2000 Legislative Session: 4th Session, 36th Parliament
SPECIAL COMMITTEE ON INFORMATION PRIVACY IN THE PRIVATE SECTOR
MINUTES AND HANSARD


MINUTES

SPECIAL COMMITTEE ON
INFORMATION PRIVACY IN THE
PRIVATE SECTOR

Monday, June 26, 2000
3:30 p.m. – 4:30 p.m.

Birch Committee Room
Parliament Buildings, Victoria


Present:
R. Kasper, MLA (Chair); J. Weisbeck, MLA (Deputy Chair); P. Calendino, MLA; S. Orcherton, MLA; G. Abbott, MLA; K. Whittred, MLA

Unavoidably Absent: G. Clark, MLA; G. Janssen, MLA; E. Walsh, MLA; G. Plant, MLA

1. The Chair called the Committee to order at 3:42 p.m.

2. The Chair advised those assembled that a quorum was not present. The Committee agreed to proceed on the basis of receiving information at today's meeting.

3. The Committee heard testimony from the following witnesses:

- Brent Grover, Corporate Information and Privacy Analyst
- Kevin McKee, Information and Privacy Analyst, Corporate and Information Access, Information, Science and Technology Agency
- Ann Guinchard, Corporate Information and Privacy Analyst
- Chris Norman, Director, Corporate Privacy and Information Access

4. The Committee adjourned at 5:00 p.m. to the call of the Chair.

Rick Kasper, MLA
Chair

Craig James
Clerk of Committees and
Clerk Assistant


The following electronic version is for informational purposes only.
The printed version remains the official version.

REPORT OF PROCEEDINGS
(Hansard)

SPECIAL COMMITTEE 
ON INFORMATION PRIVACY
IN THE PRIVATE SECTOR

MONDAY, JUNE 26, 2000

Issue Number 11

Chair: * Rick Kasper (Malahat-Juan de Fuca NDP)
Deputy Chair: * John Weisbeck (Okanagan East L)
Members: * Pietro Calendino (Burnaby North NDP)
   Glen Clark (Vancouver-Kingsway NDP)
   Gerard Janssen (Alberni NDP)
* Steve Orcherton (Victoria-Hillside NDP)
   Erda Walsh (Kootenay NDP)
* George Abbott (Shuswap L)
   Geoff Plant (Richmond-Steveston L)
* Katherine Whittred (North Vancouver-Lonsdale L)
* Denotes member present
Clerk: Craig James

Committee Staff: Wynne MacAlpine (Committee Researcher)

Witnesses: Brent Grover (Ministry of Advanced Education, Training and Technology)
Ann Guinchard (Ministry of Advanced Education, Training and Technology)
Kevin McKee (Ministry of Advanced Education, Training and Technology)
Chris Norman (Ministry of Advanced Education, Training and Technology)

[ Page 121 ]

The committee met at 3:42 p.m.

R. Kasper (Chair): Okay, I'll start the meeting. Just to advise the committee, we don't have a quorum. But I think that in the interests of time -- and notice has gone out to members -- because staff are here to continue with their overview and reports that they started at our last meeting, we'll get started.

We have an agenda. It lays out three items: the technology backgrounder; an oversight mechanism, an audit section; and privacy legislation and sectoral privacy codes. There are three staff members here from ISTA. I'll turn it over to Brent Grover.

Brent, if you could just give your name for the record and where you're from, I'll turn it over to you. Okay?

B. Grover: Okay. Thank you very much.

R. Kasper (Chair): Great, thanks.

B. Grover: I'm Brent Grover from the corporate privacy and information access branch. We do have handouts; we gave them out last time. Wynne has just stepped away to get them. We'll redistribute them again.

The title of this portion of the presentation is called "Trust and Certainty in the Electronic World." Basically this is not going to be a talk about technology or a lot of the really nice acronyms like SSL or S-MIME or VPN or any of those things. But it's more a discussion of some of the concepts and principles involved in trust and certainty, as well as trying to provide the members here with a bit of a first look at some of the definitions in this area for some of the things that you may be touching on in your deliberations.

When we talk about trust and certainty, we're usually looking at it in terms of two basic concepts in the privacy and security area. Basically the assurance of identity is: how sure are you that the person at the end of the line is who they say they are? The other portion of that, of course, is: how secure is your document or your data or your message when you send it electronically over the Internet or over a secure private network?

[1545]

As I work through the discussion here, what I'll do is kind of build this up in terms of the concepts and the principles and then lead into digital signatures and have a kind of very brief overview of PKI, which means public key infrastructure, which is one of the leading technologies right now. The idea isn't to make you all experts in PKI, but rather to provide you with a basic overview so that you know how to dissect the basic principles or use the principles to dissect the different security mechanisms and see how they take in and relate to privacy and security on the Internet.

R. Kasper (Chair): Just a question for me: noting our time and the fact that we had a fairly extensive question-and-answer period at our last meeting, are you confident that, from your side, the staff who are here, we in fact could be able to get through what you're going to present here?

B. Grover: From this material that I have, we're only talking six slides.

R. Kasper (Chair): Yes, right.

B. Grover: I can do it in the next 12 minutes.

R. Kasper (Chair): Okay.

B. Grover: And then the questions, of course, will expand that. It just depends on where the questions go.

R. Kasper (Chair): Okay. You know, I'll put the same question to Kevin McKee.

The committee recessed from 3:46 p.m. to 4:02 p.m.

[R. Kasper in the chair.]

R. Kasper (Chair): Okay, carry on. Let's start it.

B. Grover: Okay, I'll just pick up from where I left off. In terms of trust and certainty in the electronic world, what we're really looking for is a trustworthy system that is reasonably secure from intrusion and misuse, has a reasonable level of availability, reliability and correct operation, and does what we want it to do so that our message gets from point A to point B. No one else sees it; the people at the other end can understand it. And we know who we're dealing with at the other end.

Now, we can look at this, if you want to turn to the second page of your handouts. Basically we're talking about a really basic interaction here, just between a person who's sending a message to someone who's receiving a message. The question comes up, you know: is there really a problem out in the electronic world? Well, there is in some degree, because of the questions that we have listed there. Can the person at one end deny that they sent you a message? Is that person who they claim to be, or are they pretending to be someone else? Are they authorized to use the systems that you have there? Really, is your data secure?

When we look at this from a business requirements point of view, what we start to do is boil it down into some key concepts. We talk about authentication. It's not enough for me to say that I'm Brent Grover from corporate privacy and information; you want to authenticate my identity. Then I have to show you my driver's licence, my birth certificate, some other proof that I am who I say I am. This is important in the electronic world, because all you have to identify people is generally their e-mail address.

One of the big certification authorities, called VeriSign, used to give away certificates of identity for e-mail transactions. You could apply and say that you were Bill Gates or Elmer Fudd or whoever you wanted to be. And you would have a really nice certificate that said: "Oh, I'm Bill Gates. This is my opinion."

Well, you have to look at the reasonableness of what you're getting in. That's why you need to look at authenticity. All these things here are not black and white; they're a range. You have to apply some common sense in how you look at them, and that's part of the problem in this area -- the same with the concepts of authority, integrity. How do you know when people have looked at your message or altered it in some way, especially if you're dealing with transactions that have a large dollar value? Privacy, which we're concerned about here, is when we apply a digital signature, for example. It doesn't encrypt the message; it doesn't change it so no one else can read it. It just lets you provide a way to notice if someone has made any changes to it.

[ Page 122 ]

And finally the concept of non-repudiation or: can the transaction be denied? What I find is that when we look at this area, we're basically talking about two key concepts: trust and certainty. How much trust do I have to have in each of these characteristics? How much certainty do I have if I have to go back and prove it?

We're also finding that we're asking some other questions in this area about the appropriateness of the security measures, of the level of privacy that goes into a transaction. That's why on the next page, for example, you see there a diagram. Really, on the Y-axis is data protection or assurance of message content; on the X-axis is assurance of identity.

So if you want to make sure that your message gets from point A to point B and the data is protected, then the next thing you would want to do is look at: how much assurance do you need that the person at the other end of the line is really who they say they are? And how much assurance does that person need to make sure you are who you say you are -- because we're not dealing with face-to-face transactions anymore? We're dealing electronically. And you can be anybody you want to be, basically, with some degree of certainty.

So when we talk about assurance of data protection, integrity, confidentiality of the data, typically, you know, for what we can. . . . Now we use registered mail or a double-envelope system for some of the budget material, for real-world examples. There's a whole slew of electronic examples for how we protect data as it moves over the Internet and through networks. I put down some of the acronyms there, but I won't talk about them any more than just to say SSL, VPN, S-MIME. They're all ways of protecting the data as it moves through the system.

Assurance of identity -- basically it's the same type of thing: how much trust and certainty do you need to have in the people or the parties that are involved in the interaction? Not all transactions are going to require the same levels of trust and certainty. For example, if I send an e-mail saying, "Let's go to lunch," I don't need a lot of encryption on that. I don't really care who else sees it. You probably will be okay with just the e-mail address saying that it's me. If you contrast that to a stock transaction that says, "Here's my bank account number; take out $10,000 or $100,000 and buy stocks with it," I want to have a lot of trust in who you are. And I want to have a lot of certainty, so that if you do that, I can go back and prove who I sent the message to, who I authorized it from. That's how we start to break out some of those things.

For each of the transactions you have different levels of assurance of identity. Some of the examples that I'll use, just as I work my way along the x-axis of the little diagram there. . . . If you're purchasing software from an Internet site, basically all you need is your e-mail address and some assurance of payment for the vendor. Assurance of payment is different than assurance of identity. I can use someone else's credit card to pay for something. They still don't know who I am, but they're happy, because I've made an effort to pay them. So that's a little bit different.

As you move up this graph, you get more and more certainty about who's involved in the transaction, until you finally get to the far right edge there, when we start talking about digital certificates, which are basically the start of digital signatures. A digital certificate has a digital signature incorporated into it, and it's a way of proving a person's identity or authenticating their identity within the constraints that I described earlier.

[1605]

The digital certificate is basically -- if you want to flip the page there -- unique to the person that it's created for; it's verifiable for the purposes that it's being used. It's under your sole control, and it's linked to a document. So if you change the wording in a document -- for example, the stock example that I gave. . . . Say I send you, "Buy X stock for $10,000," and somebody nefarious puts in, "Buy XYZ stock for $10,000," the digital signature would let the person at the other end of the line know that the message had been tampered with. That's how you would assure the message content. You still need to do the signature and figure out who is the person involved in the transaction.

Questions?

K. Whittred: What does a digital signature look like? I mean, is it a number? Is it an actual signature? Is it a code?

B. Grover: If you flip the page, you'll see what one looks like. It doesn't look like a signature at all.

K. Whittred: Okay, I'm looking at that. But if I'm doing a transaction -- it's a really dumb question -- what do I hit on the computer to indicate that's my signature?

B. Grover: If you're using e-mail, it'll say: "Do you want to digitally sign your e-mail?" And you just click a little button, and all this stuff happens in the background. Basically what the digital signature is, is code. I mean, it's like the old code that you would use during the war or between countries. It's a fancy algorithm or a fancy code that has a public key and a private key. So there are two keys. When you encrypt something with the private key, it can only be decrypted with the public key.

P. Calendino: That's very technical jargon.

B. Grover: Okay. So it's like if. . . .

R. Kasper (Chair): It's like the Enigma machine.

B. Grover: Exactly. That was one I was trying to think of.

R. Kasper (Chair): During the Second World War. So if I wanted to say, "Go north," it would type out something totally. . .

B. Grover: . . .foreign, which is what you see in the little signature there. It's totally foreign.

R. Kasper (Chair): So then somebody else would have to have a machine to. . . .

B. Grover: Put it in again.

R. Kasper (Chair): Yeah, to translate it. So what you're saying is that the digital signature is what your computer does when you're sending the identifier -- meaning me or my computer or my terminal or my little base. I'm transferring the information over to somebody else, and those two computers talk to each other, and it's done in this code.

[ Page 123 ]

B. Grover: Yeah.

R. Kasper (Chair): Am I right or wrong? I don't know.

B. Grover: That's basically correct. The only thing I would add is that the two machines that you have on either end are totally unique. They exist as a pair so that they can talk only to each other, and that's the strength of this. If something is made into code from one machine, only the other machine can take and figure out what it was.

R. Kasper (Chair): Okay. So if I phoned up or got my computer to talk to your computer or Pietro's computer. . .

B. Grover: Right.

R. Kasper (Chair): . . .because I dialled up your address or your computer, the information that we give to each other would be coded when it needed to be coded -- right?

B. Grover: Yeah.

R. Kasper (Chair): Okay.

C. Norman: If I could just try this another way.

R. Kasper (Chair): Yeah, go ahead.

C. Norman: They talk about computers having keys -- keys at each end. The value of that concept -- which helps -- is that when you transmit the information from my computer to another person's computer, there are two things that you want to have assured. One is that if somebody does intercept something between point A and point B, it's only gibberish to them -- that it doesn't go in straight language. So if somebody does intercept it and pull it into their machine, it wouldn't make any sense to them anyway. That's encryption.

That's a very key thing to understand: anything going across public transmission lines goes as gibberish, for all intents and purposes, except for the sender whose machine can translate and put it into the gibberish. The person at the other end who gets it on their computer has the prearranged ability to translate that gibberish into something readable. To distill it down to a very basic thing -- that's where the keys come into place. You make a prearrangement that your key and this person's key are twinned and that in fact you can type it in, gibberish it, send it over there, and they've got another. I put a new verb into the lexicon.

R. Kasper (Chair): Right on.

G. Abbott: I've been gibberished.

C. Norman: And you can ungibberish it at the other end. You've got two gibberishes that speak to each other and understand each other. It's like children when they speak a language that you don't understand. It's prearranged. They've gone together and prearranged it, and the computers have done that. So if you want to distill it down to its most basic, that's where the security part comes in, and that's where the concept of encryption comes in.

B. Grover: It's like a lock with two keys. One key will close it, and only the other key will be able to open it.

[1610]

C. Norman: And they must match.

B. Grover: Because they're matched and you get the key, so it's your private key, and you're the only person that can use it. The mathematics behind it are that it's very unlikely that anybody else could duplicate it. So it provides those key characteristics for a digital signature that is unique. We can verify that it belonged to you, and you were supposed to keep it safe. If you didn't, there's a problem, and you can link it to the document.

R. Kasper (Chair): Now, just to save some time here, the people who are in charge of transmitting or gathering the information from a private person -- be it me or anybody else -- have safeguards built within their system. Do they not? Is that normal?

B. Grover: They might, and that's part of the. . . .

R. Kasper (Chair): The issue.

B. Grover: Yeah. Part of the issue here is that, really, you're looking at a range of needs and a range of security options that can be put into place.

R. Kasper (Chair): Right -- okay.

B. Grover: I'm choosing to talk about the highest level here, with digital signature and PKI, because it seems really attractive. We've had some reports from other jurisdictions that it's also very costly, very complex. But it's good within a certain range of transactions.

R. Kasper (Chair): Now, just so you know -- I don't mean to interrupt -- some corporate entities are embracing this concept and have this approach and concept implemented or already in place -- right?

B. Grover: Yes.

R. Kasper (Chair): And that's part of their certification or gold seal of approval. It's a standard that's recognized internationally.

B. Grover: No.

R. Kasper (Chair): No. Okay.

B. Grover: You have to understand what the certification does. For example, VeriSign, which is one of the big certification agencies, has seven different levels of certification. There's the one that I talked about originally, about how you could be Bill Gates or Elmer Fudd.

[ Page 124 ]

R. Kasper (Chair): Right. And then it goes up the ladder.

B. Grover: Then it goes up, and they'll certify lawyers. They'll say, when you get to that level, that you have to bring in your photograph, your driver's licence, your passport, your professional credentials. They may do interviews in your workplace, depending on what is required to authenticate you at that level of certification.

R. Kasper (Chair): Okay.

B. Grover: Puzzled look.

K. Whittred: No, I do not. I understand.

R. Kasper (Chair): Now, just being mindful of the time. . . . I apologize for the interruptions on my part.

G. Abbott: You keep interrupting and then keep saying: "Being mindful of the time."

R. Kasper (Chair): I know that, but it's my prerogative. I shouldn't say that, because John does it occasionally too.

B. Grover: I'll just point out two more things that I outlined with the last diagram. The things that I'd like to point out are what we're seeing in the banking industry. They're not embracing digital signatures wholesale. The Bank of Montreal, for example, is using a different system, which is user-ID password. They ask you a bunch of questions, and you get to write out what the question is and the answer. "What was my dog's name when I was five years old?" -- things that are unlikely for other people to know. You can sign into the system, and they present two or three of these questions, and you provide it back to them. That's an alternative to digital signatures. That's why we're not exactly sure what's happening in terms of how this technology is being picked up. It's really big in a lot of places; it's been getting a lot of press. But when you look at some of the leading financial institutions, some of them are going a different way.

[1615]

The way that this is very attractive is when you start looking at international trade or trade where you want to do a transaction outside the province. If you look at the last page, it really just concerns three different parties: a subscriber, the certification authority and the relying party. As a subscriber, you go to the certification authority and say: "I need a level 3 certificate." And they say: "Well, you provide us with the authentication. Give us your driver's licence and your ID." They'll provide you with a digital certificate that will have your signature on it. You use that to send a message to someone else. They go: "Is that sufficient for my needs?"

If they're getting the Elmer Fudd ID and you're trying to do $10 million in stocks, that's probably not a good idea. The idea is that just because you have a digital signature or digital certificate, it's not the same as having to trust in the transaction or trust in the relationship. The relying party would use the digital signature and go back to the certification authority and verify who you are. Because you've seen what the certification authority requires in terms of authentication, they're basically verifying that you are who you say you are. Now, you have to remember that this all takes place out of your view, so it's done electronically. You have to rely on somebody else to verify the other person's identity and that they actually went through a process to do that.

K. Whittred: Can you tell me how many or how much or to what extent has security gone beyond the password level? Is the password still the major way that security and verification is accomplished?

B. Grover: We've certainly had this discussion within government, and because we have a secure internal network, password ID is plenty for whatever you're going to do. It's when you start to go into the Internet, when you buy from Amazon.com. That was the example from a couple of weeks ago. When you start trying to buy from sites outside, then you have to think about how much trust and certainty you need in this process. If I'm trying to talk to your MLA office or know your ideas, you could be who you say you are, or somebody could be spoofing and pretending that they're you or, for example, vandalizing your web site.

C. Norman: If I could just add to that and maybe give an example, once you move out into the Internet, into the public pathways, which is how I look at it to make it easy to understand. . . . Once you move out of a closed network into the public pathways, even then I think it's important to assess the level of security you might need. If you're sending an e-mail, as I do frequently to my sister back east, and say, "How's it going?" a password at each end is probably plenty. If I'm doing some kind of a transaction, then I need to be more secure.

If you're actually transmitting sensitive personal information across those public pathways, you really want to make sure that at each end you've got the best level of security. You really have to make an assessment based on the level of protection you think is appropriate to the type of information going. You don't necessarily need to get out the sledgehammer -- being PKI -- to drive in the finishing nail, because you're sending an e-mail to a family member saying: "Hi, how are you doing?" You probably want the sledgehammer if you've got to drive a big spike into some very important special information that you're trying to transmit.

The problem is that people tend to see this as one of two extremes. Either there's no security, and you essentially let the whole thing be an open freeway, or you put on the highest level of security for things that you don't necessarily need. You need some kind of way of choosing what's appropriate. For sensitive personal information, I think you're probably going to need some ability to encrypt that information and have people with keys at each end to make sure that it's getting there right. A lot of other stuff -- probably not as big a concern.

R. Kasper (Chair): We're only talking about the technical aspects of it -- right? We're not talking about the people who are actually looking after the equipment and who have the ultimate responsibility -- correct?

B. Grover: Right.

R. Kasper (Chair): Okay.

C. Norman: The equipment is just the tool.

[ Page 125 ]

R. Kasper (Chair): Just the tool. Okay.

[1620]

P. Calendino: Explain to me how the two parties agree on the key. Do they do that electronically as well, which obviously can be intercepted by somebody else in the meantime?

B. Grover: The way it works is that when you apply for a digital certificate, the certification authority will basically give the subscriber a private key. They'll hold that public key for that person. So when you're the relying party, you go back to the certification authority and say: "Gee, I have a digital signature here for Chris. Can you confirm it?"

They confirm it by using the public key against the signature, and they say: "Yes, that's who he says he is."

P. Calendino: Okay. So this certification authority is independent.

B. Grover: Yes, it's a third party; it's independent. It's absolutely critical to this particular type of security measure that you have them on the outside so that they can take and verify who the different parties are.

P. Calendino: And this is for e-commerce.

B. Grover: This can be used for e-commerce. It can be used to. . . .

P. Calendino: Legal contracts, lawyer to lawyer, etc.? That's apparently being accepted already, not encrypted.

B. Grover: Yes, we're using it with land titles. Land titles is using an electronic filing record system. In the amendment that was passed last year, digital signatures were a component of that. The law societies are looking at doing this so that they can sign contracts and pass information back and forth.

P. Calendino: Well, I know that the business community is asking the Minister of Finance to permit the electronic signature on every legal transaction that takes place among businesses. So would they have to go through this certification authority to do that?

B. Grover: That's one mechanism. What's happening is that you have. . . . Last September there was a uniform electronic commerce act. All the provinces got together and said: "This is the way we think digital signatures should work."

British Columbia signed that agreement, and four of the provinces and B.C. will shortly be bringing out legislation based on that. Saskatchewan, Manitoba, Ontario and Quebec have all brought out legislation to do digital signatures in much the same way that you described. But they let you have a range of options there. For example, when I use e-mail in government, my little signature block in the e-mail address is good enough for signing a message. I don't need a digital signature.

R. Kasper (Chair): Okay. No further questions?

Brent, how far along are you with your presentation? Are you finished or just about?

B. Grover: That's it.

R. Kasper (Chair): Okay. Thank you very much.

Now, Kevin McKee, also from ISTA. You are going to be talking to us about oversight mechanisms-audits. I hope we don't take too long, because I'd like to hear from Ann, because she attended our previous meeting. I think you were here and didn't get a chance to speak.

A. Guinchard: I wasn't intending to speak last time, so I'm not offended.

R. Kasper (Chair): Okay. Well, we'd sure like to hear from you today too.

A. Guinchard: Okay.

R. Kasper (Chair): And I hope members could be accommodating.

Okay, go ahead, Kevin.

K. McKee: I'm Kevin McKee from the corporate privacy and information access branch of ISTA. What I'm going to do is give you some very basic principles that operate around the issue of how you provide oversight to privacy legislation. Basically all privacy legislation in Europe and most of the legislation that has been developed thus far in other parts of the world include some mechanism for oversight -- some means by which we can evaluate what's going on in the context of the types of activities that are occurring and properly oversee those activities. In most cases it's either a commissioner or a data control officer in some form or another.

[1625]

In Canada we have two examples already with the private sector. Both Bill C-6 and Quebec have acts that include an oversight mechanism. What I've tried to do in the short paper in front of you is demonstrate how they operate. Basically we've looked at four primary characteristics that are present in both of those pieces of legislation and in the B.C. public sector privacy act. The first is that the federal privacy commissioner is responsible for privacy oversight for both the public and private sectors. The same is true for the commissioner in Quebec; he is responsible for privacy oversight in both the public and private sectors. The federal privacy commissioner does not address access issues at the federal level; there is a separate commissioner for access questions. In the case of B.C., we have an information and privacy commissioner who is responsible for not only privacy oversight in the public sector but also access oversight in the public sector. So that's the current situation.

The second issue is their ability to make decisions. The federal commissioner does not have the power to make orders. He may have his staff become involved in dispute resolution. So basically what would happen is that the person would complain that a private company has somehow violated the act with regard to the protection of their privacy. It would go to the commissioner's office, and a member of the commissioner's staff would attempt to mediate the dispute between the parties. If that is not successful, the commissioner may issue a set of findings, but he may not order the company to take any particular action.

In Quebec the commissioner has the right to make orders. Again, this would be preceded by an attempt by staff of the commissioner to mediate some sort of settlement between the private company and the complainant, but ultimately the commissioner may order the company to take action to adjust their policies or their practices.

[ Page 126 ]

In British Columbia, in the public sector, the commissioner attempts to resolve disputes between public sector bodies and individuals first through the mediation process. But if that is unsuccessful, he may order the public sector body to either reconsider or make a change in their policy, or he may rule that they have acted appropriately.

In all three of those cases, there is a further mechanism of appeal. In the case of the federal government, the commissioner's finding may be appealed to the federal court. In the case of Quebec it's the Court of Quebec, and in the province of British Columbia it's the Supreme Court of B.C.

So if our commissioner issues an order against the public sector and either the public sector disputes it or the original complainant disputes it, they can proceed to the Supreme Court of B.C. In Quebec it's the Court of Quebec. In the case of a finding by the federal government, if an applicant or a complainant was dissatisfied, they could go to the federal court. The federal court does have the power to order a company to make changes to its policies. And the federal court has the ability to levy charges or, in essence, a fine against that. They can award damages to an individual or to a company who believes personal information has been damaged by a particular private sector company. Given that Bill C-6 is brand-new legislation -- of course, it won't come into force until next year -- we don't know how this will affect the courts at the federal court level. We don't know what percentage will go forward and what percentage will not in terms of going past a finding of the commissioner.

Another area is the issue of auditing powers regarding whether companies are acting appropriately or not. The federal government in Bill C-6 gave the commissioner very extensive auditing and investigative powers. He has full power to enter and view any documents within a company that he chooses if he believes there is grounds that there may have been a violation of some section of the act. He does not require a complaint to do so.

Quebec has the same investigative powers. In B.C. our commissioner has some investigative powers, but they are not as complete as they are in the federal legislation. There are some limitations placed on our commissioner's ability to intervene in a public body. This was a major issue with the private sector when the federal legislation went forward. There are a number of private sector companies that complained bitterly about the complete access powers that the commissioner had. They were concerned that this might lead to witch-hunting within companies looking for problems. Their power of investigation is extremely strong, but it's matched up with no power of order-making.

[1630]

An example, though, of how effective you can be without order-making power was the finding of the federal privacy commissioner against HRDC, where he issued in his annual report a criticism of one of the labour market survey structures they had created. The federal government withdrew it within about a week and a half, based on the public reaction. So even without order-making power, he is able to have a significant impact on the way in which the public sector operates, and the federal government believes that will happen with the private sector as well.

Basically those are the main logistical or significant points in the context of each. We've also included on the back several questions that you might be asked regarding that: what is substantially similar? I'll cut to the chase on question 2, and if you look at the last bullet:

"It is likely that to qualify for consideration as 'substantially similar,' any proposed legislation must include: a commissioner" -- or oversight officer of some form or another -- "some means of complaint resolution; either an order-making power or the capacity to publicize findings" -- at the end of a process -- "some ability to audit the personal information practices of organizations and" -- finally -- a method of judicial review of the decisions or findings.

In all likelihood, all of those would be required to be substantially similar. It doesn't mean you have to mimic the federal legislation, because Quebec clearly does not, but you're probably going to have to have those kinds of aspects included for it to be considered substantially similar.

We've also listed below some of the things that an oversight office would likely do, and those you can read. Public education would be a principal area. I'm open to questions.

R. Kasper (Chair): Chris, did you have a comment?

C. Norman: Just two or three small things to add. One is a way of kind of turning in your minds the difference between the federal model that exists for both the public and the private sector now and, say, the B.C. model. The federal model is usually described more as an ombudsman type of approach, where they take it in, try it and issue some kind of finding. But they can't order you to do anything. In Quebec and in the public sector in B.C., it is more like a quasi-judicial capacity, so they can actually have a hearing or an inquiry and order at the end of that. It's kind of an easy distinction. Those tend to be the two models that are followed.

The other thing, for the information of the committee, is that the oversight mechanism tends to be one of the more contentious areas as far as the public is concerned. In our initial experience with consultations and in my involvement with the federal-provincial discussions over Bill C-6, the oversight mechanism tended to be one of the hotter buttons for the private sector. Their initial starting position probably was: "Well, you don't really need it." But once they accepted the fact that it was very likely that you would need it, then it was more the kind of model that you had, the kind of powers that you might have had. As Kevin correctly pointed out, the issue of the audit powers of the federal privacy commissioner with regard to C-6 were probably the most heavily discussed single issue in that legislation, and there was a lot of feeling that the powers had gone too far. We'll see as it bears out.

[1635]

R. Kasper (Chair): Are there any questions, members? Okay. Thank you very much, Kevin and Chris. Now, the last presentation is from Ann Guinchard.

R. Kasper (Chair): The floor is now yours, so carry on.

A. Guinchard: My name is Ann Guinchard. I'm an analyst with the corporate information and privacy access branch, and what I am going to present to you today is background information on the legislation versus privacy codes that the private sector put forward themselves.

The beginning of this process was probably 1980, when the Organization for Economic Cooperation and Development put together guidelines to protect personal information, especially across borders. In 1984, Canada signed on to this agreement, and currently there are about 40 countries that are proposing legislation to protect the privacy of people's personal information. In the year 2001, on January 1, Bill C-6 comes into effect. This will apply to all federally regulated industries and all transborder information exchanges. Unless provinces enact their own substantially similar privacy legislation, Bill C-6 will apply to private sector activities starting January 1, 2004.

Running alongside the legislation process, there have been privacy codes developed by industry. The Canadian Standards Association developed a model privacy code in consultation with government, business and consumer groups. They put together ten principles that are incorporated in Bill C-6 and are considered to be an industry standard. The ten principles are accountability. . . . An organization has to have someone specifically that a consumer or a client can reach, who's accountable for the use of their information. Identifying purposes is the second principle, so when an industry collects information about a person, they have to identify what this information is going to be used for.

Then there's consent, so a client would have to give consent for the use, disclosure and even disposal of information. And there's the fourth principle, which is limiting collection, so they can really only ask you what they need to know. If they don't need information, they really shouldn't have to ask and you really shouldn't have to answer.

Another principle is limiting use, disclosure and retention. So if they gather information from you, there are limits on what they can use, like they have to use it for the purpose they specify. If they want to use it for another purpose, they would have to ask your permission, get your consent. There's activity around how they retain the information and actually how they dispose of information.

There's a principle that concerns the accuracy of the information they have about you. So you're able to ask what kind of information they have. If there's something that's not quite right, you can ask for a correction.

Another principle concerns safeguards of your information; this could be stuff in a file -- a paper file or electronic. They have to make sure that your information is protected from unauthorized access.

There's an openness principle, where if you have questions to ask them, they have to be able to answer your questions. It's your information, and you have the right to ask. Individual access -- again, you have access to your own information. With openness, too, they have to be open about what they're going to do with the information, so they can only really use it for the purpose they've requested it.

Challenging compliance is, if they don't adhere to their own principles, that you can go in and challenge them on that.

So private sector corporations now are establishing their own privacy codes. Telus and the Royal Bank are two examples I gave, and they're based basically on the CSA standard. So when it comes to electronic commerce, it's a good business practice for someone to implement a privacy code. That way the consumer is sure or can be reasonably sure that their information is being protected. But because a person or an agency has a code, that doesn't mean they're obligated to comply with it.

[1640]

J. Weisbeck (Deputy Chair): What are the consequences of non-compliance, then?

A. Guinchard: Well, that's the thing right now. That's why we probably need a mix of the privacy code and legislation, and have private sector develop their codes and their policies and so on, and base it on whatever legislative framework is supplied to them. So it would be bad business practice for them to violate, because they would lose consumer confidence. But with whatever legislation we come up with, we would have some kind of mechanism there to audit.

C. Norman: It's probably good to look at this and say that it's not necessarily a question of either/or. I think that with the legislative framework, as Ann says, it creates a level playing field -- that everybody has to step up to a certain bar. What a code has tended to do -- some of the better codes -- is become a cultural document for the particular entity. In fact, they use it as a way of going in and changing their corporate culture. There are usually training plans attached to it. There's usually clear articulation at the basic level of the kinds of things that it would mean to an average employee, where legislation could never really get into that kind of detail.

It usually is a process of implementation for an entity like Telus; they have done presentations on how this was a very positive, culture-changing process for their particular entity. But they also realize that the legislative framework is important, because at the end of the day not only does it keep a level playing field, but it's the only place where you can have an oversight mechanism where you could challenge compliance outside of Telus. It's good for them to say: "We have an ombudsman in place. If you have a complaint, we'll look into it." But a lot of people may not trust them, at the end of the day, if they say: "Well, we didn't find anything wrong." People would like to say: "Well, I'd like some other place to go and a commissioner oversight mechanism."

So they tend to be seen as very complementary pieces, not necessarily that one obviates the need for the other.

R. Kasper (Chair): Kevin, did you want to add something briefly?

K. McKee: Yeah. One of the interesting things is that when they were doing the discussions on Bill C-6, and there were a number of meetings going on, organizations like the Direct Marketing Association were ones who pushed very hard for privacy codes within their industry and legislation. Their argument was that they could create a code that the majority of businesses within their industry would follow very well. But their concern was that there's the small fly-by-night organization that gets set up, and that then creates a problem for the rest of the industry by not following standards. So both the banking industry and that industry and several others came forward saying: "One of the reasons we need legislation is that we cannot police everyone within the industry, and we need everyone in the industry to follow these standards." So that became the point.

R. Kasper (Chair): Okay, moving along, did you have a question, Katherine?

K. Whittred: No.

R. Kasper (Chair): Carry on, Ann.

A. Guinchard: Additionally, like my counterpart here, I provided a couple of questions and answers in case you are asked basic questions about these processes. And that's as fast as I could talk.

R. Kasper (Chair): Well, that's good. Actually, you did well.

K. Whittred: Well, then I do have a question, if Ann is finished. Are all businesses that are not federally regulated provincially regulated? I mean, are all businesses considered to be regulated? My question really is: if we had provincial legislation, are there any businesses that would not fall under this legislation?

C. Norman: I think the default is that if an entity isn't federally regulated, it's considered provincially regulated.

R. Kasper (Chair): Or locally -- you know, when you have the division of powers that go from the federal to the provincial to a municipality.

C. Norman: Well, I don't know that a municipality has, other than bylaw ability. . . . They wouldn't have the ability to pass legislation which would affect something in their jurisdiction differently from another jurisdiction. I think it's the old BNA Act thing of "What's the default?" My understanding is that the default is that the feds have carved out what they consider provincially regulated. If it's not explicitly indicated as provincially regulated, it's considered federally regulated.

K. Whittred: I have another question. Can you tell me: is there any experience -- I guess it would be mostly in Quebec, because they're the only province that has the provincial legislation -- in terms of the reaction of small business? I understand this, and I've heard a lot. I've been at many conferences where we talk about Telus and the Royal Bank and so on. But what about the small retail merchant on Lonsdale who has a few employees? Frequently it's the small business person who wants even more information, because it's the only way that they have to ensure payment of bills. I'm just wondering what the experience is there.

[1645]

C. Norman: I think that has tended to be a criticism of C-6 from the standpoint of saying that it is a very complex machine that will be easier to implement at the large federally regulated types of entities. All the provinces that I've had contact with, which are looking into bringing in legislation in their particular area, are very sensitive to the need to develop legislation and an implementation approach which would be sensitive to the corner 7-Eleven or the video store or those kinds of places where, in fact, they contain and hold some of your most sensitive personal information -- small business -- minimizing red tape and making it that if we can't come up with a "just add water and stir" formula, at least we're coming up with a package that small business can implement in a real way -- commonsense principles that will help you to be privacy compliant.

A. Guinchard: And in Quebec, if you take it down another level, it seems like the public are more trusting of Internet and online services because they have this legislation -- if you look at service such as what Kevin spoke about in the last topic. It seems people in Quebec are more confident than anywhere else in Canada.

K. McKee: The Quebec model. . . . It's very difficult to know. The information we've got from Quebec when we've contacted them is that they have not seen a great deal of complaint from the small company sector. The difficulty is that it's hard to know whether that's because the sector just doesn't feel it's worth complaining about or whether there really have been no problems for them.

Most of the principles that are enshrined in that group of ten are basic records management and operational structures that, once in place, operate fairly smoothly. They don't demand a great deal of excess paperwork. In fact, what they do is encourage you to restrict the amount of paperwork when you're dealing with people's personal information. So it actually may have the effect of streamlining some of their operations.

G. Abbott: We started out some months ago talking about whether C-6 would fit the bill if we chose, as a committee, not to pursue provincial legislation. I'm interested -- I guess, particularly from Chris -- in the discussions going on with the other provinces around where they're going in terms of provincial legislation. I think sometimes we forget here that we're probably one of eight other provinces that are trying to grapple with this and make those decisions and presumably arrive at a piece of legislation that's (a) going to be complementary to C-6, and (b) be similar, if not identical, to what's adopted in other provinces. Where are we at on that, Chris?

C. Norman: With my contacts in other jurisdictions -- and I'm trying to keep in fairly close contact with them -- many are waiting to see what Ontario and B.C. do. Ontario has announced its intention to move ahead aggressively with private sector privacy legislation. I'll be surprised if we don't see some legislation introduced there in the fall session. That's the latest word that I have.

Other provinces are aware that we do have this committee, that that's an indication that the Legislature is taking this very seriously and that B.C. is formally considering what options it has to move in this particular direction. Some of the rest of the provinces. . . . I know Alberta is having a very heated discussion within its own government as to whether they launch some kind of a legal challenge on the constitutionality of the coverage of the provinces. But even within that government, my understanding is that there's a lot of controversy, particularly as it's a difficult position to take, in a sense -- because what are you fighting? Are you fighting the concept, or are you fighting the mechanism of coverage?

But I think there is keen interest. I'm contacted quite regularly by the other provinces to find out where we are, and they would like to follow that. Some of the smaller provinces are saying: "Maybe we just let ourselves be covered by the feds. But if some of the other provinces come up with workable provincial legislation which looks substantially similar and is sensitive to small business and minimizes red tape, then maybe we can try to mirror that."

There's a lot of keen interest in where Ontario and B.C. are going. I think those who cut trail will find others coming along the path behind them trying to get to the same place. The one thing I think I can say with certainty is that I've not heard any province which isn't preparing to kind of face up to the fact that private sector privacy legislative coverage is needed. It's just kind of choosing the model or the vehicle that best suits the needs of the province.

[1650]

R. Kasper (Chair): George, did you want to carry on?

G. Abbott: Well, just one other question and that is, I guess, a kind of general comment. I think the big challenge here is going to be to develop an alternative model to C-6, if indeed we choose to go in that direction. But whether it's C-6 or a new provincial model, the challenge will be to have a model that doesn't very quickly become outdated by the changes that happen, obviously, day by day in this world and that I long ago gave up trying to even cope with.

C. Norman: I think that's, again, one of the reasons why any legislative scheme that is being considered. . . . My understanding is they're going to try to make it technology-neutral and try to create a framework within which we operate. I think there have been a number that have looked at the provincial public sector legislation in B.C. and said: "Geez, is it still relevant, given all the technological developments that have occurred since 1993, when it was put into place?" I think that we can stand and hold our heads up very proudly and say that because our legislation chose a framework approach, the principles still apply.

Any time you go and look at putting in a new technology, if you do a privacy impact assessment of that technology that's in compliance with the legislation, you will still meet the legislation and will still protect privacy. I think that's what C-6 tried to do, and any of the models that I've had some experience with that the provinces are considering, they consider the same thing: make sure that what you articulate is. . . . Articulate the principles well. Articulate the framework for decision-making properly, and then the technology. Again, you're just assessing the tool.

G. Abbott: Just a final question, now, if I could. In the opinion of ISTA at this point -- and I presume you may come back with something more definitive at a later point -- is there a framework which would be better for the province of British Columbia than that offered by C-6?

C. Norman: I won't speak for the agency at this point, but I would be happy to give an agency position on that, if you would like.

G. Abbott: Sure, if it can be offered briefly, that would be good -- or, I guess, at another time, obviously.

J. Weisbeck (Deputy Chair): I'm still having a lot of difficulty with this compliance thing, because we're talking about the Internet and talking about. . . . In the public sector, I think you have sort of control over what happens. I'm wondering whether we actually have any control in the private sector.

A. Guinchard: We don't have it yet.

J. Weisbeck (Deputy Chair): Yes, but even with something in place, even if there was legislation in place, do we drive people offshore or out of the country to bypass the. . . ?

A. Guinchard: With the international agreement now, more and more people are coming on board, because if you don't have this type of thing, you're going to drive away business. I think it's very good business practice. The U.S. doesn't have legislation right now, but they're working now to become more compliant with international standards. It's something that has to be done, or you lose your market.

K. McKee: In the case of the United States federally, there is still an ongoing discussion about whether safe harbours, which is a set of voluntary guidelines within different industries, is good enough. At one point a year and a half ago, I would have said that that's where they're going to end up. They're now drifting more toward some sort of regulatory model. A number of states are bringing in their own legislation that is much more in line with the legislation in Europe. Europe has already gone a fair distance down this road.

The question then becomes: what about the Internet and the transfer of information? Ultimately, somebody was responsible for that information in the first place. They're the party that would be held responsible for whether it got disclosed to somebody else. You will always, hopefully, be able to locate that source. In other words, I gave that to Amex Bank of Canada. If it shows up in somebody else's information data bank, they had to get it from there or from one or two other places. Somebody gave it to them. That's the party that has a question as to whether they disclosed it appropriately or not.

[1655]

R. Kasper (Chair): Chris, did you want to answer that?

C. Norman: Just a last point. We do have some more of these that we can do for you at your convenience. We're working on one in particular that's proving to be a very interesting challenge, which is looking at C-6 and what kind of gaps there might be in the net that it creates, and on some of the issues that I've heard you raise in other meetings. We're working on that one and a few others. At your convenience, we can come and address these issues. I will take the question that was raised with regard to any recommendations that ISTA might have in that respect, and we can come back at your convenience.

G. Abbott: Thank you. I think the offer from Chris will be a very useful thing to the committee. Additionally -- and this may be challenging -- I would be very keen if ISTA was able to get either draft legislation out of Ontario or some detailed analysis of where they're going there. We don't want to all be reinventing the wheel, first of all, and we presumably want all of our provincial legislation ultimately to be compatible across provinces.

C. Norman: I think the likelihood of us being able to get something more definitive by the end of the summer, particularly with regard to Ontario. . . . There's probably a lot greater chance. We are keeping in contact, so we'll track it. We might be able to get sort of a sneak preview or get a sense of where they are early in the fall.

R. Kasper (Chair): Just to keep us on track here, are there any further questions in regard to Ann's presentation from any committee members? Okay.

Just a couple of things that I'd like to get clarified. It's been brought up that Bill C-6 coverage issues was a further presentation. We sort of touched on that today, briefly. I know that Katherine has raised this: health information issues.

A Voice: That's also being worked on.

R. Kasper (Chair): That's being worked on. What I would like to do is just get a bit of an idea to what extent we will be discussing the issues around discussion on consent and justification in Bill C-6. And then there's the privacy legislation. No, we've done that. So we don't. . . .

C. Norman: The consent and justification is also being worked on and can be presented at your convenience.

R. Kasper (Chair): Okay. So those are basically the three areas that are remaining.

C. Norman: And any others that you identify for us -- we'll take those back and prepare something on those for you.

R. Kasper (Chair): Are there any things that any members want to add? Okay.

I'd like to thank the members for attending and giving us the overview. I think what we as members should do, as a committee, is kind of work on when we're going to meet next. Chris, I've just got to get this from you: would the three items be ready for presentation to the committee next week if we chose to have a meeting next week?

C. Norman: Yes, absolutely.

R. Kasper (Chair): So there's no problem that way, be it Tuesday, Wednesday or. . . .

C. Norman: Apart from the holiday, as Kevin points out.

R. Kasper (Chair): No, no, I understand.

C. Norman: The next meeting -- we can be ready next week at any time.

R. Kasper (Chair): Okay, that's if the committee chose to meet, other than. . . . Naturally, Monday is a holiday. Or we may decide to meet the following Monday, as we'd originally planned. That's bearing in mind whether the House will be sitting.

I'd like to thank members for coming. Perhaps John and I can work on that and see if we can come up with a date, because I'd like to get this done sooner than later.

G. Abbott: Sorry, it doesn't have anything to do with this, but we have to get the FRBC oversight committee together again. Maybe if we're going to have committee days, if people are coming down, we can have the two days. . . .

R. Kasper (Chair): George, I agree. I don't want to have us all working off in different directions. There's quite a few members who are on the same committees. I know it can be frustrating, but I would sooner get our technical stuff done first, as quickly as possible, then we won't have to meet again until the fall -- right?

A Voice: This meeting is adjourned?

R. Kasper (Chair): Yes, the meeting is adjourned.

The committee rose at 5:00 p.m.


Copyright © 2000: Queen's Printer, Victoria, British Columbia, Canada