2015 Legislative Session: Fourth Session, 40th Parliament

SPECIAL COMMITTEE TO REVIEW THE FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT

MINUTES AND HANSARD


MINUTES

SPECIAL COMMITTEE TO REVIEW THE FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT

Tuesday, July 21, 2015

8:30 a.m.

Douglas Fir Committee Room
Parliament Buildings, Victoria, B.C.

Present: Don McRae, MLA (Chair); Doug Routley, MLA (Deputy Chair); Kathy Corrigan, MLA; David Eby, MLA; Eric Foster, MLA; Sam Sullivan, MLA; John Yap, MLA

Unavoidably Absent: Jackie Tegart, MLA

1. The Chair called the Committee to order at 8:38 a.m.

2. The following witnesses appeared before the Committee and answered questions regarding the Freedom of Information and Protection of Privacy Act.

Office of the Information and Privacy Commissioner for British Columbia:

• Elizabeth Denham, Information and Privacy Commissioner

• Michael McEvoy, Deputy Commissioner

• Dave Van Swieten, Executive Director of Corporate Services

3. The Committee adjourned to the call of the Chair at 9:31 a.m.

Don McRae, MLA 
Chair

Susan Sourial
Committee Clerk


The following electronic version is for informational purposes only.
The printed version remains the official version.

REPORT OF PROCEEDINGS
(Hansard)

SPECIAL COMMITTEE TO
REVIEW THE FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT

TUESDAY, JULY 21, 2015

Issue No. 4

ISSN 1708-315X (Print)
ISSN 1708-3168 (Online)


CONTENTS

Briefing: Freedom of Information and Protection of Privacy Act

E. Denham

M. McEvoy


Chair:

Don McRae (Comox Valley BC Liberal)

Deputy Chair:

Doug Routley (Nanaimo–North Cowichan NDP)

Members:

Kathy Corrigan (Burnaby–Deer Lake NDP)


David Eby (Vancouver–Point Grey NDP)


Eric Foster (Vernon-Monashee BC Liberal)


Sam Sullivan (Vancouver–False Creek BC Liberal)


Jackie Tegart (Fraser-Nicola BC Liberal)


John Yap (Richmond-Steveston BC Liberal)

Clerk:

Susan Sourial




TUESDAY, JULY 21, 2015

The committee met at 8:38 a.m.

[D. McRae in the chair.]

D. McRae (Chair): Good morning, ladies and gentlemen. Welcome to the second formal meeting of the Special Committee to Review the Freedom of Information and Protection of Privacy Act. Today we’re joined by Elizabeth Denham, the Information and Privacy Commissioner.

We’ve started a little late, and my apologies for that. Because of that, I guess, if I could ask Elizabeth to introduce herself and her staff.

I think you’ve met all of us before. I gather you have a presentation that could take 25 to 40 minutes, which is fine, and then some time for questions and answers afterwards.

Briefing: Freedom of Information and Protection of Privacy Act

E. Denham: Thank you. Good morning, Mr. Chair.

Good morning, Mr. Deputy Chair.

With me today are Deputy Commissioner Michael McEvoy. I know some of you know Michael from previous lives. Also, Pat Egan, who is acting assistant commissioner. I’m also joined by a group of our staff, behind me, that do a lot of the heavy lifting to prepare me for these presentations. Thanks to them for being here this morning.

It’s a pleasure to be here to provide you with, really, a broad perspective as you begin the important task of reviewing the Freedom of Information and Protection of Privacy Act.

[0840]

My purpose here today is not to set out a specific agenda but to give you my perspective, to put the current law in context and talk about the impact that this legislation has had on the citizens of British Columbia. I think a legislative review is a marathon; it’s not a sprint. I’m going to provide you with a more detailed submission later in the fall, and I’m open to any questions that you may have after the presentation today and as this important process unfolds.

Let me start from the beginning. Although the federal government has had access-to-information legislation since 1983, British Columbians did not have a legal right to access government records until the introduction of the act in 1993. They didn’t have a legal right of access to government records, although it could be said that there were various pieces of legislation protecting citizens’ privacy.

If a citizen wanted information on, say, whether her child’s daycare provider was licensed or what its safety record was, she had to locate the administrator of the licensing program, write them a letter, and whether she got information depended on the often unwritten policies of that agency. If she didn’t get what she was looking for, there was little or no mechanism for review or recourse.

In other words, access to information was an arbitrary matter. And if the information was forthcoming, there were no timelines for delivery of the information, no independent review, no right of appeal that allowed a citizen to inquire why the information requested was not forthcoming. The passage of the Freedom of Information and Protection of Privacy Act marked an important milestone.

Citizens’ privacy rights were codified, and their access to information rights were defined. Exceptions to those access rights were identified, and independent oversight, a commissioner supported by an office, was established. And while this piece of legislation legally protects access and privacy rights, I want to emphasize that it was designed to be and should be an act of last resort. The law guarantees a right of access. It does not require, though, that a person file an FOI request every time they seek information from government.

Today there are access-to-information laws in over a hundred countries around the world. Similarly, there are 109 jurisdictions that have privacy or data protection laws. British Columbia combines the two into a single statute. Public bodies have the critical task of making sure personal information collected from citizens is protected while also ensuring that government is both open and accountable with independent oversight of both by my office.

When FIPPA was first introduced in British Columbia, it was praised as being the best legislation of its kind in Canada, perhaps in North America. “State of the art,” they said. Even today B.C. is still recognized as a leader in access-to-information and privacy legislation.

The Centre for Law and Democracy, which publishes an access-to-information report card for Canada each year, has consistently given British Columbia the top score of all of the provinces. But this year we placed second, outscored by Newfoundland and Labrador because they have a newly overhauled access-to-information and privacy regime.

By the way, if you’re looking for cabin reading this summer, I would suggest that you read at least the 128-page executive summary of the Newfoundland review, because it is really the most substantial review that we’ve seen in the few decades of provincial legislation.

Within Canada B.C. is consistently ahead of the pack, but on a global scale we are not. B.C.’s laws rank 32nd of 102 countries, tied with Georgia and Uganda. We fall behind the U.K., Brazil, Mexico, India and many others.

[0845]

This being what I believe is the fourth review of FIPPA, it’s important to consider the external trends affecting the operation of the legislation as much as the internal dynamics of information rights in British Columbia. And your work is critical to continuing the currency and the relevancy of this legislation.

As an officer of the Legislature whose role it is to oversee the legislation, I think I’m well situated to assess both the access element and the privacy element — what works and what might need some improvement. “Oversight” means that I’m responsible for ensuring that public bodies comply with access to information and privacy obligations. I also have the authority to adjudicate access to information and privacy disputes.

On both the access-to-information side and the privacy side, there are a couple of key factors that have changed since the last review of the legislation: (1) the rapid acceleration in the use of technology and the new challenges that technology presents, both to privacy and to access to information; and (2) global legislative trends dealing with issues such as accountability and effective oversight.

In my detailed submission to you in the fall, I’ll have some very specific suggestions for your consideration, but today I wanted to provide you with more of a high-level perspective of some of the areas that I think deserve your attention.

Technology presents new challenges and new opportunities. The pace and the intensity of technological advancement — our ability to create, store, use and share mass amounts of digital information and data — are really at the heart of some of the biggest challenges facing privacy and access to information today. We’ve moved from a paper-based system to an era where most records are born digital. Every day government employees are creating hundreds, if not thousands, of digital records, all of which must be stored and secured within government networks and then either disposed of or archived according to the law.

On the access side, there’s an expectation that government information is made available proactively in ways where it is easy to find, easy to search, easy to use and easy to reuse. While core government responded to 8,377 FOI requests in 2014-15, which is down from 10,000 requests the year before, there’s an increasing interest in proactive disclosure. Such disclosures would relieve some of the pressure on the system while promoting trust on the part of the public.

I note that the number of access requests to government is on the decline. That’s 15 percent fewer requests in 2014-15 than there were in 2013-14. That number would decline even further if government moved ahead with proactively disclosing more information — for example, calendar requests, which accounted for 12 percent of all of the FOI requests made to government in 2014-15.

On the privacy side, there’s been an explosion of information about us. Let’s not forget that citizens rarely have a choice whether or not to hand over their personal information to public bodies in exchange for services. Our capacity to collect, store and use personal information and data is advancing at a rapid rate. The personal data that citizens are required to provide public agencies increasingly has value. Public bodies are under growing pressure to use data analytics to mine personal data sets for the benefit of public policy-making and for compliance and enforcement purposes.

[0850]

There’s a certain amount of public unease in relation to the use and the protection of personal information in our digital society. There’s a concern that the right of privacy and protection of personal information will be swept away by these data flows, and the ways that our personal information is being managed and used are becoming increasingly incomprehensible.

While we commonly talk about issues such as the openness principle as being focused on facilitating disclosure of information, it’s also reflected in the rules that govern sound management of personal information. The public can only be confident in how their personal information is being handled if they know what public bodies are doing and whether they’re acting as responsible stewards of the personal information.

This is, in many ways, demonstrated by the information that these agencies make available about how they’re managing personal data. So transparency is a very important element. In light of growing concern about new and emerging technologies and their impact on information and privacy rights, transparency and openness are essential to build public confidence in the information-handling practices of public agencies. Trust is essential as our society continues to deepen the way that we use digital information and reflect ourselves in that use.

Just a side comment about technology in the health sector. One sector that combines large amounts of personal information with challenging technology issues is health care. There’s a great and growing interest in the potential of new technologies to save lives, to change lives. Think genomics, health wearables and health data analytics.

But our personal health information is the most sensitive information that we provide to public bodies. I’ve always believed, and I’ve made many speeches expounding the view, that we can have both robust privacy protection as well as health research using this data. But we have to proceed carefully.

What complicates the health sector is the patchwork of laws and legislative carve-outs that knit together the rules for personal health information protection. Unlike almost all other Canadian jurisdictions, British Columbia does not have stand-alone health information legislation. The Ministry of Health has announced its intended consultation on the future of personal health legislation specific to the health care sector. I’ve called for stand-alone health information rules in British Columbia, and I hope that the consultations arrive at that same conclusion.

But until we know the outcome of the Ministry of Health’s process, then this committee will have to consider the particular impact and the concerns of the health care sector as you deliberate on the future of FIPPA. As you listen to and as you analyze the public’s submissions, I ask that you actively consider whether health information, which is increasingly part of an integrated system that operates across the public and the private sectors, needs specific rules within our legislation.

Moving on to my second topic now. On the topic of global trends, it will be of interest to the committee to know that there have been significant developments in law reform in various jurisdictions over the past five years. In Canada we’ve seen amendments to the federal private sector law as well as, mentioned earlier, a far-reaching overhaul of the legislation in Newfoundland and Labrador.

In the European Union there’s been much work done to update the data protection framework, work that is on the cusp of being finalized. This EU regulation is leading edge and will apply to 28 member states of the European Union, replacing domestic laws. Six years in the making, I consider that the EU regulation will set a very high bar with respect to privacy management, mandatory breach notification, sanctions and oversight.

[0855]

When we look at these Canadian and global law reform initiatives, some important developments emerge that will be of interest to the committee. The first one of these big trends is explicit accountability requirements for public bodies written into law. The word “accountability” likely means something very specific to you as legislators or to your constituents, but let me describe what it means in terms of privacy and access to information. Applied to personal privacy, accountability means that public bodies have a legal duty to take seriously their responsibility to protect the personal information that’s entrusted to them by citizens and employees.

I believe there’s a demonstrated need for specific accountability measures in our privacy law to make sure that the rules that public bodies follow are comprehensive and protect personal information in their care. While a high-level principle of accountability is in B.C.’s law, the specific accountability framework that public bodies must take to adopt privacy protections is missing.

Some elements of an accountability framework would include mandatory privacy training for employees that handle sensitive personal information; privacy policies that account for how personal information is collected, used and disclosed; transparency reporting for disclosures to law enforcement; audit controls to monitor access; and data breach response plans.

Another significant global trend is mandatory breach notification, which ensures that when a data breach occurs, affected individuals are notified promptly so that people can take steps to protect themselves and that my office is advised to ensure we can exercise our oversight role of ensuring that breaches are managed appropriately and that future preventative measures are taken.

Right now we have voluntary breach reporting by public bodies to my office, and we receive less than 1 percent of all data breaches that we have later audited and been made aware of.

Breach notification is required by a directive in the federal public sector and is legislatively mandated in Newfoundland and Nunavut. Also, six jurisdictions in Canada require breach notification in their health information statutes. The proposed EU regulation is moving towards mandatory breach notification for both the private and the public sectors, with significant sanctions for non-compliance. So there’s a growing expectation among citizens that organizations and government will be accountable to them when a breach happens.

You may be aware that the special committee that recently reviewed the Personal Information Protection Act, PIPA, recommended mandatory breach notification and reporting for the private sector in B.C. I believe it’s time to consider a similar recommendation for mandatory breach reporting for the public sector. Public bodies really need to move from being reactive to events like breaches to being proactive. A comprehensive systems-based approach to privacy, written into law, will help us achieve that.

I know that core government has done a lot of work in developing a comprehensive approach to privacy in ministries, but many jurisdictions around the world are moving to implement explicit accountability requirements into their legislation and policies. The special committee reviewing PIPA also recommended that such language be included in B.C.’s legal framework as it applies to the private sector.

One thing for the committee to keep in mind is that there’s benefit in harmonizing, as much as possible, the provisions in the private sector privacy law with the public sector privacy law. The committee should consider similar amendments to FIPPA to make it clear what the public bodies’ obligations are to protect personal information in a proactive way. I’ll have more to say about this in my detailed submission.

[0900]

Applied to access to information, accountability — back to the principle of accountability — means a number of things. It means public agencies making information available to citizens proactively in open, reusable data formats. So it means making that information available proactively without waiting for an FOI request. It means public bodies having a legal responsibility for the full life cycle of a record, from creation to final disposition. Accountability and access to information practices drive discussion for the need for a duty to document key actions and decisions of government, proper records management and archiving regimes, and ensuring that information is not deleted or destroyed in an unauthorized manner.

When records are properly created, managed, preserved and disposed, then citizens and businesses, non-profits and others will get the optimal use out of our laws to better understand government and to participate more fully in our democracy in our society. I believe this represents good government.

Another global trend with respect to both the access-to-information and the privacy elements is that of increased authority for independent agencies that provide oversight of the legislation. Effective oversight means things like having the legislative authority to ensure that there are proper information management systems in place for records and personal information.

I think of information in the same way that accountants think about financial assets. The key is proper management systems and controls to ensure records and information are handled appropriately. Effective oversight means ensuring that the only records that are destroyed are authorized to be destroyed by legislation and policy. It means that the government and other public bodies can account for, through recordkeeping and documentation, what has happened to records or personal information when they are called upon to do so. These duties require independent oversight, and as in Alberta and Ontario, this oversight should be located within FIPPA. It may also mean providing administrative penalties and sanctions for deliberate destruction of records.

I’ll have more detailed proposals reflecting the global trends and effective oversight in my presentation to you in the fall.

These technology changes and global trends tell us that the world of privacy and access to information is constantly evolving and that if B.C. wants to stay current, our legislation must evolve. Although there’s merit in dealing with specific problems by addressing specific clauses in the legislation, I suggest that this be done within a broader context of defined values. FIPPA has some important values embedded in it, and I think this lays a solid foundation for future amendments.

The values that I think continue to underpin any recommended changes the committee may make are trust, transparency and accountability.

Where there is no public trust, there is no public confidence. Where there is no public confidence, public agencies have a really hard time implementing new programs, especially those that involve new technology. This is why, when considering any potential changes to the law, I encourage the committee to assess whether the public would consider what you’re doing as promoting the building of trust in public bodies or eroding it.

The second value is transparency. Transparency is critically important to the integrity of the operations of a public body, and it’s essential in getting buy-in from the public as government agencies increasingly shift their operations to the digital realm. It’s also the foundation of proactive disclosure regimes and lawful responses to access-to-information requests. So when the committee is considering any changes to the law, I urge you to consider how greater transparency can be achieved, including such ideas as open by default.

[0905]

Finally, there is accountability. Public bodies need to be able to explain how they use personal information and how they process requests for records and be willing to be held accountable for these explanations and these processes. As demands for accountability grow, the committee should consider how proposals enhance accountability for personal information in the possession of public bodies or for their processing of information requests.

Coming to conclusion, your committee will, I believe, have a lot of work to do. I think you’re going to receive a lot of submissions in the coming months. Many are going to deal with specific issues, such as the fee structure for access-to-information requests or steps to make it easier to store government data outside of Canada in the cloud. Many are going to be broader in scope, such as suggestions to improve access to public agencies’ information, to encourage proactive disclosure or for a duty to document, just to name a few.

My guidance for your consideration is that the principles that underlie access and privacy rights in FIPPA remain fit for purpose. I think it’s important to maintain the fundamental principles and not move away from them while updating our law to deal with developments that are created by technological challenges and by new access and privacy legislative developments in other jurisdictions.

The act is not without its critics. But in providing a largely free and universal right of access to information, subject to legitimate exceptions and protection for citizen privacy, the current law is a solid foundation on which we can build a yet stronger framework.

I’m really pleased that the committee has been established, and I look forward to providing my detailed submission to you later this year. I encourage you in your cabin reading, and I can give you more suggestions for that.

Finally, I’d like to invite everyone on the committee to attend a conference that my office is hosting November 12 and 13 in Vancouver. It’s called Privacy and Access 20/20, “The future of privacy.” Registration is open. We have many, many speakers from Canada and around the globe. We’ve got a great agenda, and I look forward to welcoming all of you there.

Thank you very much for your attention this morning. I think my presentation was longer than 29½ minutes. Thank you for your patience. I am willing to take any questions you may have.

D. McRae (Chair): Thank you very much. First of all, I must add that your definition of cabin reading and mine might be slightly different, but we’ll leave it at that today.

I’m sure there are some questions from the floor.

D. Eby: There was a lot of information in that presentation. Do you have a summary document or something that maybe you could provide the committee with, just to give us a reminder of the key ideas you were putting forward?

E. Denham: I can certainly do that. I’ll give you an outline of the presentation that might get to those key issues, the two trends and what they might mean for B.C. law. Absolutely.

D. Eby: Thank you. We were provided a document that had a list of recommendations put forward by the 2010 committee and where we were at in terms of the implementation as a province. Recommendation No. 4 was: “Expand the definition of ‘public body’ in schedule 1 to include any corporation that is created or owned by a public body, including an educational body.”

Now, I understand the history of this is that in 2005 Minister Shirley Bond issued a press release saying that school boards that owned entities would be subject to FOI. Then the 2010 committee said yes. Public bodies that own corporations…. Those corporations or bodies that are owned by the public body should be subject to FOI. They made that recommendation.

We got an update last week, this week — it’s all blurring together — saying that this was under consideration, that there were consultations that had been done, and there were implications that may have “unintended consequences” — the wording that was used. I’m having trouble understanding how in 2005 the government could say that they were going to do this and in 2015 we still don’t have this in place. Are you able to shed any light on what the delay is around including subsidiary, fully owned corporations owned by public bodies within the act?

[0910]

E. Denham: Absolutely. This recommendation really is about an accountability gap in the Freedom of Information and Protection of Privacy Act. Subsidiary corporations of local government are completely captured by the access and privacy provisions of the legislation, and yet subsidiary corporations of educational bodies are not. This was a concern of the 2010 committee. It continues to be a concern of our office. The concern is about the use of public funds. Where public funds are used to create a subsidiary corporation, to invest in a subsidiary corporation, then it’s my view that the records should be subject to freedom of information and protection of privacy, and they are not at this point.

I have written to ministers responsible twice over the years, once in 2011, once in 2014, asking for an update on their consultation process. I don’t have any more detail, except that there is a consultation process going on and the government wants to hear from stakeholders and ensure that there aren’t any unintended consequences. That’s the answer that I have.

But I think, bottom line, where public resources are used to operate a subsidiary corporation, then the entity should be subject to FOI. I think British Columbians deserve an expeditious response to this issue.

D. McRae (Chair): Thank you very much, and thank you for your response to our requests for an outline of your presentation. If it’s possible, could you forward that through to our very able Committee Clerk for distribution?

E. Denham: I will, Mr. Chair.

D. McRae (Chair): I think, Doug, you had a question.

D. Routley (Deputy Chair): I have a couple of issues that I wonder if I could just list for inclusion in your more fulsome brief that you’ll bring forward later — areas that I have interest in and I think we could benefit from having more information on.

One of them would be the stand-alone health care legislation — how we can move towards a recommendation that informs the creation of that, best benefiting from existing statutes in other jurisdictions, and what guidance you could give to the committee in order that we make recommendations that are productive.

And then in terms of significant sanctions, specific sanctions — it’s a repeated theme. The Government Information Act that was passed recently removed the Offence Act from application to the mishandling of information, so perhaps the Offence Act isn’t the right vehicle to achieve this. Perhaps you could help us with what you would recommend in terms of building a framework or an approach to sanctions.

I’m interested in a couple of things that I wonder if you could respond to now: data linking, the state of government’s efforts in data linking and how your office is responding. You have in the past commented on the amount of litigation that your office is subject to, that perhaps the Office of the Information and Privacy Commissioner of B.C. is more litigated than the same offices in other jurisdictions — maybe an update on the status of that issue.

E. Denham: Yes. So four things. In answer to your request to provide more information around how this committee can view stand-alone health information legislation and what the, maybe, special issues are around health information protection — I can certainly do that. I can also refer more cabin reading to the committee, and that is my 2014 report called A Prescription for Reform, which is really all about the integrated health sector. It contains 21 recommendations that I think the committee might want to look at when they are reviewing FIPPA.

[0915]

You can’t assume that there is going to be new legislation in the health sector that governs personal health information. You can’t consider that it’s going to happen, so this committee is going to be tasked with examining whether there needs to be a special code, maybe even within FIPPA, to deal with health information. I talk about how health information is special, including consideration of genetic privacy, genetics and genomics, which is a really complex area and new information that we really haven’t tackled before.

Secondly, in response to your ask for some considerations around sanctions or penalties or oversight of the Information Management Act, which was introduced as Bill 5, yes, I will be providing the committee with my thoughts on that. There have been changes in legislation across the country, in both Ontario and Alberta, to give those commissioners oversight over recordkeeping functions and destruction of records, because you can’t really do the work of access to information without assuring that there’s proper recordkeeping. It’s a foundational piece.

With the 1936 Document Disposal Act, passed a few years before Gone With the Wind…. That legislation is out, new legislation is in, but there are no sanctions in the new Information Management Act that existed in the 1936 act. I will be providing my thoughts to the committee on that issue.

Thirdly, you asked me about data-linking provisions.

Fourthly, you asked me to comment on litigation.

Is that correct? Have I got everything there?

D. Routley (Deputy Chair): Yes. Thank you.

E. Denham: So data linking. I will be providing, again, more detail about this in my submission, but in amendments that were made to the act in 2011, the government and public bodies received new authorization, new powers, to allow them to link databases of personal information as long as they provided our office with early notice of data linking and as long as they provided a privacy impact assessment, and there were supposed to be regulations that defined rules for data linking.

This is an area of great concern in the public. Unfortunately, we’ve been unable to exercise our oversight over data linking since 2011, because the definition of data linking is so narrow that in four years we’ve only seen one data-linking project come before our office. My submission in the fall is going to be detailing a fix to this problem, which is a new definition of data linking. That’s going to be contained….

Data linking is a great concern, and in this area of big data, when data analytics…. Many public bodies want to use data analytics. We need the corresponding oversight so that citizens can make sure that somebody is watching and that there are rules around data linking.

Your last question is about litigation before our office. I am happy to tell you that we are not the most litigated Information and Privacy Commissioner’s office in the province. In fact, I think our…. Litigation before our office is down somewhat this year over last. On average I think we have about six or seven challenges before the court out of 60-plus orders that we issue every year. It’s about 10 percent. So 10 percent of the orders and decisions that we make every year are litigated.

D. Eby: In the list of recommendations we were provided, as well, there was a discussion of…. It was recommendation 19, I think. I’m just trying to pull it up here. Recommendation 19: “Review section 25(1) in light of the Supreme Court of Canada decision, Grant v. Torstar.” Under the action taken as a result of the review, it was marked as complete — that no amendment was deemed necessary.

Now, I’ve had a quick look at the decision. It discusses public interest. The section itself discusses when the commissioner should release matters in the public interest. I assume that the discussion was about amending section 25(1) to include the court’s definition of public interest in our legislation or somehow incorporating it. I’m not clear about that, though.

[0920]

Can you talk a little bit about your understanding of what the implications of Grant v. Torstar might have been for the act and whether it was your understanding at the time that no amendment was necessary or whether it is now?

E. Denham: I am going to provide you with my comments later through the Chair, because I haven’t studied that decision. But I can say that in the past our office has made a recommendation that section 25(1)(b) be amended to provide a broader interpretation of what can be released in the public interest.

I recently released a report on Mount Polley, and in that report I have reinterpreted the public interest under our legislation. It’s my view that we don’t need an amendment to section 25, of (1)(a) or (b), in light of the reinterpretation that I’ve made with Mount Polley.

Previous commissioners had judged the public interest to be very narrow and that there be a temporal urgency to determining what is in the public interest. With the reinterpretation, there’s a broadening of the definition of “public interest,” where there needn’t be a time urgency or circumstances that are urgent. It can be a matter that is just generally in the public interest.

That report and that reinterpretation — again, good reading for the committee. But if it’s useful to the committee and if the Chair would like, I can summarize that and also provide you an answer with my interpretation of the court decision in light of section 25 — if that’s helpful.

D. Eby: I imagine it was the temporal aspect that was the key there in Grant. I don’t think it’s necessary for you to summarize that. I think sub (b), your clarification on that, is sufficient for me, anyway. I don’t know about the other committee members.

E. Denham: Thank you.

S. Sullivan: I’m on the board of the Rick Hansen Institute. One of the constant themes is not being able to access data from people’s health records, even aggregated data. It does really affect the ability to do research and to make new discoveries and such.

I’m just wondering: is that part of this effort? Is it probably the reason why we can’t access the data — because of this legislation?

E. Denham: I don’t believe that there’s a barrier in the Freedom of Information and Protection of Privacy Act, at all, to access. There’s no legal barrier to access, especially de-identified information for research. It’s not a legal barrier. It’s allowable. With ethics approval, there’s even the provision to use identifiable information.

Section 35 of the Freedom of Information and Protection of Privacy Act does a good job, I think, of laying out the legal rules. That said, there are a lot of other reasons and conservative interpretations, perhaps, of the act. Other issues within….

Let’s say it’s a health authority that holds the data. There could be administrative reasons why they can’t make the data available. But there’s a lot of discussion going on now about the need to actually establish a secure research environment, a platform, a facility, so that health information can be accessed more readily by public interest researchers.

That’s one of the recommendations that I made in my prescription for reform. Again, how do you create a secure platform where all the data resides and researchers can gain approval to access even identifiable data? They can be approved at the outset, and we can speed up the process. My point is that the law is not getting in the way but that there are some things that we could do as a province to make it easier for researchers to get legitimate access to important health data. That is something that I can include in my submission.

Michael, did you want to add?

M. McEvoy: I just wanted to add that the commissioner has actually led two significant round tables in the province now over the last couple of years, bringing together researchers, the university, community — the Rick Hansen Foundation was part of that — to talk about some of these issues, to talk about some of the barriers and how they can be overcome. I think those were very significant conversations and have gone some way to bringing down some of those barriers — certainly, I know, with the Ministry of Health.

[0925]

Our office, through the commissioner’s work, has been at the forefront in leading the breaking down of some of those barriers.

E. Denham: I believe strongly in the need for health research, public interest health research. We have to make it easier for researchers to get access to data. We also have to make sure that data custodians have the proper resources to do things like de-identify data, make it available. That’s why I think there should be a one-stop shop for health information to make it available. Those conversations need to be had.

This committee will have to look at whether or not there’s a legal barrier to making that happen, but I’m really glad that you asked that question.

S. Sullivan: Just one other question. There are quite surprising amounts of information people give — you know, put on Facebook and give to corporations. Are there rules about government being able to access that kind of information that seems to be freely available out there?

E. Denham: Where I thought your question was going is…. I thought you were going to say: “Isn’t privacy dead because everybody is on Facebook?” Individuals choose to share, through social media, a lot of information, a lot of personal information about themselves. But my view is that just because an individual decides they want to share information with what they believe is a defined group of friends and colleagues, it doesn’t mean that they want their data mined by the government, by national security agencies and used for other purposes.

If somebody has a social media account that’s not locked down, so it’s public…. Your question, I think, is: can public agencies mine that data? Can an employer in a public sector organization start looking at your profile on Facebook to figure out whether or not they want to hire you?

I think it’s problematic in our law. With the collection rules, you’re supposed to collect information that is necessary for the purpose. Also, public bodies have a duty to collect accurate information. I think that’s problematic if public bodies are just cruising the Internet looking for stuff. Somebody could be an imposter. Somebody could have made posts on somebody else’s social media page.

So we’ve got accuracy. We’ve got necessity. There are some barriers to public bodies going out and perusing and cruising and mining the Internet for personal data. We’ve got to be good stewards, and we have to make sure that we collect information with the person’s knowledge, when it’s reasonable, and it needs to be accurate.

D. Routley (Deputy Chair): I’m concerned about the erosion of the notion of consent, particularly around the information being given in order to qualify to receive services and in the handling of people’s information. There was recent legislation in the field of education that would circumvent previous consents given by people. They may have an understanding that their information is private and only to be used for one use, but recent changes have implied that those consents are not as strong as people would expect and that people would not be notified that, in fact, the consent they gave has been overridden.

Do you share a concern? How do you think the committee should be responding to that?

E. Denham: Mike, do you want to take that? You’ve been looking at the education sector.

M. McEvoy: I mean, I think it still goes back to what the commissioner just said about necessity. Even with consent, our office would look at whether the collection is necessary. Then beyond that, you’ve raised the question about what the purpose is for which that has been collected. Even with consent, there is a limitation. It can’t be used for something other than the purpose for which it has been collected — or at least consistent with that purpose.

I’m not specifically familiar with the issue that you’ve raised, but we would be happy to look at it and make an assessment of it.

[0930]

D. McRae (Chair): Are there any other questions from the committee members?

Well, noting the hour, I would like to say, first of all, thank you very much for coming this morning. If I could ask the Committee Clerk…. You made reference, Commissioner, to the prescription for reform in the health sector in 2014. It’s readily available on the website. I’m sure, Susan, you’re able to give a link to the committee members and save the Commissioner some effort there.

As well, to the committee members, you’ll remember that at the ministry briefing we had last week, we ran out of time and we invited members to make written submissions through the Clerk to the ministry for response. If it’s possible for the Commissioner as well, could we also make that request of you until this Friday — if a committee member has an epiphany in the next little while and makes that request in writing by Friday? If you want to, you could either answer that way or just say that you’ll include it in your formal presentation later on.

E. Denham: I’m happy to do either one. We’ll respond to the committee as a whole, all the members of the committee. If we receive a question, we’ll send it out.

D. McRae (Chair): Perfect.

Susan, is there anything else we need to do for today’s business?

S. Sourial (Committee Clerk): No.

D. McRae (Chair): Since I don’t see any other business for today, I adjourn this committee.

The committee adjourned at 9:31 a.m.

