Review the Personal Information Protection Act — Issue No. 6

Present: Mike Bernier, MLA (Chair); George Heyman, MLA (Deputy Chair); Donna Barnett, MLA; Dr. Doug Bing, MLA; Simon Gibson, MLA; Sue Hammell, MLA; Marvin Hunt, MLA; Doug Routley, MLA

2. The following witnesses appeared before the Committee and answered questions:

• Bette-Jo Hughes, Government Chief Information Officer and Associate Deputy Minister

• Sharon Plater, Acting Executive Director, Legislation, Privacy and Policy Branch

The following electronic version is for informational purposes only.
The printed version remains the official version.

REPORT OF PROCEEDINGS
(Hansard)

SPECIAL COMMITTEE TO
REVIEW THE PERSONAL INFORMATION PROTECTION ACT


CONTENTS
Page
Briefing: Personal Information Protection Act	57
B. Hughes
S. Plater
E. Denham
M. McEvoy

M. Bernier (Chair): Good morning, everybody. We have a couple of presentations this morning again. Thanks to the committee members for coming in and, also, to the presenters.

We’re going to start off with Ministry of Technology, Innovation and Citizens’ Services. We have Bette-Jo Hughes and Sharon Plater with us.

B. Hughes: Good morning, Members. I just wanted to start off by thanking you for allowing us to come back and offer some final thoughts and provide closing remarks before you get ready to make your recommendations. We understand that there have been a number of submissions, so we very much look forward to the recommendations that will come out of your review.

We also wanted to take the opportunity to thank the individuals and the organizations who took the time to present their ideas to the committee on how PIPA could be improved. We see these reviews as invaluable in ensuring that we are keeping our privacy laws current, practical and meaningful.

We have a very brief agenda. On slide 2 you’ll see the agenda. What we wanted to do today is just place some of the current submissions into context of those that were made in 2008. We wanted to highlight a few of the more high-profile issues and provide some updates with respect to developments in those areas and, lastly, just point out a few general observations respecting the current submissions, which I think will be useful when the committee is reviewing these submissions before you develop your recommendations.

At this point I’m going to hand it off to our subject matter expert on PIPA, Sharon Plater, and she will go through the next group of slides.

S. Plater: Good morning. As we mentioned in our introductory presentation in May, the Ministry of Technology, Innovation and Citizens’ Services has considered the recommendations made by the 2008 committee, and we’ve taken those recommendations out to stakeholders for comment. As a result of the ministry’s own review and those consultations, the ministry has agreed to propose amendments to PIPA based on those 2008 recommendations at the next available opportunity.

We also noticed that a number of the current submissions asked for amendments that were made and rejected by the 2008 committee. We’d like to ask the committee, when it is considering these previously requested amendments, that it look to the reasons cited by the 2008 committee for why they did not support or consider these recommendations for further action.

With the 2008 recommendations in mind — this is slide 4 — I would like to bring particular attention to mandatory breach notifications. Mandatory notifications were brought before the 2008 committee by the Office of the Information and Privacy Commissioner and other groups, and again, during this current review, this issue came up again.

A number of the submissions mentioned federal Bill S-4, which, among other things, will amend the private sector privacy act, PIPEDA for short, to incorporate mandatory breach notifications. Some submissions emphasize the passage of Bill S-4 and the need to amend PIPA to ensure it remains substantially similar to federal legislation or risk PIPEDA applying in B.C., and this is generally true.

Government has been closely monitoring the progression of Bill S-4. Our understanding is that it reached second reading in Senate on November 5, 2014, and was referred to the Standing Committee on Legal and Constitutional Affairs. As such, it has not yet become law.

We do recognize that Alberta was an early adopter of the breach notification provisions in May 2010. While B.C. does strive to align as much as possible with Alberta’s legislation, given that they touch similar business groups, it is not required that B.C.’s PIPA remain substantially similar to Alberta, as some groups have seemed to suggest.

An amendment to mandatory breach notification in PIPA was included in the consultation package that went to stakeholders and is part of the proposal that the ministry has agreed to take forward at the next opportunity.

The next slide, significance of the Supreme Court of Canada ruling respecting Alberta’s PIPA. On November 15, 2013, the Supreme Court of Canada released a ruling invalidating Alberta’s PIPA on constitutional grounds. The Supreme Court decision acknowledged the importance of PIPA’s restriction on the collection, use and disclosure of personal information by organizations but said that they infringe on the union’s freedom of expression, a fundamental right in the context of labour disputes.

The Supreme Court found that that this infringement is disproportionate to PIPA’s objective of giving adults control over their own personal information. Alberta was given one year to amend their act in relation to the Supreme Court decision. This date expired recently, and the Supreme Court extended the date of completion to May 15, 2015.

The ruling does have an impact for B.C., as B.C.’s and Alberta’s PIPAs were drafted together with the idea of providing consistency for individuals and organizations
[ Page 58 ]
across the two provinces. Unlike Alberta’s PIPA, though, B.C.’s does contain a provision that allows organizations to collect and disclose personal information gained through observation at public events. A related ruling may be slightly different, given this particular provision. The provision, however, is still probably not broad enough to address the particular labour issues that were raised in this case.

The government understands that it will need to amend PIPA legislation so that it will not be subject to a similar ruling if a B.C. case is taken before the courts. We will continue to monitor Alberta’s response so that consistency of approach is achieved as much as possible.

The next slide, Supreme Court of Canada ruling, R. v. Spencer. This ruling is mentioned a lot in the submissions and has to do with warrantless searches by law enforcement, and that’s a very broad interpretation.

Section 18(1)(j) of PIPA does permit disclosure of personal information without consent “to a public body or a law enforcement agency in Canada, concerning an offence under the laws of Canada or a province.” The disclosure is “to assist in an investigation, or in the making of a decision to undertake an investigation,” in two instances: “(i) to determine whether the offence has taken place, or (ii) to prepare for the laying of a charge or the prosecution of the offence.”

There were a number of suggestions in the submissions that section 18(1)(j) should be altered to reflect the Supreme Court ruling. I wanted to let you know that we are aware of the ruling and that we’re taking a close look at it to see if it has any impact on PIPA. Then we’ll address that accordingly.

Finally, there were some themes in the submissions that we’d like to provide comment on. One of those related to other legislation. There seem to be some concerns related to legislation such as the Freedom of Information and Protection of Privacy Act and the Strata Property Act that the submitters wanted to address through amendments to PIPA.

One of those, in relation to FOIPP Act, was where sensitive information was having to be provided by private contractors to government, and in the case of the Strata Property Act, it was where individuals wanted access to information about the strata council’s workings.

I just wanted to mention that one of the principles underlying the development of PIPA was to keep it easy to understand, to keep it simple so that the broad spectrum of organizations that operate in B.C. — including the large number of very small organizations, businesses and not-for-profit groups — could interpret the legislation without having to have legal counsel at their side.

If we try to use PIPA to repair perceived deficits that are occurring in other pieces of legislation, it has the potential to undermine the clarity that’s in PIPA and produce a complex piece of legislation that can be both cumbersome and confusing.

To avoid this outcome, we respectfully suggest that recommendations that relate to other pieces of legislation be referred to the ministries that are responsible for those pieces of legislation. Or in the case of FOIPPA, it could be referred to the FOIPPA special committee, which is legislatively mandated to be struck in 2016, which is just a little more than a year away.

Another theme that we saw, seemed to be related to access to general — i.e., non-personal — information. When PIPA was constructed, it was meant to be substantially similar to the federal private sector privacy law and to deal precisely with the privacy of individuals. The only access provision that is in that legislation relates to an individual getting their own information.

The reason that’s there is so that that individual can understand what information the organizations hold about them, how it is used, to whom it has been disclosed and, also, to assist that individual in making corrections if they want to do that or if it’s necessary. They weren’t meant to be access-to-information acts, like the FOIPPA, which applies to information about government operations or public body operations, as well as access to your own personal information.

There’s this kind of a blurring of lines there in the requests that individuals are making for that more general access. That’s probably dealt with better in a different way than through what PIPA was designed to be, which is privacy legislation.

Finally, in a number of instances, there were concerns that PIPA was being used to override other pieces of legislation to prevent information from being accessed. I just wanted to emphasize that there is a provision in PIPA that states that the disclosure of personal information is authored under PIPA if “the disclosure is required or authorized by law.”

This means that if an organization is regulated by law, it could choose to disclose information if its governing legislation permits it to do so. So there is that facility in PIPA that allows an organization to disclose information if they have authority in law to do so.

With respect to PIPA being misconstrued or misinterpreted, there are many opportunities for an organization to gain understanding of how the provisions in PIPA were meant to be read, how they were meant to be implemented. When PIPA was introduced, the government organized over a year of training that went to all areas within the province and also was open to all not-for-profit and business organizations if they chose to have a provincial representative come and provide training to them.

In addition, there was a large number of policy documents put up on the office of the chief information officer’s website. Those are still there today. They allow an organization to structure a very compliant privacy program for their organization.

Today the office of the chief information officer offers
[ Page 59 ]
PIPA training twice yearly, in Vancouver and Victoria. As well, there is implementation and precise training at the Annual Privacy and Security Conference in February. There’s training on privacy management, accountability programs and privacy impact assessments that these groups could take advantage of.

In addition, we have a privacy help line, and we have a training coordinator. The groups can contact either one of these resources and receive information that they need. The contacts for these resources are on the next slide. In addition to being contacted about training, the privacy help line is available to provide answers to questions that organizations may have about PIPA.

In closing, I’d just like to mention that, overall, we find PIPA continues to work well. This assessment is based on the number and types of calls we get on the privacy help line and in our discussions with organizations at training sessions. It was echoed by a number of groups who put in submissions. But as with any legislation, updates and clarifications are always necessary, so we welcome and look forward to the final report that the committee is going to release.

I’d like to thank you again for inviting the province to be part of providing a final submission. We’re happy to answer any questions that you have.

G. Heyman (Deputy Chair): Given that you’ve told us this morning that you’re prepared to propose amendments based on the 2008 recommendations of the committee, perhaps you could tell us why it took six years to get to that place.

My second question is…. I’m not sure I understand your reluctance to move ahead in concert with Alberta on mandatory breach provisions through amendment now. Why the caution? Why the delay or suggested delay?

S. Plater: With the amendments that came forward in 2008, there are stages that are gone through in terms of determining whether government is going to move forward with those. One involves research. One involves coming up with ways of presenting that. The third involves consultations, which we did. We took it out to stakeholders and received their feedback and then made changes accordingly if that feedback seemed appropriate.

Then, once you’ve got that, you have to wait for an opportunity to go forward to the House. We don’t dictate when legislation can go into the House. There’s a process that that involves. We put forward our submissions, and then there’s this decision made as to whether there’s time to do it in a particular session. So we wait for that session to come forward where there is an opportunity for PIPA to be put ahead.

G. Heyman (Deputy Chair): Can I ask a question of clarification on this point before I move on to the other point?

G. Heyman (Deputy Chair): Could you tell us when you made recommendations for amendments to the legislation?

B. Hughes: We put forward our request for legislation on an annual basis. Those are reviewed within overall government priorities, and then we are advised which pieces of legislation are going forward in a particular session.

G. Heyman (Deputy Chair): But I asked specifically about recommendations you may have made with respect to the 2008 recommendations of the committee.

B. Hughes: In the last couple of years it has been in our three-year plan in terms of going forward. I’m not sure, Sharon, when the first time was that it was put forward.

S. Plater: I’m guessing at this point. I certainly could find that information for you, but I would expect it was a couple of years ago.

S. Plater: Mandatory breach is part of that particular proposal going forward, if that’s accepted. Just before Alberta put theirs forward, the federal government came out and met with all the provinces and said: “This is what we’re planning on doing.” We looked at that. We researched it at the time, and we said: “Okay. Well, we’ll wait and see what happens.”

Alberta decided at that point that they would go ahead and do it right away. We decided to wait and see what the federal government was going to do because we need to be substantially similar to them.

They have not got it forward in that length of time, which is why ours has still sat there and languished. But it’s a good idea, and we will follow, again, what the federal government is doing. They’ve now taken something forward, so we have included it in that proposal.

S. Gibson: Well, it’s not really a question. Being new to this whole process, I very much appreciate the opportun-
[ Page 60 ]
ity to hear your presentations, and it’s been very helpful for me. You mentioned in your earlier remarks that you wanted to make the process, PIPA, be understandable, accessible, to the public. This is just a suggestion.

One of the things — I think, especially with younger people — is that 40 percent of our population, as you know, have some literacy issues. Having taught many university students, I can tell you that’s the case. I’m wondering. Because it’s such an important topic, have you ever thought about — I know this maybe sounds a little off the wall, but it actually is a sincere recommendation — trying to render what you do graphically, as opposed to text?

I think a lot of folks…. When you have these training seminars and people coming down, a lot of them will be beguiled by text and the vocabulary — the kind of thing you use. Yet what you’re doing is so important.

I would like to recommend that you render it graphically. As I think about what you have shared here and in the previous meeting, I think it could be explained much more legibly to many members of our population. If you explain your role and all of the entry points and obstacle points and points where decisions have to be made and rendered in order for information to be released — I believe that can be presented graphically.

It’s more of an anecdotal suggestion. It’s not a criticism. I think this material is understandable. But my recommendation is that you take a shot at presenting it graphically. I think that would be very helpful for much of the population.

S. Plater: That’s a really interesting recommendation. Most of the staff in our area are very young, and I’m sure they’d welcome the opportunity to work on something like that.

D. Routley: Thank you very much for the presentation. I wonder if I could ask you to elaborate on the issue of access addressed in the act and the singular path and then the notions that you might have around that — a little bit more, for our understanding — as well as one other thing. That is the…. Well, I’ll actually let you go ahead.

S. Plater: Well, I think the principles…. I think the first thing is I mentioned that this was meant to be privacy legislation, so it’s really focused on protecting individuals. So the access was limited to that. I don’t believe that there was any idea, when it originally went forward — because it did go to a special committee many years ago — that it would be broad access for businesses.

The reason you have the broad access in the public sector legislation is to make government accountable. But there isn’t that same kind of urgency in the private sector when you’re dealing with individual businesses. There are different ways of making them accountable than there is for government. So it was really focused on protecting people as they interact with the private sector.

D. Routley: Then the second question is around the stakeholder consultation process. Could you describe how that occurred, over what time frame and which stakeholders were involved?

S. Plater: When we originally did PIPA we had a very large stakeholder list that included national corporations. It included a lot of the not-for-profits in B.C. as well as business organizations in B.C., like the Retail Council, the chambers of commerce, as well as just independent organizations that didn’t have a larger body that they were associated with. We also included advocacy groups, like the B.C. Civil Liberties and FIPPA, in that.

There was a very broad consultation at that point. When we went out with the recent ones from the 2008 committee, we canvassed that group again. Certain ones decided that they wanted to partake. Some did it personally, so we went out and met with them and described what we were thinking of and what we were planning on doing.

Then others, we did it through mail or e-mails, because there were still ones on the national level that wanted to participate. I believe, in one of the submissions — I think it’s the Insurance Bureau of Canada — they mention that we had gone out to them with consultations and that they contributed to that.

So we do it by a variety of means, depending on where the organization is and what their capability is for meeting with us. We actually take out what we’re thinking of doing and ask them how they feel that will impact with their businesses, etc.

D. Routley: I wonder: had you expanded that to include, perhaps, organizations that weren’t as relevant in the previous rounds, such as data hosting and information — companies working with government to handle information — and whether or not that extended beyond our borders, provincial and national?

S. Plater: Right. When we did the consultations, we didn’t expand it at that point. Since that time we’ve been working really hard to broaden our consultation list in the private sector, primarily for training purposes, but also, when we go out for consultations, again, we’ll have that broader list of companies.

If we were to go out again, yes, we would have that broader scope. However, we wouldn’t often look at international organizations in those types of consultations. We would be looking more narrowly. It doesn’t mean we can’t give that consideration, but we haven’t at this point.
[ Page 61 ]

I wonder, since there are organizations that are international in scope that are handling information on a corporate level but on behalf of government agencies, if much consideration has been given or decisions made around companies that are doing that work currently or have applied to do that work through proposal.

S. Plater: Any private sector organizations that are doing work for government…. We’ll take MCFD as an example, where you might have a community agency that’s doing outreach for the ministry or providing services to families on behalf of the ministry. They would fall under the FOIPP Act.

What you have in the FOIPP Act is service providers are considered employees, so you have a flow-down of responsibility from the ministry down through to the service providers. They’re covered under that particular legislation in terms of their responsibilities.

FOIPPA is very strict in terms of when information can and cannot go outside of Canada. So those contractors or private sector service providers would have to abide by those restrictions in FOIPPA when they’re doing work on behalf of government.

D. Routley: Just for clarification on that one, government contracts with a company such as the Salesforce agreement, where information is being stored outside of Canada. There’s a private sector role. If I understand you, you’re saying that they will not fall under the scope of PIPA, that the responsibility flows directly from the ministry and would be captured under FOIPPA.

Okay. Well, thank you very much for your presentations. As you know, there’s a lot here for the committee to digest once we’ve finished hearing everything. We’ll be looking at not only the present submissions but obviously comparing them to 2008 to compile some recommendations. So thank you very much.

With that, we’re going to take a five-minute recess to see if we’re ready to go with our next presenter.

M. Bernier (Chair): We have our new presenters here. Again, it’s our pleasure to welcome Elizabeth Denham and Michael McEvoy here.

E. Denham: But I’m happy to be, because unfortunately, I have a longer presentation. I’m going to speak for about 20 minutes, and then hope to take questions after that, if that’s okay.

M. Bernier (Chair): We’re not looking for you to necessarily fill in all the time, but take what you need.

E. Denham: Good morning, hon. Chair and members of the committee. With me today is Deputy Commissioner Michael McEvoy and also oline Twiss, who is our policy analyst and has done a lot of the heavy lifting in preparing the submission that you have before you today. I want to begin by thanking you for the important work that you’re doing on behalf of British Columbians.

The Personal Information Protection Act is a balanced and effective law that protects the personal information of individuals while at the same time recognizing the right of organizations to collect and use and disclose that information for reasonable business purposes. But in light of significant technical developments, carefully prescribed changes to PIPA are needed to give current expression to the core purposes of the legislation that was enacted ten years ago.

In my initial submission to the committee I described some of the vast changes that have swept over and influenced the way in which personal information has been collected and processed since PIPA was proclaimed. Twitter was unknown, Facebook was still residing in a college dorm, and “big” was never a word used to describe data. All of these developments and many others have resulted in dramatic changes in how organizations manage and use personal information.

Some of these changes are really valuable to us socially and economically. They bring efficiencies to businesses, and conveniences to all of us. They allow us to connect in an instant for personal or business matters. We’ve also seen advances in storing personal information, from local storage to the cloud, and in applying data analytics to information for all kinds of purposes.

It’s a bit of a cliché, but it’s true nonetheless, that information is the new currency of the economy, the new oil of the Internet. This is the world that we now live in — one in which we must ask whether the legislation, now a decade old, requires updating to address those developments.
[ Page 62 ]

In 2004 when PIPA was enacted, it was one of the leading pieces of privacy legislation in the world. The privacy principles that are enshrined in PIPA are based on those established by the Organization for Economic Cooperation and Development, and those principles are fundamentally sound and as relevant today as they were then. These foundational principles must remain at the heart of any changes to PIPA that the committee might recommend to the B.C. Legislature.

I think the law is very much like a living organism. It has to grow and change to adapt to its environment. In my four years as commissioner I’ve undertaken numerous investigations and received hundreds and hundreds of complaints and requests for review under PIPA. I’ve assessed trends in the rest of Canada and around the globe where privacy authorities exist, and if I were to sum up in a single word what the current environment demands, and what all organizations must embrace, that word is “accountability.”

Accountability means that companies are ethically responsible for the use and protection of personal information that’s entrusted to them by customers, by employees, by clients. Accountability is analogous to the money that we trust the banks and credit unions with. When you deposit your paycheque, the bank has to keep the money safe and only use or invest it based on your decisions.

We all know that controls have long been in place in the financial sector to ensure that these rules are followed and that there are various accountability and transparency mechanisms for shareholders, for board members, for clients and for financial regulators. And there is a report to the client on a regular basis. Every month you get a statement that details your recent transactions, and every quarter you get a statement describing how your investments are going to grow or shrink.

Just as these controls exist in the financial sector, there’s a demonstrated need for specific accountability measures to be in our privacy laws, including proper controls and management processes to protect personal data, clear rules for third-party data processing and specific transparency and public reporting requirements when personal data is compromised or disclosed to law enforcement.

My written submission provides a detailed description of 11 recommendations that I’m making to the committee. If they’re implemented, the changes would clarify an organization’s responsibility to protect personal information. In other words, it would help businesses comply with the law and improve openness and transparency to the benefit of clients and customers.

This focus on accountability is very much a global movement. Lawmakers around the world are debating and adopting reforms to include specific legal requirements for businesses to create and maintain comprehensive privacy programs that span the entire organization.

There’s already a precedent in B.C. law, but writing specific accountability mechanisms into PIPA would put B.C. on the leading edge of a global movement and put us on solid footing vis-à-vis other Canadian jurisdictions whose privacy laws are evolving to address the challenges of the digital age.

I’d like to begin by describing how PIPA should be amended to explicitly set out the tools and controls organizations should have in place to be held accountable for personal information practices.

The fundamentals of accountability are already prescribed in our law. Sections 4 and 5 of PIPA state that organizations are responsible for the personal information under their control. The law also states that they must have policies and practices in place to meet their obligations under PIPA and that they must designate an individual who’s responsible for organizational compliance with the law.

When these were first enacted they were leading provisions on accountability in privacy in Canada. But it’s become abundantly clear to my office, through our enforcement actions and discussions with organizations, that many of them don’t know how to operationalize the current accountability elements.

What does this mean? This has resulted in an observed lack of meaningful commitment to privacy protection. It’s not unusual for us to see privacy policies that are just gathering dust on a shelf. Or when I ask an organization for their privacy policies, they say, “Privacy? We did that in 2004” — rather than an integrated approach where privacy is built into an organization’s management of personal information.

Over the past several years Canadian privacy commissioners have worked together to fill this knowledge gap and get businesses to commit to a culture of privacy by providing detailed, scalable and practical guidance that gives businesses a road map to accountability. This guidance is called Getting Accountability Right with a Privacy Management Program.

The policy document provides building blocks to a comprehensive privacy management program. The building blocks start with the fundamentals, creating a chief privacy officer role. This person in a larger organization should sit at the executive table and be empowered to lead the privacy agenda for businesses in a manner that’s similar to that of the chief financial officer.

Once this foundation is laid then you need program controls — training, education, risk assessment policies and practices — to ensure that privacy is built into the DNA of an organization. With this accountability guidance, Canadian commissioners are raising the bar on what it means to be compliant. In a world of ubiquitous computing, big data analytics and cloud computing, it’s not enough for a business just to comply with the narrow letter of the law or the technical provisions of the act when a new tool or a shiny new technology is implemented.
[ Page 63 ]

In an accountability framework, legal compliance involves a foundational commitment to privacy and a deliberate and meaningful investment to build a living and breathing privacy model that has the flexibility to address new technologies and the ability to comprehensively reduce the risk of costly privacy breaches, data spills and accidents.

Since that guidance document was published we’ve begun to see a better approach, an accountability approach, being implemented on a proactive basis as well as in response to some of our targeted work in certain sectors. We’ve seen good examples across the private sector, health care, professional regulatory agencies and Crown corporations, government-owned corporations, universities. This guidance tool has put Canada in the global spotlight as part of the conversation on accountability.

I think this committee has an opportunity to take this work to its next logical step — to express legal requirements, spelled out in law, that make clear what companies need to do to effectively protect the privacy of individuals. This would be consistent with the revised OECD guidelines adopted in 2013, which state that organizations should have privacy management programs in place and the details that should be prescribed.

I have provided additional detail in my written submission about how B.C. could follow suit and include express written requirements for accountability in PIPA. I strongly recommend that the committee consider how PIPA can be amended to more explicitly set out those elements of a privacy management program that will assist organizations and individuals.

One very important element of any privacy management program — especially in light of new technological changes that have taken place over the past decade — is the responsibility organizations have to protect data when it’s in the hands of third parties. I think this is where some of the questions from the members to government were going earlier.

Here I’m talking about technologies like the cloud and other outsourcing tools used by organizations to store and process personal information. It’s often said that data knows no borders. A business on Granville Street in Vancouver may be using a service provider that stores information on the other side of the world. As it’s currently worded, PIPA requires that businesses make “reasonable security arrangements” for the personal information under their control, including information that’s not in the custody of the organization.

My expectation is that the same standard of security should apply to that data, regardless of whether it’s in a filing cabinet at the business headquarters on Granville Street or whether it’s housed in the cloud in Oklahoma. But this principle is not explicitly set out in PIPA. I think adding such a provision will make the legal requirement crystal-clear. We have a good model in Canada’s federal legislation, PIPEDA, which is the language upon which I base my recommendation to the committee.

Of course, accountability is about more than technical mechanisms for compliance. It’s also about making sure that information is open, transparent and accessible in terms of an organization’s privacy practices. Individuals that hand over sensitive personal information in the course of doing business deserve to not only know that an organization is properly managing that information, but they should also know if that information has been disclosed or gone astray — which is why breach notification is an essential part of a privacy management program.

This was one of my key recommendations when I appeared before the committee last May, and I maintain that a legislated duty to report significant breaches to the individual and to my office is a really important amendment to PIPA. Breach notification would give affected individuals an opportunity to be aware of real and significant harms and take steps to mitigate them. It gives them the choice of whether they want to keep doing business with the organization in the wake of a breach.

I think breach notification provides an important accountability lever in the business-customer relationship. The notification requirement also needs to extend to my office, providing an important accountability mechanism from business to regulator. I think making breach notification mandatory would provide a critical incentive for businesses to make an investment in privacy and security protection such that they could prevent breaches before they occur.

We all know that B.C. would not be charting new waters with such a provision. We would just be keeping up with our trading partners. Almost all of the U.S. states have mandatory breach notification. Europe is currently reforming its data protection framework, which would make breach notification mandatory. We all know that our neighbours in Alberta have had a breach notification regime since 2010, and Bill S-4, which is the Digital Privacy Act currently before parliament in Ottawa, could bring mandatory breach notification to the federally regulated private sector.

It’s critically important that B.C.’s requirements be harmonized with those contained in the proposed federal legislation and Alberta. If we don’t adopt similar reforms in our legislation, we could be putting our “substantial similarity” designation at risk, meaning that companies would then be subject to two different laws, PIPEDA and PIPA, depending on the customer-employee relationship, and would be subject to two regulators. This would increase the regulatory burden on B.C. business.

For this reason, I’m recommending B.C. adopt the mandatory breach notification amendments that are in line with S-4.

Just before moving to your questions, I would just like to touch on one more matter that has arisen since I
[ Page 64 ]
appeared before you in May. That matter concerns section 18(1)(j) of PIPA. Sharon and Bette-Jo mentioned it briefly. A number of submissions talked about amendments to that section.

Just for a bit more background, section 18(1)(i) authorizes an organization to disclose personal information for the purpose of complying with a subpoena, warrant or order. In addition, an organization can disclose personal information to a law enforcement agency without a warrant under 18(1)(j).

It’s my view that what Spencer effectively does is clarify the range of disclosures that are permitted in 18(1)(j). In Spencer the Supreme Court made it clear that warrantless disclosure is an unconstitutional search by a police force. The decision dealt with the section of PIPEDA that’s analogous to section 18. At the same time, I think the committee needs to be aware — and I agree with the B.C. Civil Liberties Association submission — that organizations still need to be able to make disclosures in appropriate circumstances.

For the purposes of section 18(1)(j), one of those appropriate circumstances should be when the organization itself is making a complaint to law enforcement about an offence under the laws of Canada or the province. So amending that section to limit it to organizational-initiated complaints will bring it in line with the Supreme Court of Canada in Spencer.

In closing, my key message to the committee is that PIPA is a law that’s very current. It was very current ten years ago, but it needs to be updated due to external changes, primarily flowing from technological developments, with respect to the use of personal information, and from legal decisions. Accountability and transparency provisions embedded in a privacy management program are the key elements of our suggestions.

Thank you very much for the opportunity to speak to you again about PIPA. I hope that my submission to you will be useful, and I’m happy to address any questions that you may have.

M. Bernier (Chair): Excellent. Thank you very much for that update presentation again and for the work that you do.

One of the common themes that came through most of the presenters was around mandatory breach and recommendations or suggestions around that now. Can you give me, in your opinion…? When you say “significant breach,” what do you mean by that? I know some presenters were saying that only a significant breach should be notified of, or a material breach. In your opinion, what kind of definition do you put around that?

E. Denham: Our submission recommends the federal threshold of a real risk of significant harm. That’s not a science. That’s probably an art to be able to differentiate what is a real risk of significant harm and what is not. It’s something that’s going to require guidance to be published by our office and by other offices.

We certainly can learn from our neighbours immediately to the east about their determination in what is a real risk of significant harm. So again, we wouldn’t be starting behind the eight ball on that determination.

I think the trigger should be high. Otherwise, consumers could be swamped with notices where there isn’t a significant risk, and our office could be swamped by reports of things like misaddressed letters — one misaddressed letter, one e-mail that’s gone to the wrong person. We would not have the ability to deal with a number of breaches if they came in at that low a threshold.

I think it has to do with the scope of a breach. Does it affect hundreds or thousands of people? Does it involve a loss or a theft of a hard drive, for example? That’s different from a misdirected fax. I think you have to look at the scope of the breach, the chance that the data is in the hands of an unauthorized person. If something is stolen — a hard drive is stolen, for example, or a laptop is stolen with sensitive personal information — that could be a real risk of significant harm.

As I say, it’s an art, not a science. But it’s something that we would have to produce guidance on.

S. Gibson: Interesting. It’s been my experience in corporate life that breaches, to use the term, are largely compromises informally rather than explicitly. For example, gossip. There’s a lot of information disseminated in an organization that never really hits the radar, but it’s probably more insidious and more troubling than some of the material that actually reaches and, say, becomes apparent to an organization like yours.

I don’t even know how you address that, frankly. But in organizations I’ve been in, there are all kinds of horrendous violations — you know, somebody in HR is talking about somebody who’s getting fired next week. Of course, it’s anecdotal. It becomes gossip, and it spreads through the office. It’s highly inflammatory. It compromises the person’s character. It makes them unemployable, possibly, in the next situation. Yet it never is actually a formal breach, because it’s done insidiously. It’s done informally.

It’s my view that many of the tragedies out there never hit a formal corporate structure such as yours because they are below the radar by passive-aggressive people. How do you address that kind of thing?

E. Denham: I think you are discussing, perhaps, a contravention of another part of the Personal Information Protection Act, unauthorized disclosure of somebody’s human resources information. How do you deal with that? A person could still bring a complaint to our office that information was inappropriately disclosed to their colleagues. There’s defamation law.

When I’m talking about mandatory breach notifica-
[ Page 65 ]
tion, we’re talking about situations where’s there’s been a breach or a disclosure of an organization’s own security safeguards. We’re really talking about loss of data. We’re talking about somebody actually getting access to a company’s network with all the customer credit card information.

I think you’re talking about internal disclosures, unauthorized sharing of personal information. I think you can get at that through other aspects of the act. But we’re talking about something that Canadians are deeply concerned about, and that is unauthorized disclosure of their personal information — because the data is not encrypted on a laptop and it’s lost, because somebody hacked into a network and thousands of records have been compromised.

We’re really talking about an amendment to the law that will cause organizations to harden their security safeguards and take better care of data that they’re entrusted with. It’s really about those kinds of scenarios that would require an organization to report it to a regulator and, if it met the threshold, to report it to the affected individuals.

It makes everybody behave better. It makes everybody invest in our information systems. Just think about cybercrime. Think about the risks that electronic data systems, network systems, face in the world today.

There’s got to be some incentive to get B.C. businesses to invest in proper security. It’s good for the economy.

S. Gibson: There are companies that I’m familiar with that do phone appending and data cleansing. They’ve probably come to your attention. We have them in Canada. There’s one in my town, in Abbotsford. What is your attitude to these organizations?

So I have a database, and I want to have a calling…. What do you call those folks?

S. Gibson: Call centre. Thank you. Call centres — outbound call centres as opposed to inbound. I want to contact all my customers through an outbound call centre. I give them that list, and they append phone numbers to it through complex algorithms. What do you feel about that kind of approach? What’s your feeling about that?

E. Denham: Is that something that’s more related to a do-not-call regulation, or…?

S. Gibson: This company takes databases and phone appends using algorithms. What happens is, of course, they’re compromising the security. Those people never gave their phone numbers.

E. Denham: They didn’t give their consent to be called by a marketing organization.

E. Denham: How would PIPA relate to that situation? Again, if those individuals are getting calls without their consent, unless those are publicly published phone numbers then it would be a contravention of PIPA, and individuals could complain.

But we’re also dealing with a shade of grey in that there could be published phone numbers that are free for people to use for that situation. Certainly cell phone numbers would not fall into that scenario, and there could be a complaint under PIPA.

G. Heyman (Deputy Chair): I’d like to just follow up a little bit on your discussion and answer to the Chair’s questions about mandatory breach provisions and real risk.

One of the criteria you mentioned was the number of people whose information might have been compromised, but let me ask you how you would deal with a situation where somebody’s psychiatric records were inadvertently faxed to the wrong place. It’s one person, but it’s a fairly significant breach, or potentially a significant breach. Under the answer you gave, this might be excluded. I doubt that’s your intent.

E. Denham: To clarify, the number of individuals is one factor that we would consider in a real risk of significant harm.
[ Page 66 ]
That certainly is a real risk of significant harm to that individual, for sensitive medical information to be faxed to the wrong person.

What I was saying in the one-offs that we wouldn’t want to hear about is a misaddressed envelope that has non-sensitive information in it, because we would be swamped with breach reports. We wouldn’t be able to get to our other oversight activities if we heard about all of those one-off situations.

The organization that misfaxed sensitive psychiatric records to the wrong place should definitely notify the individual and notify our office. That would be a real risk of significant harm. But I’m thinking about a fax of a bill that, really, is not sensitive information. I would be overwhelmed if we had to have all of those reports.

G. Heyman (Deputy Chair): To some extent, the words “real” and “risk” are a bit contradictory, because risk is something that may happen. How do you envision defining that? Are you thinking in terms of the reasonable person test?

E. Denham: I think a real risk of significant harm will go to a reasonableness analysis. Then, again, I think we have the opportunity to learn from four years of Alberta’s experience, the Information and Privacy Commissioner of Alberta’s experience, in determining what is a real risk of significant harm.

We do have that. There is guidance. There is some jurisprudence. It would give us a step-up, even from where Alberta was in 2010, to be able to provide some guidance for organizations.

G. Heyman (Deputy Chair): I have another question, but I’m willing to drop back in the queue if others want to go first.

M. Bernier (Chair): Let’s go with Doug while he’s got a question. We’ll come back.

D. Routley: Thank you to the presenters. I really appreciate your contribution, again, and the continuing work that you do to protect the rights of B.C. citizens. It’s good work.

I have a couple of questions. The first one would be around the culture in which we live where there’s a general slippage and erosion of the sense that people have that their personal information can be protected. I often hear people fairly resigned to the fact that it’s a battle that can’t be won.

I think we’re being acculturated to accept that by different aspects of our lives — even popular entertainment. When people look at the role of law enforcement, they see very unrealistic portrayals of the access abilities of law enforcement on television programs. And in media understanding, reporting on these issues, there’s a lot of fear around the spectre of terrorism and other threats to people’s safety that leads people to accept, maybe, this erosion of their expectation of the right to privacy.

This seems to be really a momentum that is difficult for us, as policy-makers, and you, as an agency of enforcement, to contain or to keep up with. I think it’s very dangerous. You mentioned that we need to have clear requirements spelled out and expectations in order to achieve an accountability. This is against that backdrop of reduced expectation.

I think it’s very important that we grapple with this as a committee. Our policy-making recommendations need to reflect the struggle that we’re all engaged in and you are at the front line of. How can you see this architecture of requirements, which you might be recommending, somehow encouraging companies to reverse that trend and become more aware of their responsibility and become more accountable?

Attached to that is a second piece that I would ask you: the role of penalty versus incentive. You’ve indicated that mandatory breach notification is an incentive to corporations. Obviously, there would be a penalty to them, and their reputation, if they have to acknowledge a breach, and that’s something they would want to avoid. That would become an incentive.

But I, personally, am frustrated that there isn’t a better penalty mechanism to backstop that. Was that something that you are concerned about?

E. Denham: First of all, I don’t agree that Canadians are resigned to the slippage in the importance of privacy or the ability of regulators and companies and organizations to do a better job with personal information.

In fact, I was reading in the Toronto Star yesterday about a poll, “Canadians Growing Concerned over Internet Privacy, Poll Shows,” where 70 percent of Canadians are deeply concerned about the erosion of their privacy. They want strong laws, and they want strong enforcement.

I think Mr. Snowden, whatever you think about his actions, has actually encouraged people to take action, to write to their government. Civil society is more concerned, is more involved in making sure that we have protection, transparency and some control over national security agencies and law enforcement.

I think privacy laws like PIPA are more important than they’ve ever been. When I talk to British Columbians and Canadians across the country…. I’ve been a regulator for ten years in three different jurisdictions, and I’ve never heard so much concern.

My proposal for more accountability provisions in the law will build in better protection in the front line — so in management processes, in transparency processes. That’s going to go a longer way to protect personal information than notice and consent has ever done, especially when we think about how opaque data processing is right now. We’ve got companies that have partnerships with other companies, and it’s not like having one transaction with a brick-and-mortar office anymore, where we used to understand who we were giving our data to and what they were going to do with it. That’s gone, especially on the Internet.

What needs to take its place, I think, is a requirement in law to have good program elements in place to protect personal information. What I’m asking for is not crazy. I’m saying that there should be a requirement for training of staff. That should be in law; it’s not in our law right now. That’s a pretty fundamental element.

I’m saying that policies should be available, should be published for customers. We did a sweep. We were involved in the Global Privacy Enforcement sweep of applications and websites, and B.C. businesses were at the bottom of the list when it came to the percentage of websites that had privacy policies.

So we’ve got a lot of work to do in B.C. to even catch up with the rest of the world. My elements of a privacy management program are in line with the OECD. They’re in line with PIPEDA. It’s a fundamental that’s going to go a long way to better protect personal information.

You also asked me about incentives and penalties for breach notification. Having the requirement to notify customers in the event of a significant breach and notify a regulator in that event is an incentive to build better protection, better security for data.
[ Page 67 ]

The disincentive, the penalty, would be that if a company failed to notify of a significant breach, then it should be an offence under our act, under PIPA, and there should be at minimum — what I said in the submission — a $100,000 fine, which is equivalent to what is contained in the Alberta legislation. It’s the incentive, but for not notifying, there needs to be a penalty.

D. Routley: Yes. I remember being told about — I think I’ve mentioned this before — a study that showed that over 70 percent of Canadians considered the protection of their personal information as a vital and essential right, but a similar percentage were willing to trade their social insurance number for 70 grams of chocolate on line. It indicates, maybe, an awareness that it’s an important right and freedom integral to our rights, but less awareness around the architecture of how that can be achieved.

Perhaps education is a significant piece. I wonder how the training opportunities are being structured and delivered to stakeholders.

E. Denham: I’m glad that you ask that question. Also, referring back to the member’s question and comment around the importance of education of younger people, we have an education mandate. We focus a lot of education on PIPA organizations so that they can come up to compliance. We hold a conference almost every year. Last year was sold out, with 500 attendees.

We have guidance for private sector organizations on our website — most currently guidelines on cloud computing, guidelines on the development of mobile applications that comply with PIPA, consent on line. We have a lot of guidance on our site.

The education of individuals on privacy rights — it’s a little tougher audience to get to. In the best of all possible worlds we would be building awareness with our four-year-olds before they go on line or start living their lives on their mobile device.

There’s a societal education about how to protect yourself on line and also what can go wrong when you’re not paying attention to privacy. I think some companies are doing a better job of building privacy into new applications from the ground up — privacy default settings. Even Facebook is doing a lot better job with privacy than they did in 2007. So I think it’s an evolution.

We’re part of the education. But again, we have 380,000 businesses in British Columbia that need training. I think focusing on the sectors — insurance, financial services, health services, retail — has been the way we’ve gone, and I think that that is the way that we’ll continue to go.

As stated, we live in an era of rapid technological change, and there’s this unprecedented escalation in collecting individuals’ personal data. As we know in business, it’s money or the lack of money that’s always the issue. I was wondering what incentives we have to get businesses to invest in the latest technology and to keep up in their firewalls and in protecting the data.

It’s sort of like the hackers are always moving and improving what they can do, and businesses have to keep up to keep them from getting at that data. Are there any incentives that can be done to make sure they stay up to date?

E. Denham: I think mandatory breach notification is, as we said, an incentive, but even small businesses that suffer a data spill or a data breach are going to have to incur huge costs to clean it up, to hire lawyers if they have to hire lawyers and hire security experts to fix the firewall, to give them advice, to come in afterwards and do the cleanup.

We’ve all seen the headlines where Target loses 100 million customers’ credit card information, and they have to spend $70 million to clean that up. There are firings of people and class action lawsuits. A small business can suffer reputational harm and lose their customers. To me, that’s an incentive to build in good security to prevent those kinds of breaches.

This is a real issue for even small businesses. In the past small businesses might collect paper records from their customers, but now a small business could actually hire a cloud provider to do a lot of data processing for them. So they need to think about who’s doing business on their behalf and be more aware of it. It is a real risk to small and medium businesses in B.C.

E. Denham: And if we had mandatory breach notification, there would be reports published about the kinds of risks that other businesses have faced. I think that would be a really good tool for other businesses — peer agencies, peer businesses — to protect themselves and not suffer the same fate.

G. Heyman (Deputy Chair): Thank you very much for all of your thoughtful remarks, including the response to questions. I want to follow up on Doug Routley’s questions a little bit.

You talked about a living and breathing privacy model. I had a chance to scan recommendation 4 in the submissions. I appreciate, from my own experience, that you’re recommending scalability of programs, having been involved a number of years ago in developing regulations that didn’t give enough thought to the different sizes of
[ Page 68 ]
enterprises and companies and got a predictable backlash reaction.

My question is twofold. Presumably, you would want to see the five points that are listed in recommendation 4 turned into legislative language. I’m wondering if you see it stopping there and being entirely performance-based compliance or if you see some form of combined compliance or performance and prescription through a reference in legislation to, perhaps….

You referred to a guidance document developed by privacy commissioners or some other document that could be a reference point, guidelines that could form the basis for the development of programs that would be a little easier for, particularly, small enterprises to reference rather than perhaps not be aware that such documents are out there and spend a lot of time trying to figure out where to find the information and/or develop their own.

E. Denham: I’m glad you asked that question and also that you brought to the attention of the committee that one of my five points was scalability. Keeping in mind that the B.C. business community is made up of a huge number of microbusinesses and small businesses, it has to be scalable. This is a framework. Privacy policies are already required in law. I’m taking them one step further and saying they should be made publicly available.

Employee training should be part of it, part of a framework tailored to the structure, scale, volume, sensitivity of the information that’s being processed, and one that’s kept alive — so not: “Privacy? We did that in 2004.” I can’t tell you how many times I heard that. “I don’t know where that policy is. We’ve never trained anyone on it.” That’s not going to work in a world where the cost of data breaches is so high to business.

This is a framework. I would say it’s a baby step. A document like the one that I was referring to in my opening remarks could be the detail that smaller businesses need. I could even see another document being developed by our office that’s for microbusinesses.

The problem that we face is that I think ten years ago, 20 years ago, we could draw a line between small businesses and large business and say: “Small businesses aren’t really processing a great deal of personal information. It’s really the big guys that we have to worry about.” I don’t think that’s the case anymore, because you could have two application developers working in their garage processing a great deal of very sensitive information. So why should they get a “get out of jail free” card and not have to comply with some really basic elements of protection of personal information?

The scalability question is more difficult than it has been in the past. I think it depends on the amount of personal information you’re processing and the sensitivity of it.

G. Heyman (Deputy Chair): Would you contemplate, for instance, if your recommendation was accepted and pursued by this committee, that a reference might be made in a manner consistent with document X?

E. Denham: The document that we have collaborated on with the Alberta commissioner and federal Privacy Commissioner could be the reference, because it lays out the elements and, again, in scale.

Just to emphasize, what my recommendation contains here is already contained in the Personal Information Protection and Electronic Documents Act, section 4.3.1. Again, it’s not out of line with what is already in federal law. In my enforcement activities, if I had a complaint about an organization’s compliance program, I would use that document as a road map to do an audit or an investigation — the reference document that we’re talking about, which contains more detail.

G. Heyman (Deputy Chair): In terms of keeping it a living document, living practice, living policy, I want to ask you…. You issued a report pursuant to another piece of legislation. It had to do with privacy breaches in the Ministry of Health. Your observation was that the ministry had failed to make clear the policy requirements to staff on a meaningful and regular basis. I’m not quoting you, but I think that was the gist of it, and you’ll correct me if I’m not getting it.

Given that, arguably, a large ministry in the public sector has perhaps more luxury than a range of private sector businesses to think about and implement policies enacted by its own government, what steps do you think would have to be taken to at least ensure that there is a greater chance that privacy protection and personal information policies are, in fact, maintained, are alive, are off the shelf?

E. Denham: I think waiting a year before the obligation was required under the law to give organizations some time to get ready for it. I think certified trainers could help small and medium-sized businesses get ready for complying with the obligation. Model policies could be produced by our office.

We already help businesses with every phone call. We had 500 phone calls last year from small businesses about PIPA and questions about compliance. I think we would step up our assistance to make sure that they understand that.

The Ministry of Health. I was greatly disappointed that 20 years after the law came into effect — the public sector law — they didn’t have a systems approach to protection of privacy. Again, that was an example of the privacy policy sitting on a shelf somewhere and a lack of training — a systemic issue there.

Businesses can do it. There are even small businesses
[ Page 69 ]
that can be leaders, especially private sector health providers. Physicians’ offices — which are subject to PIPA — are doing a pretty good job of protecting the records because confidentiality is the centre, the DNA, of their business.

I think assistance, help, guidance, clarity, certified trainers that go out and train on behalf of an industry association. There are lots of things that we can do.

S. Gibson: A quick one. I think we all agree that, as you mentioned earlier, the whole theme of this is accountability.

I’m just referring to appendix A, if you don’t mind. You have the prescribed details for notification of a privacy breach. I think you’ve done a good job of explaining that.

My only suggestion, and you may have reasons why it’s not in here, under (h), the name of the contact person who can answer questions, etc. Then down below, on the other one, (g), it says the person who can answer questions.

Wouldn’t it be better there to have the person accountable for organizational privacy? It would be better for me if that person was identified, rather than a guy who’s just going to answer questions. He may just say: “I don’t know.” But if you have the actual name of the person accountable in both (h) in the first section and (g) in the second section, it seems to me that would give more clout and more accountability if you actually identified that person by name. That’s my suggestion.

E. Denham: I think that’s a good suggestion, and we’ll take a look at that. It would have more clout, but the idea of section 2 is “all of the elements of a notice to individuals.”

Sometimes when an organization has experienced a breach, they may put somebody on the front line to answer all the phone calls of people who’ve received the notification. That might not be the chief privacy officer.

D. Routley: In another meeting your predecessor referred to the expediency of handling information trumping the protections in the act, or an effort to reduce the perceived obstacles the act puts in front of organizations in dealing with information, and how that reduction of the regulation and control over information might be sought by those who handle information to avoid the complexities, to have a more expedient use of information — be it a government body under FOIPPA or an organization under the scope of this act.

It was really coming from a lack of information or a lack of knowledge around the act and its provisions, such as the acceptability of disclosures in an emergency or a public safety issue and how the act already provides for those disclosures.

I wonder if some of the concerns raised by organizations are being addressed through the efforts you’re making around education and the process for having disclosure exempted. I don’t know if you want to address that. I have one more question.

E. Denham: Do you mean that people have a better understanding that they can disclose information in emergencies or exigent circumstances and they don’t need notification and consent?

E. Denham: I haven’t heard that complaint from groups recently, so maybe there is a better understanding of it. Quite often people say, “We need an amendment to the act because we have a special case,” and we look at the act and we find that there’s already been contemplation in the act for the disclosure without consent. I think that’s what you’re referring to.

D. Routley: Yes. The issue of information being stored by agencies outside of our jurisdiction — stored in the cloud. The recent opinion you offered around tokenization of information — that that is, in fact, anonymization of personal information. I’m wondering how we are going to be able to achieve standards when it comes to tokenization, and how we can enforce our standard outside of our jurisdiction.

We’re asking organizations that are storing information, who are subject to the Homeland Security Act, to somehow adequately protect that information. What measures can be taken to ensure that there is adequate protection?

If your position remains that tokenization equals anonymization, just how much tokenization is required, and how do we enforce that? How do we make a judgement of that?

E. Denham: I think I’m glad you asked that question. Just to start, for the members of the committee that may not know what tokenization is, tokenization is a technology that obscures identifying information for the purpose of anonymizing it when it’s in the hand of, let’s say, a company that is in the Silicon Valley or a cloud provider like Salesforce. The key to identifying that information again is held by the organization in Canada.

What I said in my opinion is that tokenization may be a solution for organizations to use, but only if it’s adequate tokenization. That’s the $6 million question. All of the elements of personal information need to be considered.

What do you tokenize? Do you tokenize just the person’s name and leave their birthdate untokenized? What about their social insurance number? Of course you’d want to tokenize that. What about their birthdate? You
[ Page 70 ]
have to really think of the possibility of information being reidentified.

I want to take your question back, though, to a recommendation that I’ve made under PIPA, because we’re focusing on the Personal Information Protection Act.

I think there needs to be an explicit statement in law that when a PIPA organization contracts out to a service provider, especially when data is stored outside of Canada, they are accountable for that information, even if they have somebody else who is processing it for them. They have to ensure — the PIPA organization has to ensure — adequate and comparable protection of that personal information.

That’s not an explicit statement in our law right now, and I think it needs to be. It’s creating confusion for businesses. Even small businesses now are actually outsourcing their IT services. Software is a service — storage of their data. It has to be made clear to them what they’re accountable for.

We actually are going to be issuing guidance on tokenization. You referred to an opinion we’ve given on tokenization in the context of FIPPA, the freedom-of-information and protection-of-privacy law. We’re working on an additional document that is guidance on tokenization.

D. Routley: Do you have concerns that even if we tokenize the explicit identifying information — name, numbers such as a social insurance number, address of residence — the data reassembly that seems to be emerging could re-identify people through demographics?

For example, I represent a constituency that has the lowest percentage of second-language speakers in all of B.C. All the other constituencies…. If, for example, someone were to have their information stored that identified a demographic characteristic — such as, just as an example, sickle-cell anemia, which would identify a fairly small demographic group — then within a very homogeneous community like the ones I represent, that could potentially lead to a reassembly that could identify a person.

It seems to speak to a descending depth of requirement in order to avoid the sophisticated reassembly that’s possible. How can we protect people, given those capabilities?

E. Denham: Yes, I am concerned about reassembly of data because of all the databases that are out there and the ability for organizations to link data with the so-called anonymized data. We are concerned about that. You will see in my opinion on tokenization that I’ve said there has to be a case-by-case analysis of those kinds of risks.

I also think that our next paper is going to assist to a certain degree. But again, what is tokenized and what information is out there to be linked is a concern. It is a concern, and it’s an evolving field. There are some standards that other regulators have issued on anonymization and de-identification. That might be an area that we need to do more work on in British Columbia.

D. Routley: I think you mentioned Edward Snowden. Whatever people might think of him, he’s actually done a certain service to the awareness amongst people of the consequences of bodies, particularly government bodies, handling information.

I realize, of course, we’re addressing PIPA here, but there is a grey area between corporate handling of information and government handling of information, given that so many companies are acting on behalf of government by contract.

I understand that the flow-through occurs from FIPPA, but I also wonder how many steps we need to follow before we’re actually dealing with PIPA if there are subsequent contractual obligations by companies not only directly related to that service agreement but sharing the same data storage agency. It just seems to be, to me, very concerning.

One of the things that Edward Snowden’s revelations allowed us to understand is just how sophisticated these reassembly efforts can become. I’m very concerned about that. I wonder how much you share that concern and if you think it’s possible, even, for us to completely seal the door on that.

E. Denham: One of the recommendations in this paper, in my submission, is something that the committee can do towards assuring British Columbians and making British Columbians aware of the extent of disclosures to law enforcement without consent through transparency reports.

To back up a bit, if you look at what’s happened federally, it was revealed that in 2011, 1.2 million subscriber records were disclosed by telecommunications companies to law enforcement without warrants and without consent. That’s concerning to Canadians because so much of it goes on without knowledge, without understanding the scope or the purpose of these kinds of disclosures.

Several of the large telecommunications companies have, on a voluntary basis, started to disclose the numbers of requests that they get from law enforcement. I call those transparency reports.

One of the recommendations in this submission is that PIPA organizations, when they disclose information without consent, under those sections of the act I referred to earlier, should be required to make transparency reports on the aggregate level. On the aggregate level, we could actually have a policy discussion about voluntary disclosures.

I think there is something that the committee can think about. I think Canadians are concerned about this.
[ Page 71 ]
I’m concerned about it because I think there needs to be more openness and transparency about what’s actually happening on the ground — disclosures to law enforcement, disclosures to national security agencies, which is beyond my jurisdiction. But generally, yes, I’m concerned about that.

D. Routley: Just one more, thank you. You mentioned that we could become compliant with Spencer if we follow the B.C. Civil Liberties’ recommendation that organization-driven or organization-initiated disclosures are exempted. Do you see it being very difficult to define exactly what that means — and finding a way to ensure that that is authentically what is occurring rather than, maybe, a nebulous first step that isn’t actually part of the recorded process?

E. Denham: What the Supreme Court of Canada found in Spencer was that it wasn’t the disclosure to the police that was unconstitutional by the telecommunications company; it was the collection by the police. The police sought the information, and their search was unconstitutional.

My recommendation around 18(1)(j) is to ensure that it’s the organization that still has the ability to file a complaint with the police when they think something’s going on in their own company that is a contravention of a law of B.C. or Canada. If you close that off completely, then how can companies call the police — because they think there’s fraud happening in their own company, for example?

D. Barnett: I just have one question regarding the accessibility for the law enforcement agencies. I think we have to be very careful that we don’t restrict their ability to perform their job, which is the enforcement of law. That is one concern that I have and a concern that I have heard from constituents and some law enforcement agencies.

How can we somehow get reassurance for the public, for legislators, that the law enforcement people will still be able to do their job in an expedient manner? All the processes they now have to go forward to — to get a warrant, to do their job — sometimes do restrict them from doing their job, and some people that should not be walking on the street are walking the street. How can we have a little reassurance that we have a balance?

M. McEvoy: There is a balance in the way that the law operates now. The commissioner mentioned that in terms of a company’s ability to disclose information to law enforcement on a voluntary basis, that’s something that has to be articulated and set out, we think, clearly in PIPA.

There is disclosure to law enforcement through a warrant process. Sometimes there are varying levels of proof that law enforcement has — to get a warrant, for example.

I think citizens in this province and in Canada understand and recognize the need for that balance to ensure that information is gathered properly and that there’s some oversight process. In emergent circumstances, where it’s not possible time-wise to perhaps get a warrant, the Criminal Code provides for that. Our legislation provides for that.

I think there are sometimes some discussions around the nuances of how law enforcement should get and needs to get information. I know that the commissioner, in terms of her consultation with law enforcement groups on this, finds it’s not so much the privacy law or the Criminal Code. It’s oftentimes the administrative process that’s involved in law enforcement.

I can’t get ready access to a judge on the phone because of the way the system is set up. I think the response to that is that it’s not a privacy issue. It’s not a Criminal Code issue. It’s an administrative issue within the law enforcement mechanisms themselves to ensure that those mechanisms administratively work more efficiently.

To answer your question, in short, I think Canadians and British Columbians can be reassured that there’s a balance in the system that allows law enforcement to do what it wants to do. Our recommendations around section 18(1)(j) are simply to clarify one aspect of that.

M. Bernier (Chair): Excellent. Well, seeing no further questions, I want to thank you for your submissions and your input and your thoughtful answers to the questions. As you can appreciate, there is going to be a lot of discussion now around the committee, trying to put all this together. We appreciate your input. Thank you very much.

With that, I look to the committee. One of the things around next steps, I think, is…. There’s a lot here, obviously, to absorb — a lot to look into. With your indulgence, I think it’ll be myself and the Deputy Chair — maybe working with staff. We’ll try to compile some of this over the next couple of weeks.

We’ll probably look at trying to set a meeting…. I think we’ll need to set a meeting in mid-December or something so we can start setting direction to staff and be able to start compiling some recommendations.

Any further discussion, maybe, from the committee on that? Everyone’s okay with that direction?

Okay. With that, thank you very much to everybody for coming in. With that, we’ll move adjournment. The meeting is now adjourned.

Hansard Services publishes transcripts both in print and on the Internet.
Chamber debates are broadcast on television and webcast on the Internet.
Question Period podcasts are available on the Internet.

Chair:	Mike Bernier (Peace River South BC Liberal)
Deputy Chair:	George Heyman (Vancouver-Fairview NDP)
Members:	Donna Barnett (Cariboo-Chilcotin BC Liberal)
	Dr. Doug Bing (Maple Ridge–Pitt Meadows BC Liberal)
	Simon Gibson (Abbotsford-Mission BC Liberal)
	Sue Hammell (Surrey–Green Timbers NDP)
	Marvin Hunt (Surrey-Panorama BC Liberal)
	Doug Routley (Nanaimo–North Cowichan NDP)
Clerk:	Susan Sourial

REPORT OF PROCEEDINGS(Hansard)

SPECIAL COMMITTEE TO REVIEW THE PERSONAL INFORMATION PROTECTION ACT

REPORT OF PROCEEDINGS
(Hansard)

SPECIAL COMMITTEE TO
REVIEW THE PERSONAL INFORMATION PROTECTION ACT