2001 Legislative Session: 4th Session, 36th Parliament
SPECIAL COMMITTEE ON INFORMATION PRIVACY IN THE PRIVATE SECTOR
The following electronic version is for informational purposes only.
The printed version remains the official version.
THURSDAY, MARCH 1, 2001
Issue No. 16
| Chair: | * Rick Kasper (Malahat-Juan de Fuca Ind) |
| Deputy Chair: | * John Weisbeck (Okanagan East L) |
| Members: | Pietro Calendino (Burnaby North NDP) Glen Clark (Vancouver-Kingsway NDP) * Steve Orcherton (Victoria-Hillside NDP) Jan Pullinger (Cowichan-Ladysmith NDP) Erda Walsh (Kootenay NDP) * George Abbott (Shuswap L) * Geoff Plant (Richmond-Steveston L) * Katherine Whittred (North Vancouver-Lonsdale L) |
| * Denotes member present |
|
| Clerk: | Craig James |
| Committee Staff: | Wynne MacAlpine (Committee Researcher) |
| Witnesses: |
Chris Norman (Information, Science and |
[ Page 191 ]
The committee met at 10:10 a.m.
R. Kasper (Chair): I call the committee to order. We have a quorum, and there are some members who have sent their regrets.
Wynne, I'll turn it over to you, if you can lead us off. And what we're going
to just go through
Wynne, I'll turn it over to you, if you want to lead off with what you've compiled to date.
W. MacAlpine: Okay. The two documents that were handed out are essentially the same thing. The draft recommendations have been pulled right out of the draft report, so they're also in there.
I guess I'll just go through the draft report. It starts off with an introductory section on the context of information privacy, explaining what has been done internationally and within Canada to date. And then it goes into a discussion of the rationale for information privacy becoming an issue. It looks at the development of privacy as a human right at the international level and how it moved from there to information privacy laws for individual nation states, especially in Europe, and then the move to information privacy protection for the private sector.
Then the next section, "Information Technologies and Businesses' Information Practices," explains how information technologies have become widespread throughout society and what implications that has had for information privacy in the private sector and not just in the government sector. Towards the end of that section it focuses on three particular technologies: Internet cookies, profiling, data matching and data mining. It explains those things and what the privacy implications are.
Following that, there's a section on what the committee heard from British Columbians about information privacy in the private sector. This section compiles the views of witnesses, focus group participants, survey participants and some of the expert witnesses that have spoken to the committee. It starts off with the views of British Columbians on information privacy and then moves into private sector businesses' and organizations' views. So it sort of raises the concerns of both individuals and businesses on the issue as a whole.
Then the next section explains how many national jurisdictions and provincial jurisdictions have dealt with information privacy through the adoption of their information principles and goes through each principle: accountability, identification of purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, mechanisms for challenging compliance, self-regulation.
Okay. "Self-regulation" is the next section, and that's a topic that came up through witnesses' submissions to the committee: the argument that industries can regulate themselves and don't need to have a privacy law to ensure that their consumers and clients are protected.
[1015]
Harmonization is another issue that came out of the participation with the
committee -- the focus groups, survey and the witnesses' submissions. The
Canadian Standards Association model code for the protection of personal
information
"Sectoral Codes" is a section, again, on witnesses' comments on the use of sectoral codes by industry in order to provide more detailed rules to fit with the privacy legislation, which they recommend should be more general than particular, in terms of what different organizations and businesses should do. "The Right to Information Privacy" summarizes the views of different witnesses and participants and some of the privacy literature on the value of having privacy recognized as a human right.
"Scope of Application" is a section dealing with some of the
details that people would like to see in any private sector privacy law:
consistency across the private sector
"Justification of Purposes" is a recommendation that some people made, saying that not only should businesses and organizations be required to explain why they need information and what they're going to do with it, but individuals should be able to challenge the proposed use as not justifiable. That's supposed to assist them in strengthening their consent to the use of information.
"Information in Electronic Formats" deals with recommendations recognizing that there needs to be protection for electronic documents but that it's not simply a matter of protecting privacy using technology or personal information that's considered to be in electronic format. It goes down to paper files and paper records as well.
" 'Publicly Available' Information" is directory information. There were a lot of comments about that. Marketers basically would like to see that the availability of that information is not threatened by any privacy legislation. On the other hand, there were some comments from individuals saying that it's a matter of personal safety and privacy that they be able to regulate the disclosure of that.
"Research Purposes and Archival or Historical Purposes." Archival and historical purposes is an issue that came up with the previous committee. They want to make sure that the collection and organization of archival documents is not threatened by privacy legislation. Research purposes is a bit broader. That encompasses all of the research technologies, data matching, data mining, health information and the ways that different personal information is combined and manipulated in research. There are various views on what should be done about that, in terms of protecting individual privacy.
[1020]
The last section deals with accountability, fees, oversight mechanisms. The fact that legislation should be easy to under-
[ Page 192 ]
stand was something that came up from some individuals. Education was a point that witnesses made strongly -- that it should be a function of government, any oversight body and businesses to educate the public on their rights and responsibilities.
R. Kasper (Chair): Okay. So is that it?
W. MacAlpine: That's it for the report.
R. Kasper (Chair): Okay. Was there anything else you were going to add to the document that you've circulated that isn't included?
W. MacAlpine: Electronic privacy act
R. Kasper (Chair): Okay. And that's page
W. MacAlpine: That's on page 104.
R. Kasper (Chair): That's page 104, for members. I did note that there are quite a few of the pages actually not numbered in my copy. I don't know if members have the same problem, but on the copy I have there are no page numbers in the beginning of my document. But I don't know if other members found that.
J. Weisbeck (Deputy Chair): There are a number of draft recommendations that you've got as you go through the report. Some of them are numbered; some of them aren't. So I'm trying to get a handle on what's in here.
W. MacAlpine: It's just a matter of getting the content here for you before formatting it. In the interests of time, I thought it was more important to get the content.
J. Weisbeck (Deputy Chair): Okay. That's fine.
W. MacAlpine: I'm sorry that it's confusing. But under each section heading in the table, I'm expecting that the committee might want to make some kind of recommendation, whether it's to not make a statement on whatever issue or to make some particular recommendation.
S. Orcherton: I think, sort of broadly speaking, the report's good. I
don't have any problem with it, but just a couple of areas
W. MacAlpine: Yes.
S. Orcherton: So you're still going to flesh out a bit of this. What I
always find helpful in these kinds of reports, when you get them
So you can look quickly; you can have a look and say: "Here are the recommendations the committee is looking at." If you're very interested in issues around technology-neutral and things like that, you know where to go immediately to look at that. It's more of a process thing as opposed to the substance of the report. But overall, I think the report looks good.
R. Kasper (Chair): How does the committee want to deal with this? Wynne actually gave us kind of a synopsis of the basic recommendations.
W. MacAlpine: For discussion purposes.
R. Kasper (Chair): Are all these recommendations contained in the body of the report?
W. MacAlpine: Well, for some reason, one that's actually under "The Right to Information Privacy" on page 64 didn't make it onto here. But other than that, it's there.
R. Kasper (Chair): Well, then perhaps we could go through each section
as per the table of contents, and where there is no specific recommendation
[1025]
W. MacAlpine: No, that's just a discussion of what businesses told the committee that they actually do, what sort of practices they have adopted and what they use information for.
R. Kasper (Chair): Okay. And then on the next one it's informational practices -- no, sorry, it's British Columbia views. There is no specific recommendation there.
W. MacAlpine: No.
R. Kasper (Chair): Where's our first recommendation? Would it be under "Employee Information," in that section?
W. MacAlpine: No.
R. Kasper (Chair): Okay.
W. MacAlpine: It would be
R. Kasper (Chair): What about "Health Information"?
W. MacAlpine: Those sections are more
R. Kasper (Chair): General?
W. MacAlpine: Yeah.
[ Page 193 ]
R. Kasper (Chair): Okay.
W. MacAlpine: But basically "Self-regulation,"
"Harmonization
R. Kasper (Chair): Okay, so "Self-regulation,"
"Harmonization
W. MacAlpine: And "Fair Information Principles" -- I think at the outset of that section is the second recommendation on this page.
G. Plant: Could I interrupt for a second?
R. Kasper (Chair): Yes, Geoff.
G. Plant: I just want to catch up with where we are. Last time we met we were given something called a preliminary draft report dated February 15. And on page 29 of that document there was a recommendation entitled "Recommendation No. 1," which broadly speaking was a recommendation, drafted, that the government of British Columbia enact legislation to protect information privacy.
Now today, arriving here, we have been presented with a much longer draft report, which I think is building on the outline of the report that was handed to us on February 15 and fills in some of the blanks that were left in that report.
But am I right that, in keeping with the overview that Wynne has given, the
first 64 pages of this draft that we now have today represent, in all the ways
that Wynne has described, a sort of preliminary analysis and overview of the
relevant considerations and then lead to the first
R. Kasper (Chair): Recommendation.
G. Plant:
W. MacAlpine: I think I've moved that.
G. Plant: Am I following along properly?
R. Kasper (Chair): Yes.
G. Plant: Right. So the two-page document entitled "Draft Recommendations" might be described as subsidiary or conditional recommendations or something; I'm not sure what the right term would be. But all the recommendations on this two-page document presume it is our view that we would recommend that there be legislation. They all follow from that recommendation, which is presented on page 64 of today's draft. Have I got that right?
[1030]
R. Kasper (Chair): Yes. And that's under part 2, "Information Privacy Rules for British Columbia's Private Sector." And the first recommendation -- correct me if I'm wrong, Wynne -- is: "The committee recommends that the government of British Columbia enact legislation to protect the information privacy of British Columbians in private sector transactions and that the proposed legislation achieve a fair and workable balance between information privacy and the use of personal information for legitimate business purposes." So that's our very first recommendation. And you are correct that what we have additionally circulated here today are additions or subsequent recommendations that unfold from the original draft that we received at our last meeting.
G. Plant: When I go forward, if I may for a moment, about three or four more pages into today's draft, there's a page that has the word "Harmonization" at the top, and that also has in bold a recommendation -- a harmonization recommendation. But I don't think that is included in the two-page summary of draft recommendations either.
W. MacAlpine: I don't think that the word-processing function I used
to cut these sections out worked properly, because the first broad
recommendation under "Information Privacy Rules for British Columbia's
Private Sector" was changed from the original that you received last week.
It's now after "Harmonization." There's "Self-regulation,"
"Harmonization," "Canadian Standards Association Model Code
G. Plant: In fact, if we go a little bit more deeply into today's draft of the longer report, we'll find a couple of other draft recommendations, which means that this two-page document is substantially incomplete as a summary of proposed recommendations.
R. Kasper (Chair): And Wynne actually mentioned in the beginning of her presentation that there some items in our new report that are not on this two-page summary. Maybe we should disregard the two-page summary and pick up from where we were. We have the first recommendation, and then the second recommendation dealt with harmonization. I'm at a total disadvantage because my pages aren't numbered.
G. Abbott: Well, mine are not numbered either, until you get to 77 or 78.
K. Whittred: I don't think any of them are numbered.
R. Kasper (Chair): Okay. So "Harmonization." Is everybody at "Harmonization"?
G. Abbott: Approximately what page are we at?
S. Orcherton: Right after part 2, "Information Privacy Rules for British Columbia's Private Sector."
G. Plant: Seven or eight pages further on.
R. Kasper (Chair): Okay, should I read out the recommendation? The recommendation is: "That the proposed leg-
[ Page 194 ]
islation harmonize with other Canadian and international jurisdictions, particularly the federal Personal Information Privacy and Electronic Documents Act, by establishing a legal framework of the internationally recognized fair information principles as expressed by the CSA Code" -- and it goes on -- "accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance."
Does anyone have any problems with that recommendation?
G. Plant: Sorry, I thought we were simply identifying its existence. Maybe I've missed something. Have we already had the substantive discussion around the first recommendation?
R. Kasper (Chair): No.
G. Plant: I don't have any problem with understanding the words that are used as you have read them in the second recommendation.
[1035]
R. Kasper (Chair): Okay. So you'd like to go back to our very first recommendation.
G. Plant: I don't mean to be difficult about this, but I think we've
met an awful lot of times and done an awful lot of work, and I guess sooner or
later we're going to have to ask the question: what do we want to do? I'm not
sure how you as the Chair want to structure that discussion, and that's entirely
R. Kasper (Chair): Like I said, it's perfectly up to you. I said that I took full blame for actually initiating some paper and to put together a series of recommendations at our last meeting.
I asked all members to bring forward any comments they may or may not have in regard to our first set of draft recommendations and our first draft report, noting that there was going to be additional information added to the report based on the presentation we had at our last meeting. It's my understanding that there were no forthcoming calls to the Clerk's office or to myself in regard to what members wanted to see added or changed, with the exception of the vice-Chair, who actually wanted to know what other jurisdictions are doing elsewhere. I think John was advised that in the U.S. they have multiple types of pieces of legislation that are fairly far-reaching. There is no sort of unanimity as to what is out there.
So I'll leave it to you. Would you like to lead off, then? Is everybody satisfied with the recommendation?
G. Plant: All right. So the recommendation is that the government of British Columbia enact legislation to protect the information privacy of British Columbians in private sector transactions in some language about striking a balance. I really think it's important that we consider and recognize that we're not asked to make this recommendation or even consider this subject generally in what might be described as a legislative vacuum. We're here because we recognize that there are important public policy issues at stake, but we're also here because the federal government has more or less required that we be here.
We're perhaps constrained in our discussion in this sense. While in a world where Bill C-6 did not exist we might, as a committee, reach a certain set of agreements about what we think ought to be done to the statutes of British Columbia, our discussion is constrained by the fact that not only has the federal government legislated but the federal government has legislated in a way that will apply automatically to British Columbia within a certain time. And the federal government has, in its no doubt nearly infinite wisdom, reserved to itself the decision whether or not anything we do in this jurisdiction is good enough for the learned and honourable Members of Parliament who occupy positions in the federal cabinet.
We have, for example, the situation where we look at the issue of
harmonization in a different context, because some people have argued
I actually think it's important that we recognize those constraints as part of what we're doing here. They are bound to have an impact on what we decide at the end of the day. So I want that concern, if you will, to be there on the record in some way or another. The point, in part, is that whether or not we make this recommendation, if Bill C-6 is constitutionally valid, by the year 2004 there will be in place in British Columbia legislation to protect the information and privacy of British Columbians in private sector transactions. It just won't be legislation of the people of British Columbia; it will be a federal statute. That's kind of an interesting context in which to be asked to make a recommendation.
[1040]
In broad terms, I also want to say that since Bill C-6 is primarily directed at commercial transactions, I recognize that we've done a lot of work to find out what it is that British Columbians think about this. Not surprisingly, when you engage British Columbians carefully and persistently in a discussion about something, you will eventually awaken their interest. I believe a lot of the polling results need to be examined in that context -- that is, people who, having been given lots of opportunity on their own to express an opinion about the subject, remained silent. Only when they were asked repeatedly for their opinions did they indicate that they had them.
That distinction is significant to me in the context of consumer relations
for this reason: at the end of the day I want to be sure I know the difference,
if there is one, between what people say they will do and what they will
actually do. I noticed, for example, this morning in the Federal Trade
Commission's report of May 2000, which is a pretty interesting document
[ Page 195 ]
pretty sure I saw the observation that, roughly speaking, over a five- to seven-year period, the growth in Internet commerce in the United States was expected to be from $26 billion a year to $1 trillion a year.
Every single person who transacts business over the Internet as a consumer has a choice. They have a choice whether to do that business over the Internet or not. You have a choice whether you want to buy a book from Amazon.com or walk down the street to your neighbourhood bookstore. People may say that they're concerned about these things, but what I see is that they relentlessly increase the rate at which they do them. And I know that the public opinion polls also say that people say they would do more of it if there were better protections in place.
The question, then, for us as public policy-makers is whether we ought to say to consumers, "You force the people that you do business with to make those rules better," or whether we should solve their problem for them. And again, I must admit I am by nature skeptical when people say to public opinion pollsters that they would do more business over the Internet if they had greater assurance, because the overwhelming evidence is that they are by exponential factors year by year increasing the volume of business that people are prepared to do over the Internet, which I agree is just one context in which this issue about privacy arises.
So when we're looking at consumer protection, I want to be mindful of the fact that people, generally speaking, who are participating in consumer transactions have a choice. They can choose to care about their information privacy rights or not care. They can choose to transact business with companies that publish privacy codes -- and many do -- or they can choose not to. I think we would be wrong to ignore that.
I think we would be wrong to ignore the fact that in British Columbia, we do have private sector protection for privacy rights. We've had it for a long time. We have a privacy act. It takes a different approach to the idea of personal privacy. Again, it is an approach which focuses less on creating a bureaucracy in government that will protect us from ourselves and rather puts the onus on us as individuals to determine when and if we think that people have violated our privacy rights.
[1045]
But it creates a tort for breach of privacy. That's pretty powerful stuff if you think your privacy rights have been violated. I think that ordinarily, I would want to be pretty mindful of the importance of that legislation as part of the context within which we're operating.
And there's more. But I could go
But at some level I sort of ask myself: "Why bother having the detailed, careful and thoughtful public policy discussion?" We either act, or the federal government acts for us. I think there is some merit in the argument that we need, as a province, to be ever-mindful of the fact that we have constitutional responsibility for property and civil rights in the province. And if for no other reason than to kind of make sure we hold our ground in our conception, as a province, of what our constitutional responsibility is, we probably ought to do something as a response to Bill C-6. I don't think that's a great way to make public policy, but I'm still thinking about it. That probably means that this recommendation as expressed is acceptable, with reluctance.
I'm not so sure whether it might really not be the obligation of the government of British Columbia at this point, rather than to make a statute, to embark upon and to undertake a leadership role in working with the other provinces in Canada -- to do nothing alone until we have all figured out what we're going to do together and then do that. That's another course of action that's occurred to me, because I do think it would be a mistake if each of the provinces reacted to Bill C-6 sort of individually and we did end up creating a patchwork of different regimes. So harmonization, when we get to it, I'll probably have no trouble with.
I'd be interested in what other members of the committee think about those issues. "I'm not prepared to dissent from this recommendation," I guess, would be what I would say at this point.
R. Kasper (Chair): Okay. Any other members?
S. Orcherton: Yeah, just a couple of comments. It is an interesting
discussion, and I'm not sure if this is helpful for the member in dealing with
these concerns. There are no page numbers, of course. But
One of the troubling issues about this
Maybe this is not the best example in the world, but I think it's kind of like if you go and ask a citizen: "Do you believe there should be malpractice insurance for doctors?" Well, the answer to that is yes. Do they want to discuss that? Well, not particularly, because, you know, how do you discuss what is malpractice and what isn't? There's a sense there that things are okay in a way. Maybe that's sort of what we're up against when we're talking to the public on this issue -- that kind of similar scenario.
[1050]
What we are up against, I think, is what the future is going to bring. And it's very hard to try to legislate and bring in laws that can anticipate the future. The member talked about the use of the Internet in buying books and used those kinds of examples and how those usages are increasing. At some point there will be a substantive public discussion, I predict, on where all that information is and how it's being used and where it's going.
[ Page 196 ]
So we have to do something here in terms of the federal government responsibilities that are being pushed to us. We have to engage the public in the discussion. We've got a tough job, really, in terms of planning for what future circumstances may or may not be.
At the end of the day here, on this issue, I was very encouraged by one singular thing that came forward to the committee, and that was that the business community in British Columbia supported us moving in this kind of direction. They took a view that it actually enhanced their capacity to instil consumer confidence in what they were doing in terms of information-gathering and processing. I think we have to do something here. I think the recommendations that have been put forward at the very least set a framework that maybe we can continue to move forward on, on this issue.
Back to the recommendations. Recommendation No. 1 -- I think it's fine to go ahead with it. But pardon me, I'm a little confused here. I'm looking at the recommendations that are in the report, and they're not mirrored in the two-sheet handout. Some of them appear to me to be quite different. They're sort of in the same context, but there's a different characterization of the recommendations.
I've looked through the report. I think the recommendations that are in the report are fine, generally speaking. Where this goes in the future, I don't know. I mean, our obligation is just to move a report forward to the Legislature for perusal and discussion by the members, and I think we need to meet that obligation. I'm confused about how these recommendations here don't mirror what we've talked about in the report.
W. MacAlpine: The two-page recommendations?
S. Orcherton: Yeah. Right. Recommendation No. 1 is: "The
committee recommends the government of British Columbia enact legislation to
protect the information privacy of British Columbians in private sector
transactions." And then it goes on. Recommendation No. 1 here is:
"That private sector businesses and organizations be encouraged to develop
and adopt privacy codes to assist in
W. MacAlpine: These are random recommendations that were just meant to
be discussed. They're not meant to be like a coherent
R. Kasper (Chair): Which are over and above what?
W. MacAlpine: There's more, but these aren't different.
S. Orcherton: Where did these come from?
W. MacAlpine: The report.
J. Weisbeck (Deputy Chair): I thought we'd more or less agreed
R. Kasper (Chair): And so we disregarded it -- right?
J. Weisbeck (Deputy Chair): That was the agreement initially.
S. Orcherton: If we are disregarding it, that's fair enough. Earlier on I suggested that the recommendations that are in the report be listed in the front, to make people feel more comfortable with the report. If we're disregarding these draft recommendations at this point, that's fair enough.
G. Abbott: I just wanted to follow up on Geoff's comments a little bit here. I agree with his analysis. We're here because of C-6.
One of the questions that we discussed at an earlier meeting
[1055]
In terms of that approach versus what other provinces might do, I think it certainly is critical. I have been convinced by a variety of witnesses over the previous months that harmonization is absolutely critical, that we may well be rendered looking remarkably foolish if our legislation is not consistent, and therefore workable, with C-6 and whatever else may come into play here.
That then raises the question: what are the real advantages to British Columbia in having their own piece of legislation versus waiting for the eventual application of C-6? I guess one issue may be that if we have our own legislation, we can start -- theoretically at least -- to protect privacy more quickly in that area. Geoff mentioned the protection of our constitutional grounds around property and civil rights. That presumably could come into play here as well.
The other thing I think we need to keep in mind here is that if the ultimate
goal is to see the regulation or administration in this area be conducted on a
uniform and consistent basis
Anyways, I think that's one element here, if that's the goal: to achieve that uniformity and consistency -- whether it's going to be better to do that by allowing C-6 to have application here or to try to grab hold of the thing and set down our own administration of this.
J. Weisbeck (Deputy Chair): I guess the recommendation actually calls to enact legislation. With that comment, it seems to put some urgency on the fact that we should have legislation introduced. I've never felt that. I mean, we do have a number of options. One of them is to do nothing; one of them is to look at what other provinces are doing.
I asked Wynne to pull together some information on what was happening in the U.S. They've got numerous acts happening down there, which would obviously have absolutely no harmonization whatsoever. I certainly wouldn't want that to happen in Canada.
My personal opinion is that there is no urgency. I think that Bill C-6 has just been introduced. We have a number of
[ Page 197 ]
years to look at this. The public has expressed very definitely that they want some harmonization to happen. We certainly can't have harmonization if we go ahead and develop our own act. My concern would be that we spend some time, in the future, with some of the other provinces and try to come up with something that has a lot of harmonization in it. That may be Bill C-6, for example. But certainly I think it involves some interaction with some of the other provinces before we move ahead with our own.
K. Whittred: Just following up a little bit on what my colleagues had
to say, it seems to me -- again, I think John expressed it -- that we have a
variety of choices. When we went into this process
I'm a little bit concerned, though, about all of the various recommendations here, because it seems to me that those are more principles on which the single recommendation should be based. I'm wondering if it isn't more within the mandate of this committee, at the end of the day, to come out of this recommending one of those several choices that we had in the beginning, which were to recommend legislation, to do nothing, to take a legal route -- to do whatever.
[1100]
There was a variety of choices, and the one choice we seem to have agreed upon is that the province should have its own legislation and that that legislation should be based on these principles that we have discussed and which we have heard from the public. So I put that idea out there for the committee to perhaps think about.
G. Plant: While I'm happy to think about that, I wanted to add a couple more elements to the mix. What I said before is not exhaustive of my views on the issue that we have before us. Even this second attempt is not going to remotely complete the list of issues that I think are before us.
But let me say two more things, and they're about Bill C-6. First, I think
there is a good argument that British Columbia should legislate in response to
Bill C-6 rather than do nothing -- that is, if those are the choices. And if it
is, in that context, assumed that Bill C-6 will legitimately operate in the
private sector intraprovincially, within British Columbia
The principles, I think, are what's important about Bill C-6. What the statute does to give effect to those principles, as I understand it, represents a legislative drafting process that was unusual in that the people drafting the bill were trying their best to preserve sort of a deal, I guess, that they had with the people who put together the CSA code. They would do as little violence to the code as possible, even though the code was clearly not written to be legislative. So we've got Bill C-6 as kind of a strange statute.
I think that if we were to choose to legislate in British Columbia, we could take the principles and draft a statute here that would achieve the recognition of those principles. But we could do so in a way that I, as somebody who cares about legislation, would believe could be a better piece of legislation.
The second thing about Bill C-6 that is important to remember -- and I say this not so much in response but as a footnote, if you will, to something that Mr. Orcherton said a moment ago -- has to do with his observation that the business community, largely speaking, supports these initiatives. In the context of Bill C-6, it's important to understand what the relevant business community is. The business community that participated in Bill C-6 consists almost entirely of large national organizations including, for example, banks and telecommunication companies, which employ hundreds if not thousands of people and clearly are, on a day-to-day basis, faced with information management challenges that are just a part of how they do their business. If a bank doesn't know how to keep track of its records, it's not going to be able to work as a bank.
So I think that some large national organizations that use information in their business and use it across borders saw a commercial opportunity, which Mr. Orcherton has correctly identified as a laudable commercial opportunity. But we ought not to lose sight of the fact that large organizations have better ability -- more internal capacity -- to respond to these kinds of initiatives.
Now we move to a different world. And we're not just moving, frankly, to the world represented by some of the large organizations that have appeared before us. We're actually going to be moving to a world where, depending on how the statute is drafted, if it's to be drafted in British Columbia, individuals across the province will be subject to laws that regulate what they can do with information they keep in the smallest, most local of contexts.
[1105]
I'm not even just talking about 7-Eleven stores and small, local consulting businesses where it's basically a sole proprietorship. I mean, it's everything. We ought not to underestimate the potential regulatory burden imposed by any legislation that creates a new set of rules for how people manage the information they acquire and use in the course of their daily businesses.
I think that second general principle is, broadly speaking, encompassed within the last part of the first recommendation which asks that we strike the appropriate balance. I just would want anyone who looked at our report to have an opportunity to see that we recognize that the challenge of imposing a privacy regime on the Royal Bank of Canada is an entirely different challenge from imposing a privacy regime on somebody who operates a sole proprietorship five miles down the road from the smallest town in British Columbia but yet uses information in the course of their business.
Maybe to conclude this set of my observations: as a further reason why we are probably driven to make this recommendation, I would invite members to consider the receptiveness in a small-town, small business situation in British Columbia on the part of the business operator if they were to wake up one day and find that the privacy commissioner of Canada was on their doorstep proposing to conduct a huge audit of their information management practices.
I think, actually, we'll have more to say about oversight when we get to it. But if we don't legislate and if Bill C-6 does
[ Page 198 ]
operate of its own force, that is exactly what will happen. And I suggest, with respect, that that would not actually improve anything about how we live in Canada. It wouldn't improve privacy protection. It wouldn't make this place an economically prosperous jurisdiction. So again -- through the back door -- reluctantly, I find myself driven not to oppose recommendation 1. But I wanted to make those additional comments.
R. Kasper (Chair): Fair enough.
J. Weisbeck (Deputy Chair): One of my concerns, of course, was on having this interaction between provinces. I've been told that that is happening. Maybe Byron might want to comment on that.
G. Plant: I don't want Byron to comment.
R. Kasper (Chair): I just got a note handed to me.
G. Plant: We're talking the recommendations now.
R. Kasper (Chair): Yeah, well, we are. But just to give members comfort, I've been advised that Alberta is moving forward on legislation. British Columbia, Ontario and Alberta are working together on a model legislative project or package, and that a B.C. act -- as we all know from the analysis we've had done and the information we've received on C-6 -- would fill in the gaps that exist because of the shortfalls that Geoff had touched on -- that there are gaps in C-6 so that not all personal information that is held by the private sector would be dealt with in the same fashion. So you'll have varying degrees or components of information, like personnel records.
G. Plant: No, that's a different issue. We're going to get to the
scope of what legislation
[1110]
R. Kasper (Chair): Yes, of course. Now, are there any more comments? If I could just add my two bits' worth, I think we all know that this is a recommendation that would go and hopefully would be enacted upon by a future government. And the series of recommendations that follow there after this one would at least establish a framework or what should actually occur within such proposed legislation to address the concerns that I think all members have expressed about any kind of legislation being brought forward -- for example, the harmonization issue.
Then, to ensure that when that legislation-drafting process does take place, I think it should even go beyond those who are drafters and those who are legislators to actually get a comment -- i.e., by way of a White Paper -- from the sectors out there that would be affected. I think that's something that is food for thought for a future government, to give them comfort that whatever legislation is adopted -- and that's an if -- still has wide circulation.
I have received a letter -- just a follow-up, Geoff, from the meeting that you and I attended with the legal people -- signed by their sub-subcommittee actually recommending that we embark on legislation. And the sooner we take those steps, then the sectors out there can have input. They want to see and be involved. They don't want to see either government bureaucracy or legislators going out in a different tangent than what they have comfort with. And that's what I envision in our recommendations.
G. Plant: Could you elaborate on what you mean by that last bit? I'm
sorry, I
R. Kasper (Chair): Okay.
G. Plant: Are you talking about
R. Kasper (Chair): With draft legislation in hand. Okay?
G. Plant: Ah.
R. Kasper (Chair): I don't think that it would be appropriate to actually develop the legislation and then adopt it without any degree of input or scrutiny. You know, the federal government did it. They gave the legislation its initial readings, and then it was spread out across the country for input -- "This is the legislation." And people got their two bits' worth.
Does that make sense? Okay.
So could we deal with recommendation 1? Can we agree by consensus that we will support this recommendation and that we include it in the report? Okay. Hearing no objections, we'll go on to the second recommendation, which is dealing with harmonization.
I read it out. I don't think it's necessary for me to read it out again. I think we actually delved into harmonization and the issue there and what should be done. The thing I do like about the recommendation is that it says that the proposed legislation -- and I think we should bear that in mind -- would deal with the concerns that you've raised, and I think this recommendation embraces that. So does anyone have any additional comments or something they'd like to add?
G. Abbott: No disagreement. I'm reassured by the suggestion that B.C., Alberta and Ontario are working towards an act which embraces common principles and a common approach to this. I think that would certainly be reassuring.
R. Kasper (Chair): Well, they're working together and at least they're talking, because I think they all realize that somebody's going to have to do something at some point in time.
Okay. Is it agreed by consensus that
G. Plant: I'm not going to disagree. As much as anything, I'm wondering if it's a drafting issue.
This recommendation expresses two principles, if you will. The first is the stated principle of harmonization. The second, and almost implied, principle is the recommendation that what we do should be informed by and consistent with the CSA code. That's actually a freestanding point -- that in effect, what we're being asked to do by this recommendation is to say that we think that the CSA code principles are the
[ Page 199 ]
correct principles for privacy protection. And again, that's not as open-ended a question as we might like it to be, given that Bill C-6 exists in that context, just for purposes of illustration.
[1115]
I want to make the point that when the Federal Trade Commission reported to the U.S. Congress in May 2000, they talked about four widely accepted fair-information practices: notice, choice, access and security. The CSA code is more extensive, although clearly they interrelate, overlap and interact.
I actually have some questions about a couple of the principles in the CSA code. I have long thought that the question of the right of access to information held by someone is a question where context is important. Again, dealing with a large commercial organization that has a high degree of internal technological capability, asking someone to disgorge all the files that exist about you is one thing. But you take that to a much smaller organization, and the request and the process could become quite burdensome.
And I should also point out that I have, at least, always asked myself the
question
R. Kasper (Chair): Okay. So does anybody else want to add anything to that? Then we'll agree that that'll be our recommendation.
The next one deals with the right to information privacy. Sorry -- it's
sectoral codes. The recommendation is: "That private sector businesses and
organizations be encouraged to develop and adopt privacy codes to assist in
implementing and complying with the fair information practices required under
the proposed legislation, and in educating their consumers and clients." I
don't know if that's the proper wording. Where it deals with "the fair
information practices required under the proposed legislation," should we
say "required under any proposed
G. Plant: Yeah, or maybe it should be "recognized under proposed legislation."
R. Kasper (Chair): "Under proposed legislation." Cross out "the" -- right?
G. Plant: Yeah, I'm not even sure that maybe "recognized
G. Abbott: We could even delete all the words after "fair information practices."
G. Plant: Yes.
G. Abbott: The balance of it can go pretty much unstated, because it's captured in the earlier two recommendations anyway, I think.
G. Plant: So it would read, Mr. Chairman: "That private sector businesses and organizations be encouraged to develop and adopt privacy codes to assist in implementing and complying with fair information practices, and in educating their consumers and clients."
[1120]
R. Kasper (Chair): Very good. That makes sense. Does everybody agree? Okay, good.
Then the next item would be "Right to Information Privacy." The recommendation is: "In recognition that a legislative expression of our social values can help to prevent human rights abuses that are facilitated by developments in information technology, that" -- and we'll cross out "the" -- "proposed legislation recognize information privacy as a human right in order to afford information privacy clear primacy over administrative or commercial efficiency." Well, that's a mouthful.
G. Abbott: It is more than a mouthful, actually. And again, I'm
wondering whether all those words are captured just as effectively by the
initial recommendation that talks about striking an appropriate balance. I guess
I don't have a problem with saying that information privacy is a human right.
But a lot of the rest of it
R. Kasper (Chair): Wynne, did you want to add something?
W. MacAlpine: Yeah. This is sort of referring to the entire report, under the section on information technology and business practices, and then some of the historical factors that led to the need for information privacy rights at all, even in terms of public bodies. So it sort of refers to a lot of the background information and some of the other sections that talk about health research and some of the developments in health information technology as well.
G. Abbott: I guess the question I'd have is whether there is anything in that recommendation which is not earlier captured in the recognition of the information principles expressed in the CSA code and the requirement of balance that's contained in the first recommendation we discussed. Is there anything there that is not captured in those two?
R. Kasper (Chair): I don't think there is. We could probably stop it after "privacy as a human right."
G. Plant: Well, I wonder if we need the recommendation at all. I think that's what the question that George is asking leads to.
Let me add to the comments that have already been made the observation that it is the function of people who draft legislation to do so in a way that would state clearly the relationship between, in this case, information privacy and administrative or commercial efficiency. That's exactly what
[ Page 200 ]
this bill has to do. To say that the nature of the interest at stake is something else would -- I venture to suggest with great respect -- confuse, obfuscate and enlarge the relevant questions. And over the long term, we might find that the legislative initiative we're contemplating created an unacceptable level of uncertainty in a context where I think our objective is to provide clarity and certainty.
R. Kasper (Chair): And to also ensure that fair and reasonable business practices can occur -- right?
G. Abbott: Well, I think there's always going to be a struggle
R. Kasper (Chair):
G. Abbott: Yeah, to find that balance -- and I think we've set out to direct the draftsmen of the legislation to find that appropriate balance in the first section. I think, as Geoff has said, that we're likely to complicate that issue by the words contained in that "expression of human rights" thing.
R. Kasper (Chair): Wynne, I'll let you just
W. MacAlpine: This was something that was recommended by some of the privacy advocates that spoke to the committee and some privacy advocates in other areas as well. It may not be properly put as a recommendation. I just wanted to make the committee aware that some people feel that recognition of privacy as a human right is an additional protection. It may not be that the things that this committee is looking at need to make a recommendation like this.
For example, in Quebec the fact that they have a privacy law for the private sector, the public sector, and also the recognition in a human rights statute of privacy as a human right has been considered internationally to give them the strongest expression of privacy rights in Canada. The combination of those things is maybe what's more important, although some witnesses did say that they would like B.C. legislation to incorporate a right to privacy.
[1125]
G. Plant: I was aware of those submissions and also the summary that you've given of this issue in the text before us. I took those submissions into consideration when I made the comments that I made earlier, and I remain of the view that I expressed earlier in respect of those submissions.
S. Orcherton: I think it's important that we have something in our recommendations that deals with this particular issue. I'm not overly excited about the wording here, because I don't think it reads very well. I don't know if this going to be acceptable to the other committee members, but really what we're talking about is some kind of a preamble, I think, to whatever legislation may be contemplated, and making some reference to social values and characterizing the right to information privacy as a human right. I would hope that no one has any objections to that.
I'd really offer a bit of a wording change that might deal with that. What I'd suggest is to say: "In recognition that a legislative expression of our social values will help to prevent human rights abuses that may be facilitated by developments in information technology and that information privacy is a human right." That certainly deals with the issue for me, because information privacy is indeed a right that people expect and should expect.
G. Abbott: As Mr. Plant has commented, my concern on this
recommendation is that it attempts to inject into the mix perhaps some
appropriate expressions about human rights and social values, and so on. I think
it is going to have the effect of detracting from the clarity and consistency
which we have been seeking in earlier recommendations. Again, if we go back to
recommendation 1, "The committee recommends the government of British
Columbia enact legislation to protect the information privacy of British
Columbians in private sector transactions," and that we move to a fair and
workable balance between that and the use of personal information for legitimate
business purposes
Again, in the second recommendation on harmonization we explicitly point to the information principles expressed in the CSA model code. I'm just not seeing where this recommendation is going to be of assistance in developing, in conjunction with other provinces, a consistent set of principles and legislation that will carry us forward. I'm still not seeing that.
R. Kasper (Chair): Katherine, did you have anything to say?
[1130]
K. Whittred: Only that I support what I have heard from my colleagues. I believe that the recommendation regarding social values complicates the mandate of what we're trying to accomplish, and I think the intent is covered in recommendation 1 -- that the general mandate of this legislation is to protect information privacy of British Columbians. Then it goes on to talk about balance, as has been mentioned several times. I believe the principle that is suggested in the recommendation under discussion is encompassed in that first recommendation -- the principle of fairness for everyone.
G. Plant: There were some people that came to us and made some pretty strong submissions about this. I want to be clear about this. I oppose this recommendation, but I oppose it because it doesn't add anything. The identification of privacy rights in this context as a human right or the recognition that there are important social values here at stake -- it's all part of the dialogue around how important this is. It goes without saying, but sometimes it's better to say it: we've already recognized that it's important. We have in fact recognized that it's so important that we are recommending that the government of British Columbia write a statute about it.
It will not improve the operation of that statute to complicate its language with more statements in general terms, using open-ended language that will only have content as courts define that in decades to come. It won't help the average British Columbian make sense of this bill in their day-to-day lives if we do that. The challenge for the draftspeople who eventually have to do this is to write something that is clear, that makes sense, that sets rules that ordinary people can follow without going down the street to visit their lawyer.
I think that we should just encourage the people who take up the primary recommendation we make, in the strong-
[ Page 201 ]
est possible terms, to ensure that that is there -- that they draft legislation that does that. Our response to the people who came to us and made the submissions that gave rise to this recommendation is to say: "We listened; we took this into account. What you said is part of the reason and the rationale that helped motivate us to do this." And that's it. That's my view.
R. Kasper (Chair): The only thing I was just going to suggest is that instead of having this wording, a recommendation could be worded in such a way that proposed legislation strike a balance between information privacy rights and the conduct of the private sector in carrying out their administrative or commercial transactions.
G. Abbott: Can you state it any better than it's been stated in our first recommendation, which is "that the proposed legislation achieve a fair and workable balance between information privacy and the use of personal information for legitimate business purposes"? I think that's stated as succinctly as one can state it.
R. Kasper (Chair): Look, if we're going to keep going
S. Orcherton: I wasn't anticipating such a lengthy debate on these
recommendations today. I thought everyone had been more or less in agreement,
and that's why there would have been no submissions made to the Chair or the
Clerk's office. Look, you know, if
G. Plant: Actually, Mr. Orcherton, we're looking at a document I never saw until an hour ago.
R. Kasper (Chair): Yeah, so these are new things.
G. Plant: I mean, let's just stick to the subject instead of, you
know, that stuff. I never saw the recommendation that's in front of me until I
showed up at the meeting. So I apologize for the fact that I didn't call
somebody about something I didn't know about yesterday, but, you know
S. Orcherton: I'm not trying to put into place any sense of confrontation here. I'm trying to move this along. Your opinion is different than mine on this issue, clearly.
G. Abbott: Great. We'll let the committee resolve it.
S. Orcherton: And the committee will resolve it. It's my view that we do need to frame these recommendations in the context of information privacy as being a human right. You disagree with that. You think it's already taken care of. That's your opinion, and you're entitled to it.
I take a different view. I think it's important that we frame what we're recommending in that context very clearly. And I think that while this recommendation that we're dealing with is somewhat stumbling in its context, what I proposed earlier is a way to make it a little smoother so that people understand, indeed, what our intent is here around information technology and the right to information privacy, in the context of it being a human right.
[1135]
R. Kasper (Chair): Wynne, you wanted one more comment, just from the technical side.
W. MacAlpine: It is not a very well-worded recommendation, but I was
just trying to put something in front of the committee so that you could discuss
the idea of whether you want to sort of anticipate possibilities or
R. Kasper (Chair): Okay. We're not going to get it resolved. I don't
sense any consensus, so my recommendation is that that particular wording and
that recommendation be struck from the draft report. I don't want to get into a
big argument on this; that's not my way of doing business. I would
G. Plant: May I make one comment, though, which I'm intending to be constructive. I think, consistent with what Mr. Orcherton is saying, that it is appropriate -- and I would encourage the author, the draftsperson, of what we're looking at here -- to ensure that we state in the report our recognition of the importance of these factors as being part of the motivating rationale for our recommendation. That's not something that needs to take the form of a recommendation, but it is clearly part of the context of the work that we're doing. I don't have any problem with that.
R. Kasper (Chair): And it should just be a statement at the end of that section, you know, that "the committee believes" or "the committee feels" or whatever -- okay?
G. Abbott: Yes.
R. Kasper (Chair): Is that agreed?
G. Abbott: That's agreed.
A Voice: Agreed.
R. Kasper (Chair): Great.
All right, the next recommendation under "Scope of Application: That
proposed legislation to protect the information privacy of British Columbians
apply to all of the provincially regulated private sector; that is, all
businesses and organizations not falling under the jurisdiction of the B.C.
Freedom of Information and Protection of Privacy Act. In this manner, the
proposed legislation
S. Orcherton: Where are you?
G. Abbott: Page 66.
R. Kasper (Chair): "Scope of Application." And it was the
section after, which dealt with that recommendation we scratched. So I think
you've got to turn it
S. Orcherton: Okay, good. Thanks.
[ Page 202 ]
R. Kasper (Chair): It gets into a lot of
G. Abbott: I've always prided myself on not being a lawyer, so I don't want to sound like one now. But it would seem to me that by identifying those five groups -- consumers, clients, employees, patients and students -- we may, indirectly or inadvertently, exclude someone else by actually singling those out. Now, is that a potential difficulty here?
I think I understand what the purpose of this is. It's to pull in all of those businesses and organizations not falling under the jurisdiction of the B.C. Freedom of Information and Protection of Privacy Act. But by recognizing those groups and only those groups, I wonder whether it's possible that we might create a situation where someone might be outside that net and therefore inadvertently and, I guess, without purpose be excluded here. So I guess I'm asking, in a very long-winded way, whether there is value in that latter sentence or whether it might work, actually, to the detriment of the clarity of the bill.
[1140]
R. Kasper (Chair): Okay. Well, "consumers, clients," you know, deals with the business aspect. I guess these are just terms. "Employees" deals with an area that wasn't specifically highlighted in recommendation No. 1, because there is collection of employee or personnel information. And then "patients" deals with what the private health care providers have. And there's "students," because our current public law does not cover private schools because of a ruling by the commissioner's office that they are not deemed public because not more than 50 percent of their funding is from a public source.
So in order to gain access to information, there is no methodology. You have
to go directly to the source, and if the source decides not to give out the
information that's been collected in regard to a student, because it doesn't
come under the provincial law, then this would fill in that gap. So I think, you
know, that's part and parcel of what you mean. Now, if you can think of more.
J. Weisbeck (Deputy Chair): Actually, Mr. Chairman, we could just put:
"
R. Kasper (Chair): Okay. Look, I'm not a lawyer. Wynne, can you see any problems with that, just from your perspective?
W. MacAlpine: I'm not a lawyer either, but I was wondering as I wrote
this whether that would be limiting. I just wanted to make sure that
R. Kasper (Chair):
W. MacAlpine:
R. Kasper (Chair): Well, is it possible for us to have the words "without limiting the following" or something, so that you're not restrictive but you're adding the "such as" without limiting? I don't know the proper term.
G. Plant: I don't mean to ignore the previous discussion, interesting though it has been, but that's not the issue here. The issue here -- which is raised in an interesting way by the way that it is drafted -- is the difference between the limited scope of Bill C-6 and the advocacy that has been made to us that whatever we do to protect privacy rights should include employer-employee relationships and include the health care sector. As you, Mr. Chairman, have indicated from your own perspective, I gather, you have an interest in the independent school sector -- whether that sector in effect should also be encompassed by this act. That is, with respect -- at least at this point, in my mind -- a substantive question, not an issue about the particular words of the way that this is proposed.
In other words, we'd better not fool ourselves by thinking that
I guess I'm saying that because -- at the risk of using slightly overstated language -- there was something on the verge of a holy war in Ottawa over the health care information in Bill C-6. And Bill C-6 was ultimately amended to give effect to some pretty strong considerations and advocacy there.
We heard some people argue about these things, and I've been listening to the submissions that have been made. One thing I know personally, which I am not as confident that I understand, is whether a set of information-and-privacy-protection principles designed by people in the commercial sector for their sector is appropriately applicable to other sectors. The CSA model code, I think, was generally the result of work of people like direct marketers, banks and large Canadian businesses. I frankly have not turned my mind to the question of whether those principles work in the context of the health care sector, for example.
[1145]
So I am mindful of the fact that we as a committee, and we as a province, have an opportunity to enact privacy legislation which is more all-encompassing than Bill C-6. And I would certainly be prepared to encourage the government to consider that possibility and to ensure that it consults appropriately with the affected interests before it legislates. I'm not sure that I am in a position where I can go so far right now as to say that we ought to unequivocally recommend that the act be as expansive as this recommendation contemplates.
R. Kasper (Chair): So are you suggesting that any proposed legislation would automatically embrace these people anyway -- without stating it?
G. Plant: No, I'm suggesting
R. Kasper (Chair): Are you suggesting that proposed legislation would automatically embrace these groups?
G. Plant: Well, that's the question. I'm saying that I'm not sure I know enough about the impact of what we're proposing on these additional groups to be able to express a firm
[ Page 203 ]
opinion on that subject. I'm not prepared to shut the door on that by any
means. I think there are good arguments why we should have information
protection in the workplace, for example. Employees should be
R. Kasper (Chair): Employee records.
G. Plant: Yeah.
R. Kasper (Chair): Just to give the members some comfort, the records
that a physician who is licensed to practise medicine in the province of British
Columbia
G. Plant: I fear that while I was talking about a general question,
you were looking at the words of a recommendation. I was trying to encourage us
to think for a moment about the larger topic and then, having settled our view
on that, look at the words of the recommendation. But if we want to be precisely
textual, what I would be supportive of is a recommendation that says that we
recommend that government undertaking a proposal to legislate to protect
information privacy rights engage in
[1150]
I'm not doing a very good job of drafting off the top of my head, but my
point is this. Let's deal with the health care sector as an example. I'm not
certain that I understand
R. Kasper (Chair): Okay. Well, then, maybe to strike a balance
J. Weisbeck (Deputy Chair): John, actually.
R. Kasper (Chair): John, okay. The last sentence would say, "In this manner, proposed legislation would recognize all British Columbians' need for information privacy" -- period. Is that fair enough, without being specific? That embraces all those categories anyway.
G. Plant: Sorry, I'm still not making myself very clear. Can you read the first two lines of that recommendation that the proposed legislation to protect the information privacy of British Columbians apply to all of the provincially regulated private sector?
R. Kasper (Chair): "
G. Plant: No, sorry. Stop there
R. Kasper (Chair): Okay.
G. Plant:
R. Kasper (Chair): And the last part is redundant.
G. Plant: I'm sorry; I keep having this difficulty. We've got a text in front of us. Maybe we shouldn't have had the text in front of us.
What is the scope of the act? That's the question. Can we possibly consider
that question for a moment or two without looking at the semicolons and their
placement in the words that have been drafted? I want to know whether, for
example
R. Kasper (Chair): No.
K. Whittred: I hear what my colleague is saying. He is saying, I think, as I interpret it, that the scope of this act -- the way it is presented in this recommendation -- is so all-encompassing that it doesn't give any opportunity to talk about the difference between a small business and the health sector. That is difficult to get one's head around.
I'm wondering if we shouldn't be using language that uses the word "consider" -- you know, that the proposed legislation consider those areas not covered by the current
[ Page 204 ]
B.C. Freedom of Information and Protection of Privacy Act. That way, it leaves some doors open to decide about those jurisdictions which may or may not be included in the legislation.
S. Orcherton: I think that the suggestion Geoff made is fine. I come to that conclusion because in most pieces of legislation that I've seen, there's always an avenue to be exempted from it or to have it varied in different circumstances. I can't predict what those would be or would not be. But notionally, the idea is that we put in place some legislation that generally covers everyone in British Columbia. It may be applied in different ways in different circumstances, and I can't predict how those things would occur.
[1155]
But you know, consultation is a tried and proven method of getting everybody on the same page in terms of legislation. So I think it's fine. I think the intent of it is captured in the first sentence, and I agree that it sort of embellishes itself with the last sentence and precludes that the areas could well be consumers, clients, employees, patients and students, and excludes some other areas that may be in place. So I think I agree. Just leave it with the first sentence, and I think that gives the intent of where we think things should be, with enough latitude for those who draft legislation to define the applicability of this proposal.
G. Abbott: I think I understand the concern that has been expressed by
Mr. Plant and Mrs. Whittred. I don't know whether this suggestion is useful or
not. But it seems to me that, again, the concern is that we may be calling for
something rather more sweeping here than one would really intend, based on the
sometimes difficult and conflicting concerns that flow around things, like a
right to information and privacy around medical records. This is my suggestion.
Again, it's off the top of my head, and I'm not sure whether it is of assistance
or not
That would perhaps place within the hands of the drafters and whatever future committee that might consider these things the opportunity to, again, weigh those difficult issues around, for example, health issues.
W. MacAlpine: Also, there was the recommendation under "Sectoral Codes" that, read with this one, might specify that there's a use for more detail in sectoral codes that conform to broad principles in proposed legislation. That's just two pages back.
R. Kasper (Chair): Does everybody agree with what George added? Does anybody have any objections?
S. Orcherton: I don't have any objections. It's already covered. The only thing I'd suggest is that it may be characterized as redundant. But if it helps us move along, I have no problem.
R. Kasper (Chair): George, are you just satisfied with that first sentence, and leave it at that?
G. Abbott: Well, I think it actually does add an important element to
the discussion to say: "
R. Kasper (Chair): As previously recommended -- right?
S. Orcherton: Consistent with recommendation No. 1.
G. Abbott: Okay, sure.
R. Kasper (Chair): It should be consistent with recommendation No. 1. Great. So that's the wording. No objections, and we'll move on.
The next recommendation is under "Scope of Application." It says here: "That the proposed legislation apply uniformly and consistently to all private sector businesses and organizations and to all activities undertaken in the private sector -- i.e., not restricted to 'commercial activity.' " Now, what that would do is embrace the employee records, which have nothing to do with the business transaction. That is one of the failings of the federal legislation -- that there is no embracing of employee records.
W. MacAlpine: And that was something that Chris Norman just pointed out to me about the first recommendation. Maybe the word "transaction" should be taken out of the first, if the committee would like.
R. Kasper (Chair): Because it's too specific.
[1200]
W. MacAlpine: Yeah.
G. Abbott: And again, all of our many, many discussions on this
R. Kasper (Chair): Well, I thought that part of the recommendations
that we either have made or, further down, deal specifically with
W. MacAlpine: There are exceptions, and that comes further down. There are exceptions for things like conducting investigations.
G. Abbott: Again, I think just adding the phrase "subject to the
exceptions noted in recommendation" -- whatever the heck it is or ends up
being
[ Page 205 ]
R. Kasper (Chair): Okay, so we'll note that. Then on this recommendation, no problems? We'll carry on; that's approved.
Then we'll go to the next one, which is "Justification of Purposes": "That proposed legislation include a provision that requires that information be collected only for legitimate purposes and, when challenged, to justify its request for the information." It basically keeps everybody in line. It's for proper practice -- right?
W. MacAlpine: Private sector businesses and organizations.
R. Kasper (Chair): Private sector businesses and organizations.
W. MacAlpine: "
G. Plant: Well, hang on.
R. Kasper (Chair): What was that?
G. Plant: Sorry -- I don't want to pass over this. Were you asking
Wynne a question? I just
R. Kasper (Chair): No, no. I just read out the recommendation. I said, under the "Justification of Purposes": "That the proposed legislation include a provision that requires that information be collected only for legitimate purpose and, when challenged, to justify its request for the information."
W. MacAlpine: Yeah, that businesses and organizations be required
R. Kasper (Chair): So what's missing from this, Wynne?
W. MacAlpine: "That the proposed legislation include a provision that requires businesses and organizations to collect information only for legitimate purposes and, when challenged, that they be required to justify their request for the information." So there's just the sense that it's the businesses and organizations that have to do this.
G. Plant: Can you say that again, Wynne? I'm sorry.
R. Kasper (Chair): Okay, just say it again.
G. Plant: Now, I gather that you've revised the text of the recommendations.
W. MacAlpine: Well, as I was reading it, I realized that it didn't actually say who this would apply to.
G. Plant: I see. And it only applies to businesses?
W. MacAlpine: Businesses and organizations -- like, private sector
G. Plant: In other words, everyone that the act will apply to -- right.
W. MacAlpine: It's just a grammatical thing.
R. Kasper (Chair): "
[1205]
G. Plant: Oh, I'm sorry. We're going way too fast for a document I only saw -- in this case, this page -- 30 seconds ago. In the interests of getting the discussion going, why is it that we need to change the CSA in this respect? I thought we had a discussion where we said the CSA model code was, generally speaking, what we were going to do. Now we're being asked by this recommendation to modify the CSA model code. So help me understand what it is that is deficient with, among others things, principle 4 of the CSA model code, which says that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization, and all of the other things that flow from principle 4.
W. MacAlpine: Could I explain that?
R. Kasper (Chair): Well, no. I think I should explain it, because I
think that there are elements of the CSA code that are weak. And I think there
has to be real justification if there's a challenge. I think it's generally
accepted that people who are going to collect information
I think it's important that if there is a challenge to the collection of the
information, then it should be justified by those who've collected it. Look,
that doesn't mean to say that somebody can't collect it, but there should be
some provision or fail-safe mechanism where if I, as a consumer, go to the store
and say, "Well, why do you have that information about me? Demonstrate it
to me," and if I have a problem with it, then we're going to have a
dispute. But I think there should be an opportunity for somebody to confront and
say: "Look
G. Plant: What is it that prevents people from undertaking that confrontation today?
R. Kasper (Chair): Well, I think there are occasions where there may
be some intimidation, whether it's an agency that's collecting information for
loan purposes or for purposes that may go beyond the scope of what is a regular
business transaction
W. MacAlpine: The example given by the Civil Liberties Association was an employee or an applicant for a job, where they may be asked for certain information and may be asked for their consent, but in fact if they don't consent, they may not get a job or something like that -- that kind of situation.
G. Plant: Well, that's helpful.
R. Kasper (Chair): Well, that's better than the examples I gave. I'll acknowledge that.
[ Page 206 ]
G. Plant: So how do you see the interrelationship between this recommendation and the harmonization recommendation we made earlier?
R. Kasper (Chair): Well, I guess that's a decision that you and I probably won't make, because it may be well outside of our hands in the future. You know, we don't know what a future government is going to do as far as discussions or negotiations that take place between different provincial jurisdictions. We don't know what's going to unfold once this committee does make a series of recommendations, as to how other jurisdictions are then going to react. They may look at what we've recommended and perhaps piggyback on it or flatly reject it. You know, our recommendations aren't going to be the be-all and end-all. I think we've given some food for thought, and I would hope that the committee would like to be proactive instead of reactive. I would sooner see other jurisdictions react to what we've done.
[1210]
I think B.C., based on the public law, was looked at with respect, and other jurisdictions, when they took similar actions, looked at what British Columbia had done. And I think that's important for us. I don't think this flies in the face of the CSA stuff. You know, I think it enhances. You have to make some philosophical statements, I think, in a report. I think the powers that be will either flatly reject it or embrace it. It's almost like a motherhood issue.
G. Plant: Well, actually, with great respect, it isn't. I mean, it may
be a motherhood issue at the high level of generality that people would be using
when they're having a dinner table conversation about privacy rights. But what
we're talking about is sanctioning the situation where somebody goes into the
corner store and wants $20 credit in order to buy groceries, and the grocery
store owner says: "Could I have your phone number, B.C. driver's licence
number and a few other pieces of information?" And the guy says: "No.
You need to justify the request for that information." I think what you'll
have to do
So that's how I see this working out, not simply a motherhood thing but rather something that will in fact be engaged in every transaction that occurs between citizens in British Columbia in every imaginable context, conceivably. I wonder whether that is a recommendation that -- because I think in some respects it does go beyond the CSA model code -- is the right way to go. I mean, the CSA model code requires that purposes be identified.
R. Kasper (Chair): Yeah.
G. Plant: The CSA model code requires consent before you get to collect information. The CSA model code requires that the collection of personal information be limited to that which is necessary. I mean, if this is supposed to go further than that, then I guess my question is: why? What is the urgent need that exists to take that further step?
G. Abbott: May I speak to this too?
R. Kasper (Chair): Yes, go ahead.
G. Abbott: And I'm struggling with this as well. Perhaps a good example here is the Canadian Figure Skating Association when they sold lists of their skaters, including my son, to the bank.
R. Kasper (Chair): And they get a credit card?
G. Abbott: Actually, he got an offer, I think. But that would seem to me to strike a good example of using information gathered for an illegitimate purpose.
R. Kasper (Chair): Yes.
G. Abbott: But my concern is around the "and, when challenged, to justify its request for the information." Presumably we structure legislation that contemplates only the collection of information for legitimate purposes consistent with a set of principles expressed in CSA.
R. Kasper (Chair): Okay, I'm just going to add that on the next page,
it's been pointed out that under the
W. MacAlpine: Yeah.
R. Kasper (Chair): And it starts off at the top of the page, as does the PIPED in section 5(3): "(a) an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances."
W. MacAlpine: And that one has generated some debate about how much legal interpretation it will require to establish what a reasonable person thinks is appropriate in the circumstances. So it does sort of leave things open to interpretation.
R. Kasper (Chair): Okay. Look, I think the controversy or the dilemma
is the "and, when challenged, to justify its request for the
information." Perhaps to save wear and tear -- whoever is going to draft
this legislation, if it comes to fruition -- our recommendation should only say
that proposed legislation include a provision that requires businesses and
organizations to only collect information for legitimate purposes
Is that agreeable, members -- so we don't spell out clearly that somebody can have a fistfight in the corner store?
[1215]
G. Plant: I'm not proposing we have a fistfight.
R. Kasper (Chair): No, no. I'm just saying the person in the corner
store
G. Plant: We've already said we support, generally speaking, the CSA model code.
R. Kasper (Chair): Yeah.
[ Page 207 ]
G. Plant: We didn't go through it article by article. This will become
a recommendation which draws specific attention to
R. Kasper (Chair): Specific areas.
G. Plant:
R. Kasper (Chair): Okay. So does everybody agree that we just strike that last section: "and, when challenged, to justify its request for the information"? Okay.
All right, we'll do that, and the recommendation will stand as amended.
"Information in Electronic Formats." Recommendation: "That the proposed legislation be 'technology-neutral'; that is, apply to personal information regardless of the method by which it is collected, recorded, processed, stored, transmitted or disclosed." Okay? Agreeable? It's done.
The next one is a long one. It deals with publicly available information. Recommendation: "That the proposed legislation provide, perhaps through the regulations, specific and limited exceptions concerning the use of: (a) 'publicly available' information, in order to balance the need for this particular class of personal information to be used for marketing purposes, but to protect individuals from obtaining it for purposes harmful to the data subject's well-being, health or safety." I just want to deal with these one at a time. Or should I go through them all?
G. Plant: It looks to me like the three subparagraphs deal with different subjects. So maybe we should do them one at a time.
R. Kasper (Chair): Okay. The first one, then, (a).
G. Plant: Well, I'm not sure I understand it, having just heard it for the first time.
G. Abbott: So if we use the Canadian Figure Skating Association
example there, of them selling a list of members of their organization to a
private sector organization
R. Kasper (Chair): Wynne, can you give some specifics?
W. MacAlpine: Yeah, it's directory information.
G. Plant: The phone book.
W. MacAlpine: Yeah. On the other side of that page it shows Scott and
McNairn's interpretation of that class of information in the federal
legislation. That legislation says: "The regulations under the act could
specify, by class or otherwise, some or all of the information available from
these and other public sources
It's directory information, and that is personal information. Some people feel that it is something that they want to have control over, and businesses need it for marketing purposes, which most people consider legitimate in some cases. So that's essentially what this is about: should businesses be able to sell lists that they have previously been able to sell and use them? How should they be allowed to do that -- through a regulation or an exception?
[1220]
R. Kasper (Chair): So in short, it means that somebody could actually
go out and sell the information to somebody else, and the person that originally
agreed to that information being gathered or put in a database did so under a
certain condition. Now, if that person felt threatened, harassed or became
publicly known to other personnel or people -- i.e., their address and the fact
that they felt that their well-being or safety was being hampered
W. MacAlpine: Yeah. Some witnesses actually wrote that they had had
experiences like that, where the publication of their name and address -- which
they had tried to keep private, using the mechanisms that were available -- had
caused them some
R. Kasper (Chair): Grief.
W. MacAlpine:
J. Weisbeck (Deputy Chair): So I'm assuming something like a gender thing. They go through a telephone directory, and they can pull out the "Mmes." or the "Misses" or whatever, and that information can be used to target. Is that what you're saying?
W. MacAlpine: Or just particular individuals that are stalking someone -- that kind of thing.
J. Weisbeck (Deputy Chair): Yeah.
R. Kasper (Chair): Age classification, gender -- it could be pretty narrowed down. Correct?
W. MacAlpine: Yeah.
R. Kasper (Chair): I know I'm in there somewhere in somebody's list, because I keep getting phone calls: "Will you participate in a survey?" I don't know what that means.
Okay. Should I go on to the next one, and then you can think about that one?
G. Plant: Well, what I noticed in reading the discussion about this particular clause was that the Information, Science and Technology Agency essentially says that with respect to this issue, you have to do some pretty careful drafting. The basic principle expressed in the recommendation incorporates a recognition that traditionally there has been available information -- through telephone directories, for example -- that marketers have used since time immemorial to do their business.
R. Kasper (Chair): Yes.
G. Plant: The general sense of the public, as I understand it, is that they don't object to that, but that there are times
[ Page 208 ]
when they do object to the use of that information. And those objections are expressed in that part of this recommendation that talks about the need to protect individuals from obtaining this kind of information for purposes harmful to the data subjects' well-being, health or safety. I think that sounds like a reasonable attempt to strike a balance there, recognizing that the government agency responsible for this issue understands that there is some careful drafting work that would need to be done to strike that balance.
R. Kasper (Chair): Okay. No more discussion on that one?
Next one: "Personal information
W. MacAlpine: Law enforcement, emergencies
R. Kasper (Chair): "The best interests of an individual" -- that's pretty subjective, isn't it?
W. MacAlpine: Maybe that would be something that Chris could probably
R. Kasper (Chair): Change?
W. MacAlpine: Well, he could probably explain how it works in the public sector.
R. Kasper (Chair): I don't know. "Scholarly study, archival purposes and national security" -- well, we're not a nation in B.C. yet, so we could probably strike "national security." Correct?
W. MacAlpine: Provincial?
[1225]
R. Kasper (Chair): I don't know. That's an even scarier proposition -- provincial security.
A Voice: Precinct security?
R. Kasper (Chair): I don't know. I don't think "national security" needs to be there. That's just me.
S. Orcherton: Anything regarding vote 1.
R. Kasper (Chair): What was that?
Some Voices: Vote 1 security.
R. Kasper (Chair): Yeah.
K. Whittred: Mr. Chairman, I wonder if I could have an example of where journalism, art, literature, etc., should be exempted. I understand the others.
R. Kasper (Chair): Sources -- I think journalism gathers the information. And they may go out and talk to a number of individuals to gather information. They keep a record. And that record could be about you, me or anybody else. And I guess them having it is a lot different than them printing what they have.
K. Whittred: Yes, but isn't that the direct reverse of what these others are? For example, law enforcement, emergencies concerning life and so on might be that the law enforcement agencies, for example, would have the right to look for who was on a plane with someone who has been found to have a serious communicable disease or something. So you are infringing on those people's privacy to seek them out and try to assist them. I understand the journalism example you gave me. It just seems that it's sort of backwards, the idea that a journalist's sources are protected. I'm obviously missing something there. I just don't quite see that.
R. Kasper (Chair): Under the federal act, journalism is exempt. Art and literature -- like culture -- that's exempt.
G. Plant: I want to make sure we do understand this. Every major newspaper and other media outlet in British Columbia has a file on each one of us who is sitting here as an elected official. I never personally phoned up a major media outlet and said, for example: "Pursuant to principle X of the Canadian Standards Association model code for protecting my personal information, I demand that you give me access to the file you have." If we accept this exception proposed here, in that context we would ensure that that situation continued. So the journalists say, in effect, that what they do is entitled to higher value in the priority list of social values than other forms of human activity involving the collection of information.
R. Kasper (Chair): I don't know; it's up to you. Gee, I was going to throw political parties in the mix. They aren't stated or exempted.
G. Plant: That's because I've never met one that's well organized. You could never call it an organization.
R. Kasper (Chair): So with the exception
W. MacAlpine: I put together the wording based on what witnesses said about their concerns. So (b) is sort of a compilation of exemptions from B.C. and the federal legislation, (a) was worded by me based on what people said, and (c) is also taken from existing legislation.
[1230]
S. Orcherton: I just want to make a comment here. I'm having some trouble with this. What we're talking about here is some specific and limited exemptions that could occur -- right? -- either by way of the legislation itself or by way of regulation. I just find this is very limiting in terms of the discussion, and this is where we're starting to get off on, you know, what files a newspaper has. It raises a whole bunch of issues that may well be legitimate or not legitimate to be exempted from the legislation.
Would it not be easier to not sort of define, in a real direct way, what it is that could well be exempted from the legisla-
[ Page 209 ]
tion, but rather to say something like -- and I don't know how you would word this: "Some publicly available information that puts at risk an individual's well-being, health or safety" could be the subject of a regulatory exemption? Some legitimate personal activities could well be the subject. Then in the body of our report -- which I think we did, really, anyway -- raise some of the issues that people have raised to us around those particular categories. I mean, this opens up, really, a whole big can of worms on what kind of information could be exempted or should be or shouldn't be.
I think what this does, in a way, is really limit our recommendation. I think the people who are drafting this proposed legislation, if it ever goes forward, and the regulations that accompany it are going to be looking at all of those circumstances -- for instance, phone books. Political parties purchase phone lists. Is that the intended use of those? One could argue that it's public information. You could go and get that information and catalogue it how you'd like to catalogue it, or you could purchase it from the phone company. It opens up a whole variety of scenarios that I don't think we have a capacity here to contemplate and catalogue in terms of recommendations.
G. Plant: Following up on what Mr. Orcherton just said, I don't have any difficulty with recognizing that the legislation is likely to include some specific limited exceptions. Those exceptions may be given expression in the statute, or they may be given expression in regulations. I don't have any difficulty with that either. I don't have any difficulty with ensuring that we encourage the drafters to take into account these different kinds of circumstances as constituting areas where exceptions may legitimately be made.
The question, I guess, invited by Mr. Orcherton's comment is whether we want to go so far here as to, in effect, make a public policy commitment one way or the other on each of the items that is addressed here -- recognizing that while we've heard submissions on some of these issues, I'm not certain that we have heard the complete range of considerations that ought legitimately to apply to each of them. I know there are some complicated issues, for example, around the work of credit reporting agencies and debt collection agencies, which are encompassed in part within subparagraph (c). I'm not sure that I am in a position at this point, with the information that we've collected, to say that I know where I would draw the right balance. I know it's an important issue to look at. I think that government should consider it. But could we express the recommendation in the form that encourages government to consider it, as opposed to expressly committing ourselves?
G. Abbott: Just substitute "consider" for "provide" in the first sentence, and that should take care of it.
R. Kasper (Chair): Okay, I'll agree with that, then. If nothing is done, then the federal legislation would apply anyway, which grants a wide range of exemptions and embraces these ones.
[1235]
G. Plant: Well, actually, I haven't thought about that for a while. But my understanding is, generally speaking, that if we legislate and our legislation satisfies the scrutiny of the federal government, then our legislation is exhaustive. It covers the field completely, and the federal legislation is excluded from operation. So that's why the government needs to consider each of these issues one at a time.
R. Kasper (Chair): Okay. All right. Is everybody agreed on that?
The next area is on page 91 -- fees: "That private sector organizations,
interest groups and the public be consulted on the appropriateness of fees for
administrative services when responding to requests for access to personal
information held by private sector organizations. If fees are deemed appropriate
to charge, the proposed legislation should require that an estimate be required
in advance of proceeding with a response to a request. The proposed legislation
should also indicate that requests should be
W. MacAlpine: "
A Voice: It should be what?
R. Kasper (Chair): "Fulfilled in a timely manner." Just what we recommended with the public act -- in a timely manner.
So basically we're not saying there should be fees; we're just saying that if
they decide they need fees, because there is a cost to business and fees are
charged for public stuff, so
G. Plant: What does the CSA say about fees?
R. Kasper (Chair): I don't think they do, do they?
W. MacAlpine: Yes, it does. It says "reasonable
R. Kasper (Chair): Oh, they've got a new book out, eh? Is that their condensed version?
W. MacAlpine: Their workbook is appended to this book.
R. Kasper (Chair): Oh, okay.
I think we'd be remiss if we didn't make a recommendation or look at the issue of fees, because then there's the cost-recovery aspect.
J. Weisbeck (Deputy Chair): There shouldn't be any argument there,
because they're being consulted in the whole process, so that's the
R. Kasper (Chair): Right. But we're just going to look at what the CSA
G. Plant: I'm not going to oppose this recommendation problem we have
while we're still waiting to hear what the CSA model code says, but I just want,
I suppose, if nothing else, to put on record
Six people get together and they form a tiddlywinks club. You know, they actually have a file folder that contains the names, the addresses, the phone numbers and the tiddlywink
[ Page 210 ]
preferences of the six members of the club. And somebody says: "I'd like to join." No. 7 comes along and says: "I'd like to join." And they say: "Well, here's what we need to know in order to take your application." Then a few months go by, and number 7 doesn't get along well with the other six, so No. 7 says: "I'd like to see what you have in the file folder about me."
We're not actually just talking about
[1240]
Wynne has kindly brought to my attention the fact that principle 9,
individual access, has a subclause, 9.4, that says: "An organization shall
respond to an individual's request within a reasonable time and at minimal or no
cost to the individual." It goes on to say some other things, like that the
information has to be "made available in a form that is generally
understandable." Again, I mean, with respect, stuff that was clearly
written with large organizations in mind
R. Kasper (Chair): Okay. So everybody agrees? That recommendation stands.
No. 9 deals with oversight, page 93: "That the proposed legislation provide for an oversight mechanism through the extension of the statutory responsibilities of British Columbia's current information and privacy commissioner, and that the commissioner be empowered to conduct proactive inspections, make orders and to undertake research, civic education and provide advice and comment on proposed government legislation and programs with respect to the organizations and activities covered by the proposed legislation. The committee further recommends that the office of the information and privacy commissioner be provided with adequate and stable funding to support satisfactory oversight of the proposed legislation."
The only thing I have a problem with is the term "proactive." I've
been giving this some thought in that I think that there should be
G. Abbott: I think I'm agreeing with your observation. I don't think such a term as proactive really exists. It's a construction of recent years. I don't know what term we'd want to substitute there, but I don't think there's such a word as proactive.
Anyway, the use of the term in that context suggests to me that the commissioner is going to go out, make inspections, make orders and undertake research, etc., without having necessarily any indication that there's a problem. That's what proactive in that context suggests to me -- that he's going to go ahead and do that regardless of whether there's any apprehension of a problem. Is that what other committee members would understand from that?
Some Voices: Yes.
K. Whittred: That is what I would understand.
R. Kasper (Chair): But only in the context that the role would be an
oversight mechanism. And I think when you get down to where a problem can't be
resolved at the one-on-one level, then there's the ability for either side to go
to the commissioner. But I think it should be complaint-driven as opposed to:
"You shall do this, you shall do that." I just feel uncomfortable
[1245]
G. Abbott: And I do as well. I'm quite uncomfortable with the notion.
R. Kasper (Chair): You can blame me for it.
S. Orcherton: First, on your comment I agree. I think it should just
be empowered to inspect, make orders -- all that kind of stuff. Generally in
legislation, there's always the opportunity for a commissioner or whoever is
responsible for administering a certain act or regulations to engage in those
kinds of inspections on their own volition. It's usually something that is
raised to someone's attention that prompts these kinds of things, as opposed to
just going out
One comment. It sort of runs through this, and we had a comment about it earlier. It is that we keep saying, "that the proposed legislation," and we should just say: "that proposed legislation." We could tighten that up as we go through it.
J. Weisbeck (Deputy Chair): How is this different from the mandate in the public sector, the commissioner's role in the public sector? Is it any different?
W. MacAlpine: They do site visits, which are considered
G. Abbott: Then why not have the language parallel?
J. Weisbeck (Deputy Chair): Yeah. I guess I'm concerned that you're going to target the private sector with this mandate.
[ Page 211 ]
G. Plant: I share the concern that has been expressed by other members with respect to the proposal that the commissioner be allowed to act of his or her own motion. I think any powers that are granted to any oversight mechanism -- a matter about which I will have more to say in a moment -- can only be complaint-driven.
I think we need as members to recognize the distinction between public sector
bodies and the private sector. When the Legislature says that the information
and privacy commissioner has the power of his own motion to conduct not-random,
site visits what we're saying is that one of the ways in which we as citizens
and taxpayers -- who, after all, pay for and empower the public sector to do its
business
That consideration disappears completely, or at least becomes radically different, when we're talking about the private sector. I don't think there is a sound public policy rationale for giving any statutory official the power to conduct roving search-and-seizure expeditions into the homes and businesses of the people of British Columbia for the purpose of checking up on their information management practices. So I would support a revision of the recommendation that deleted the word proactive.
The question is: what should the oversight mechanism be at all, if any?
That's at least a question for me. I've thought about this one for a long time,
partly because when I was first introduced to the oversight mechanisms that
exist in the federal statute, for better or for worse, I formed the view that
they were awkward and in need of
I am hesitant to endorse the notion that we should give a statutory official the power to make orders here. I guess I would observe that the equivalent of the commissioner in the federal bill has the ability to conduct audits and make recommendations but not the ability to order compliance. That's my recollection.
[1250]
R. Kasper (Chair): Yes, you're right.
G. Plant: I've thought about this, but I don't have a completely articulated view of what ought to be done here. In part it's been because for a long time I thought it would be appropriate for the Legislature to state, with some care, what constitutes the tort of invasion of privacy by reference to something called fair information practices and then to allow the citizens of British Columbia to undertake self-enforcement of their rights -- which is, after all, something that we do in a huge number of areas of the world.
To be honest, I am still not persuaded that isn't a legitimate way to go. I know there's just a wonderful tendency abroad in society to make sure that every time we identify a problem we create another government official who will, without any further action on our part, make the world better. But I don't think we should do that on a case-by-case basis without asking whether that is exactly the only way available to us to solve this problem. I just wanted to put that reservation on the record.
I also want to put this reservation on the record: I have no idea what this will cost. I know that the information and privacy commissioner is already concerned that he has inadequate funding, or barely adequate funding, to discharge the mandate he now has. This would be at least a significant potential expansion of that mandate, and I don't know how much more it would cost. I'm not sure that I feel comfortable making a recommendation which in effect says, "Give this person a whole bunch more responsibility, and make sure he has enough money to do that job," without knowing a little bit about how much more that would cost and then having a discussion about whether we think that is tax money well spent, having regard to all the other demands there are for limited tax money in British Columbia.
Another alternative, of course, is to create a self-funding regulatory agency. You have a commissioner who essentially operates on a complaint-driven basis but pays for the operation of his office the same way the Securities Commission does, in effect, which is to say they charge fees, levy fines and do whatever they do to make sure that at the end of the year they've got enough money in their kitty to pay for those operations. I'm not sure that I would be prepared to completely dismiss that possibility out of hand without having some more information about what that model might look like.
I'm sorry to add a variety of complications to this particular recommendation around oversight, but it's been bothering me for about a year and a half. I wish I had a clearer answer, but I don't.
R. Kasper (Chair): The only thing I would add is it said that if
someone does not get satisfaction under the federal law
G. Plant: They could go to the federal court.
R. Kasper (Chair):
[1255]
G. Plant: For whom?
R. Kasper (Chair): Well, for both parties, whether it's a business and/or an individual or someone who felt aggrieved. I was hoping that the commissioner's role would be the court of last resort.
G. Plant: Thanks to the principles of judicial review of administrative action, that's never the case.
R. Kasper (Chair): No, I know that; I understand that. But the court, under the federal law, is the only one that has the right to award damages. And that's for both sides -- right? I just think there should be a simpler way of trying to nip the problem in the bud.
Our information and privacy commissioner has advised me that his office is consistently getting people coming to him
[ Page 212 ]
with private information problems, and it's a constant flow. They get a lot of inquiries on a regular basis, but they have to advise people: "That's not what we do; we deal with public agencies, public bodies."
I'm not overly excited about having his good offices given additional workload. Believe me; I'm not. But I think there has to be some mechanism. Do I have faith in a self-regulatory body? I don't know. It might be an option, substantially different from this, that could work. Maybe we could make the suggestion that there at least has to be a body that can make some rulings and that someone be empowered to basically say you go here, boom, and that can ensure compliance.
G. Abbott: So I understand this clearly from the discussion that's gone on before, the default mechanism, in the absence of the provincial legislation doing something else, would be those provisions that are contained in C-6 -- correct? -- in the absence of us doing something. It seems to me that further to Geoff's comments and given that we will be, as I understand from earlier discussion, embracing discussions with Alberta and Ontario and presumably other provinces around issues like this, that we shouldn't necessarily tie ourselves, in recommendation No. 9, to the information and privacy commissioner being the only possible oversight mechanism that could be considered -- that perhaps there are some other models that legislators should consider before moving there.
I guess the recommendation would then be that the proposed legislation provide for an oversight mechanism, either through the extension of statutory responsibilities of B.C.'s current information and privacy commissioner or through other oversight mechanisms identified through discussions with other provincial governments or the federal government. That would leave us a little more freedom in terms of constructing an efficient model for this.
S. Orcherton: I guess there are always lots of different options that can be considered, but in terms of on the public side the information and privacy commissioner is one that is in place. The Chair just talked about a circumstance that I'm familiar with: people who feel aggrieved because of private sector information being collected or mishandled go to that office looking for some resolution.
It strikes me that whatever mechanism we put in place here, at the end of the day it's going to likely be that the information and privacy commissioner is going to be involved, through that office in some capacity, in making a decision. I mean, that's the situation we have currently. Rightly or wrongly the public believes it applies broadly. And if we make some recommendations around oversight and how we deal with this legislation should it ever come to fruition, it strikes me that the option that's sitting squarely in front of us and the public is the one we currently have.
[1300]
We talked earlier about Alberta and other provinces working on some kind of a legislative model that sort of fits all jurisdictions, and I wish them luck with that. But I would suspect that the same kind of situations will be wrestled with at those discussion tables, as they will be wrestled with in terms of this report. It strikes me that this is the best model that we currently have, and I don't have any problem with moving it forward as a recommendation. If others want to say there should be some consideration given to other models, I think that's probably fair comment. But my view is that the model we have in front of us is likely the one that's going to picked, because it's the one that the public broadly has some understanding of.
R. Kasper (Chair): And they think they're doing it already anyway, based on that survey.
K. Whittred: In the interests of what we said earlier about harmonization and in keeping with the comments that George made, I think we should keep this recommendation a little bit more open-ended. I note that in the discussion comments around the recommendation it talks about the various oversight models around the world, and it says: "Roughly categorized they are the registrar model, the commissioner model and the ombudsman model." I think if we are ultimately a government that's going to come up with legislation that harmonizes several provincial models, those doors ought to be kept open, and we shouldn't at this stage in the process restrict ourselves to simply one model.
J. Weisbeck (Deputy Chair): Mr. Chair, I would agree with George's
recommendation; I think it allows us some flexibility. We're certainly not
saying that
W. MacAlpine: Just so I know, does that mean that the type of
oversight agent and the powers of that oversight agent are kind of
R. Kasper (Chair): No, no. I think it could be expressed in the same way. But we're just not necessarily comfortable with the existing office doing the job.
W. MacAlpine: Okay.
R. Kasper (Chair): Correct? And it could be some other agency. It could be either a self-regulating or -- I hate using that term -- a self-something body. I guess you have to use the term "self-regulating body." Well, you've got the college.
G. Abbott: It doesn't even have to be self-regulating, though. I think what we're uncomfortable with here is the exclusive nature of this recommendation, which says we want oversight, and the only appropriate mechanism for that is the office of the information and privacy commissioner. Further, we go on to say that he should be funded for that.
R. Kasper (Chair): Yeah, I know.
G. Abbott: It's very specific. And I think that in the absence of what I suspect will be a lot of discussions over the next couple of years with other jurisdictions about how they're doing it, we should leave the door open to the possibility that there might be a better way of dealing with this. Hence, again, my proposal would be that it read that pro-
[ Page 213 ]
posed legislation provide for an oversight mechanism through the extension of the statutory responsibilities of British Columbia's current information and privacy commissioner or another model, as identified by whatever.
R. Kasper (Chair): Or another type or style or agent or body -- oversight body or mechanism. I don't know if those are the proper words.
G. Abbott: Well, we use the term "oversight mechanism" there, so I don't see any reason not to continue that -- "an alternative oversight mechanism."
W. MacAlpine: And then that's it; we'll cut the rest?
R. Kasper (Chair): Then we would strike that the commissioner be empowered and that that entity or body be empowered, and we just leave it at that, whatever is decided. Is that okay?
[1305]
G. Abbott: It's fine with me.
R. Kasper (Chair): Okay, great. We'll do it that way, then, Wynne.
A Voice: And strike "proactive."
W. MacAlpine: And then "proactive" is struck.
R. Kasper (Chair): Yeah, "proactive" is struck. Then we should strike the last recommendation completely. But we should be cognizant that there are costs. There will be costs associated with doing something.
S. Orcherton: Yeah, I was looking at this one earlier. I think that we should just have a recommendation of something along this line: "The committee notes that proposed legislation would require adequate and stable funding to support any oversight mechanisms regarding the legislation and regulations."
R. Kasper (Chair): Period.
S. Orcherton: So we've turned our mind to it -- that obviously there's a cost to this. I mean, Geoff said it quite well. I have no idea what it would cost. But we did turn our mind to it, and it caused some concern.
W. MacAlpine: Would that capture the concerns that some members raised about the idea of funding? Does that imply that it's coming from a certain place?
R. Kasper (Chair): No, it doesn't; it doesn't imply. It just identifies the fact that there are costs. We don't know if it's going to be self-paying or like Geoff talked about or any taxpayer-funded. I don't think we should get into specifics.
G. Plant: Well, aren't we just saying that if the oversight mechanism is a mechanism that requires public funding, we are telling the government they better provide adequate and stable funding for it?
R. Kasper (Chair): Okay. The next one is
Some Voices: That's it.
R. Kasper (Chair): Is that it?
J. Weisbeck (Deputy Chair): That's it -- No. 9.
R. Kasper (Chair): Oh no.
S. Orcherton: When are we back together again?
R. Kasper (Chair): There's no need for us to come back together -- is there?
W. MacAlpine: What about the Electronic Transactions Act? Do you want to say anything about that?
R. Kasper (Chair): Oh, you mean we haven't finished?
G. Plant: There's a bill on the order paper. It'll get debated if it's introduced for second reading. I haven't read the discussion, so I don't know what exciting statements are made about it.
R. Kasper (Chair): Can I ask a question of the committee? When would committee members be able to meet again if we can't come to a resolution on that today -- the 8th? Who cannot come here on the 8th?
J. Weisbeck (Deputy Chair): I can't make it.
G. Plant: I don't know that I can. I'm not sure if I can.
R. Kasper (Chair): You don't know? It would have to be any time before
the 14th, because it's my understanding that the report would be tabled
G. Plant: The 14th is a Wednesday, so ordinarily we would not sit in the morning.
R. Kasper (Chair): We would not sit. But I understand that there's a number of legislative committees that are going to be reporting out, and if the House prorogues before that, then that creates a dilemma for those committees.
G. Plant: Yeah, but I think the usual practice would be for those committees to table their reports prior to prorogation. So when we convene, we convene pursuant to the adjournment motion, to complete the business that needs to be completed, and then we prorogue and go on to whatever else happens.
G. Abbott: Just so I'm clear, Mr. Chairman
W. MacAlpine: No. It was part of the committee's mandate to look at that, and the committee did, briefly. I'm not
[ Page 214 ]
sure that it's a controversial thing. It didn't seem to be. Based on the presentation that ISTA gave, it seemed to be rather straightforward.
G. Abbott: Well, why don't we have the discussion? And there may be no need to even think about coming back together again.
[1310]
R. Kasper (Chair): Did you have the report?
K. Whittred: It's on page 104. Have you got it?
R. Kasper (Chair): Okay. Is it possible for Chris Norman to say something? I think he made the presentation.
S. Orcherton: Can I just make a suggestion? I haven't turned my mind
to that issue. That's fair enough; I can follow along in the discussion here if
you want to have one. It strikes me that there is
I mean, what are we going to do here? There's a bill before the House -- right? We're not going to resolve anything.
G. Plant: I'm going to read with interest the discussion that is in the draft report, because it might help inform my response to the bill, if it's ever brought forward for second reading. In the circumstances, would it be possible just to note that we had some submissions about the Electronic Transactions Act, they're in the record, the bill's before the House, and we'll deal with it when we deal with it?
R. Kasper (Chair): Chris, did you want to add something?
C. Norman: I just wanted, if I could, to draw to the committee's
attention one piece with regard to your first recommendation, which was that by
using the term "private sector transaction
Most of the provinces that are looking at private sector privacy legislation are aware of the fact that that kind of requirement -- and the federal government had to do that because they were using their trade and commerce powers to go with C-6 -- is limiting and leaves a number of significant gaps in coverage of private sector private information. Therefore most of the provinces that are looking at this now are not limiting it to just transactions. They are trying to address personal information held in the private sector.
S. Orcherton: So are they saying information transferences or
G. Plant: No. "To protect the personal information of British
Columbians held in the private sector." Those are the words
C. Norman: Correct -- as opposed to limiting it to transactions.
R. Kasper (Chair): So you're suggesting that we delete "transactions."
C. Norman: I'm not suggesting but just pointing something out.
G. Plant: Sometimes we take more trouble with this than we need to. Hansard is actually at work here. Wynne heard the words. Wynne can rewrite the recommendation to give effect to that.
R. Kasper (Chair): And then everybody agrees with that.
G. Plant: Well, if everyone does.
R. Kasper (Chair): Okay, fair enough.
Well then, should we adopt the report and then give consideration at our next
meeting? If anyone wants to make any comments in regard to that electronic
transaction
W. MacAlpine: Is there a smaller group that would want to read the whole thing?
R. Kasper (Chair): I guess John and I could get together. John, are you back here next week?
J. Weisbeck (Deputy Chair): No, I'm not. Pardon me -- yes. We have a caucus meeting on the 7th.
G. Plant: No, we don't.
K. Whittred: No, that is cancelled.
R. Kasper (Chair): Okay. Well, I guess John and I
G. Plant: No, I want to see a draft
R. Kasper (Chair): Okay, you want to see a draft.
G. Plant:
R. Kasper (Chair):
G. Plant: Yeah. And then maybe we'll all be lucky, and we'll read it, and it will all be great, and we can just call up the Chair or the Deputy Chair and say: "Away we go." If not, then maybe we'll have to figure out how we solve that problem.
R. Kasper (Chair): Now, is it agreeable that members have a meeting by telephone conference to deal with the final approval of the report, so we do not have to worry about schedules?
S. Orcherton: That sounds fine to me.
R. Kasper (Chair): How's that? Okay, great. All right, thank you very much for your time. We stand adjourned.
The committee adjourned at 1:15 p.m.
[ Return to: Legislative Assembly Home Page ]
Copyright © 2001: Queen's Printer, Victoria, British Columbia, Canada