SPECIAL COMMITTEE ON
INFORMATION PRIVACY IN THE
PRIVATE SECTOR
Thursday, February 15,
2001
10:00 a.m.
Douglas Fir Committee Room
Parliament Buildings, Victoria
2000 Legislative Session: 4th Session, 36th Parliament
SPECIAL COMMITTEE ON INFORMATION PRIVACY IN THE PRIVATE SECTOR
MINUTES AND HANSARD
|
SPECIAL COMMITTEE ON Thursday, February 15,
2001 |
|
Present: R. Kasper, MLA
(Chair); J. Weisbeck MLA (Deputy Chair); P. Calendino, MLA; S. Orcherton, MLA;
J. Pullinger, MLA; E. Walsh, MLA; G. Plant, MLA; K. Whittred, MLA
Unavoidably Absent: G. Clark, MLA; G. Abbott, MLA
1. The Chair called the Committee to
order at 10:11 a.m. Craig James
2. The Committee reviewed the findings of the Ipsos-Reid Final Report.
Witnesses:
Cathy Forrest, Vice-President, Ipsos-Reid
Dr. Colin Bennett, University of Victoria
Chris Norman, Information, Science and Technology Agency
3. The Committee received copies of its draft final report and agreed to
meet to discuss details of the report.
4. The Committee adjourned to the call of the Chair at 12:03 p.m.
Rick Kasper,
MLA
Chair
Clerk of Committees and
Clerk Assistant
The following electronic version is for informational purposes only.
The printed version remains the official version.
THURSDAY, FEBRUARY 15, 2001
Issue No. 15
| Chair: | * Rick Kasper (Malahat-Juan de Fuca Ind) |
| Deputy Chair: | * John Weisbeck (Okanagan East L) |
| Members: | * Pietro Calendino (Burnaby North NDP) Glen Clark (Vancouver-Kingsway NDP) * Steve Orcherton (Victoria-Hillside NDP) * Jan Pullinger (Cowichan-Ladysmith NDP) * Erda Walsh (Kootenay NDP) George Abbott (Shuswap L) * Geoff Plant (Richmond-Steveston L) * Katherine Whittred (North Vancouver-Lonsdale L) |
| * Denotes member present |
|
| Clerk: | Craig James |
| Committee Staff: | Cathy Forrest (Committee Consultant) Wynne MacAlpine (Committee Researcher) |
| Witnesses: | Dr. Colin Bennett (University of Victoria) |
[ Page 173 ]
The committee met at 10:11 a.m.
R. Kasper (Chair): Okay, members -- if we could get started. Just get your refreshments, and I'd like to call the Special Committee on Information Privacy in the Private Sector to order.
We have an agenda, and our first item is the presentation of the Ipsos-Reid final report. This will be a PowerPoint presentation. We will in fact be receiving a hard copy of the report next week.
I'd like to introduce to members Cathy Forrest, vice-president of Ipsos-Reid. She's going to go through the PowerPoint presentation.
C. Forrest: Thanks very much for inviting me to come out here today and giving me an opportunity to speak to the research that we conducted on your behalf.
We were commissioned late last year to conduct a multi-phase study on your behalf -- in-depth research into B.C. public and business attitudes -- on information privacy in the private sector with, of course, a special focus on issues relating to potential legislation.
The overriding objective of the research was to inform and, more importantly, to provide balance to the information that you have already gathered through submissions made to your committee. This is an important point. The submissions made to the committee are mostly -- entirely, I guess -- made by a self-selected sample. That's how we would call it in the research business. It's people who have a particularly strong agenda and who are very, very motivated to come out, seek you guys out and present their thoughts to you. There are a whole lot of other people who clearly didn't come out and take the time to make those presentations, but they have opinions, too, that are valid and should be heard. Our role as researchers was to seek out those sort of random representations of the B.C. population and hear from them on this issue.
So that's where the balance comes in. You've got a self-selected sample -- people who are very motivated and have strong opinions already. We want to hear from sort of everybody else -- the people who aren't that motivated to come out and speak about it -- and that's on the business side and on the general population side.
There were three phases to this research, and I'm actually presenting them out of order here. The first phase was actually focus groups with the general public, and that was randomly selected people invited to come down to our office in downtown Vancouver. We had a balanced mix of gender, age and income -- people from the urban areas of the lower mainland and also out in the suburbs -- so that we got a nice mix of people. There were, I think, 17 people or so who attended the two focus groups. So it's not what you'd call a representative sample in any way, but a snapshot -- just a little picture of what people are thinking.
[1015]
The other piece of qualitative research that we did was in-depth interviews with representatives of different kinds of businesses and organizations. We had credit unions, on-line retailers, retailers with loyalty programs, direct marketers. We had a couple of charitable organizations, property managers, HR professionals and some health care providers. I think we had two doctors and a dentist and a therapist or a counsellor, or something like that.
Those individuals were interviewed on the telephone. It was really an open-ended, wide-ranging conversation that was focused on the issue of information privacy and on the issues relating to legislation. Those interviews lasted anywhere from 20 to 50 minutes, depending on how engaged the respondent was at the other end of the line. I should point out here for Wynne's benefit that there were supposed to be 20 of these interviews. One on-line retailer keeps cancelling and rescheduling, so we may get to them eventually. We want to talk to them, but they went on vacation.
Following those two phases, we did quantitative research. We did 600 telephone interviews. They were about 15 minutes in duration, and we conducted them with a random sample of adult British Columbians in late January. The questionnaire design -- and this is the key -- was based on what we learned in the focus groups. We took the most important things that we learned in the focus groups, and we projected them on the population as a whole to see how representative the attitudes in the focus groups were. As you'll see, they were extremely representative.
You should bear in mind a couple of things in interpreting the data that I'm presenting today. Data collected through qualitative research is important. It's valuable, and it's valid, but it is not projectable onto the population as a whole. You can't say that because six out of eight people said this, 80 percent of the population would say the same thing. It's not possible to make those kinds of conclusions. Qualitative research provides us with an opportunity to dig deep and understand the whys and hows of people's ideas, but it doesn't tell us how many people feel that way. It just gives us an indication of what people are thinking, in much the same way that the submissions to your committee give you a sense of what people might be thinking. But you can't project them onto the population as a whole in a statistically reliable way. So I've just explained all that.
Now, on the other hand, the data that was collected in the quantitative study is absolutely representative of the B.C. population as a whole. A sample of 600 is accurate to within plus or minus 4 percent, so that means you've got a range of about 8 percentage points on every finding that you see here. You know that if we had interviewed the entire adult population of British Columbia, the results that I'm showing you today would be correct within about 8 points altogether. So it's very, very close to what people are really thinking out there.
The other part that is important to know is that it's representative of what people were thinking during those particular dates -- the last week of January, roughly. Things change. Media stories come out. Things will make people's attitudes shift a little bit, so it's a good indication of what people are thinking. But it may not be identical if we went back and asked the same questions today. So it's a snapshot, again, of what people are thinking.
We took the data that we collected in the sample of 600, and we mathematically adjusted it to make sure that it was absolutely representative of population distribution by region, age and gender. It's a little kind of magic that we do with numbers, just to make sure that everybody is perfectly represented in the sample.
Now, objectives. The key objectives in the business interviews were to learn about current practices, to determine
[ Page 174 ]
perceptions of the public's needs -- of their customers' needs and expectations -- in terms of dealing with their information, to get a sense of overall awareness of impending legislation and any steps that they're taking now in preparing for that, and what their expectations are for the legislation in terms of its scope, function, impact -- what their priorities would be.
[1020]
In the focus groups, it was much the same sort of thing. We wanted to find out overall awareness of and level of concern about the issue of information privacy. We wanted to understand what perceptions there were of the issue and, if people were concerned, why that would be. What are their expectations for how their personal information should be treated?
Critical to a focus group is that it's an opportunity to hear how people talk about issues in common language. What words do they use to describe the concepts that you guys talk about all the time in this committee? It's different. People use different kinds of language in the general public than people who are focused on an issue really, really closely, like you guys are. So that gave us an opportunity to know how to ask the questions in the quantitative study and to know that people would understand what we were asking.
Then, of course, we looked at some attitudes around legislation -- whether people think there is a need for it, whether they think it already exists and their expectations for how legislation might work. In the telephone survey, as I said, we took the key findings of the general public focus groups and tested them mathematically, tested them quantitatively with the population as a whole, just to see how representative they were. So we took all the key findings from those focus groups and developed a questionnaire that gave us an opportunity to measure public attitudes. We also threw in a couple of other things that we weren't able to cover in the focus groups, including an interesting exercise on the level of trust that people have with different kinds of businesses and organizations.
Key findings. First, the business interviews. We wanted to find out about their current practices in information handling. A key finding, I think, is that most of the people we spoke with are aware that there is some public concern about the issue of information privacy, but they report that they receive very little feedback from the public. They don't get a lot of people coming to them and saying: "What are your policies?" or "I'm concerned about the way my information is handled." They just have a vague sense that people think about this and that they're concerned about it, but it's not something that they hear about all the time.
So as a result, they tell us, most of them have policies that are proactive, not reactive. That is, they've developed policies for handling information that will protect them and protect their consumers -- their customers -- in the long run, in case anything goes wrong. So what they've done is limited their information handling practices to those which they feel are reasonable and necessary -- reasonable to the consumer and necessary for them.
Over and over again in these interviews, the respondents said that the most important thing for them is that they treat their customers' information with respect. And they feel that they are doing that. Without a doubt, everyone that spoke with felt that they are already in some form of compliance with whatever legislation might be coming about, and they feel that they are treating their customers' information with absolute respect at this point in time.
So what are they doing? Well, they say that they're keeping all personal information internal. They never sell or trade, but they will buy lists that other organizations will sell to them. They don't sell their information, but they will buy it from other people.
P. Calendino: And somebody has to sell.
C. Forrest: Yeah, somebody's selling it.
They take steps to limit access. They limit it only to employees who have to see the information in order to do their jobs. And they use a number of different systems, depending on how they've collected the information and how they store it -- you know, password protection, firewalls, encryption. And then if it's a small business and they're just working on paper, they have locked filing cabinets, and only certain people have keys. They say that they have systems in place.
Larger companies -- and this shouldn't be too surprising -- are much more likely to have very formal, spelled-out policies. Some of them even have a position called the information privacy officer. Smaller companies are more likely to have very informal, just verbally communicated policies, as in, "I've got the key to the filing cabinet with the information in it; you can't have it," and that kind of thing -- very, very informal. But they're aware of it.
What they're not aware of is legislation, for the most part. Some of the larger businesses are aware, and some of them have taken some steps. Some of those who are aware of C-6 but not subject to it immediately are planning to become compliant within the next two years, just because they feel it's a good idea to get ready.
[1025]
Small businesses that we spoke with really, really have very low awareness of it -- very low understanding of what's going on. But as I was sort of alluding to before, when it's presented to them, they say: "Oh well, that's not going to be problem for us, because we already treat our customers' information with the utmost respect, so we're already probably compliant. This is not an issue for us."
Only the very largest of the organizations that we spoke with were aware that C-6 derives from the CSA code, and these people who'd given it some thought had some clear ideas regarding some potential problems. I think these are some of the things that you guys heard in the submissions to the committee.
They were concerned about a limited ability to forward debt to a collection agency. They were concerned that it would result in decreased access to consumer mailing lists and a lessened viability of the lists that they could get. The potential for consumer access to files was an issue that they worried about. They were especially concerned about people seeing their information and not liking what they saw. They were very concerned, as well, about the requirement for retroactive consent if there's information that they already had. They didn't like the idea of having to go back and say: "Is it okay if
[ Page 175 ]
we use this information for things?" And just generally, they were concerned about the possibility of an added level of bureaucracy, red tape, slowing down their business practices -- that sort of thing.
But even those who had spent a little time looking at C-6 and thinking about it said that they just didn't know what it was going to mean to them at the end of the day, because they weren't sure how it was going to be interpreted by the courts in the long run. So they were sort of sitting back, taking a wait-and-see attitude. They understand to a certain extent what the law says, but they don't know what it's really going to mean to their day-to-day business practices. And this was only the very, very largest of the organizations that we spoke with. This may be one or two of the interviews that we conducted where people were this informed.
On the whole they support the idea of legislation. They recognize that protection of consumer privacy is a good thing. But what they want is for any legislation to balance the needs of business with the needs of consumers; it's got to be fair. Fair is a word we heard a lot.
There is very strong support for consistent legislation across Canada. Larger companies are more insistent on this point than small. But small companies recognize that it's a good idea; in their minds it's a good idea for everybody to be on a level playing field and for things to be consistent nationally.
One little aside here: we spoke, as I said, with a number of health care professionals. They are not opposed to stricter regulations for medical information. They are in fact quite supportive of that idea.
J. Weisbeck (Deputy Chair): One question -- sorry. Is there any concern about consistency internationally as well?
C. Forrest: We didn't hear anything about international regulations -- no. We were talking with sort of small to medium mostly B.C.-based organizations, so it may not have been top-of-mind for them.
"Priorities for Legislation: There was no consensus that B.C. should introduce its own legislation prior to 2004." There was a whole range of opinion on this one. Some felt that this would be acceptable. These are the folks that think they are already compliant, so whatever happens doesn't really matter to them, because they're fine. They're covered, in their minds. Others who were preparing to become compliant anyway, just in case
But there were some others who, you know, support the idea of legislation but would rather have till 2004 to get ready for it. They don't want to be pushed through; they don't want it rushed. They're a little concerned about the extra paperwork and the sort of costs that they see possibly coming out of this. They're hoping that nothing's going to happen till 2004 so that they can be ready.
They had kind of a wish list for what they'd like to see the legislation look like. On the positive side, they think the legislation should restrict distribution of personal information outside the company and provide safeguards where this might be allowed. In other words, they don't want it to be a free-for-all with trading lists and selling lists and what not. They do want to be able to continue that practice, but they feel that there should be safeguards and sort of guidelines for how that is done and when that is done.
They should be allowed to use information internally for their marketing and research. They think that it's okay to provide consumers with what they call reasonable access to their information. And especially, most importantly, they want the legislation to be straightforward, easy to understand and easy for them to administer within their companies.
[1030]
What it shouldn't be and what it shouldn't do? Legislation should not impose a lot of extra paperwork; this we heard ad nauseam, over and over again. It should not interfere with the company's ability to form a relationship with its customers. They want to be able to understand their customers' shopping habits and practices and those sorts of things, so that they can, in their minds, better serve their customers. So they don't want that relationship to be limited by the legislation.
They do not want random checks and inspection by government officials. They are talking about, kind of, people coming in and invading their systems, and they were quite concerned about the possibility of that. And this goes back to public access to files. They were worried about nuisance libel suits by disgruntled customers who don't like what they see in their files, and this is credit records and those sorts of things. They're concerned that they're going to be bogged down in legalities.
That takes care of what business is thinking. Moving on to the general public, this is interesting. There was clearly some familiarity with the concept of information privacy, but as I said, this is one of the key goals of this research: to find out how people talk about it. And the language that they use is different from the language that you guys use, in some cases. They understand and they used words like confidentiality, consent and security when they're talking about their information. But in many cases, it means different things. And it meant different things to different people at the table
We had eight people at the table, and they all had a different definition for the word "confidentiality." They all had a different definition for the word "security." On the whole, the word security has a technological implication for people. They think about encryption and those sorts of things. So they think about kind of on-line information. The word security has very strong technological implications.
The word "confidentiality" was all over the map. But for the most part, confidential information is the most sensitive information, in their minds. That's what that means. It means that it has to be protected. If it's confidential, it has to be absolutely excluded from outside eyes.
The word "consent" is one that they used the same way that you guys do. They understand that concept. They like the idea of giving their consent for the use of their information. It's something that gives them some comfort.
R. Kasper (Chair): Did they understand the accepted definition of what personal information is? Was that
C. Forrest: That's another area where they have their own definition for personal information. In the focus groups and also in the quantitative study, we had
[ Page 176 ]
phone survey we had what we call a pre-test, where we phone a couple of people on the first night just to see how the questions are working, if people are understanding the questions, and give them an opportunity to give us feedback on what we're asking. What we heard from them is that the term "personal information" typically means things like their age, their gender, their ethnicity, their religion -- stuff that's very, very closely tied to their identity as individuals. Stuff like financial information and their medical information -- those are separate: "That's my medical information and my financial information." Personal information is about their identity as individuals.
P. Calendino: I just want to know whether, in the discussions, there was a distinction between security of systems, or whatever, and actual individuals' privacy. They are not the same thing. Companies can maintain things securely, but they can also provide information to other people that they think may keep it safe and secure. But they're still giving away information without consent from
C. Forrest: Our discussion of the word security in the focus groups was just mostly to get a sense of how they defined it. We just said: "What do you think about when you hear the word security? How would you define that?" That's as far as we took it. We let them explain to us, and they said: "We think about technology." We didn't pursue that particular line -- no.
Are there any other questions before I go on? Okay.
[1035]
So there is definitely some concern about information privacy, but it's kind of a low-level concern. It's something that people have in the backs of their minds, but it's not something that they're worried about all the time. That certainly confirms the suspicion that the business people that we spoke to had. It's something that their customers think about, but it's not something that they talk about with them on a daily basis. It's not something that they hear about all the time. So there's concern, but it's not a pressing, immediate concern.
In the focus groups and in the quantitative survey, what we saw was that at the beginning of the discussion, when we first got people engaged, they were kind of: "Oh yeah, information privacy -- that's something that I think about." After talking about it for a length of time, after hearing about different issues and thinking about it for an extended period, their engagement and their level of concern were higher. It's not a huge surprise that that should happen, but it was quite remarkable. And we'll see in the quantitative findings
The word "control" came up really, really strongly in the focus groups. Concern about information privacy is tied really closely to a perceived lack of control: "I don't know what they're doing with my information. I can't control what they're doing with my information. I can't control what they're doing with something that defines me as an individual." That was a really big concern for people.
Why is that a concern? Well, first of all, as one woman said, it's kind of creepy. She just doesn't like the idea that people know things about her and that they can do things with that information without her having any kind of control over that. As well, though -- and more importantly, I think -- they feel it leaves them open to fraud and crime. That's why their financial information and their medical information were the two pieces that were most pressing for them to be controlled -- financial information in particular. I mean, with anything to do with their credit card numbers, they're very, very worried about what can happen down the line. So there are two streams, but it all ties back to control.
The other thing that was kind of interesting in the focus groups is that we were able to sort of gauge their emotional response to the issue. Yes, they expressed some level of concern, but there were different ways of expressing that concern in different things that happen. The most common was a kind of sense of resigned acceptance. It's like: "Well, it's kind of a pain. I don't really like the idea of giving my information to all these people. I don't really know what they're doing with it, and I don't like that very much. But it's kind of the way things work, and I don't really have any choice."
Yes?
J. Pullinger: Sorry, I just
C. Forrest: No. It was across the board.
J. Pullinger: Across the board, eh? So there's no
C. Forrest: It was across the board. I would say that the unease was
J. Pullinger: Right.
C. Forrest: But there were also women who were very clearly in the resigned acceptance camp -- yeah.
R. Kasper (Chair): What about age?
C. Forrest: Wynne, do you remember any particular age? I don't remember
W. MacAlpine: In the focus groups?
C. Forrest: Yeah.
W. MacAlpine: No.
J. Pullinger: What did you test for in terms of characteristics?
C. Forrest: This was
J. Pullinger: I mean, you had gender, age
C. Forrest: Where they lived.
J. Pullinger:
C. Forrest: Yes, income. Did we ask employment? I don't have the screener with me right now. It was back in November, so I'm not absolutely
[ Page 177 ]
J. Pullinger: So it was fairly broad.
C. Forrest: It was quite broad -- yeah.
W. MacAlpine: We did have, I think, age, computer at home, at work or no computer access.
C. Forrest: Yes, that's right.
W. MacAlpine: Children at home.
C. Forrest: So we had a mix of parents and non-parents.
W. MacAlpine: Yeah.
C. Forrest: I don't remember there being a particular age gap on these issues.
W. MacAlpine: I guess the one thing that stands out was that the few older people that were there seemed to have an idea about the Big Brother concept.
C. Forrest: Yes, definitely. And that comes up again in the quantitative research -- this idea of Big Brother or government knowing a lot about me and having control over my information.
But getting back to the emotional responses. So there's the resigned acceptance. The example of resigned acceptance that came up a few times was the Safeway Club card. You know if you sign up for the club card that they're getting a lot of information about you -- that they're tracking your purchases and that they know about you in a pretty detailed way. You're not real comfortable with that, but you know that if you use the club card, you get a $2 discount on toilet paper. So the $2 discount is worth it, is a decent trade-off. That was resigned acceptance at its clearest.
[1040]
Unease. Again, this is the sort of sense
The annoyance factor. That was a big one -- people who are ticked off because they fill out an application or enter a contest and then afterwards they get subscription applications and all kinds of phone calls and all kinds of unwanted junk mail related to that one little form that they filled out. And that's annoying. Nothing more serious than that -- it's just an annoyance.
Then there were some people -- and these folks were in the minority -- who just don't think this is an issue. They think it's overhyped by the media. They think that there are kind of panicky people running around making a big deal out of this, but it's really not a big deal in their lives.
J. Pullinger: What percentage?
C. Forrest: Well, in a focus group we don't talk about percentages.
J. Pullinger: Oh, was this the focus group?
C. Forrest: This is the focus group. It was a couple of people.
J. Pullinger: But not a significant
C. Forrest: No. It was a couple of people, and there were people who expressed more concern earlier in the discussion who kind of heard that point of view and went: "Yeah, you might have a point." So you know, it was kind of underlying some of their concern. There is a sense that things are overhyped generally in the media, so why not this issue too.
Zero awareness of impending federal legislation -- just not a thing. When asked, "Well, what's going on out there now? Is there legislation? Are there rules? How is this stuff handled?" they were really not clear. Some people thought that there had to be laws. I mean, how could there not be? -- this sort of a thing. And others thought: "Well, you know, they're careful with my information. It's just good business practices, or kind of maybe there are rules where each kind of sector follows internal rules, that kind of thing. Doctors have their own sets of rules; lawyers have their own sets of rules. Maybe that's how it works." But they were really not sure, and they sure weren't aware of C-6.
But there's overwhelming support for the idea of legislation. They want to make sure that they're protected. And they do not trust businesses to consistently
Again, and this came out quite strongly in the groups, there was a sense that any legislation has to balance the needs of consumers with the needs of business. We saw slightly different results in the quantitative study, and I'll get to that in a bit.
Just as in the business interviews, there was no clear consensus on the path B.C. should follow. They were sort of split down the middle on whether we should wait for C-6 to apply in 2004 or adopt legislation now that vaguely echoes C-6. The one thing that was fairly clear, though, is that there weren't that many people in the groups who thought that B.C. should go ahead and adopt different legislation of its own. There was a real clear sense that there needs to be consistency, and they want it to be consistent from province to province, from business to business. Big business, small business -- it needs to be balanced; it needs to be the same.
There was a sense of timing that was an issue. They want to be sure that all businesses are subject to the same laws at the same time so that there's not a period where some people have to comply and others don't. They want timing to be consistent as well.
K. Whittred: Could I ask
C. Forrest: No, it was more of a Toronto-B.C. thing. An east-west split is a stronger theme -- you know, if companies in Ontario and Alberta are having to do these things, then B.C. should too. I don't recall any kind of talk about international law or international regulations.
K. Whittred: But no one ever asked about, say, Amazon.com or some other thing that they've perhaps ordered from that is in fact in another country.
[ Page 178 ]
[1045]
C. Forrest: It did not come up. So it's not something that they're thinking about.
In the focus groups there was support for some kind of regulatory body to oversee the legislation, but they were quite clear that they like the idea of audits but only if they're reactive and not proactive. They want audits if there's a problem, if there's suspicion of a problem, but they don't want to sort of see the thought police, as they were saying, going out and checking on businesses randomly. And they were concerned that any regulatory body not be too onerous and that there not be too much bureaucracy or too much red tape and that it be fair.
G. Plant: Could I ask you a question?
C. Forrest: Absolutely.
G. Plant: I'm not as familiar with focus groups as I probably ought to be, but I have a bit of a sense of what the discussion must have been like. When people in a focus group are asked to think about or offer comments about whether there would be support for a regulatory body to oversee some new initiative
C. Forrest: No, we didn't go down that road in this group.
G. Plant: No. So people are just sort of in the air, thinking about
C. Forrest: Yeah.
G. Plant: Right.
C. Forrest: The sort of underlying theme to this accountability discussion is that they just want to make sure that the legislation has some teeth, that it's not just, you know, in a big book somewhere, and then everyone's -- it's a free-for-all -- doing whatever they want anyways. They want to make sure that there's some kind of enforceability, and that's really as far as we got. We didn't get into cost, and nobody raised it, from what I recall of the conversation. Nobody raised it as a concern.
G. Plant: Since I interrupted the flow, I'll ask my other question.
C. Forrest: Okay.
G. Plant: One of the issues that is present in this discussion is the extent to which self-help is or is not adequately pursued by citizens. That is, are citizens who care about privacy rights doing everything they can as citizens to protect their own privacy rights? Did that issue get discussed at all?
C. Forrest: It did in some ways, yeah. There were people
G. Plant: Thanks.
C. Forrest: Good, okay. That was a nice place to ask the questions, because now we're moving on to the telephone survey. The first thing we asked, just as kind of an icebreaker almost, in a
G. Plant: Sorry, I do need to interrupt, just in case somebody ever reads the transcript of this but doesn't read it from start to finish. It is important to me to note that the focus group was done in November.
C. Forrest: Yes.
G. Plant: The poll, the telephone quantitative survey, was done in January.
C. Forrest: That's right.
G. Plant: I say that partly because I do recall some year-end media attention being paid to the fact that Bill C-6 came into force on January 1. So there may have been a change in public awareness between late November and late January, just as a matter of speculation.
C. Forrest: Yeah. Actually, I think that's reflected in the findings that we have here. Thank you.
As an icebreaker, at the beginning of the survey we always have to ask a question that's kind of painless, just to get people into it and thinking about the issue that we're going to be talking about. So we asked if they'd seen, heard or read anything about information privacy. Now, we're calling that -- for the sake of just to make it simple -- awareness. But it's not really awareness; it's more like how much attention they've been paying to the issue. And what we found is that four in ten British Columbians say yeah, they've seen something recently about this. It's something that's in the back of their minds.
[1050]
Now we see
The regional break I cannot explain to you. We've been wracking our brains to try and understand why. It may have something to do with media stories, as you were saying. I don't know. But for some reason, residents of Vancouver
[ Page 179 ]
Island and the North Coast are significantly more likely than other British Columbians to have heard something about information privacy recently.
G. Plant: If I may, I wonder if you could tell me whether the profile of awareness by age group is consistent here with what profile you might expect to see about a number of public policy issues that aren't sort of in the top three or four top-of-mind issues. That is, on any given day people 55 years of age and older are likely to be more informed about these kinds of issues generally than 19-year-olds.
C. Forrest: You're absolutely right, yeah. It's absolutely consistent with the sorts of things that we see all the time, yeah. They just read the paper more often. They pay more attention to these sorts of things, yeah.
W. MacAlpine: I just wanted to go back for a minute, if I could, to the topic of the cost of the oversight body. That was something that we would have expected to come out as an unprompted response, if it were a concern -- like if it were an overriding concern. That's how I was looking at it, anyway. So we just put out the idea of oversight and then got unprompted responses.
The idea of the legislative choices. One thing that came up was that when looking at the options of having C-6 apply to the provinces and not passing any provincial legislation, passing provincial legislation that's very similar to the federal or doing nothing and allowing it to apply, the lack of coverage for private sector employees in the provincial private sector was one issue that made people say that they wanted provincial legislation, whether it was very similar to the federal or not.
C. Forrest: Yeah. Good point.
W. MacAlpine: Sorry about that.
C. Forrest: No, that's okay.
So following on whether or not they had heard anything recently about this issue, we asked: "Is it a concern for you? How concerned are you personally?" You'll see that the kind of purply-red wedges are all different levels of concern. This was a scaled question, and many of the things that we're going to be looking at today are going to be scaled questions.
In this case we asked them to consider their responses on a seven-point scale, where 1 equals not at all concerned and 7 equals very concerned. The greenish wedges are the people who are at very low levels of concern; they don't really think it's a problem at all. That totals 15 percent. Concerned overall: 74 percent. And extremely concerned -- the very, very highest level -- three in ten British Columbians say that it's a big, big concern for them. So that's important.
The one point on this scale that I wouldn't put a whole lot of weight on is 4, which is kind of the midpoint. Typically, people who assign a score of 4 are thinking: "Well, I'm not really concerned. I'm not really not concerned. I'm kind of in the middle." But you can never be absolutely positive that that's exactly why they said that. So we tend to just look at the people who were clearly in one camp or the other. The ones in the middle -- and there weren't very many of them who fell into the middle -- we're not as worried about at this point.
Let me just see if there are any kind of big differences demographically on this one. Yeah, women: 77 percent of women said they were concerned. They assigned scores at the high end, versus just 69 percent of men. And on the Island, even though there was higher awareness of the issue, there was lower overall concern. They were at 63 percent overall concerned, versus 75 percent or 76 percent in the other regions of the province.
Interjection.
C. Forrest: I don't know why. I can't answer that.
J. Pullinger: We're more laid back on the Island.
C. Forrest: Yeah. You read the paper. You're just more relaxed.
R. Kasper (Chair): Could it be that because those are people who are aware?
C. Forrest: That they're less concerned?
R. Kasper (Chair): Yes.
C. Forrest: It doesn't actually necessarily follow.
R. Kasper (Chair): Sorry, I'll just repeat it for Hansard. Could it be, going back to the awareness issue, because they were aware
[1055]
C. Forrest: It's possible. It's definitely possible.
R. Kasper (Chair):
C. Forrest: It's entirely possible. The only thing I should point out is that other than these two places, there are virtually no big differences regionally on this issue. I looked for patterns. I looked for other kinds of clues from Vancouver Island to explain why these two things happened, and I just couldn't see anything. There was just nothing really big there. So I don't know.
After asking sort of their overall level of concern, we asked an open-ended question: "Why do you say that? Why are you concerned or not concerned about this issue?" In an open-ended question the interviewer actually records every word that they say in response. They don't have a prescribed list of possible responses that they tick off. They actually record every word. We read all of their responses, all 600 of them, and we categorize them. So, you know, we can group them, so that we can measure them. But we do actually have, word for word, everything that they said in reply.
The people who assigned scores at the high end, the 5s, 6s and 7s who were concerned about the issue
[ Page 180 ]
The first, the biggest thing they said, is that they just feel they have a right to privacy; it's no more focused than that. It's just their right, and that's all. That's why they're concerned about it.
The next one, absolutely critical, totally echoes what we heard in the focus groups: they feel they have a lack of control. It's a big issue for them.
Then there's the annoyance factor. They don't like the idea of lists being sold; it kind of makes them uncomfortable. They don't like getting junk mail and that sort of thing.
Then we heard a couple of specific kinds of information that make them uneasy and make them worry about their information privacy. Credit card and financial information was a big one, and just sort of vague ideas about the Internet. Anything to do with the Internet kind of makes them think that they need to be worried about this issue of information privacy.
Again, here we go with Big Brother. There were 9 percent of people that answered this question and said they just don't like the idea that somebody -- and some of them called it Big Brother; some of them said government specifically -- has all this information about them. It's not businesses that they're worried about; it's some kind of bigger body that knows about them, knows what they do and where they go. They don't like that. Then, again, the other kind of specific information that came up fairly frequently was medical information.
So this is top-of-mind; this is no prompting. We just ask: "Why are you worried?" This is what they said; we've broken it out by the different levels of response. So the people who are in the middle
Again, with the junk mail, control comes up here in this group. This is a new one: they don't like the idea that their information could be misused. Now, this is something that I would have expected to see, actually, in the more concerned group. But it was very, very low; it was only -- I don't know -- 4 or 5 percent or something of that group. But here the people who kind of fall in the middle say: "Well, I'm just kind of uneasy about how my information is going to be used."
The Internet comes up. And I should point out here that the Internet is as frequently mentioned by people who are very concerned about the issue as it is by people who are not at all concerned about the issue. The numbers
So the people who don't worry about it at all
G. Plant: What does it mean to say Internet in that context?
C. Forrest: It meant a whole bunch of stuff. I mean, the responses that we saw, some of them went into great detail about exactly what it meant. They exchange information over the Internet; they don't know where it's going -- you know, that kind of thing. What we did was that we categorized. Everybody who mentioned the Internet specifically as a reason for being concerned -- we grouped them together.
[1100]
G. Plant: I guess my question is
C. Forrest: That's right.
G. Plant: So what is the question that the interviewer is asking at this point -- why is it that you're not concerned about information privacy?
C. Forrest: No. The question previously is: "How concerned are you?" And they gave a number on a seven-point scale. The next question is: "Why do you say that?"
G. Plant: "Why do you say that?"
C. Forrest: Yeah. "What is the main
G. Plant: So "the reason why I have no concern about information privacy is because
C. Forrest: Yeah. "The reason that I gave a score of 2 out of 7 is because
So then we asked them -- again, in an unaided way -- what kind of information they were thinking about. What did they think we were talking about here? When I said information privacy, what kind of information came to mind as being relevant to this discussion?
So here's what they came up with -- again, we didn't give them a list; we just heard what they said and categorized it: 55 percent said financial information is the thing that they think about. When they think about information privacy, they're thinking about their financial information. A third of them said it was their medical information. Individual information -- that's their age, gender, ethnicity
Their credit card information came up in roughly 20 percent. In identifying information -- that's directory information -- their name, address and phone number came up. This is top-of-mind. Shopping came up, actually, more than I would have expected it to, given that we hadn't heard anything much about it previously. Social insurance numbers came up specifically. And then a bunch of stuff didn't come up very often. A couple of people -- not very many -- mentioned party affiliation. Charitable donations were not a big concern for them on this issue. But some did mention it.
G. Plant: I have to say this; I don't know why this didn't occur to me until now. But it's interesting looking at the results of a quantitative survey on information privacy rights -- that
[ Page 181 ]
is, a survey which violates the privacy rights of individuals to ask them how they feel about privacy, presumably only with their consent.
C. Forrest: Yes, thank you.
G. Plant: I get that. But there is still something
R. Kasper (Chair): There are no identifiers.
C. Forrest: And it's absolutely confidential and anonymous. We don't collect names
G. Plant: That's right.
C. Forrest: And you never know who has said any of these things, for the record.
G. Plant: I think I am only saying that because I am the sort of person that if we got to question 4 and I was waiting for dinner, by question 4 the microwave would have rung. I would have said: "Well, you know what? I'm not answering any more of your questions. Boom!"
C. Forrest: See, now you know it can be valuable, and maybe next time you'll answer all the questions -- I don't know.
W. MacAlpine: Actually, we were talking about that a bit, and you said that you just have to get another person in that instance.
C. Forrest: Yeah.
W. MacAlpine: So you still have the same numbers.
C. Forrest: Yeah -- we just have to replace it.
The next thing we did was presented them with our list of different kinds of information, and we asked them -- again, on that seven-point scale -- how important it is that each of these specific kinds of information are kept private. So the ones that have the highest ratings, as you'll see, are the ones that they thought of top-of-mind immediately and the ones that they use as the reasons for being concerned: financial, medical -- that kind of stuff. So what you're seeing here are the people who gave a score of either 6 or 7 on the seven-point scale. So it is very, very important that this information is kept private.
These numbers are unbelievable to me as a researcher, especially these top ones. I haven't seen anything quite so strong in a long time. It's very important to keep financial information private. Nine in ten British Columbians said it was very important. Credit card information -- again, nine in ten. Medical or health information, three-quarters; your credit record, three-quarters. Then we get down into some stuff that's sort of around the middle, around the halfway point. The majority of people are assigning scores that are at the very, very top end of the scale here.
[1105]
Identifying information -- about 55 percent. We saw a very important gender gap on this one. I'm just going to take a moment to talk about that.
W. MacAlpine: Did you explain identifying information?
C. Forrest: That's directory information: name, address and phone number. Whereas overall it's 55 percent very important, among women two-thirds said it was very important, and half -- 47 percent of women -- assigned a score of seven, the very highest score. Compare that with just 33 percent of men. So this is a very big deal for women -- a very big deal.
Moving along. Internet usage. Half think that it's important to keep private. So I guess they're thinking about where they go when they surf and all that kind of information. They want it to be private. They don't like it getting out there.
G. Plant: Would that also conceivably include gender identity in a telephone directory itself, for example, which is something that I think women sometimes are sensitive about?
C. Forrest: The identifying information?
G. Plant: Yeah.
C. Forrest: Yes, absolutely.
G. Plant: Right.
C. Forrest: So then we go down the list. At the bottom here is shopping habits. Just a quarter think that it's very important to keep that sort of information private. As we saw earlier with the Safeway Club card, they're willing to let that information be tracked because they get the discount or whatever. It's not a big problem for them. This was a really interesting exercise and something that we didn't get into in the focus groups, just for a lack of time more than anything.
So while most British Columbians are concerned that their health information is kept private, they also appear to trust health care providers to do just that. All of the health care providers that we looked at in this particular question rated very, very highly in terms of the overall level of trust that people had in them.
On the other hand, financial information is the other biggie for people, and the people who are most likely to have our financial information are trusted significantly less. So again with the seven-point scale, these are 6s and 7s. And I think 1 is "do not trust at all" and 7 is "trust completely."
For individual health care professionals -- doctors, nurses, dentists and that sort of thing -- 61 percent trust them a great deal. Hospitals, just over half; pharmacies, just over half; medical labs, just around half.
Then we drop significantly to banks. I don't want to give too much away about myself here, but I personally think it's interesting that banks are a little higher than credit unions. I was expecting it to come out the other way around.
A Voice: No kidding.
C. Forrest: I don't know if it's my personal stuff. But banks were a little higher than credit unions, at 36 percent and 34 percent.
Then we take another big plunge down. Charitable organizations, 22 percent. This is extrapolating a little bit here,
[ Page 182 ]
but I think that has something to do with list trading and junk mail -- that sort of thing. Certainly that's what we heard in the focus groups: "I make a donation to the SPCA" -- for want of a better organization -- "and there's a spelling mistake in my thing, and two months later I get 15 junk mail letters that have that same spelling mistake in them. I'm pissed off about that." So that's something we heard in the focus groups, and that may be an explanation for why there's a slightly lower level of trust. I apologize to the SPCA for that example.
Then we drop down to insurance companies, at less than one in five.
Here at the bottom is where it gets very interesting. Retail stores. Large retailers -- Eatons, the Bay, Sears, Safeway and those sorts of things
But then we get down to the bottom, with the Internet, and there is no trust at all. Just 7 percent say that they trust Internet services or Internet retailers a great deal. So there's
[1110]
J. Weisbeck (Deputy Chair): How does that compare with the U.S., for example, who seem to be doing a lot more on line than Canadians?
C. Forrest: I don't have comparative data, I'm afraid. I don't know. Anecdotally, I would say it's probably about the same. I mean, we certainly hear a lot about that, but I don't have any real data for you.
G. Plant: But again, to come back to your point of a minute ago, the lack of trust may not reflect itself in their actual behaviour. I mean, people may use Internet services and retailers notwithstanding their almost complete lack of trust in the information practices of those organizations.
C. Forrest: Yeah. We do know from some other research that we've done on the Internet that a significant proportion of people -- and I wish I had the number with me -- or a significant proportion of British Columbians, anyway, don't do transactions on the Internet, don't actually buy things. They go and shop; they look at sites; they do comparative shopping. But they don't actually ever buy anything on the Internet for that very reason, because they don't really trust what's going to happen to their information. And it's quite a significant number. Of course, it's not at my fingertips right now.
Now that we've kind of established what they think about information privacy, their level of concern overall and what they understand about it, we move into the area of legislation. "To the best of your knowledge, are there any laws or regulations here in B.C. that protect individuals' information privacy?" Well, two-thirds think that there is; 66 percent of British Columbians say: "Yup, there's definitely some kind of law." But 23 percent said no, and 11 percent said that they just didn't really know. And I'm just double-checking to see if there are any
Okay. So you think that there's legislation. Then we say: "Well, whether or not there is any at this point, do you think that there's a need for it?" These numbers are huge; 92 percent of British Columbians think that there is a need for it. Now, the way that we phrased this question was that we read two statements. One was: "Do you believe that there is a need for legislation to cover information privacy?" The other one was: "Or do you feel that businesses can be trusted to do the right thing without any kind of legislation or regulation?" And 6 percent said that they think businesses can be trusted; 92 percent said that they want legislation.
And just as a point of comparison here, even people who say they're not particularly worried about this issue strongly support the idea of legislation. So 81 percent of those folks at the bottom, the unconcerned -- those are those 1s, 2s and 3s on that concern scale -- still say: "Yup, we need legislation."
We asked a couple of little questions just to get a sense of where the Internet fits into this and whether it's playing a role in the need for legislation, and it's pretty clear that it is. But it's kind of a torn position here: 80 percent strongly agree that the Internet has made it more important than ever that information privacy be protected. But seven in ten say: "Even so, we can never be 100 percent sure with the Internet. New technology has just made it impossible for us to ever be positive that stuff is protected." So on the one hand we're seeing that kind of resigned acceptance, and on the other hand we're seeing: "Well, even though I'll never really know, I'd sure like to have something there in place."
We went through a number of different exercises to look at different priorities for the legislation. One was that we presented them with a list of different kinds of information and asked how important it was that that information be included in legislation or addressed specifically in legislation. The next one was that we looked at a number of different requirements that the legislation might make of different businesses, and then we presented some different options for how the legislation might be implemented.
So we'll start with the different kinds of information here. No big shock here. The kinds of information which people see as most sensitive are the ones that they think need to be addressed specifically. I mean, that's a no-brainer. So 89 percent say it's very important to include financial information; 87 percent say patient information. Then we get employee information. Now, this hasn't been a big deal for people in top-of-mind discussions. But when you present it to them specifically and say, "Look. Should employee information be addressed in this legislation?" they say: "Oh yeah, that's a good idea." So 70 percent said yes. So it's not top-of-mind, but it is something that, when you present it to them, they acknowledge as a potential issue. Internet usage was a little lower -- 60 percent. That's still a majority saying it's important. And consumer information was right in the middle, so, yeah, you should include it. But it's not a real strong drive.
[1115]
They expressed a very strong appetite for making legislation comprehensive in its scope and power. They want the legislation. An overwhelming majority want the legislation to
[ Page 183 ]
require businesses to protect Internet transactions -- "ensure that they are protected" I think is how we worded it. And 86 percent say that to obtain consumer permission to share information with other organizations is very important. To provide consumers with access to their own information, to inform consumers of how their information is used -- that's three-quarters. Even to obtain permission to use information internally, just about seven in ten say that it's very important that legislation provide that.
Again, we see a strong call for consistency; 87 percent strongly agree that businesses across Canada should be subject to the same privacy laws. An interesting one that we didn't hear from anybody in the groups but that was certainly very strong here was that private sector businesses should be subject to the same laws as government. So that was 75 percent. Then, finally, three-quarters again said that all types of businesses should be subject to the same laws. Businesses and organizations, which is how I believe we presented it in the questionnaire, should be subject to the same laws, regardless of the size or nature of their business -- so across the board consistency.
We asked how important it was that they be accountable, and 71 percent think it's very important that businesses and organizations be accountable to an independent authority. Even though there was some discussion in the groups about audits and that sort of thing, support was strong for the idea of accountability, and it's echoed here in the quantitative
While in the focus groups we saw a strong call for balance between the needs of consumers and the needs of business and lots of talk about potential problems for business with red tape and bureaucracy and that sort of thing, when we presented the issue in the context of this survey, it was clear that it's more important for the general public that consumers are protected than that things are made easier for business. The needs of the consumers outweigh the needs of business in this measure, quite strongly.
On the whole, however, we found that British Columbians are really quite optimistic about what the potential impact of the privacy legislation could be. They do not agree that it's going to be a big red-tape problem and bad for the economy in the long run. Just 14 percent agreed with that statement, and I believe it was something like
There is consensus, however
J. Weisbeck (Deputy Chair): Were those specific about
C. Forrest: I'm sorry. I'm not sure I understand.
J. Weisbeck (Deputy Chair): We talked about having this impact, that consumers feel that there would be a positive response to this. I'm just wondering whether the Internet had the same response.
C. Forrest: It wasn't asked specifically on its own. It's just sort of: "Generally speaking, do you think this is going to have a positive impact?" And yes. So I imagine that when people are considering their response to that answer, the Internet is in their minds. But we don't know the extent to which it is.
[1120]
W. MacAlpine: Okay, I found it. Now, what was the question?
C. Forrest: "Privacy legislation will create more red tape." We wanted to know the number of disagrees. The low box.
W. MacAlpine: That was 41.2 percent.
C. Forrest: Yeah. So 40 percent strongly disagree that that's true -- that there will be red tape and it will be bad for the economy. Thanks, Wynne.
So as I was saying earlier, the more you talk about this issue, the more people kind of think about it, and their concern rises. This last chart compares that. On the left you'll see
G. Plant: Is that movement typical or unusual for surveys like this?
C. Forrest: This is higher than I would have expected to see. I've asked this sort of thing on a number of different issues. I mean, unless it's a really, really contentious issue, you typically see 3, 4, 5 percent movement. So 10 percent movement on a single point on a scale and on a highest point on a scale is absolutely significant, yeah.
There's one thing that I want to reiterate with you guys, and that is that the pre-discussion bars are a true measure of what's going on out in the public right now. It's kind of what people are thinking right now. The post-discussion just sort of gives you a sense of the impact of talking about the issue.
I wouldn't use the last number if you were talking about, oh, 40 percent of British Columbians being very, very concerned about information privacy. I wouldn't go out and say that. I would say that 30 percent are very, very concerned about information privacy; 40 percent are very concerned if you talk to them for 20 minutes about it first -- you know. So once they've got some information and once they've had a chance to think about it, the level of concern increases.
K. Whittred: You mentioned definition at the very beginning of your presentation, I think. I'm just wondering where
[ Page 184 ]
definition falls into that category. When we say 30 percent are very concerned about information privacy, how do you put that into context in terms of being concerned about financial information and/or having my name or my phone number known?
C. Forrest: We know that at the beginning here, the 29 percent
K. Whittred: But if we're making the overall statement that 30 percent are very concerned, that 30 percent would include that small number of people who regard personal information as a priority.
C. Forrest: Absolutely. It includes everybody. It includes people who think that their social insurance number is the most important piece of personal information they have. It includes the wide spectrum of people who are thinking about different kinds of things.
The one thing that I would say, as well, about the post-discussion measure is that at the beginning of this discussion, people were probably just thinking about the ones that occur to them first. Thinking about information privacy: "Oh, yeah, my credit card on the Internet. Yeah, that's a really big deal for me. Yeah, okay, I'm very concerned." By the end of it, we've presented all kinds of other things to them: their employee information, their medical information, stuff that they may not have been thinking about in the first case. That would naturally, you would assume, lead them to think: "Jeez, maybe I should be a little more worried about it than I was initially." So that may explain some of the movement as well. It's simply providing them with more of a definition.
Finally, some kind of overall conclusions. There's low-key awareness of this issue, both among members of the public and most sectors of the business community. As we were just saying, it seems pretty clear that concern about the issue is heightened by increased exposure to the issue. The more you talk about it, the more you think about it, the more you think it might be an issue for you. Larger businesses are more acutely aware of the issue than smaller businesses and are more likely to be taking proactive steps.
[1125]
There appears to be significant support among both the public at large and the B.C. business community for legislation. Public support for legislation appears to be founded on a concern about a lack of control over an important part of their personal identity as well as concern over the potential for abuse and fraud.
Of utmost importance to both the public and the business community is that any legislation be consistent from province to province, business to business and sector to sector. It should also be fair, taking into account the needs of both businesses and consumers. And as we were saying before, it's not too shocking, really, that the public generally feels that their rights outweigh the convenience of business.
I think that's it.
W. MacAlpine: Can I just say a couple of things that occurred to me through the discussion? Someone back talking about the focus groups was asking: "Did anybody say that they take any measures to protect their own personal privacy?" That did come up, and people said that they do things like not giving out their social insurance number, using a middle name or a different name when they fill out a magazine subscription or catalogue request. They fill out forms incompletely, or they use false information. They don't provide credit card information on line, or they don't make on-line purchases. Or they'll register at trusted web sites, like high-profile
C. Forrest: The CBC was mentioned, for some reason.
W. MacAlpine: CBC was actually mentioned, yeah.
So they did take into account the fact that they do take measures on their own initiative to protect their privacy. Another thing that the data was set up to show was whether there was any correlation between concern with any of this type of information -- Internet information -- and people with children. Are they more concerned about anything? And that didn't show anything whatsoever.
C. Forrest: There were no significant differences in that area. We were both really expecting to see parents expressing stronger concern about certain things. And it was just very, very consistent, whether or not you had kids at home.
W. MacAlpine: It came up in the focus group with, I think, one person.
C. Forrest: There was one mother in the focus group who was very, very worried about it. But in the quantitative, there was no difference.
P. Calendino: I just want to know
As I say, at the conferences I attended, there was a minority, but in general, I think academics or people from organizations in the community, etc., generally reflect what your study is reporting here: that there is a strong need for regulation, whether it be legislation or some other form. As a matter of fact, one very well known academic from Harvard University, when he referred to the self-regulation by the industry, said: "That would be like giving a flock of sheep to a pack of wolves." Did discussions come up at all about self-regulating?
C. Forrest: In the discussions with the business people, most of them feel that they are self-regulating already. But that didn't preclude any support for the legislation. They feel that there's still a need for it, if only for appearance' sake: "I'm already doing the right things, but if you put legislation in place, then my customers will trust me more, so that's okay." That's kind of how they thought about it.
[1130]
[ Page 185 ]
E. Walsh: I just wanted to say that going back and looking at your slide No. 33, some of the relevant information for discussion
The other thing that really surprised me when I looked through this information was Internet usage. Today the information that is available on the Internet
C. Forrest: But what you're looking at here is that we're asking people: "What kinds of information are you thinking about when you think about information privacy?" That's what this question is right here. And the people who are under "Internet usage" are people who talked about where they went, what web sites they visited -- that kind of information. The people who said financial or individual or credit card could have been thinking about the Internet as a means for transmitting that information. But it was that kind of information that came to mind.
So they're thinking about their financial information as needing to be protected, and they may be thinking that it needs to be protected from hackers on the Internet. But it's the information itself that they're thinking about.
Now, when it comes to social insurance numbers, we did hear them tossed around much more often in the focus groups as being: "Oh, yeah. I don't like to give out my SIN. I like to keep that to myself. I don't put it on forms that I fill out, because I know that they don't really need that information. It gives away too much about me." That came up in the focus groups. But here again we're just saying: "The first thing that pops into your head -- what are you thinking about?" And it didn't come up that often.
R. Kasper (Chair): Just to beg the committee members' indulgence, Dr. Colin Bennett is here as an observer to the presentation. My recollection is that in his written submission he had actually touched on the issue of social insurance numbers. Colin, did you want to add to that? Or did you have any comment that you may want to pass on to the committee in regard to social insurance numbers? Can you come forward and identify yourself, and
C. Bennett: Sure, thank you.
Not on that particular issue. I've got two or three responses to the overall presentation, if you'd like to hear those.
R. Kasper (Chair): Well, perhaps we could conclude the presentation, and if it's the wish of the committee to hear your views, I guess, added to your original submission, then we could entertain that.
C. Bennett: Sure.
R. Kasper (Chair): Okay, great.
G. Plant: I'm not sure if
E. Walsh: Yeah.
G. Plant: A moment ago, in explaining a bit about what was behind slide No. 33, you used the example of people perhaps being concerned about hackers. Hackers is a security issue, not a privacy issue.
C. Forrest: Yes.
G. Plant: I just want to be clear in my recollection that in the context of the focus group, where you had this kind of open-ended, structured dialogue, your observation was that people used a variety of terms, which means they may not have been as analytically precise about what they were talking about. But that dialogue doesn't happen in the context of the survey work.
C. Forrest: No, it doesn't happen. That's right.
[1135]
G. Plant: That, I guess, leads to this question. I'm not sure if it's the right question, but you'll get the point. How do I distinguish between security and privacy concerns when I look at your survey results? I have to say intuitively that when I think about the possibility of electronic commerce as an individual and I think about financial information, which is, you know, off the chart in lots of these cases as being the first thing people think about, I'm thinking about the risk that someone has access to my computer who I don't even know about. I am not thinking about a secondary transaction undertaken by the primary consumer of my personal information, which is really the focus of the federal legislation. So I have a concern about whether it's possible to separate the two issues, and my sense is that it would be awfully hard.
C. Forrest: It would be extremely hard, and we certainly saw that in the groups. People see these things as being absolutely linked together -- security, privacy, the whole thing. It's my information. It's what happens to my information that I care about. I don't care whether you call it security or privacy; I don't want people messing with my stuff. That's the heart of it. So I don't think you can separate the two when you're talking about the public.
G. Plant: One of the factors identified -- in fact, it may have been second on the list of the top-of-mind concerns -- was loss of control. First on the list was right to privacy, which does, to me, touch the right buttons. But when people speak about loss of control, that seems to me to be much more potentially confused in terms of whether the issue is security or privacy.
C. Forrest: It is, but it is what's driving support for legislation. It's what's driving support for what you guys are doing.
[ Page 186 ]
G. Plant: Right. Only to the extent that we may try to legislate in relation to security, which I have to admit is not on my mind at the moment because we're thinking about privacy.
C. Forrest: I think the key here is that the public perception is that those issues are the same issue. I guess the most important thing to take away is that this is how the public at large thinks about this stuff. It's all the same -- yeah.
S. Orcherton: I'd like to first apologize to the committee, the Chairperson and particularly to you, Ms. Forrest, for being a little late this morning. I was tied up imparting some information to the media on the Public Service Commission and how we hire people based on merit in the Public Service Commission.
What I found kind of interesting -- and really, I think it's something the committee's been wrestling with for some time -- is the lack of attention that the public generally, in day-to-day life, pays to these kinds of questions. What was interesting in your presentation was that I think about two-thirds of the public already believes they're protected by some sort of legislation out there.
G. Plant: As they are.
S. Orcherton: In British Columbia. But the sense I got from that
G. Plant: There's an FOI act.
S. Orcherton: Hold on. Do you want to carry on, or can I finish my thought?
G. Plant: No, sorry. I wanted
S. Orcherton: Thanks. I really appreciate that.
There's a sense out there that they're covered and that it's not an issue. I think we've been finding as a committee for some time that in trying to engage the public in debate and discussion about the future of these kinds of questions has been a rather tough process, in a way.
C. Forrest: Which is why I'm here today, I think.
S. Orcherton: No, I know. So I looked at your documents with some interest. It seems to me that there is some interest when people engage on the question, and there's a high level of concern. I wonder whether the concern is simply because of the polling that's going on. It twigs at the people's minds, and after they hang up the phone they walk away and go: "Well, there are other far more pressing things in my life." That's the sense I got. Is that where you think it is too?
C. Forrest: I think that's fair. I think it becomes an issue when something bad happens to your information or if you get annoyed about something. You know, if there's a problem, it becomes a real issue for you. Or if you spend 20 minutes talking about it with somebody, then you see the potential for problems down the road and it becomes an issue for you. That's when it's an issue. Otherwise, it's not on your mind. I mean, what's on your mind is paying your rent and buying groceries.
We see that on all kinds of issues -- the environment and all kinds of things. Unless people are confronted with it directly, it's on the back burners. Yeah, yeah, we acknowledge that that's something that we should be thinking about, but right now what I care about is staying warm or something that's more kind of vital.
[1140]
S. Orcherton: One other
C. Forrest: When they were expressing support for the idea of legislation, that was the rationale that they gave most often as their support. It wasn't a theme that kind of ran through: "I absolutely think my consumers will love me better because I have this legislation." No. It was something that
S. Orcherton: So it's consumer confidence that ran both ways.
C. Forrest: Yeah.
S. Orcherton: That's interesting. Thanks.
K. Whittred: I wanted to ask, really arising from your response a couple of questions ago that, in your sense, the public made no distinction between privacy and security: would it be fair to conclude also
C. Forrest: I don't recall that thread coming up at all -- do you, Wynne? -- in the groups, that paper files are somehow more secure than information
W. MacAlpine: No. Actually, they didn't seem to be giving examples of security; they were just talking about what it meant to them. It means basically that whoever has their personal information, it won't be stolen.
C. Forrest: Yeah, or passed on inappropriately.
W. MacAlpine: Actually, I think that was more to do with confidentiality.
C. Forrest: That's right, yeah. You're right -- secure, which is that nobody's going to get in there and get it that shouldn't have it.
W. MacAlpine: One thing about the idea of security: I'm not sure that the difference between security and privacy is all
[ Page 187 ]
that meaningful in terms of
R. Kasper (Chair): Okay. So does that finish
P. Calendino: Let me add to that, because I asked earlier whether they were making the distinction between security and privacy, and you did say no. From the comments I hear now, it's that what's in the mind of people is really the issue of privacy of the information that they provide to whoever. It doesn't matter whether it's in a computer or in a file cabinet, etc. They want that information to be kept private and not to be disclosed to anyone without their consent.
C. Forrest: They want it protected, yes.
R. Kasper (Chair): Cathy, I just have a question that relates to
[1145]
C. Forrest: I don't have access to that.
R. Kasper (Chair): Okay. You know, just to see if there's been a shift in the public mind
C. Forrest: Yeah. The surprises were just based on
R. Kasper (Chair): Okay.
W. MacAlpine: We could do a comparison of this data with the surveys that Chris Norman's branch provided as well. They gave us some survey data from Canada as a whole and different ones like that.
R. Kasper (Chair): If it's agreeable to the committee, Colin Bennett's here, and he has actually asked me if he could have an opportunity just to give his opinion as to an issue on the awareness around C-6. He may have some insight around that from work he's done. Is that correct, Colin?
C. Bennett: Sure, yeah.
R. Kasper (Chair): Just briefly, if that's okay with the committee.
C. Bennett: A few minutes and
R. Kasper (Chair): Yeah, just a few minutes. And then I'll ask Chris Norman if he has anything. He may want to give us an observation.
S. Orcherton: It would certainly be helpful for me
C. Bennett: I don't want to intrude upon the committee's time here.
S. Orcherton: No, no, that's not what I said. If I could have some kind of introduction
C. Bennett: Yeah, sure. That's all right. I'm a professor of political science at the University of Victoria. I've done a lot of work on privacy-related issues and on the development of privacy legislation in different countries. I've also done some work on the other public opinion polls that have been done in Canada. Obviously I found this presentation extremely interesting. I mean, I can put my views in writing if you don't want to hear views in the here and now.
R. Kasper (Chair): Just carry on. We can give you a few minutes.
C. Bennett: Sure, okay. All right, two or three random comments, then.
The point about the lack of awareness of Bill C-6 is kind of interesting. It demonstrates that the federal government has not done a particularly good job in informing businesses about their obligations under that legislation, which is something that I personally have discovered in the work that I've done on this and in commenting in the media, etc.
Regarding two or three of the committee's comments about these attitudes toward privacy, two things. The lack of awareness issue -- I think on slide No. 45: "There is low-key awareness of the issue of information privacy, both among members of the public and most sectors of the business community." A lot of that, I think, is attributable to the fact that people will be having and experiencing privacy problems, but they will not see them as privacy problems. They will see them as: "I didn't get my mortgage," or "I got denied credit," or "I'm getting a lot of junk mail." They do not see the information relationships that are at the bottom of that.
So I think that explains the perceived contradiction between the low-key awareness that you have on those kinds of issues and the very, very strong support for more legislation that is in slide 37, which is, to me, probably the most important slide here. Ninety-two percent is an extraordinarily high number, I think.
The other issue that just caught my attention was the question about the trust in institutions and the different institutions that individuals are concerned about. Other polls suggest that those kinds of concerns very much correlate with whether they have a trust in the institution in the first place -- right? And the trust in that institution is also very much related to whether you know that institution. So when people say they trust their medical practitioners, it's because they know their medical practitioner, or they know their banker. They do not know these Internet companies -- e-Bay, Yahoo!, Amazon, all these weird new brand names which people are very, very unfamiliar with -- even though, quite frankly, it's far more secure to give your credit card number over the Internet than it is to give it over the counter in a shop downtown.
[ Page 188 ]
Those are just a few random thoughts. Finally, the point about employee records is very key to me, I think, in that if nothing is done, then there's a vast number of areas of personal information to do with employee records that will not be covered by just letting C-6 float into this. Anyway, as I say, I can write my views out in a more coherent manner if the committee would be interested.
[1150]
R. Kasper (Chair): Thank you very much.
Chris Norman, did you want to add some views? Chris is from ISTA. He's been monitoring or watching the goings-on of the committee for some time.
C. Norman: Thank you for an opportunity to have a couple of comments. One thing that I think this does -- these results -- is that it very much confirms and correlates virtually exactly to the kinds of other polling that's been done. I mean, there are no real surprises in this data other than the fact that it confirms a very high level of emphasis on legislation. I think the fact that even businesses are indicating a high support for legislation, let alone in 92 percent of those polled, is a very significant number -- one of the most significant numbers in this.
I've given a lot of thought to the issue around security, because this has come up in the committee quite a number of times. My analysis or my conclusion is that privacy is the concern. But security, in many ways, is the way of losing it or keeping it. So in other words, what people are concerned about from the standpoint of security is whether there's enough security to help them guarantee their privacy.
So in the sense that they're separate, there are security issues that don't have anything to do with privacy. But in the case of our interest for the purpose of this exercise, what people are concerned about is their privacy or loss of privacy -- their control. The poll brings that out. Control is the issue. You want to have the ability to choose whether you're going to give your information out or whether you're going to keep it to yourself. It depends on
But to me, the security issue is the issue of -- for want of a better word -- the tool. If your concern is privacy, is there adequate security to guarantee your privacy? If we look at the public sector legislation -- the FOI and Protection of Privacy Act -- the issue is privacy. But in that act, as you know, there's a part about security. Security is one of the ways that you help to maintain that. Is there security in transmission? Is there physical security, etc.?
So that would be how I would try to put the security piece in the context of the overall issue, which is the privacy. And I would very much agree with Dr. Bennett's comment about employee records. I think, in a way, that really is the tripper from the standpoint of the legislative approach. There's 92 percent supporting legislation -- an incredibly high number. They want a consistent legislative framework. But I think the one trip for a provincial approach still rests in the fact that there is this large area of employee records. I think, as Cathy pointed out, people may not be that aware that there's that hole in the net. But when they do become aware of that hole in the net, it becomes an issue for them.
R. Kasper (Chair): Great. Thank you very much.
Cathy, on behalf of the committee, I'd like to thank you for your presentation today. I understand that you're going to be submitting the final version of what you've presented here today.
C. Forrest: A detailed report, yeah.
R. Kasper (Chair): Okay. Thank you very much.
Our next item of business: Wynne has distributed a basis for a draft committee report to the members. What I would ask members to do is go over the report in these initial stages, bearing in mind that it's my recommendation that what we will be receiving from Ipsos-Reid would actually become an appendix to our report, as information that the committee gathered.
[1155]
W. MacAlpine: What I was planning to do, subject to the committee's agreement, is take the focus group and business interview parts of the Ipsos-Reid findings and integrate those with the submission information, because those are both qualitative. They're not measuring anything quantitatively, but they give you the ideas that people are thinking about. There's a big difference between the focus group and business interview data than the ones that sent submissions in, which were self-selecting, as Cathy has said. They're often from well-informed organizations or individuals. So that would be a good balance. And if we dealt with those the same way in the body of the report, I think that it would be a better representation of that focus group and business interview data. Then, if we could append the quantitative part, I think that would be a good way of presenting that.
J. Pullinger: Why would you not put any discussion of the quantitative part in the report?
W. MacAlpine: I was going to use some of the figures as well, but it might be useful for the public to be able to look at the full survey -- the quantitative.
J. Pullinger: Yeah. Oh, absolutely. I was asking about exclusion, not inclusion. I just wanted to make sure that the whole thing was referenced in the report.
R. Kasper (Chair): John, did you want to add anything as the vice-Chair?
J. Weisbeck (Deputy Chair): No. I think I'm more looking at process at this point in time. I think that we have a caucus meeting on February 22, and you've called for a meeting at that point to review this draft report. I would maybe suggest that we could, as individuals, call in to you, for example, and give you suggestions that we could add to the report and possibly do that on a finalization of the committee report with those suggestions.
J. Pullinger: Clarification -- sorry. John, is what you're saying that we just do the finalizing of the report by telephone, in other words?
[ Page 189 ]
J. Weisbeck (Deputy Chair): Well, at least get your suggestions in, and then possibly we can discuss them on the final report. Unfortunately, we're not available that day.
J. Pullinger: Or we could even fax out the final report and just
J. Weisbeck (Deputy Chair): Or fax it or whatever -- sure. For example, I fortunately had the opportunity to read the report already. There were just some
J. Pullinger: Sure, the context.
J. Weisbeck (Deputy Chair):
J. Pullinger: I'm just thinking of the expense and time to come back. At this point it may be okay, if everybody submits their
R. Kasper (Chair): Is that agreeable with everyone, then -- that you go through the draft and whatever additional comments you may want to add or see, then submit them to Wynne, with attention to myself and John?
K. Whittred: Well, that would be acceptable to me, Mr. Chair. But I think in addition to that, once the amendments or suggestions are in, we need to see a draft copy to really look at.
J. Pullinger: That was my suggestion, Katherine -- that we e-mail or fax or snail-mail the final draft and then have a conference call to confirm it.
K. Whittred: Oh, I'm sorry. I missed the part about the final draft.
J. Pullinger: Yeah, so that we have it in front of us in time to read it before we have a final conference call or just sign off on it.
P. Calendino: Just a comment in answer to John. He wants a comparison of what is happening in the United States. I think that there isn't any overall legislation in the U.S, but it's coming. My understanding is, from a conference I attended, that there are 66 pieces of legislation being introduced either at the state level or at the federal level.
What regulates business in the U.S. is the Federal Trade Commission. They oversee federal practices. But even that organization is of the opinion that overall legislation like we have with Bill C-6 -- and they envy us for having introduced it -- would be good for business in the U.S. But they haven't had one as yet. There are a number of bills that are being introduced even in the House of Representatives in the next sitting.
J. Weisbeck (Deputy Chair): I guess my concern is that, you know, they're our major trading partner. So if we create an unlevel playing field, it might have some impact on the way we do business with the U.S.
P. Calendino: Yes. We understand, though, that the economics in the U.S. are a little different than ours.
J. Weisbeck (Deputy Chair): Yeah, I appreciate that.
P. Calendino: The private sector is much stronger. For example, the technology industry or the information industry leans towards self-regulation, while legislators and consumer protection agencies obviously want to see legislation.
[1200]
G. Plant: The interesting discussion that is on the verge of breaking out is to me a reminder of the fact that we have not actually yet had a discussion about what we think we ought to do about the problem that's been presented to us. I haven't read this draft report, but I'm sure it will start that discussion.
I personally cannot, in absence of having read this document, give any kind of assurance that I could settle the issues by means of a telephone conference call. I think we are going to have to meet again, hopefully with a revised draft report that has the benefit of the comments people are saying they are going to make. I don't know what the draft recommendations are that people are making in this draft document that I haven't read, and I think we're going to have to meet again at least once.
R. Kasper (Chair): Yes. Just to refresh people's memories, there were actually three meetings suggested. One was March 1, and then the third one would have been March 15, which would have given those opportunities to do just what you suggested. But in the meantime, just to help the process along, if members would go over the draft report with some draft recommendations
Okay. Is that agreeable? Thank you.
I don't think there's need for a motion. I think we all understand what we could do. Wynne has some direction, and John and I will be in touch.
I'd like to thank members for coming today. Please go through it and give us your comments, in writing or verbally.
The committee adjourned at 12:03 p.m.
[ Return to: Legislative Assembly Home Page ]
Copyright © 2001: Queen's Printer, Victoria, British Columbia, Canada