credit unions often build longstanding personal relationships with their members, and acting in the best interests of those members throughout their lives is extremely important to our principled approach to financial management. Unfortunately, circumstances in which members, particularly the elderly, become subject to financial abuse are becoming increasingly common.

While section 18 does permit the disclosure of personal information without consent if the disclosure is "clearly in the interests of the individual and consent cannot be obtained in a timely way," it is unclear in which precise situations this may be done, how and to whom. Furthermore, these circumstances may not necessarily constitute clear fraud, and credit unions must balance the risk of disclosure against a member's financial health and safety, terms not contemplated in the act.

We recommend that financial institutions be given authority and guidance on reporting suspected financial abuse to an individual's next of kin or authorized representative. This would also be consistent with the federal Privacy Act.

I should also mention that Central 1 participates on the Ministry of Health's Council to Reduce Elder Abuse and that credit unions are aware that they can disclose abuse to the Public Guardian and Trustee. However, in cooperation with this group, it was established that the PGT doesn't necessarily have the capacity to deal with an increasing volume of financial abuse cases, and disclosure to next of kin may be less intrusive in some circumstances.

Similarly, only a personal representative or nearest relative can currently act for a deceased individual — for example, when requesting information about the deceased's estate. This is problematic in the not infrequent circumstances in which there's no nearest relative or personal representative immediately identified.

Consistent with the 2008 report of this committee, we recommend that PIPA be amended to allow for the release of the deceased's information to a specified individual, such as their legal counsel.

The final change we recommend is to amend PIPA to allow for the use and disclosure of an employee's personal information without consent in limited situations where it is of benefit to a relationship with a previous employer. The existing requirement to only use personal information if there is a current employment relationship can lead to difficulty in the administration of pensions or benefits by a former employer.

In moving to consistency with federal legislation, under Canada's new anti-spam law — or CASL — the electronic commerce protection regulations make an exception to the consent requirement for commercial electronic messages sent following a referral if certain conditions are met. Yet under PIPA collection of personal information is not permitted in this circumstance.

Credit unions believe that CASL strikes a reasonable balance between commercial and individual interests and ask that PIPA be brought up to date to be consistent with CASL.

Additionally, the act's definition of source of information available to the public is too narrow, given the proliferation of the Internet and, particularly, social media. Consistent with CASL, we recommend that references in the act reflect technological advances.

Finally, while we have already adopted the best practice of notifying individuals in the rare event that the security of their personal information has been compromised, credit unions support amending PIPA to explicitly require privacy breach notification, consistent with federal legislation.

Credit unions have also adopted the best practice of retaining responsibility for personal information trans-
[ Page 51 ]
mitted to third parties via contractual or other means, as required in the federal Privacy Act, and ask that B.C.'s law be brought up to date to avoid confusion.

Hon. Members, thank you for your attention. The credit unions of B.C. are committed to the long-term financial security of their members and, through them, the economic prosperity of our province. PIPA is an important tool in helping us to achieve these goals reasonably, and we look forward to your amendments that will bring this legislation up to date.

I'll look around in a second. I've got a few I want to ask, though. Of these recommendations that you put forward, first of all, are any of them unique to the credit union or all mainstream banks? I'm just wondering. Any recommendations that we might put forward have to be broad enough to encompass everybody, possibly — right?

A. Hardy: Right. The banks, as federally chartered financial institutions, would in most cases be following PIPEDA.They would be permitted, through a recent legislative amendment, to disclose suspected financial abuse to a next of kin or authorized representative, and that's something that credit unions would request as well. Nothing in here is something that a bank wouldn't be allowed to do.

M. Bernier (Chair): I'm wondering if you can give me an example or clarification on one of your points — the third one you had, about giving information without consent around previous employers and that. What's an example there?

A. Hardy: That's one where…. I think the precise wording in the act basically states that there has to be an employment relationship. This is something where the administration of the pension or benefits…. Sometimes contacting that person is difficult or just very cumbersome, and it's mostly just to do simple administrative matters.

I can get a precise example of when that might have happened for you and follow up with the committee. But it's really just a matter of…. If it was a previous employer, there's no current employment relationship, so you can't disclose without consent, which leads to time delays and inconvenience for all parties.

M. Bernier (Chair): Okay. Well, thanks for that. I was just trying to wrap my head around that specific recommendation of how it would be applicable.

S. Gibson: Two quick ones. I'll just spin off that one, Mr. Chairman. That was the one I had highlighted too.

In that particular one that the Chair was referring to, can you give us an example of one where consent isn't needed? I think that's where you were going, and I don't think we got an answer on that. "Without consent" implies that the person wouldn't want to give consent or somehow they're not available. This one, I think, would be a bit dubious to me, based on what you were saying. Can you give a specific example of that one that would maybe allay my fears and maybe the Chair's fears too? I think it was well taken.

A. Hardy: I can't right now, but I can follow up with a precise example with Susan.

S. Gibson: Okay. My only other question is…. Credit unions are an amalgam of organizations under your rubric here. If I'm a member of Vancity and I'm sharing certain information with Vancity, is it presumed that that information would automatically be shared with another credit union, or is each individual credit union completely autonomous and discrete in their information?

A. Hardy: That's right. Every credit union is discrete and individual, based on the protection of their clients' personal information. None of that information is shared with other credit unions.

S. Gibson: So you as a central credit union have no access to the information of individual credit unions?

A. Hardy: No. We have access to the information of credit unions broadly — you know, their capital base and their liquidity — but we don't have access to personal information of the members of any particular credit union. If the credit union was to disclose information about a particular member to us, then they would have to get the consent of that member.

M. Bernier (Chair): It's what I've found when I've had to deal with different credit unions. They don't talk.

G. Heyman (Deputy Chair): Just in follow-up to Mike's and Simon's questions regarding release of information without consent, I think I understand the point you're making about avoiding delay and inconvenience, but of course, that's always the balance that has to be taken into account when protecting someone's privacy.

If you are going to forward to us further examples, it would be useful for you to identify if this in fact is no different a circumstance than releasing similar information to the current employer. I think Simon's point that someone may well not want the information released…. If it's not a question of fraud being suspected by a former employer in administration of benefits, it does raise the question about whether we're opening a door that is better left closed.
[ Page 52 ]

A. Hardy: Agreed. I think the issue there is that for a lot of people who are retired and receiving a pension, they might still view that employer that's paying the pension as a current employer. The fact that the act makes that distinction between a current employer and a previous employer is sometimes surprising to both parties. But I will definitely follow up with examples.

M. Bernier (Chair): For us, going forward, it's great to be able to have some background to reference to.

S. Gibson: Well, I'm comforted by the fact that she'll be returning to us with additional information. I'm sure that'll be helpful.

D. Routley: Under the "consistency with federal legislation," I see: "Additionally, the act's definition of 'source of information available to the public' is too narrow, given the proliferation of the Internet and social media." In recommending that that scope or definition be expanded, what guide would you expect the committee to take?

A. Hardy: If you look at the recent legislation, the guidelines and regulations in CASL, the source of information available to the public includes things like tweets, posts to Facebook and things like that. We would recommend broadening that scope in the privacy act to include "source of information available to the public" to be consistent, just so that there's no confusion as to what is considered public in PIPA versus CASL.

D. Routley: It just seems that in a way, then, the complaint is that the definition is too broad rather than too narrow. If the source of information is available to the public, it seems fairly broad, whereas narrowing the definition to specific sources seems like a narrowing rather than a broadening.

A. Hardy: I think the issue is…. It's not so much a complaint as just a weariness on the part of credit unions. If in federal legislation it says that this is considered public and then in provincial legislation it's somewhat unclear, they just want to be on the same page for both — if that makes sense.

G. Heyman (Deputy Chair): I just want to return to the issue of fees and minimal fees. You suggest that a schedule be established in regulation. If my memory serves, currently the commissioner can determine if fees are appropriate or excessive, or deal with complaints.

A fee schedule established in regulation would likely be fairly rigid and might not take into account all of the factors that the commissioner might consider, in terms of not only the scope of the requests themselves but the capacity of an organization to meet requests and, therefore, the responsibility of the organization to respond to requests, given its size.

Would it be equally useful or more useful for the commissioner to make a broad set of guidelines available? They may already exist. I may not have paid enough attention. But in trying to contemplate a fee schedule, I think it may actually be a disservice.

A. Hardy: A set of guidelines would be appropriate as well. It doesn't necessarily have to be a schedule. That was just something that I think the credit union said would add a lot of clarity.

Obviously, the term "minimal" — it's variable depending on what organization you're applying that to. We have credit unions that have five full-time employees. A minimal fee to them…. It would not necessarily cover the expense of having one of those full-time employees executing a request versus a larger credit union that would have one full-time employee specifically dedicated to executing those requests.

"Minimal" is just a very vague term. A set of guidelines would be sufficiently helpful. Just some clarity around that term would be: what the request would be.

D. Bing: Thank you for your presentation. I was just thinking of your point about the inconsistencies between provincial and federal regulations. I was thinking that this problem must exist in every province, and I was just wondering if there was any idea of having consistency between provinces. Obviously, we're different bodies, and we make different regulations, but in order to be consistent, it should be similar right across the country.

A. Hardy: Well, it's interesting, because…. Central 1 also represents most of the credit unions in Ontario, and the federal Privacy Act applies to our credit unions in Ontario because the rule is that it applies to any province or jurisdiction where there is not equal or stronger privacy legislation. So our credit unions in B.C. are actually subject to more stringent requirements than the credit unions in Ontario.

Should there be one privacy act across the country? I'm not necessarily sure that the federal privacy legislation is the best route to go. I would argue that B.C.'s legislation is stronger and better serves members of the public.

But it is an issue, particularly for our organization, as we have to provide advice and services to credit unions in, currently, two jurisdictions. So yeah, I think wherever
[ Page 53 ]
possible it's just best to ensure consistency, and in areas where maybe one piece of legislation is weaker than the other, I would say go for the stronger requirements.

D. Bing: In your opinion, are the regulations in Ontario similar to B.C., or is it stronger or weaker?

A. Hardy: In Ontario it would be the federal legislation, and it's a little bit weaker, yeah. Although that might change. It's currently being reviewed by the federal parliament.

D. Routley: The recommendation around fees is for a schedule. I think the experience with FIPPA and complaints to the Privacy Commissioner on fees has been so far-ranging…. And the commissioner will consider not only the expediency of the organization — which, of course, you're representing on the behalf of credit unions — but the perspective of the consumer. So from the consumer's point of view, "minimal" is a better word than "reasonable," probably.

But the application of a schedule has always been difficult — not only to achieve as a snapshot in time but to have it evolve with the evolving costs, or a decline or increase in costs, of meeting the requests.

FIPPA includes a reference or a description of fees needing to be reasonable. It all speaks very directly to the basic intent of these acts in that when they were initially debated, the intent was never to allow fees for information to become an obstacle to freedom of information and to transparency. So that recommendation does go to the very core of the spirit of the act. The people's right to their information is not to be impeded unnecessarily — obstacles put in place in the form of fees or anything else, process.

You seem not committed to one or the other. If PIPA were to be amended to reflect the definitions in FIPPA, which are "reasonable fees," would that, do you think, address the problem that you're identifying?

M. Bernier (Chair): Okay. Just looking around, it doesn't look like we have any more questions, so thank you very much for your presentation and your recommendations that you put forward. Those now will be part of the package that we, as a group, will continually discuss as we put forward our recommendations. Thanks again for coming in.

George, did you want to bring forward anything that we talked about earlier for a question on the record for research?

G. Heyman (Deputy Chair): No, I don't think we need any particular research done by the Clerk's office at this point. I think some of the information that I was looking for with respect to when a minor is considered to be capable of giving consent or not capable of giving consent is partly dealt with by the regulation to this act and partly dealt with in other acts that might be instructive for us. I'll track those down and circulate them to the committee through the Clerk.

D. Routley: Could I ask the Chair if it would be possible for research to acquire for us the contract mentioned by Mr. Gogolek of the B.C. Freedom of Information and Privacy Association, signed on September 23 with Salesforce — a contract for data storage?

S. Gibson: The only area that might be fruitful — and I'll turn it over to you for your opinion — is that there was some, I thought, interesting discussion with regard to the advisability of separating the matter of consent out from a lot of text that was given in terms of documents. It seems to me there was some consensus here that that would be advisable.

So we might want to ask our research folks to come back with maybe some formula or some way to delineate the approval for release of information over and above the traditional information that an employer or a company would require that we would accept as a matter of course in dealing with the wheels of commerce.

But I think there was some sense, both from some of our delegates and, also, today from our group, that it would be useful to perhaps legislate or at least entertain the idea of delineating, separating, the approval of release of information — that consent would not simply be one of 45 points on an approval document.

I'm wondering what, Mr. Chairman, you'd think about that — whether you'd like to pursue that.

M. Bernier (Chair): Well, you just put it on the record there, and I saw our researcher writing that down. Obviously, right now it's just at the point of gathering a lot of information, so we'll make sure for the next meeting we can debrief after we absorb some of this, for sure, and get a bit more.

With that, right now we do have the deadline — which is Friday, September 19 — for people to make submissions, and I'm just looking to the rest of the group, if everybody's still comfortable with leaving that date that we've advertised.
[ Page 54 ]

G. Heyman (Deputy Chair): I just have a question. We have, to date, received only one written submission. Is that correct?

G. Heyman (Deputy Chair): Okay, I stand corrected. I would just ask the Clerk if there are any organizations with a traditional interest in this legislation who we might expect to have made a submission who have yet to make it.

S. Sourial (Committee Clerk): There are probably numerous groups that have yet to make a submission. I was talking to one group in particular, and I think one of the things is…. It's the handing in of your homework at the very end of the deadline. It may be still a bit early to receive the submissions from the larger organizations. Perhaps we can update the members a bit closer to the deadline, and then the members could determine if they need to extend that deadline.

G. Heyman (Deputy Chair): You may already have done this or be in the process of doing it. Would it be appropriate to just circulate a reminder to — I'm not suggesting absolutely everybody but — major stakeholder groups who have submitted in the past to remind them of the deadline and ask them if they intend to make a submission?

S. Sourial (Committee Clerk): We have circulated a reminder e-mail — I think it was in August — to all the stakeholders that were invited. We can certainly send out a second reminder e-mail.

M. Bernier (Chair): With that, then, I just want to thank our Clerk, Susan, and Byron with research and our good friends with Hansard for coming here today and thank all of the presenters for their time, as well, to bring the information and their recommendations forward to the panel.

Access to on-line versions of the report of proceedings (Hansard)
and webcasts of committee proceedings is available on the Internet.

Chair:	* Mike Bernier (Peace River South BC Liberal)
Deputy Chair:	* George Heyman (Vancouver-Fairview NDP)
Members:	Donna Barnett (Cariboo-Chilcotin BC Liberal)
	* Dr. Doug Bing (Maple Ridge–Pitt Meadows BC Liberal)
	* Simon Gibson (Abbotsford-Mission BC Liberal)
	* Sue Hammell (Surrey–Green Timbers NDP)
	* Marvin Hunt (Surrey-Panorama BC Liberal)
	* Doug Routley (Nanaimo–North Cowichan NDP)
	* denotes member present
Clerk:	Susan Sourial
Committee Staff:	Byron Plant (Committee Research Analyst)

Witnesses:	David Christopher (OpenMedia.ca)
	Vincent Gogolek (Executive Director, B.C. Freedom of Information and Privacy Association)
	Anna Hardy (Central 1 Credit Union)
	Taras Hryb (President, Private Investigators Association of British Columbia)
	Dave Jones (Private Investigators Association of British Columbia)
	Sandra Olson

4) Private Investigators’ Association of BC	Dave Jones
	Taras Hryb

REPORT OF PROCEEDINGS(Hansard)

SPECIAL COMMITTEE TO REVIEW THE PERSONAL INFORMATION PROTECTION ACT

REPORT OF PROCEEDINGS
(Hansard)

SPECIAL COMMITTEE TO
REVIEW THE PERSONAL INFORMATION PROTECTION ACT