2000 Legislative Session: 4th Session, 36th Parliament
SPECIAL COMMITTEE ON INFORMATION PRIVACY IN THE PRIVATE SECTOR
MINUTES AND HANSARD

SPECIAL COMMITTEE ON INFORMATION PRIVACY IN THE PRIVATE SECTOR Thursday, September 21, 2000 11:00 a.m. – 4:30 p.m. Douglas Fir Committee Room Parliament Buildings, Victoria

Present: R. Kasper, MLA (Chair); J. Weisbeck, MLA (Deputy Chair); P. Calendino, MLA; S. Orcherton, MLA; G. Clark, MLA; G. Abbott, MLA; K. Whittred, MLA

Unavoidably Absent: G. Janssen, MLA; E. Walsh, MLA; G. Plant, MLA

1. The Chair called the Committee to order at 11:04 a.m.

2. The Committee Researcher briefed the Committee members on the prepared background information and the research proposal process currently underway. 

3. The Committee discussed further opportunities for consultation with expert witnesses and the public on information privacy issues.

4. The Committee recessed from 11:30 a.m. to 1:37 p.m.

5. The Committee heard testimony on the topic of “The Internet and Privacy” from Dr. Richard Rosenberg, Department of Computer Science, University of British Columbia and from Mr. David Loukidelis, Information and Privacy Commissioner.

6. The Committee heard testimony on the topic of “Health Information Systems” from 
Dr. Jochen Moehr, Professor, School of Health Information Science, University of Victoria and from Mr. David Loukidelis.

7. The Committee adjourned to the call of the Chair at 4:12 p.m.

Rick Kasper, MLA Chair

Kate Ryan-Lloyd Committee Clerk

The following electronic version is for informational purposes only.
The printed version remains the official version.

REPORT OF PROCEEDINGS
(Hansard)

SPECIAL COMMITTEE 
ON INFORMATION PRIVACY
IN THE PRIVATE SECTOR

THURSDAY, SEPTEMBER 21, 2000

[ Page 141 ]

The committee met at 11:04 a.m.

R. Kasper (Chair): We have a quorum, so I think we should start.

The first part of this meeting today is basically a very brief business section, and we're going to get an outline from Wynne MacAlpine, our researcher, on three specific items. That's in our agenda that's been circulated. Due to the cancellation of one of our expert witnesses, that's why we're only having witnesses this afternoon. Okay?

Wynne, would you like to lead off in the first area, which is a review of the background information that we've received to date, and give us a bit of an overview?

W. MacAlpine: Okay. You received three papers that were based on topics discussed at the Internet and Society 2000 conference, which was back in late May. The first one is called "Backgrounder -- The Internet." That just describes how the Internet works and some of the infrastructure that's involved.

[1105]

The second one is called "Governance of the Domain Name System," and that explains how the domain name system is governed. It's really the only centralized authority over the Internet for managing address spaces.

The third one is "Internet Security," and that just introduces some of the techniques that can be used to collect personal information during Internet transactions and some of the ways that hackers can compromise the security of an Internet system.

Then there are some news articles relating to each of those topics attached at the back of that package.

R. Kasper (Chair): Just to sort of capsulize what you've said, to date there has been fairly extensive media discussion at different levels that I've noted in the past few months on the issue of privacy concerns. For example, at one of the lower mainland universities or colleges, there was some interest expressed on cameras being installed in certain venues or locations that are not necessarily publicly visible. But they are in fact little, tiny cameras that are located, and some groups have raised concerns about that. The organizations have actually said: "Well, we deem it in our interest to make sure that it's a way of gathering evidence." So that has sparked some discussion from those who are advocating privacy rights and then those who are advocating protection of private property.

I know there's an extensive amount of written information that has been gathered over the past few months, and I know it's difficult for members to perhaps go through all of it. But I felt that it was important that everybody get as much information as possible, because eventually we have to submit a report or at least a series of recommendations, which is part of our mandate.

Wynne, do you have anything else that you may want to offer as to what you have noticed or received, other than what you've given to the members?

W. MacAlpine: There were actually two news items today. The first one was on CBC radio this morning. The Nuu-chah-nulth tribal council is attempting to retrieve blood donated by its members for an arthritis study. Following the study, the doctor who collected the samples used the blood for other research. The blood is currently held at Oxford University, and the Nuu-chah-nulth would like it back. That's the "Today's News" on-line summary of that discussion, and hopefully there will be a more extensive print write-up about that in the next few days.

R. Kasper (Chair): Perhaps that's an item that David Loukidelis may want to deal with, because I think it would fall within his purview. If the blood was collected as part of health care research. . . . Maybe members would want to ask him questions on that later on. Now, was there anything else?

W. MacAlpine: There's also an article entitled "Immigrants Facing Blood Tests." This is about the federal government's plans to require prospective immigrants to be tested for HIV and hepatitis B before they're allowed into Canada. I have copies of that I can hand out, if you like.

R. Kasper (Chair): Okay. If members would like copies of that, please let Wynne know.

Do any other members have any information or comments based on what Wynne gave us?

G. Abbott: The original agenda, or at least the original draft agenda, makes reference to focus group proposals received. Is that off the agenda at this point, or is it something we'll be discussing today?

[1110]

R. Kasper (Chair): No, it's our next item.

Any other comments, questions? Okay.

Wynne, we'll go on to the next item, which is an update on the recent proposal which the committee supported at our previous meetings. Do you want to give us an update on that?

W. MacAlpine: Okay. The Clerk of Committees' office sent out a request for proposal on August 10 to seven B.C. research firms. By the end of August, when the deadline was, the committee had received five proposals. The Clerk of Committees' office has reviewed them and suggested a shortlist. The office has also contacted all of the firms that sent in proposals, to acknowledge receipt of their proposals and to let them know that the committee would be reviewing them in September.

R. Kasper (Chair): You had circulated that information to the Chair and Deputy Chair.

W. MacAlpine: I haven't circulated the proposals themselves.

R. Kasper (Chair): Okay. As far as the shortlist, though. . . .

W. MacAlpine: I haven't circulated anything. I think we've talked about that. Craig and I will be meeting to go over those next week.

R. Kasper (Chair): George, did you want to speak on this?

[ Page 142 ]

G. Abbott: No. We should probably have the information. Then, unless there is something useful to talk about today, I have, broadly speaking, not been convinced yet of the need for focus groups in the particular exercise we're involved in. But I don't want to be disruptive about it, because I was in Forest estimates at the time the committee made that decision, and I don't expect the committee to revisit the whole issue right now. I'm happy to leave aside the discussion till we get to a point where we're dealing with specific proposals, perhaps because on reviewing those proposals, we'll see the value in focus groups. But I'm not convinced of it at this point.

R. Kasper (Chair): Wynne, do you have that information readily available, so that members may want to look at that, perhaps, when we finish this briefing?

W. MacAlpine: Copies of the proposals?

R. Kasper (Chair): Yes, and what in fact was circulated out to the different companies as far as terms of reference.

W. MacAlpine: Yes, the request for proposal is available. We would have to photocopy the actual proposals and distribute them, but that could be done.

R. Kasper (Chair): Would that suffice, George?

G. Abbott: That would be fine. The notion is that we'd get the proposal that was sent out and the shortlist that the Clerks feel is appropriate to deal with. I think that's fine.

R. Kasper (Chair): Okay, great.

Wynne, how long would that take to do?

W. MacAlpine: Over the lunch hour -- we could bring them back when the committee reconvenes.

R. Kasper (Chair): Is that fine?

G. Abbott: Yes.

R. Kasper (Chair): Okay. Great. Then we'll leave that.

Anybody else want to add any comments to that?

All right. The other item of business here deals with committee time lines and our next steps. Wynne, did you want to lead off with that?

W. MacAlpine: Some of the questions that came up at previous meetings were whether or not we should have a meeting similar to this one today with expert witnesses in Vancouver, with some Simon Fraser and UBC faculty. Also, we have almost completed the submission summaries for you to review. Other than that, we need some direction as to where to go.

[1115]

R. Kasper (Chair): Okay. My question is: how long will it take to complete the summary of the submissions so that that can be distributed to the members?

W. MacAlpine: That is nearly done. It was almost ready for today, but not quite.

R. Kasper (Chair): I guess, in short, probably within a week.

W. MacAlpine: Yes.

R. Kasper (Chair): Okay. The question now is: once we have completed the witnesses today and have received a summary of the submissions, do any members of the committee have any ideas as to what we may want to do -- i.e., the suggestion of doing something in the lower mainland, other than Victoria?

K. Whittred: Yes, I want to ask: who do we have in mind as expert witnesses in addition to those that we're hearing from today?

W. MacAlpine: In particular I was thinking about some of the faculty in the school of communication at Simon Fraser. Also, there are some gaps in coverage of the issues today, because we didn't have anyone from the school of business. We also didn't have anyone to speak to the issue of privacy as a human right as opposed to more of a commercial right. Those are some of the areas that I would be looking at filling.

J. Weisbeck (Deputy Chair): Have we had any interest expressed by these groups?

W. MacAlpine: No. As with this meeting today, our office contacted these people to see how interested they would be in. . . .

J. Weisbeck (Deputy Chair): I think, before we decide to have any meetings in Vancouver, we should determine what sort of interest. It might be a lot more economical, for example, to have them come over here rather than have the whole group go over there. We should get some sort of expression and then make a decision after that.

S. Orcherton: Just a couple of points by way of suggestion. I think we need to have a look at the RFP and the responses in terms of focus group. That may give us some sense of what those folks are thinking about in terms of our deliberations.

I agree with what I think Wynne was saying, in that there are more than two, but certainly two, aspects to freedom-of-information issues. One is the legal context of freedom of information. The other, I guess, could be categorized as the ethical context and what these kinds of situations could evolve into in terms of ethics. I for one would like to see what the proposals are, and I think that may be helpful in framing where we go in terms of asking other witnesses to come forward and so on.

K. Whittred: As a follow-up to my previous question about what possible expert witnesses we have on hand, an area that, it seems to me, hasn't been mentioned is the area as it pertains to children. This would fall, I think, within the kind of human rights side of the argument as opposed to the economic or business side. We do have expert witnesses who are addressing health issues. I just sense, in the community

[ Page 143 ]

and from things I read, that this whole issue has emerging questions as they relate to the rights of children and who controls those rights and so on. I would find it useful, I think, if there's someone in the community that can speak to that, to hear from someone in that area.

R. Kasper (Chair): Point well taken.

G. Abbott: I'm very happy to leave it to the call of the Chair and the Deputy Chair to get us together if there are people in the lower mainland, whether they're academics or otherwise, who can further inform us on the issues we're going to have to deal with in our report. I think it would be just fine to meet there. I'm happy to leave that call to the Chair and the Deputy Chair and proceed in that way.

P. Calendino: Notwithstanding what all the other colleagues have said, I think that there may be value in having some kind of a forum in Vancouver.

[1120]

For example, Simon Fraser has just opened up what they call the centre for dialogue. This centre for dialogue is established exactly for social issues such as this one. I think that if we did some work with SFU -- not just the department of communications, but the department of business or other departments, and with the president. . . . They probably have an expert panel there -- and then maybe even have students and civil liberties people come and discuss the issue. I think that would be an interesting exercise to engage in. We usually invite people who we consider experts, but we rarely ask for the public opinion in all this, and I'm sure there are a lot of people out there that do have opinions on privacy and privacy issues. So I would not have a problem in having some kind of forum at the centre for dialogue or at the SFU campus. Obviously this centre for dialogue is established for things like this.

R. Kasper (Chair): Okay. Based on the discussion, if you, Wynne, could compile a list, perhaps then the Chair and Deputy Chair could send off correspondence to the appropriate group or organization, asking them if they do in fact have an expression of interest to make a presentation to the committee or to perhaps pass on, in written form or in person, any views that they may have regarding their particular area -- privacy rights advocates. Also, what Katherine mentioned in regard to children -- it's very difficult for them to speak on behalf of themselves.

As Pietro outlined, the centre for dialogue. . . . And I think what you had mentioned, Wynne, is that there appears to be some form of response lacking from those in the communications end of things and the school of business. Would it be acceptable, then, that Wynne put together that list, the Chair and Deputy Chair send off appropriate correspondence to the groups that I outlined, and we'll get Wynne to compile the list? Okay.

P. Calendino: Mr. Chair, I wonder if we should not extend an invitation to the media, because they're directly involved in this, you know. What are their limits, and what do they consider their limits to be?

R. Kasper (Chair): Well, that's one way. I know that with the federal legislation, there are specific exemptions or exclusions. I think all of us kind of made the assumption that that would also be expressed to this committee in some way, shape or form.

P. Calendino: I agree.

R. Kasper (Chair): Mind you, that's an assumption on my part.

P. Calendino: Yeah. I agree with you. I know that they're excluded. But it would be interesting to have them in the forum and see what the reaction of the rest of the people would be.

R. Kasper (Chair): Okay. All right.

Well, Wynne, you had mentioned. . . . Was it the school of communication or. . . ?

W. MacAlpine: Yeah.

R. Kasper (Chair): Yes. So perhaps that's the way of actually getting it through a group like that. Okay.

Well, let's leave that. Under the section of "any other business," I know that a memorandum was sent around to members of the committee about any future conferences that would be coming up. I have in my hands. There is a conference in New York, and there is also a section of meetings in Washington, D.C. The conference in New York is October 5-7, and the meetings in Washington are October 9. I've had one member express to me that they'd be interested in attending both conferences. I'll circulate this to members.

[1125]

Our view, in the past, is that any member who deems it in the interest of the committee to attend a conference on an information-gathering purpose. . . . The consensus of the committee was that they'd be free to do so in the interest of preparing a well-rounded report and series of recommendations. So I'll just circulate this to members now. If members have any questions or discussions around that. . . .

S. Orcherton: Yeah, I know. I've seen the list of the conferences. Maybe there's some more information coming around, but I wonder what the agenda is for the conference and who the speakers are and those kinds of things.

R. Kasper (Chair): Yeah, that will also be circulated.

I know that when staff and members of the committee have attended previous conferences, our underlying requirement was that those who attend would in fact submit a report to the committee for the public record. That's been well received, because I think all of us have learned a great deal by attending the conferences and also from the reports that have been submitted by members of the committee.

Wynne, do you have any other details on that?

W. MacAlpine: We haven't heard from very many committee members that they were interested in going, so last week I got in contact with the Federal Trade Commission about setting up meetings for the week of October 9 just following the conference in New York. And they seemed very interested and helpful, so I am sure that could be arranged if

[ Page 144 ]

there were members interested in going. But other than that, we haven't had any response about the other conferences that were mentioned. So it's just where we left it last time.

R. Kasper (Chair): Now, there's one conference that isn't noted on the memorandum that was circulated. I think it's mid-November. It's one being held at Montebello in Quebec, and it's put on by Zero Knowledge. Is that correct?

W. MacAlpine: That's November 20-22.

R. Kasper (Chair): Do you have any information relating to the purpose of that conference?

W. MacAlpine: It's going to be workshops on various privacy-enhancing technologies and, I think, particularly the product that Zero Knowledge makes, which is software to allow your Internet transactions to be untraceable. Then there will be some more policy workshops as well.

J. Weisbeck (Deputy Chair): That should be quite a good seminar, because that was the individual who came and spoke to us from the federal government -- was it not? She's now one of the principals of that company.

R. Kasper (Chair): Yes.

J. Weisbeck (Deputy Chair): I can't remember her name.

K. Ryan-Lloyd: Stephanie Perrin?

R. Kasper (Chair): Stephanie Perrin -- that's correct.

And it's my understanding that a former employee with the information and privacy office in British Columbia will also be working for that organization for, I think, a one-year period. So they have expanded their role and have drawn upon resources, as far as personnel. I only became aware of that a week and a half ago. I'll leave it up to members to contact the Clerk's office on whether they are willing to attend any of those conferences and also to get any further written information on the conference that will be held in November in Quebec.

Do any other members have any other business prior to us reconvening at 1:30 this afternoon, any other matters you want to bring up? Okay, I'll call for an adjournment, and we will reconvene at 1:30. That's when we'll hear Dr. Richard Rosenberg from the department of computer science at the University of British Columbia. So we'll see you after lunch. Over the lunch break the Clerk's office will get copies of the short-listed proposals for the research information. Thank you very much.

The committee recessed from 11:30 a.m. to 1:37 p.m.

[R. Kasper in the chair.]

R. Kasper (Chair): Our first item of business is our witness, who is going to be speaking on the Internet and privacy, Dr. Richard Rosenberg from the department of computer science at the University of British Columbia.

Dr. Rosenberg, welcome. I trust you've met all the members of the committee. It's good to have you here. As I mentioned to you earlier, this is a fairly informal process, and we're pleased that you're here today. We're conducting these meetings and hearings in regard to expert witnesses so that we can get your comments and your views on the record of Hansard. It will, in a very important way, form a basis of our report that we will eventually make to the Legislature around this issue.

So I now turn it over to you. We have a scheduled time here of some 45 minutes. I trust that would suffice. So welcome, and you can now proceed.

R. Rosenberg: I've left a copy of the document I'm speaking from with Ms. MacAlpine. So what I'll do is read from the various portions. As the time diminishes, I'll read less, and then I'll stop and be available for questions. I'll show you a few cartoons, but these of course can't be entered into the records, since I don't have copyright permission. If you don't rat on me, then I'll be okay showing them.

I'm appearing before the committee today on my own behalf. In the past I've made appearances before government committees, both provincial and federal, concerned with privacy issues on behalf of Electronic Frontier Canada -- of which I'm a vice-president -- an on-line organization concerned with a variety of civil liberties issues, and FIPA, the Freedom of Information and Privacy Association of B.C. Indeed, a year and a half ago I appeared before the House Standing Committee on Industry to present the EFC's views then on Bill C-54, later Bill C-6. Earlier this year I appeared before a Senate committee to present FIPA's views on privacy.

So I'm now presenting my own views. Why am I here? For several years I have been doing research and teaching on the social impact of computers. I thought I'd flash my book while we're here in a friendly mode: The Social Impact of Computers. This is the second edition, which appeared in '97, and of course is totally out of date by the year 2000. In fact, I noticed that although I did most of the writing in the end of '96 and early '97, the word "Internet" appears only twice in the index, and there's hardly any discussion of it. At that time, the Internet. . . .

[1340]

Oh, excuse me -- this is the previous edition. By '97, I had in fact gotten the Internet right. Lots of stuff appeared. Five years earlier, when the first edition of this book appeared, is what I'm making my comments on. Then the Internet appeared only twice. Up to that point it had been basically a research vehicle. I had been involved with communicating on the Internet for over 20 years. It was mostly e-mail amongst colleagues -- that was pretty much it -- and then sending out some joint journal articles, which you distribute to your friends to see what they thought of them, getting feedback. The fact that the public might be interested in it, or even the academics beyond computer science might be interested in it, was a very strange notion.

My interests have focused on privacy, freedom of speech, access and intellectual property rights. Now, of course, I want to talk about the issues related to the private sector and personal privacy, which is, I understand, your concern. Amongst these issues, not all of which I'll talk about at length -- my paper should be available to you -- are privacy issues related to medical information, financial information, a whole host of Internet issues, children's privacy rights, and monitoring and surveillance in the workplace. Privacy is a fundamental right.

[ Page 145 ]

Let me attempt to establish some principles which guide my understanding of privacy issues on the Internet and elsewhere in the private sector. Technology, innovation and diffusion occur at such a high rate that it is very difficult to anticipate their impact, either short-term or long-term. Thus the law must inevitably confront situations not anticipated when relevant sections are enacted. Catching up and stretching interpretations have become a way of life. Uncertainty is prevalent. For privacy protection to be effective, privacy must be enunciated as a fundamental right applicable to all identifiable violations. It should be kept in mind that the Personal Information Protection and Electronic Documents Act was largely a product of Industry Canada, not Justice Canada. That is, its primary motivation is to make the Internet a safe place to do business by providing protection for the personal information of shoppers.

Just to indicate the enormous diversity of the assault on privacy, consider some of the recent reports of events related to privacy issues in both Canada and the U.S. Here I have several items which are taken from recent newspaper stories, and instead of reading the whole item, I'll just try to capture the significance.

This was a report from the New York Times of a little while ago, in the "Patents" section. It's prefaced by saying: "Each human body generates a column of slightly warm air that originates at the tops of the feet, swirls and rises, gathering speed and increasing in volume, staying with us as we move through the day and ascending the length of our torsos until it flows from the tops of our heads in an invisible geyser of air altered by movement and body temperature." That's quite poetic writing in the "Patents" section.

What's the point of this? Well, it carries the skin particles, and if you build a sensor, you can detect the chemical content of these particles. So you can get a reading on some of the chemical things -- like chemicals that have been digested, like narcotics and so on -- without physically intercepting the person. It could be used in airports; it could be used elsewhere. Certainly nothing is more personal than the makeup of our body chemistry, and machines can be built to examine it and report on it.

This was one which had to do with. . . . The next challenge to privacy will be location. As the use of GPS -- that's global positioning technology -- starts to become more prevalent, "your movements could be tracked and the data sold. And so far there's no legal protection" on this. So the notion is: "Fast-forward a few years into the future. Your cell phone is a smart personal digital assistant that's equipped with, among other things, a global positioning system chip. . .as long as it's turned on, the phone knows exactly where you are all the time. In many ways, this feature is quite convenient: consult your cell phone, and you can now find the nearest Radio Shack," etc., etc.

Just a few days ago, Amazon.com, one of the most successful dot-coms in the world, of course, although it's never made a dollar. . . . I presume it's successful, because what they lose on individual sales, they make up in volume. They've lost hundreds of millions of dollars, and yet people keep investing; presumably, there will be a payoff down the road. "Amazon.com Inc. clarified how one day it might share customer information with other companies, a cautious move at a time when the privacy practices of electronic retailers are coming under closer scrutiny."

Interestingly enough, one of the leading civil liberties organizations in the States, EPIC, Electronic Privacy Information Center, used Amazon.com to market publications by its members, and it has now broken off its connection with Amazon.com because of this change in policy.

[1345]

There is a case which is proceeding now in U.S. courts -- a company called Toysmart, which went bankrupt. About the only asset it had left was the information about its customers. It had previously guaranteed its customers that it would guard those, never make them available without permission. Now it wants to sell them so it can recoup some of the money in its losses. It's being sued currently by Attorneys General of various states. The Federal Trade Commission has made a deal with them, saying that they can only sell it to another company that has stated privacy protection at least as strong as Toysmart.

So if you do business with a company that guarantees your rights, and then they go broke, then your rights may or may not be protected. That's one of the problems with a marketplace solution as opposed to a legislative approach, in that whatever the marketplace will bear, it will bear.

Okay, those are a few. One other one that I want to mention is the microchip implant issue which is coming up. "Big Brother could soon be watching from the inside. Several international companies are consulting scientists on ways of developing microchip implants for their workers to measure their timekeeping and whereabouts." So it's not enough for you to have what are called "active badges," which you clip on your jacket or shirt, and wherever you are in the building or buildings, you could be kept track of. Well, why not put an implant in?

Now these have become quite common in the pet industry. So you could put an implant in your dog, and in case you lose it, it could be discovered. If the dog's discovered, you just run a scanner over it and determine information about its ownership. Well, do you feel okay about putting an implant just under your skin and running a scanner over it? You never lose this one -- right? It's always under your skin. It's not in your wallet. It can be updated, because you can read more things into it, and you can read stuff out of it. So you could have your whole personal history in this thing.

Now, with these kinds of technologies, I start seeing a world in which there is almost no personal privacy. You can't even escape from this; it's inside your body. It's become something that's always carried along with you.

Well, there are many more of these. In fact, that's the point. These kinds of developments, technologies and uses appear rapidly and give us very little time to accommodate existing law or existing approaches to privacy protection because of the fact, basically, that no one decides in advance what's going to happen. It's done because it can be done.

These very few examples are indicative of the continuous stream of reports on yet another way that personal privacy has been violated. Furthermore, they provide yet additional counter-examples to the argument that it is in the self-interest of business to respect the privacy concerns of its customers. I would reword this argument to read that it is in the self-interest of business to appear to respect the genuine privacy concerns of its customers. Whether or not the B.C. Legislature crafts its own version of privacy protection in the private

[ Page 146 ]

sector, it should be aware of the scope and diversity of such assaults on personal privacy. Some old and some new terms and expressions should also be kept in mind, such as cookies; Carnivore, the FBI variety; TRUSTe; on-line profiling; data mining; on-line privacy policies; Big Brotherware; Intel serial number; DoubleClick; Toysmart; Echelon; Coremetrics; Human Resources Development Canada's longitudinal labour force file; and Britain's Regulation of Investigatory Powers Act -- RIP.

Before proceeding to the body of this submission, I'd like to distinguish among the frequently confused words "confidentiality," "privacy" and "security." Confidentiality must be distinguished from privacy first. One thing that distinguishes them is control. The right to privacy protects individuals' rights to control the flow of their personal information. The duty of confidentiality defines professionals' obligation with regard to personal information disclosed to them. Another distinction between privacy and confidentiality is a growing recognition of privacy as a fundamental human right possessed by every individual and deserving of constitutional protection.

Security is distinct from both confidentiality and privacy. It is the means by which informational confidentiality and privacy are achieved. Security measures are the safeguards put in place to control access to information, in order to protect both the information system and its contents from unauthorized access. In a paper-based system, security may be as rudimentary as a lock on the records' door or a passkey system. In computer-based information systems, privacy enhancing technologies, PETs -- a range of technologies that safeguard personal privacy by minimizing or eliminating the collection, use and disclosure of identifiable data -- are in a state of rapid development. Legislators often express the desire to make privacy legislation technology neutral on the assumption that although technology poses threats to privacy, the law on technology itself can be effective in countering these threats.

[1350]

Let me add just one more comment on that. Very often you see companies making arguments that security. . . . Another organization says that you can be confident that their holding of the information that they have about you is secure, and that's good to know. The prior question is: what is the information that they're holding? Where did they get it from? Did they get your permission for it? What are they going to do with it? Those questions have nothing to do with the security. So if you decide that certain information you're gathering is okay to gather and use as you want. . . . We should all be grateful that it's secure, but we should ask the prior question: by what right do they have it? If they have it, what are they going to do with it? Am I even consulted about this? Have I lost all control?

I'm not sure whether I should skip some sections.

R. Kasper (Chair): Carry on.

R. Rosenberg: Just carry on.

First, privacy is a fundamental right. It's unfortunate that privacy was not explicitly included as a basic right for Canadians in the Charter of Rights and Freedoms. By that, I mean an explicit right. It can be inferred in a variety of ways, just as it can in the U.S. I mean, in the U.S. constitution and the Bill of Rights there is no explicit mention of the word "privacy," and it has to be inferred by other rights.

I must admit from the outset that I tend to use a lot of American examples, for a couple of reasons. One is that most of the developments on the Internet happen first in the States, because they're the single largest country with Internet users, and a great amount of technology is developed in the States. The other fact is that I happen to have a U.S. publisher who, although it will allow me to use Canadian examples, won't allow me to use many Canadian examples; they won't be meaningful to American students. My own students criticize me for this.

Since then, the Supreme Court has accorded privacy constitutional protection as a fundamental human right in certain ways. International organizations to which Canada belongs, such as the United Nations, have privacy rights as part of a broad compilation of basic human rights. Thus, rooting privacy protection as part of a constellation of basic rights is not just the right thing to do; it's the practical thing to do because of the unpredictability of characterizing the open-ended variety of attacks on personal privacy.

Why is privacy so important? An individual must be secure in the knowledge that his or her personal information is not generally available; otherwise his or her democratic rights are at risk. I quote from one of the most well-known quotations on privacy. Again, this is the U.S. Supreme Court Justice Louis Brandeis, who put it best in an oft-quoted passage from a dissenting opinion -- he lost on this case:

"The makers of our constitution undertook to secure conditions favourable to the pursuit of happiness. . . . They sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred, as against the government, the right to be let alone -- the most comprehensive of rights and the rights most valued by civilized men. To protect that right, every unjustifiable intrusion by the government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment."

Privacy concerns with respect to personal information on computers is not new. One of the most influential reports in this area was released in 1973 by the U.S. Department of Health, Education and Welfare. Highlighted were the principles of fair information practices, which are often referred to. There are five of these. I want to read just the third one, which says. . . . Well, the first one, of course, is the basic one, "There must be no personal data record-keeping systems whose very existence is secret," because obviously nothing else follows. If you don't know that information is being held about you, then obviously you can't act or do anything to rectify some situation.

No. 3 is: "There must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent." This is one of the basic concerns -- that so much

[ Page 147 ]

information is grabbed on the Internet specifically for the purpose of carrying out some specific transaction, and that information is then made available, unknown to the consumer or the participant in some interaction, without his or her permission and becomes part of a potentially detailed profile of that individual's behaviour. The problem, of course, is that most companies are not at all interested in going back to the consumer and saying: "Well, you gave it to us for purpose X; we'd like to use it for purpose Y and Z. Is that okay?" That doesn't happen.

[1355]

Well, let me say a little bit about privacy issues related to health information. Let me start out with one of the fundamentals of medical practice. This is part of the Hippocratic oath from the fourth century B.C. "Whatever in connection with my professional practice or not in connection with it I may see or hear in the lives of men which ought not to be spoken abroad, I will not divulge, as reckoning that all such should be kept secret." Well, if only it were so.

Much of the material in this section is taken from a draft of a paper that I and Susan Prosser have written for FIPA. FIPA, the Freedom of Information and Privacy Association of B.C., anticipates that one of the major issues for debate over the next year will be health information. So I was commissioned by FIPA to write this report. I will make it available to the committee when the final draft appears. It is waiting for FIPA to clarify its recommendations. We wrote the report on the basis of trying to articulate a variety of concerns and various positions. FIPA needs to say what its recommendations are. When those recommendations have gone by its board, that paper will then be widely circulated, and this committee certainly will get a copy of it.

To further emphasize the challenges posed by attacks on the health record, consider these words from the former privacy commissioner of Canada: "Personal health information stored in electronic systems is becoming fair game for bureaucrats, researchers, as well as insurance and pharmaceutical companies, among others. Many such organizations are already surreptitiously collecting and using personal health information without even the courtesy of telling us that our lives are being categorized and our records dissected."

The medical record is a valuable resource and deserves the highest level of privacy protection, in spite of the many seemingly unreasonable demands for access. For its part, the Canadian Institute of Health Information -- CIHI -- the non-governmental body charged with developing standards and managing some aspects of health information infrastructure, emphasizes the need for person-oriented information in order to track individuals' medical histories over long periods of time and to integrate survey or household information with person-oriented data to provide outcome information, socioeconomic context and non-medical health determinants for health care encounters. Whilst CIHI states that privacy is a fundamental value, facilitating adequate privacy protection for personal health information is not among what it terms deliverables in its report.

There have been arguments that personal health information could be used for medical research, both public and private, administrative purposes to measure efficiency and to identify problems and opportunities for improvement and medical emergencies such as epidemics without obtaining explicit permission. There is a concept of implied consent that suggests that all of these purposes and more are implied by the initiation of a medical record. Therefore it's argued by some -- and I add, perhaps many -- that if identifying information is removed, the medical record can be used for all the purposes and more. Non-identifiable or aggregate health information, then, is the information from which personal identifiers have been removed. Generally, this information does not raise privacy concerns, because the individual cannot be identified.

However, if this information is de-aggregated, linked or data-matched, or where sample sizes are small, even information which is non-identifiable on its face may allow individuals to be identified. This discussion of removing things is putting the use of information in its best light. Large amounts of information can't be done this way, because it needs to be linked to a variety of other things, and it needs information to perhaps come back to individuals if it's used for purposes of studying epidemics or other concerns.

The Canadian Medical Association's health information privacy code should certainly be examined by this committee, if it hasn't already done so. It's probably the best model for privacy legislation in Canada. Amongst the criticisms of Bill C-6, when it was being debated in the House and Senate. . . . Criticisms came from both sides on medical records. The Ontario Health department was particularly strong in saying that the bill shouldn't apply to medical records. The Canadian Medical Association said that Bill C-6 was too weak and that it shouldn't apply because it didn't give adequate protection. They subsequently produced their document, the health information privacy code. In the draft of the report that I just mentioned, we spent considerable effort looking at that code, comparing it to other codes and arguing that it serves an important purpose. In fact, the privacy commissioner of Canada at the time recommended this code.

[1400]

I'm concerned that certain claims will be made for the exclusion of public sector health records from coverage because existing provincial law will be said to apply. It seems to me that all health information records should receive uniform coverage under a single law to provide adequate protection for all Canadians, independent of where they receive health treatment. A seamless system of protection is the ideal, whether the coverage falls under provincial or federal jurisdiction or private or public treatment. It is not and should not be the concern of the individual to determine under what conditions his or her medical records receive full protections under the law.

Let me just focus on one other area of health protection before I turn to a couple of other things. The advances in genetic research, especially those forthcoming from the multibillion-dollar human genome project and other projects, promise to affect all aspects of medical care in ways only dimly appreciated now. But what is clear is that genetic information is a valuable commodity. Whether it provides knowledge that certain diseases are more likely for certain individuals or that because someone has a disease, his or her close relatives may be more likely to acquire it, the implications of personal genetic information are profound.

In a paper written for the U.S. Department of Health and Human Services about three years ago, William Lowrance notes that genetic analyses and interventions have exceedingly sensitive attributes. They broadly relate to health, to

[ Page 148 ]

qualities of life, to sense of fairness in the lottery of birth and treatment of the disadvantaged. They relate to race, ethnicity and parentage. They relate to gender and maybe to sexuality. They relate to mental competencies and tendencies and to behavioral predispositions. They have relevance for descendants and, therefore, possibly to reproductive choices.

What is very important is the fact that they're continually being used to evaluate workers for positions. This is a particular concern in the U.S., because identification of a problematic genome, in a variety of ways, could mean that down the road that employee may put a severe drain on the medical costs that the insurer for that company is bearing. Fortunately, we have state health coverage in Canada, and that will continue, but the genetic concerns remain.

Let me finish up this section with some comments on informed consent, because these underlie lots of issues with respect to medical care and others. The basic argument permeating this submission is that the individual must give informed consent for the collection, use and disclosure of his or her medical records or for other personal information as well. Cost and difficulty in obtaining such permission are not sufficient reasons to ignore this principle. Only in very special cases, such as incapacity and life-threatening emergencies, can it be abrogated. While recognizing the importance of personal medical information to medical research, it cannot be assumed that such information is automatically available without permission. Other costs of research are factored into research budgets; so must be privacy concerns.

I talk about financial information as also being quite critical and important. I think I'll skip that section, because I want to get on to some Internet issues and some issues related to privacy in the workplace. But it's here.

Let me first reference my paper on privacy protection on the Internet -- perhaps better, the lack of such protection. This is the paper I said I'm leaving behind, called "Privacy Protection on the Internet: The Marketplace Versus the State." It was written a couple of years ago and is in fact posted on a U.S. web site where other such privacy papers appear. The U.S., as you know, has resisted very strongly the introduction of comprehensive legislation protecting privacy on the Internet and elsewhere and has adopted what some have called the "sectoral" or "segmental" approach. You protect privacy for the renting of videos, which is really important. But you ignore privacy protection in general for people doing business on the Internet. You protect, perhaps, children's privacy; you may protect financial records; you may protect. . . . And it goes on and on in all these specific areas.

[1405]

Since it was written, the situation has actually gotten worse. In that paper I argued that it was necessary for the state to play the major role in privacy protection, because the private sector clearly showed it cannot be trusted. In the past two years the European data protection directive took effect, in October 1998. However, at this time, interestingly enough, several major countries have not yet passed the required legislation in their parliaments. These include Denmark, Germany, France, Ireland and the Netherlands. So while they're governed by the commission, they haven't done it within their own parliaments.

Of course, Canada has passed Bill C-6, which will take effect in January. This act, as noted above, was motivated by concerns related to on-line shopping. As part of Industry Canada's policy to encourage electronic commerce, it's necessary to make the Internet safe, and the notion of safety has several components, among which the most crucial are protection of privacy and the regulation of possibly offensive content. Not surprisingly, the level of concern is higher for children than for adults for both of these cases.

Over the past two years the number of privacy violations that have received public attention has risen significantly. Almost every week one Internet company or another is accused of either ignoring individual privacy or implementing a policy that actively subverts privacy. When made public, the response is typically: "No harm was intended. How else did people expect to have low-cost or even free services available on the Web?"

Even with a legislative system of privacy protection that will soon be available in Canada, serious concerns remain. First, doing business with U.S. web sites offers no protection, other than voluntary policies posted on these sites. Doing business on Canadian sites will offer protection, but the onus is on the individual to be aware enough to notice any problematic situations and then to contact the federal privacy commissioner's office to register a complaint. Clearly consumers must be educated, and this responsibility rests with the commissioner's office in the first stages.

Provinces that enact their own legislation for privacy protection in the private sector will have to bear the important and necessary burden of education, investigation and, if necessary, publicizing the outcomes of those cases in which privacy is violated. Presumably the threat of negative publicity is the strongest deterrent to an indifferent approach to privacy protection. However, in the U.S., exposures have rarely resulted in admissions of guilt, as mentioned above.

The spate of privacy cases indicates that without adequate privacy legislation in place, the on-line industry will argue that their intentions have always been honourable, promise to behave in the future, argue that any mistakes were inadvertent, defend the marketplace as the best way to protect personal privacy and announce their membership in yet another organization dedicated to establishing trustworthy logos for privacy. If all else fails, they and their allies will denounce a legislative approach as another intrusion of Big Brother into the public domain.

Much effort has been directed at the posting of privacy policies on web sites and the evaluation of those policies by public and private bodies. Almost all commercial web sites now post such policies -- not the case just a couple of years ago. Very often the links to these policies were not easily discovered; and when they were, the policies left much to be desired in terms of what, if any, protection was available to consumers.

In the U.S. the current concern is with the quality of these policies and the adequacy of their coverage. Recent hearings by the U.S. Senate Committee on Commerce, Science and Transportation under the chairmanship of Sen. John McCain revealed that many prominent sites have privacy policies that are nearly impossible to understand and whose guarantees therefore have little value. For example, Yahoo's policy -- Yahoo being one of the major portals on the Internet -- covers five screens and raises many questions about its efficacy. Cookies are discussed but not defined, and no information is provided about how to reject cookies, if so desired.

[ Page 149 ]

Crucial to the notion of consent is the accompanying qualification "informed." Almost all web sites implement the opt-in default option. That is, unless the consumer objects by sometimes employing procedures provided at the web site -- itself a rather forbidding task -- any information gathered during the period of time spent at the web site in question is stored by that web site and used, subject to its privacy policy. So for almost all visitors, any information they provide, whether intentionally or not, is left behind beyond their control.

[1410]

Informed consent, as an effective means for providing choice, seems to require an opt-out default. That is, unless permission is explicitly given every time, no information can be captured or subsequently used. Not surprisingly, the opt-out option is strongly opposed by almost all Internet entrepreneurs.

One of the examples of this is in the cookies. I understand that you've received some documents about what these things actually mean. It's no surprise that the term "cookies" was used to describe this particular activity, as a kind of innocuous term. Who could object to something called cookies, whatever it was doing?

The point is that the default on the browsers, if you go either to Internet Explorer or to Netscape, is that cookies as a phenomenon are transparent. You don't see them; you're not aware of them. You have to take steps to go to the "Preferences" table; you have to go inside of that. You have to look through a couple of windows, until you find that you have an option of ticking a box which says that you accept all cookies without examining them, which is the default position.

Or you can be asked if you're going to accept them, which is my default. I tick that box off, so I'm burdened when I go to web sites by the flashing on the screen of this box which says: "We want to download a bit of information on your computer, and it will be valuable for us -- and for you, of course -- to help you do business." And I say no. And it flashes on again and on again. Some of them flash on again so fast that you can't do anything but click no. Either you get fed up and click yes because you want to get out of the screen, or you have to be very dexterous and click no and then click back out of that window -- okay?

Since I study this phenomenon, I have to look at what the different things are, so I have to do all this fancy clicking. And it's that default. Why isn't it the default that before you use the browser, when you get onto a computer, it describes cookies for you, tells you what they're doing, gives you a choice? That's not the default. The default is: you get them, and if you haven't read about them or someone hasn't told you, they're moving through your computer.

Not only that, something in the rich terms. . . . There's a notion in computing called "distributed computing," which is having a whole bunch of systems together to do problem-solving. Well, here's distributed computing. Information about you, valuable to that company, is stored where? Not in their computer but on your computer. You helped them store the stuff. They don't have to buy more disk space. You store it, and then that stuff is accessible when they come to you.

Okay, how about just a quick break from me? I'll show you a couple of cartoons on privacy. These are just a few random cartoons on privacy. I don't know if that's readable: "Welcome to the information highway. Anything you say may be used against you." This was taken from one source and appears in a very valuable publication called the "Privacy Journal."

This one was sent to me by one of my students; it's the famous Dilbert. Can you see that? Well, you can go ahead and read it yourself, then.

Okay, this is one. . . . I believe there are a couple that have to do with the workplace, which I'm going to talk about next.

Okay, so these are a couple from Business Week, actually, over the last year or so. I'll mention some of the other statistics. We had 67 percent there; I think it's up to over 80 percent now -- U.S. statistics. I don't know what it is in Canada.

Another reason for using the States a lot is that whatever else they do, they publish everything they do. It's all available.

P. Calendino: Gee, you don't have government there at the table. I wonder how much that is.

[1415]

R. Rosenberg: No, the government doesn't say much about what it does to its employees.

To show that it goes beyond the workplace, back to the home -- I thought this was a very nice one. Can you see the camera up there, up on top? Yes, indeed. Just a couple more, and then we'll stop. I think that's all; we'll stop there. Now I can turn this off.

The next section of my submission has to do with children's privacy rights. Let me just raise it as a concern. I don't think the word "children" or "child" appears anywhere in the Privacy Act. I'm not sure whether it is a relevant concern or not, but for some reason -- well, for reasons I understand -- the U.S. has taken this seriously. There are real concerns about children's activities on the Internet.

For present purposes, the focus is on their privacy rights. The general assumption is that young children under 13 years of age should not be required to provide any personal information while on line. However, it is in the interest of web sites oriented towards children to uncover and use as much information about their visitors as possible, in order to improve their marketing strategies and ultimately their sales.

In recognition of the vulnerability of children, the U.S. passed the Child Online Privacy Protection Act. This is COPPA. You often hear something called COPA -- one less "P" -- which is yet another act, called the Child Online Protection Act, which has to do with means for avoiding pornography. So it passed this act and then required web sites to adhere to a set of rules issued by the Federal Trade Commission as of April 21 of this year. The basic requirement on web sites was to obtain parental permission before children under 13 could use the site. Some web sites reported that they would be forced to shut down because of the expenses involved in satisfying this requirement.

Privacy advocates in the U.S. were pleased with this provision but concerned that sites would be unable to deal with deceptive children, etc. The question for this committee is whether special provision for children should be included in B.C.'s response to PIPED.

Finally, monitoring and surveillance in the workplace. Here my presentation is based on another recent paper that

[ Page 150 ]

argues for better protection for workers' rights in the workplace. The single observation that applies both to Canada and the U.S. is that for the most part, workers have almost no rights -- when I say "workers," I mean white-collar and blue-collar workers in general -- with respect to protecting their personal privacy. I'm including here the introductory section of the paper, which I want to skip to get on to more things.

Let me refer to one rather famous case to indicate the weakness of employees with respect to their privacy. This is a case called Smyth v. Pillsbury. You know Pillsbury, that warm, fuzzy company that has this dough symbol -- very friendly and everything. This recent case seems to enforce the present situation -- that employees have very few rights with respect to workplace privacy, notwithstanding assurances by management not to monitor e-mail except in a few well-defined circumstances. Michael Smyth sued the Pillsbury Co. for being wrongfully discharged based on information obtained from Mr. Smyth's supposedly protected e-mail, in spite of the fact that the company "repeatedly assured its employees, including plaintiff, that all e-mail communications would remain confidential and privileged. . . . Defendant further assured its employees, including plaintiff, that e-mail communications could not be intercepted and used by defendant against its employees as grounds for termination or reprimand."

[1420]

The judge found for Pillsbury, and his reasons are revealing, particularly in the context of the accepted wisdom that well-defined and publicized e-mail policies are an absolute necessity for management to create an equitable and predictable environment. Consider the final paragraph of his decision:

"In the second instance, even if we found that an employee had a reasonable expectation of privacy in the contents of his e-mail communications over the company e-mail system, we do not find that a reasonable person would consider the defendant's interception of these communications to be a substantial and highly offensive invasion of his privacy. Again, we note that by intercepting such communications, the company is not, as in the case of urinalysis or personal property searches, requiring the employee to disclose any personal information about himself or invading the employee's person or personal effects. Moreover, the company's interest in preventing inappropriate and unprofessional comments or even illegal activity over its e-mail system outweighs any privacy interest the employee may have in these comments."

One of the arguments in the workplace is that companies should formulate policies and publicize them. In a recent survey by the American Management Association, which I comment on in this paper, it says that currently something like. . . Now I think it's up to 67 percent of firms, maybe 84 percent of firms, that have introduced software to monitor, to intercept e-mail and so on, and about 88 percent inform their employees that these policies exist.

The question is: what force do these policies have if at least one of the current decisions sets a precedent that a company can violate its own privacy policy and claim that it was reasonable to do because of the needs to protect the company from libel, from defamation suits, due to activities of its employees.

Interestingly enough, just a couple of months ago in the Senate and House in the U.S. a bill was introduced called the Notice of Electronic Monitoring Act. They've been very reluctant in Congress in the States to introduce anything affecting the workplace. This is an act to provide for the disclosure of employee communications and computer usage in the workplace. Simply, the act says that any employer who intentionally or by electronic means reads, listens to or otherwise monitors all this stuff -- wire communication, etc. -- of any employee of the employer, or otherwise monitors computer usage without first having provided the employee notice meeting the requirements of the subsection shall be liable to the employee for relief.

So it would be a requirement if this passed. It's currently being discussed in the House and Senate. It would be a requirement of employers that any policy with respect to the examination of e-mail, etc. -- the employees must be informed of this. Okay.

Such concerns have also been of Australia. And again recently, just earlier this year, the Australian privacy commissioner produced a document referring to privacy law in Australia, and he says that use of the Internet by governments and organizations has raised concerns about the privacy of staff e-mail and web-browsing activities. It goes on to argue that there are procedures that are available to be used for governing these kinds of activities.

My final comment in this is then to say that the issue of privacy in the workplace, I say, must be -- at least should be -- addressed by any privacy legislation for the private sector or, for that matter, for the public sector as well. I hope that this committee will assume that responsibility.

Finally, in my conclusions, let me list them as a series of recommendations or advisements, if you like.

Privacy protection must be based on privacy as a basic civil right, and I mention in this regard Sen. Sheila Finestone's charter of privacy rights as a good first step. The importance of the medical record must be recognized, and personal health information must receive comprehensive protection. Basing this protection on the CMA health information privacy code would be an excellent step to take, as advised by the former privacy commissioner of Canada, Bruce Phillips.

Further studies must be undertaken with respect to separate legislation for health information. There seem to be good arguments on both sides so I don't have a recommendation specifically on this, whether there should be a separate law for it or not.

The special status of financial information must also be recognized, and it must be adequately covered in privacy legislation.

The Internet raises a host of privacy issues. And any legislation must be carefully evaluated on a regular basis to determine its adequacy. Important current issues are cookies; Web bugs; clear, informative privacy policies; and preferred opt-out default, argued for in this paper. However, as with any explosive technology, privacy concerns can be expected to emerge rapidly and unpredictably.

[1425]

Sufficient funding for the privacy commissioner's office to allow it to carry out its responsibilities adequately with respect to education, investigation and reporting is an absolute necessity.

G. Clark: Where did that come from? David, did you write that?

[ Page 151 ]

R. Rosenberg: No, he didn't write it. This was first addressed to the federal privacy commissioner, but it certainly applies -- would apply and does apply -- to provincial privacy commissioners. The new burdens on the federal office are enormous under this new act, and my concern was that it would be silly to have so many responsibilities but not increase the budget in significant ways to carry them out.

Investigation into the privacy needs of children and determination of the adequacy of any proposed legislation is an important consideration. Providing adequate protection for workers' privacy, including the requirement to inform all workers of existing policies with respect to workplace surveillance and monitoring, must be included in any forthcoming legislation. All organizations, both public and private, must be bound by these policies. All privacy legislation must include provisions for regular reporting of problems, updates on performance and adequacy of coverage. Thank you.

R. Kasper (Chair): Thank you very much. Are there any members. . . ?

G. Clark: I have two completely unrelated thoughts that maybe you could comment on for us.

The first, I guess, is the question of the debate between Industry Canada and justice, or the debate between economics and protection of privacy. What are your thoughts on a small open jurisdiction, an economy like British Columbia, bringing in legislation which is different from -- i.e., stronger than -- all the competing jurisdictions in North America? For me, that's a bit of a dilemma. Even if you accept, as I tend to, the concerns you raised with respect to privacy, is it actually practical or possible? What are the consequences of trying to impose a regulatory regime on businesses in British Columbia, even if you accept -- as at least I would -- that constitutionally it's a provincial jurisdiction? I think it's a very difficult task to deal with.

The second -- as I said, it's completely unrelated -- is this question of informed consent. A lot of the debate and some of your recommendations are around this question of informed consent. In other words, this is the key to protection of privacy: to give people the opportunity. Instead of having the negative billing like Rogers had or, as we have in the case of web browsers, that the default mechanism is always, in the case of cookies, invisibility. . . . But in the case of other things, the default mechanism tends to be less protection of privacy. You reverse that onus and put it on the supplier, as opposed to the customer, to declare. So that seems to be certainly a powerful argument.

The problem I have is with how much of the consent is freely given. For example, I go to Safeway and use my Safeway card to get 10 percent off my groceries, which is actually quite a lucrative reduction in price. I assume -- I know -- they must be collecting information with respect to my habits, and I may even have signed something in order to get that advantage. If I go to Overwaitea Food, I need a different card. But nevertheless I would have another card, presumably. It's not really freely given consent to collect this information if in fact to not give that information penalizes me quite substantially over a long period of time.

It seems to me that we're in that situation quite commonly in the Internet world or in other worlds, where you don't have to give the information, they say, or you can declare it. But if you don't do it, then you don't get certain services, or you don't get put in this draw, or you don't get access to this, etc.

So it seems to me that if the push is to move towards informed consent, it may actually be only part of the solution to the problem. It may rather be more important to have a regulatory regime that puts the onus on the people doing the businesses, the proprietary interests governing them, rather than the consumers themselves. Most of our consumer legislation is predicated upon the notion of consumer sovereignty and consumer choice and open information and freely given, informed consent. It might be that in this electronic world, that is not sufficient. We may have to go, in fact, and try to put the regulatory regime. . .and not the options onto the consumer but on the actual purveyors of business on the Internet. Anyway, those are two completely different thoughts.

R. Rosenberg: On the first issue, of course, Quebec has been a jurisdiction that for several years has had privacy legislation which applies to the private sector. I don't think it has suffered economically because of that. We could debate it. But at least it's been there, and there is a model that they haven't been totally devastated by it. So it's possible to have a smaller jurisdiction and have stronger laws and not to suffer economically.

[1430]

G. Clark: Of course the laws only apply to. . . .

R. Rosenberg: Businesses in. . . .

G. Clark: You're bringing an extra regulatory burden, arguably, on the businesses that exist in British Columbia, not. . . .

R. Rosenberg: Sure.

G. Clark: When I'm on the Internet, I have no idea where the web site is located -- right?

R. Rosenberg: Yeah, that's right. In general you don't know. In fact, it's clear that many people who do their business on American web sites -- as I mention in here; I don't think I said it -- will have no protection other than that which is available to all Americans. It turns out that the Americans have negotiated a separate agreement. Because of the European data protection directive, as you are aware, the Americans negotiated something called safe harbour, which is a way of giving protection to or allowing American business to do business with European companies by protecting the privacy of their customers in a manner adequate, as the legislation in Europe says. This has been criticized by many American legislators, who are saying that people who do business with companies under safe harbour will get better protection than ordinary Americans doing business in their own country, which is sort of a strange kind of phenomenon.

Let me turn to the second. . . .

G. Clark: Explain to me how that works, then. I'm in France covered by the legislation there, and I'm buying from Amazon.com in Tacoma, Washington. Am I going to get that protection?

[ Page 152 ]

R. Rosenberg: Part of that business may involve personal information about you being collected.

G. Clark: It says: "Hi, Glen Clark, I have your preferences."

R. Rosenberg: Sure. Now if Amazon.com wants to do this kind of business, it has to adhere to these safe harbour principles which supposedly have been negotiated between the U.S. and the European Commission.

G. Clark: Oh, okay.

R. Rosenberg: So any company that wants to do business will have to adhere. Now the question will be. . . . Clearly one might believe that Microsoft and IBM and Amazon.com will adhere to them, and one can take their word for it, more or less. What about a myriad of very small companies that don't have that stature and don't have that track record? It's not clear to me how they will prove that they can be trusted with respect to this. I don't know. Do you know how they'll show it?

D. Loukidelis: No. I mean, the approach that's been taken under safe harbour is that what will happen is that the privacy policies or promises of a Web-based business will be in effect a representation to the consumer. The way it will work is if those policies are not adhered to that are honoured in the brief, you then have a complaint to the FTC, or a lawsuit can be taken. That raises issues, I think, of regulatory efficacy.

G. Clark: You're back to reverse onus again. You have to go and sue.

R. Rosenberg: With the informed consent issues. . . . You're quite right about the burden and the fact that it's an unequal playing field in that sense. I take your example of the Safeway card. In fact, a couple of things have happened. Safeway, prior to its card, used to have discount coupons, which was the same thing. Then they figured that without the coupons but with the card, they can track a lot of shopping. What this has led to, both in the Safeway model and others, is an extreme form of lying. People are lying left and right about information: about their name, their phone number, where they are. I'm not sure what all that means in the long run. If you base statistics. . . . Maybe you can discount a certain percentage of lying when you're computing statistics. But there's an enormous amount of lying. I don't know anybody with a Safeway card who's given their proper phone number on this card.

G. Clark: Oops.

R. Rosenberg: There must be some; I just say that I don't know of any.

I must admit personally that I've made one compromise in my rigid position on this, which has been with the New York Times. I've registered with the New York Times. To get the New York Times on line, you have to register. You don't have to pay them anything, but you have to register. They're monitoring all my access. I'm on the New York Times every day, several times a day, looking at stuff -- stories and so on. They know what I'm doing in the New York Times. I've done it because I don't want to buy the Times every day, and it's much more convenient to do it on line. I've only done this with the Times.

G. Clark: I do it with the two crappy papers here, because I don't want to buy them.

R. Rosenberg: But they don't force you to register, do they?

G. Clark: No, they don't -- not yet.

R. Rosenberg: And you can reject their cookies; you can sort of work those okay. The Times won't work unless you register.

There is a problem. What people have argued even beyond that notion is: how do you know the people are sufficiently well informed to give informed consent? Give informed consent -- that's in the medical area. I mean, if you want to get informed consent from someone, you have to educate them about what informed consent means. Who has that educating responsibility?

Typically, if you sign a waiver at a hospital or something, you are presumably given a lecture about what's going on, what your responsibilities are and what it means when you sign this thing. On line there are no such lectures. There are lots of windows which say all kinds of things, but it's not clear whether or not there's sufficient information to make an informed decision.

[1435]

G. Clark: Isn't true that the. . . ? You registered with the New York Times. They're collecting a lot of information. As yet, it's really only a few years old. They haven't really made use of that information. You're just starting to see that. Presumably, Safeway knows exactly what I eat. Presumably, they could advertise to me very specifically in a very appealing way. Presumably they could sell that information.

R. Rosenberg: And do.

G. Clark: The New York Times knows that you only look at the business section or something, so they could draw a profile from you. Presumably, as Amazon.com gives me my recommendations. . . . But over a longer period of time they're starting to collect elaborate psychological profiles of individuals and eating patterns, etc., which become increasingly valuable, particularly as computing power advances and the ability to interchange this information becomes. . . .

R. Rosenberg: Absolutely. You've heard about the term "data mining" -- taking vast amounts of information, extracting nuggets from it. In my other life I did work in artificial intelligence, which is where a lot of data mining tactics come from. And yes, there are enormous amounts of information out there, and prior to large-scale available cheap computing power, the stuff was out there, but it was not clear what it was good for. Everybody sort of knew there must be a lot of good stuff in there if one could access it. Now you can access it, and more and more will be accessed.

A lot of people, in fact, find this not so threatening, because instead of being bombarded with general stuff, you'll

[ Page 153 ]

be bombarded with stuff tailored to information based on your shopping patterns. I'm not so comfortable about that, because if they know my details about my shopping patterns, they know a lot more detail about everything I do. Therefore there will be fine-grained profiles of individuals readily available. All this stuff is sold beyond the company that gathers it.

In fact, one example in the past was that the first airline reservation system was called Sabre by American Airlines. It turned out that during a few years when the airlines were having some economic difficulty, the database of customer information was more valuable than the money gathered by flying people. So you could argue that American Airlines was flying people to gather information that they could market, because that gave them more money than flying people.

R. Kasper (Chair): Okay. George and then Katherine. We also have to allow an opportunity for David Loukidelis to comment. We are running roughly 25 minutes behind schedule.

G. Abbott: First of all, thank you, Professor Rosenberg, for a very interesting presentation. My question is, I think, largely a follow-up on Glen's first question. In the first part of your presentation, one of the themes that you put forward was marketplace solutions versus legislated solutions. As I understand the situation confronting this committee, one way or another we are going to have a legislative solution here in British Columbia. Again, barring some kind of constitutional challenge. . .

G. Clark: Solution may be too strong a word.

G. Abbott: . . .either we are going to have the application of Bill C-6 to the province, or we as a committee may choose to put forward a provincial alternative to it. It seemed to me that at a number of points in your presentation, you were suggesting around health information protection, for example, that a solution to those issues would really have to be pan-Canadian, because very quickly those health information issues go beyond the provincial boundaries. Therefore any meaningful solution to health protection issues would need to be pan-Canadian rather than provincial. At least, that's what I sensed, and I may have been wrong in that.

Perhaps the same arguments apply to workplace protection and to some of the other elements. So I guess, to make a complicated question short, the committee's going to have to make some decisions around whether the appropriate route for the province of British Columbia is to go to the default position and simply let C-6 come into application for the province, or to put forward our own provincial legislation, which may be some variation or some radical variation on C-6. Do you have any suggestions or recommendations around that very fundamental question that the committee is going to have to address?

[1440]

R. Rosenberg: That's obviously a difficult one. With respect to health information, there's a year coming up now. The year 2001 will be the year in which health information will be discussed, because the federal law doesn't apply to health even in the federal jurisdiction for the coming year. But after that one year to allow debate and discussion on the issue, it will apply. So B.C., as all provinces, will have three years to decide whether they're doing so. So for the health area, there's a chance to see what comes out of the federal debate and whether or not it just allows Bill C-6 to apply to health records and whether that's satisfactory. I'm not sure what's going to happen. That part of it, I think, will be. . . . We'll have a year, at least, to see.

For other aspects I've talked about, clearly it seems to me that for B.C. to entertain the possibility of some application of the law into areas that C-6 didn't go into seems not an unreasonable thing to do. The questions raised about whether or not this would isolate B.C. or hurt the economy or have problems. . . . It's something that has to be looked at very carefully and clearly. It wouldn't do to have an ideal law which resulted in business locating in Alberta because they didn't have that responsibility.

Nevertheless, I think there is time to explore these things. I think the committee started well in advance of the issue, not knowing what Bill C-6 would turn out to look like -- well, sort of knowing it; Bill C-54 was pretty close. So I would say that I'd have to be sort of wishy-washy here. I can't make a solid recommendation. I don't know what other provinces are going to do. I don't know how health's going to turn out. But it's certainly important to look at all of these things very, very carefully, and the economic impact is obviously a crucial one. One doesn't need to take a hit because other people can locate elsewhere.

It would be nice if there were some agreement amongst provinces, if they were not going to accept Bill C-6, to enact legislation which looks similar across provinces, I think. That would require coordination of different provincial approaches.

K. Whittred: I would like to thank you for a very, very interesting and enlightening presentation.

My question is related to something that you said very early in your presentation, and that was basically the idea that so far the concept that is driving the bus on this discussion has to do with industry rather than with justice. I just wondered if you could comment on that as it relates particularly to surveillance and monitoring in the workplace That seems to me to be an area in all our discussions that is really neglected. You know, Bill C-6, for example, largely addresses e-commerce. It doesn't really address the issue of the parent who has a camera that spies on their nanny. I would like to hear where you think that sort of issue can be dealt with by our government or this government or any other government, for that matter.

R. Rosenberg: Yes, I've been particularly concerned about the workplace, because it has been ignored in lots of areas. This whole question of surveillance and monitoring. . . . I think one of the words I used earlier in this list of concerns was Big Brotherware, a class of software available to employers to install in their machines which minutely tracks the activities of their employees: e-mail, web sites visited and so on.

In the earlier days, before the Web, before the Internet, there was software which monitored keystrokes. There still is -- that is, actual keystrokes, so that you could have a visit by your employer, who would say: "I want to talk to you about the fact that your average keystroke level falls below certain levels of the averages in the whole office and so on." It always

[ Page 154 ]

seemed to me, when studying this, that I couldn't accept the notion that the active monitoring on a regular basis could improve productivity and could improve a lower level of stress in an office, which would be beneficial to the organization.

The long-term monitoring and regulating of the workplace has been in effect for a very long time, prior to computers. It's been seen in most countries in North America, but not in western Europe, as a prerogative of the employer. That is, there are going to be two places where individuals lose control over their own rights, and one is as youngsters in school. The second is in the workplace. You cross the threshold to the workplace, and you have very few rights which you have once you go out the front door.

[1445]

So it doesn't seem to me a necessity. There's no absolute reason why the workplace can be this haven where the employer rules in absolute fashion. In some cases it's negotiated. There are some places where you negotiate. There are some places where it's argued that it's absolutely necessary. I can certainly see that if you have on-line reservation systems or telephone operators and so on who communicate with customers, it seems not unreasonable that the employer would want to make sure that this kind of interaction is done in a friendly and helpful way.

There was a recent strike in the States of employees in this new company called Verazon, which is a company formed from Bell Atlantic and some other company. Almost as soon as that was formed, there was a strike by employees, and everybody said: "This is raising new issues in the high-tech environment. It's like a high-tech environment. Why are they going on strike?" Well, one of the reasons motivating the strike was the fact that they were monitored in the workplace, and the second was that they were forced to use scripts -- that is, these things you use when you finish up an interaction. You're supposed to say something. Every operator would say exactly the same thing. One of the arguments they had was: "Why do we have to say, when we've finished some interaction, 'I hope you appreciate the outstanding service we have given you'?"

Well, that judgment of outstanding should be the customer's, not the person doing the selling. More and more in the high-tech environment there were concerns about stress levels because of the ease of monitoring.

What's the bottom line in all this? It seems to me that the very least of the kind of proposal in the States, which may or may not become law. . . . I don't think so. There has to be a clear enunciation of the principles under which people are working in companies -- about what the employer will do. In some cases there's warnings of monitoring; in some cases there's random occurrences as there is in telephone monitoring. But at the very least, there's got to be standard policies in the workplace that workers are made aware of, and those policies have to be followed. In the Smyth v. Pillsbury case I gave you, they were there but not followed.

It seems to me an important, necessary role of legislation to have uniform policies in the workplace that are followed. That makes sense. And questions about why e-mail is different than telephone conversations and sealed envelopes should be made clear. If I get a letter in the workplace, I don't expect my employer to steam it open and read it. Why is it okay to read e-mail? I'm sending off e-mail; I'm receiving e-mail. I mean, if it's okay to read it, let's make it clear why it's not okay to steam open envelopes.

I have to say that these issues are. . . . Let me just finish off this rather long answer with. . . . On Monday, in my own university, we're holding a public forum to discuss a policy that's been proposed for the whole university community: responsible use of information technology. I was chair of a university-wide committee that was updating our current policy to propose a policy which would apply in areas like privacy, free speech issues, content regulations and all kinds of things. This will be adopted by the board of governors if it's not objected to seriously by other parts of the university.

So I will be going and making the same kind of arguments I'm making now to an open forum, and I know I'm going to be asked about this question of: does the employer have the right -- the employer in this case for staff and faculty -- to read my e-mail? I can't imagine any of my colleagues working in a university where the university could read our e-mail -- could have the prerogative to decide in an arbitrary fashion to read e-mail.

It turns out that that's for the faculty. The staff always seems to be subject to that. You have the same employer and two different categories of employees: faculty and staff. Faculty would not put up with it; staff is used to being monitored and surveilled. And that policy may continue because there are no other laws or policies that apply. An employer is, by definition. . . . If they can monitor and watch, they will do it. The argument is that it will improve productivity, and it will protect them from legal responsibility if some employee sends out harassing mail or pornographic stuff to other people or steals company secrets -- or on and on.

These are legitimate concerns, and they could certainly be covered in the standard way investigations are carried out when there's concerns about theft or other problems in the workplace.

R. Kasper (Chair): Okay, thank you.

Now we have an opportunity for David Loukidelis, the information and privacy commissioner, to make -- I don't mean to tie your hands -- a brief commentary.

D. Loukidelis: I'd be happy to make it as brief as I can, Mr. Chair. What I've decided to do is basically more or less at random pick a couple of points of emphasis, if you will, in terms of commenting on Professor Rosenberg's presentation.

[1450]

In relation to the whole issue of workplace surveillance I'll just note, almost as an aside, that the University of British Columbia, as a public body that is subject to the Freedom of Information and Protection of Privacy Act, is obviously responsible for ensuring that whatever e-mail and other workplace monitoring and surveillance policies or practices it has in place comply with that legislation when it comes to collecting what can be called personal information of its employees. That's something that perhaps will come up at the forum on Monday; I don't know.

The whole issue of workplace surveillance generally. . . . I would concur with what Professor Rosenberg said insofar as there seems to be this notion that when you cross the threshold, if you will, of the place of employment, normal rules

[ Page 155 ]

cease to apply in the sense that because of the contractual relationship between employer and employee, the employer more or less has free rein to do whatever it wishes in terms of monitoring of employees' behaviour.

And yet we don't take issue with the fact that human rights legislation in British Columbia, the Human Rights Code, applies in the workplace and provides employees with certain guarantees. So if we accept that privacy is more than merely an economic right and, as I'll comment on in a minute, a fundamental human right, it seems to me that the analysis of appropriate workplace practices has to include the possibility -- and indeed, someone has suggested, desirability -- that restrictions on an employer's right to undertake monitoring of employees are appropriate because it's something that we already regulate. That is, we regulate how employers behave towards their employees when it comes to issues like discrimination on the basis of sex, sexual orientation, race and so on.

The next point I'd like to make, again by way of emphasis, is that I agree with Professor Rosenberg that it has to be borne very clearly in mind that security of information cannot be equated with the confidentiality or privacy of information. The right to privacy is much broader than that.

The metaphor that I use bears some similarities to the one Professor Rosenberg mentioned, which is that privacy is about what's in the filing cabinet; security is about the nature of the lock on it. Privacy is also about who has the keys to open that lock and when they can do that and not only what they put in the cabinet but what they take out of it and what they can do with it. That's privacy. Security is, again, one aspect of privacy protection and no more than that.

I think that sometimes the debate over Internet privacy is really a debate about Internet security. Specifically when it comes to the security of financial details, people are concerned, for example, about the security of their Visa number or another credit card number that they might use on the Internet. Very often the debate, certainly in the United States, seems to focus on those issues of security as if they were about privacy and as if there were no other content. Obviously, as Professor Rosenberg has very ably demonstrated, we're talking about fair information practices and a much broader set of rights and interests when we talk about privacy, including on the Internet.

The next point, by way of emphasis, is an obvious one, which is: obviously today's comments by Professor Rosenberg focus on the Internet and aspects of privacy protection associated with it, including in e-commerce, but the Internet is not the whole issue. When we're talking about private sector privacy -- and Mr. Clark's question touched on this -- we're equally talking about privacy protection in a traditional context. For example, a small local hardware store may have a customer list that it maintains in a paper form. The use of that information by that business as it goes about its operations is equally, obviously, a privacy issue. That's something that, I would suggest, has to be borne in mind when it comes to approaching various regulatory regimes, if any, that might be adopted at the provincial level.

I'd also agree with what Mr. Clark said and Professor Rosenberg's response, which is that one of the things that has to be borne in mind is the question of uniform regulation across Canada and what happens if a provincial statute were to be adopted here that arguably serves as a barrier to private business. My response to that is -- the thought came to my mind too -- that Quebec has gotten by very well, as I understand it, and I'm not aware of any major problems with it. The other comment would be that Bill C-6, I think, was a carrot-and-stick approach on the part of the federal government. What they're obviously trying to do is use the stick to encourage other jurisdictions to come forward with a comparable CSA-based approach such as that found in Bill C-6.

[1455]

The next comment has to do with medical information. There was some reference to the Canadian Institute for Health Information and how it is one of the prime movers in the development of an electronic health information highway in Canada. This organization is a non-profit corporation that was incorporated and has a mandate to develop, amongst other things, medical databases and also a common health information network for Canada. It is formed of all of the provinces and the federal government. The deputy ministers from the various health ministries across the country sit on the board of CIHI.

This organization is not subject to any privacy legislation whatsoever. It is not governed by the federal legislation; it's not governed by any provincial law either. It has adopted a privacy policy that's been approved by its members -- i.e., the provinces and the federal government -- but it is currently not regulated. It is going about making some very important policy decisions, not necessarily with the level of public input that some would like, and one would hope that that will come about as we move forward in the next year with the C-6 debate that Professor Rosenberg alluded to in the health sector. But it is something that, I think, has to be watched very carefully.

The second point on health information is that in British Columbia we have the broadest coverage of the existing public sector legislation. We cover hospitals and other health care organizations, and that's not the case in other provinces. My understanding is certainly that the Ministry of Health supports the single approach, using one piece of legislation as opposed to having special personal health information regulatory legislation. It is true that the B.C. legislation doesn't reach out to the private sector physicians and other health care givers, and that's something that would have to be looked at if there were any move to legislate in the area of private sector privacy practices.

Certainly there is support for the notion that a single approach is preferable. Certainly when the other approach has been taken in other provinces -- to have special private sector health information legislation -- there has been a concern expressed by some groups, including the Canadian Medical Association, that what ends up happening is that the bar actually gets set lower. If you don't accept that personal health information is of a different kind than other personal information -- it's merely more sensitive or can be very sensitive -- some would argue that it's kind of perverse that you have separate legislation to deal with that very sensitive information that actually sets broader parameters for its use and disclosure without informed consent by the specific individual about whom the information has been collected.

And then the last aspect, I guess, would be that. . . . Human rights legislation is something that I have referred to. But certainly it should be borne in mind, I think, as well -- and Professor Rosenberg touched on this -- that both under the Canadian constitution and by virtue of a whole host of

[ Page 156 ]

international treaties and instruments, privacy is not just an economic right. We are indeed talking about a fundamental human right.

I won't belabour the points that he made, other than to underscore the fact that the Charter of Rights very clearly -- and the courts have started to flesh this out now -- comprises privacy protection. That is something that arguably will have to inform the deliberations and recommendations, I might suggest, of this committee and whatever legislation is enacted, if any, by the Legislature to deal with the private sector. That regulatory regime will almost certainly be subject to Charter scrutiny at some point or another.

R. Kasper (Chair): Okay. Thank you very much.

That ends the first session. Again, on behalf of the committee, Dr. Rosenberg, I'd like to thank you for your presentation. You are free to sit in and hear our next witness.

Our next witness will speak on health information systems. We have with us Dr. Jochen Moehr, who is a professor at the school of health information science at the University of Victoria. Welcome, Dr. Moehr. I understand that you're going to give us both an oral presentation and a presentation by way of a screen, and I don't know if we have to make adjustments to the lights. I think they're being adjusted.

So I'll now turn it over to you. Noting the hour -- it's 3 o'clock -- we are running a little bit behind schedule, by some 45 minutes, as we were earlier. So without further ado, welcome to the committee.

[1500]

J. Moehr: Thank you very much, Mr. Chair, for inviting me. I'm a little afraid that the "without further ado" is stumbling across the usual stumbling blocks, which is that something in the hookup of this machinery doesn't work. I may have to reboot my computer.

R. Kasper (Chair): Well, how about we just have a brief recess? And then you could reboot your computer.

The committee recessed from 3:01 p.m. to 3:06 p.m.

[R. Kasper in the chair.]

R. Kasper (Chair): Now I'll turn it over to you, Dr. Moehr, and you can feel free to get started.

J. Moehr: Thank you very much. Of course I'm very pleased that I'm allowed to give you some input to this very important legislative process. What I want to do is essentially give you some information based on a very recent conference which we had here in Victoria, which was called Security of the Distributed Electronic Patient Record. It just took place in June.

The purpose of my presentation is, first, to convince you that these issues are real. We are in an age of the distributed electronic patient record. It is not something futuristic, and I think the discussion a few moments ago showed that already. Yesterday it was on the news that Health Canada has engaged in a process of networking all health care institutions, and they are currently thinking in terms of five to ten years to accomplish this. I think that's one of the most recent points to this effect.

The other thing is that I would like to give you an overview of the results of this conference, which combined something like 50 people here in Victoria. First, with regard to the reality of these threats, I think I can briefly add a few of the examples which were already cited. I want to make reference in particular to work that is carried out by my colleague Dr. Jim Anderson at Purdue University, who has engaged in an approach -- something like one and a half years ago -- to collect cases of privacy and security infringements. He told me at the conference that he was beyond 80 cases now and that he is probably quickly approaching 100 cases.

Here are some statistics of mainly American origin: 24 percent of health care providers report violations of patients' privacy; 18 percent of the public felt that it was inappropriate to use patient data without consent; 75 percent of the public felt that it was inappropriate to use prescription data to detect fraud; and 11 percent of the public -- I think this is the most serious figure -- reported not filing insurance claims to protect their privacy. This goes right to the heart of the problem -- that in the absence of trust in the records and the procedures surrounding them, the records will become meaningless if patients withhold information and falsify information, as was already stated a moment ago.

[1510]

Dr. Anderson emphasized not only that threats do come from hackers or criminals but that the majority of the threats are introduced by authorized professionals, for various reasons. There are errors. He gave examples of professionals dealing with patient records. In one case of a sex therapist in Iowa, these materials ended up being accessible to everybody through the Web. These kind of errors are a matter. Curiosity plays a role; financial reasons and personal reasons play a role.

I want to let Dr. Anderson speak for himself and give you an example of his testimony. This is a cut from his presentation at the conference.

"The London Times a few years back published an article that indicated that for £150 anybody could gain access to anybody's medical records through the National Health Service computer base by simply paying for it -- and for personal reasons sometimes or just for mischief or spite.

"One case was a 13-year-old girl whose mother worked in the emergency room in a hospital in Florida. She used her mother's ID and password to access patients' files or printed out the names and phone numbers of patients and called them up and told them they had HIV. In one instance a young girl who was told she had HIV tried to commit suicide as a result of this. So sometimes it's through pranks and mischief such as that. . . ."

There are obviously a lot of problems around, and the more inquiries, the more one finds. This conference that we had organized tried to address what could be done about it.

I want to give you a little bit of the background on the conference, in order to be able judge the credibility, and then go into some detail regarding the recommendations that were derived. These recommendations concern policy, educational, technical and organizational issues.

The conference is organized by the International Medical Informatics Association, which is a federation primarily of national organizations for health informatics -- for medical informatics, as it is called traditionally. All the nations have

[ Page 157 ]

typically one learned society which is the national representative. In Canada it is an organization called COACH. In addition to institutional members like academics -- the school of health information science is an academic member -- industrial companies are also members.

The main activity of this group is to put on a triannual conference, which is called MedInfo. The next one will be in London in 2001. In 1995 we had one here in Vancouver. Also, the group has working groups who are devoted to specific aspects. The number varies a little bit. Currently there are probably more than 12. These working groups organize conferences and special events at the large world congress. One of them is working group 4, which was the organizer of our conference. This working group 4 is devoted to security issues and health information systems. Originally, when it was started some 20 years ago, it was called data protection, I think.

As you can see here, there are working conferences held loosely every two to three years. The last ones were in the Netherlands, Finland and Japan, and the last one here in Victoria in June. Typically these conferences combine something like 50 to 70 participants and are based on invited papers from selected experts from around the world. These papers are supplied to all participants before the conference so that the conference can then concentrate on a synthesis deriving conclusions from these papers. The papers themselves are only very briefly -- within something like ten minutes, often -- presented, with an emphasis on whatever the author feels is important in the context.

[1515]

So there are discussion groups, and the results have been published, and the typical duration is something like three days.

This is the group which was assembled in Victoria at the Oak Bay Beach Hotel. I show this picture, for one, because I find it kind of pretty after the event is over, but more because all these individuals deserve credit for the points I'm going to make. They all contributed through many, many intense working sessions to what I'm going to present to you.

The structure was that for each of the dimensions of policy, training, education, technical and organizational, there were three parallel discussion groups. After a plenary presentation, which included the presentations of the presenters and then a feedback, finally the recommendations were digested into four groups, which I'm going to summarize here for you.

The results were reported, and Canada immediately -- the next day after the conference closed -- had a fairly large health informatics conference in Vancouver called INFOcus. They have been reported on a number of other occasions. Most importantly, they have been submitted to the IMIA general assembly, which is the world governing body of this international association. They have decided to sponsor the development of policies and ethical guidelines under the umbrella of this working group in the future. So the work is continuing. The proceedings will be available shortly. I'll be happy to supply you with the proceedings if that is of use to you -- probably within the next two weeks, I should think, in the International Journal of Medical Informatics.

Now, what are the recommendations in detail? Regarding the policy, there is an overview of scope and of objectives. I think I will go into the detail after that.

First of all is that there should be a policy framework, which has to be adapted to different cultural environments. Remember that this group is responsible for around the world, and, of course, we have different ethical principles here than in Arabic countries and so on. But it was felt that a framework is essential -- an international framework which allows us to communicate health data not only within nations but also across national boundaries.

Right now we have in health a similar situation as was alluded to earlier, that the security regulations in North America are not on a par with the European ones, which means that Europeans prevent the exchange of information with North America.

It was found that key principles for these policies need to be addressed, and the IMIA general assembly made specific reference to the contribution of my colleague Dr. Eike Kluge from the University of Victoria department of philosophy, who provided a comprehensive ethical framework for development of the security guidelines. That will be included in the publication, of course, as well.

These policies need to be developed, published and widely available to the public. They need to be monitored, they need to be enforced, and they need to be evaluated and updated. These policies are seen as requiring considerable flexibility so that they can be adapted to different regions and also over time. This requires appropriate management arrangements.

[1520]

The established policy principles have to be based on patient rights -- for instance, to access to their records, to the correction of inappropriate entries in the patient database. This is a very difficult issue, because it could be incorrect factually concerning the patient; however, it could correctly identify a train of thought from a care provider. So there is a reconciliation of different aspects of correctness necessary. The whole thing should be based on ethical principles. Here it's called an ethical code of conduct. Use and rights and privileges: there is an integrity requirement so that the records are not altered or falsified over time.

There are a number of operational parameters that have to be met, such as a quality standard, availability standard, security measures and mandatory audit trails. This includes awareness training and education -- the requirement for it -- in which I will get into more detail. There's the requirement for accountability of persons interacting with these documents, and there's the need for monitoring and enforcing adherence to the security standards. It needs to be based on established standards, and deviations -- incidents of breaches of confidentiality -- need to be monitored and reported. There's a need for balancing between different approaches and for conflict resolution.

The policy has to be owned by certain people, and that should involve the stakeholders -- for instance, the providers, the suppliers, the patients. But it also has to involve governments, international organizations, professional organizations, users, particular patient groups and the private sector.

Key issues are the necessity for championship leadership. . . . This was a recurring theme -- that somebody has to lead the effort. It was suggested that this could be the Inter

[ Page 158 ]

national Medical Informatics Association on an internationalbasis. It was also discussed that it could be somebody like the World Health Organization, but the principle would have to be reduplicated at the level of local government as well.

Priorities for action have to be established, and a number of issues have to be resolved -- for instance, such an issue as the legal acceptability of digital signatures at different levels.

There are standards necessary for such things as a public key infrastructure for the operation and for the integration and mutual fit of components of these records. I'll return to that.

In the meantime, I got the e-mail just yesterday that the International Medical Informatics Association has in fact taken action by making a decision in support of this proposition here. It has suggested that local support be established and feedback on these recommendations of the International Medical Informatics Association on a national or local basis be facilitated.

[1525]

And then, of course, the last points identify the work that is expected to have to continue within this working group, and a continued consultation process review of guidance and revising and updating the recommendations.

The next block of issues was around training and awareness. Here it was felt that the security will only be as successful as the education on these issues is successful. There's a very striking discrepancy in how people treat health records as opposed, for instance, to financial information. I think very few people would think of sharing their password for their bank account. Nevertheless, it seems to be quite common that passwords for the operation of hospital computers are shared among different healthcare providers, just because of what is perceived as time constraints and similar things -- also, in some instances, because the systems are inappropriately constructed. It was felt that this kind of practice has to end and that in order to end this, one has to institute appropriate education measures.

These were seen at three levels: awareness, training and education. Awareness is something that has to be achieved in the general public. Training tries to achieve more specific behaviours. And education is necessary for the upper-level decision-makers in order to achieve the development of the appropriate policies and their adoption.

So awareness is something which should in fact reach everybody. Training is something which is necessary for front-line workers -- for paramedics, nurses, aides, everybody in the healthcare system -- and also for associated people like insurance agencies, law agencies and so on. At the upper level we certainly need appropriate education for management-level executives in the health hierarchy, doctors, nurses and health informatics personnel.

It was felt that this kind of education and training is a prerequisite for trust and confidence in patient records. It's a prerequisite for people not withholding information or falsifying information in these records. Hence, it is a prerequisite for the acceptance and usability of the record system in the first place. Records which have falsified information or a lack of information in them are useless. They can even be dangerous. Hence it is a prerequisite for improved quality of care, for accessibility of the patient records, for better workflows, for understanding of the consequences of health care actions, for feedback on policies and for decreasing liability and -- what's the word? -- suits for negligence and malpractice and so on.

There are many prerequisites for education. It requires buy-in from stakeholders. That includes the schools; that includes the financing agencies; that includes the ministries that fund education. We felt that media support is required and that the media have to play an important role in the education of the general public. It is necessary that there's an education and awareness champion at the level of educational institutions or in more general realms, and of course there are resources necessary.

[1530]

There are many types of delivery strategies possible. There is on-the-job training, which would go a long way and which would have to be very broadly applied. Training could be integrated with daily activities and other education and could make use of periodic reminders, case reviews. We, being techies, are of course also thinking of making training packages available which could be used on demand, available through the Web or available through electronic media.

We feel that investment in education and training must be a priority, but awareness training and education must be a dynamic feedback loop to monitor its effectiveness, and that these developments have to be integrated with other security measures. We found that a statement of the desired outcome would be appropriate for ensuring that the effectiveness can be monitored.

Then on the technical level there are some general principles that must be applied. It is absolutely required that health information systems, including the electronic patient record, are implemented in such a way that they can be trusted and that they are trusted by the public. And this requires that the available security measures are indeed used. There's more available than is currently used in practice. There are standards needed in a number of areas. One is the technology; one important one is terminology. These are things which are addressed by such institutions as the Canadian Institute for Health Information, which has already been mentioned.

But there is considerable work to be done, which of course means that in our view, not only education but also research has to be fostered and funded. In addition, we are convinced that there are health-specific security requirements. For instance, it is not possible to anonymize, as the saying goes, personal health information, because the data sets are too detailed and too aggregated, so it is comparatively easy to conclude from a data set on the individual the data set pertains to, even if such things as phone numbers, name and so on are deleted from the set. So there's considerably more necessary to assure confidentiality.

How am I doing on time?

R. Kasper (Chair): Good. Let's see; how far are you on your. . . ?

J. Moehr: I'm about three-quarters through.

R. Kasper (Chair): You're allowed, then.

J. Moehr: Good.

[ Page 159 ]

R. Kasper (Chair): You're only five minutes overdue, so that means you've speeded us up by 40 minutes.

J. Moehr: Oh, good. I hope I'm not too speedy in my. . .and leaving you behind.

There are a number of specific technical issues which have to be addressed. One is the issue of identification and authentication, which includes not only the patients but of course also the providers.

There are different models which are pursued in different countries. One is to have a patient master index or a unique identifier which allows them to collate all the information on individuals. This makes it rather easy to link information across systems. However, an alternative model is that there are several identifiers, particularly for a patient. Every patient has their identifier in every concerned information system.

[1535]

That is typically the situation today. This makes it easier to control and implement confidentiality and to prevent loss of data. There are products available for linking these identifiers, and there are some technical approaches which have been developed over recent years. There is also a need for role-related identifiers so that the data exchange can be linked to specific roles -- for instance, of providers and of patients.

These identification systems have to be managed. There is public key infrastructure necessary. Particularly the Europeans have some rather advanced models where different duties and different roles are flexibly associated with different identifiers and authentication procedures to allow specific access to specific functions for specific persons. An alternative is the use of pseudonyms which conceal some of the identification and can be exchanged among different systems.

This is an overview of the public key infrastructure. It can become quite complicated. There is, as I said already, an association between keys and certificates and functions necessary. There are recovery mechanisms necessary for overriding the unavailability of keys in emergency situations, for recovering lost keys and so on.

An important point is that encryption is necessary but is not a sufficient means to protect privacy, so it has to be combined with other security measures. The storage of keys is an issue. One could resort to biometrics or store a key on token smart cards, and there are quite a number of products available nowadays. Auditing is essential; that has been said already. All this requires organizational measures. There are institutions, organizations, roles necessary which are not currently available in the institutions.

So the big thing is that as we get ready to share patient data among institutions -- not only within an institution but within the confines of an enterprise which is governed by, for instance, a common accepted, binding mission statement -- as these boundaries are transcended, a very new situation is created which requires new solutions. One thing which is required within the public key infrastructure system is trusted third parties which have the ability and the mechanisms to manage the policies; to certify users; to arrange for dispute and complaint resolution; to control, monitor and measure performance; and to ensure accountability of all involved players.

[1540]

It was recommended to create a task force to establish policies, as IMIA has decided to do just that. A very interesting model was provided by the U.K., which is to assign a security guardian, which is a different model than the ombudsman or watchdog role that is sometimes -- for instance, in Germany -- established. The guardian is perceived as a promoter, a champion, a facilitator of security who could be instituted at different levels -- for instance, at the provincial level, at regional levels and at the level of every health care institution, at least at larger institutions. The duty of this person is to promote security, to promote secure behaviour, to champion the educational activities and facilitate security-conforming behaviour and procedures.

There are quite a number of standards necessary for. . . . Typically the health care data are very different from commercial data, in that they are very detailed. We call it a fine granularity. They are quite ambiguous. This is not an effect of sloppiness of the health care professional; it's an effect of the biological nature of the substrate of the profession. It is quite a challenge to come to standards so that data which are exchanged between different institutions are not only meant to mean the same thing but that one can assure that they do actually mean the same thing.

We have to work and improve nomenclatures, data management and technology. It was felt that a collaborative approach which includes industry best practices and private sector research would be desirable. We require accreditation bodies, and there are standards in this case. It was recommended, when taking the approach, to develop pilots to ensure that these things are developed in the right way and that they can later on fit into the environment as a whole.

The recurring theme: the need for appropriate funding. This brings me to the end. I guess the implications for your work should probably be discussed. Thank you very much for your attention.

R. Kasper (Chair): Okay. Thank you. Any members have any questions of Dr. Moehr?

K. Whittred: I just have one question. I was interested in how this is, I gathered, an international body of people that you're talking about. Perhaps I can just describe another conference I was at. There was a speaker from the States discussing the culture of privacy as it related to the medical field. Anyway, one of his comments was that where he came from as opposed to, say, in Canada, there was really a culture of no expectation around privacy when it came to health. So my question is really: how do you accommodate on this level the whole variety of expectations and cultures as they exist in different countries? They're going to be quite different, I would imagine.

[1545]

J. Moehr: That was very well recognized. For instance, our Japanese colleagues at the conference made a point of stating that until ten or 20 years ago -- at the most -- the Japanese didn't even have a word for privacy; they didn't have the concept. It didn't exist in their culture. So this is why it was recognized that there would have to be a certain amount of adaptability to different ethical frameworks and different ethical principles.

However, within the western world there are also substantial differences. Here I think the feeling was that it was

[ Page 160 ]

worth trying to come up to advance a common framework, so that an exchange of data across provincial boundaries, across state boundaries, between places like Canada and the United States and with the European countries becomes possible. It was felt that it was significant that currently the European Union standards are not met in North America and that this is a barrier for the exchange of information.

Did I answer your question?

R. Kasper (Chair): Yeah -- I think to their satisfaction.

J. Weisbeck (Deputy Chair): I was interested in your comment about international identifiers. Is that currently being discussed?

J. Moehr: No. There are models of having a standard identifier. I think it has been discussed in Canada and various provinces. But I'm aware of discussions in Ontario, for instance. I think it has been discussed here in British Columbia as well. I am not aware of anybody who has taken this step and done it. However, for decades the Swedes have had a personal identifier for everything, for every person. Every person is identified from cradle to tomb by an identifier, and all actions regarding this person are linked via this identifier. So there are again different standards and different environments.

I think the conclusion in June was that one should probably continue to accommodate different identifiers and different systems, so that the Victoria situation -- translated, the capital health region now -- would have one system of identifiers, and MDS, the laboratory company, would have another system of identifiers. It would be a matter of devising an exchange and negotiation mechanism for the legal exchange of data.

A Voice: Amalgamating the information.

J. Moehr: Not necessarily amalgamating but sharing the information.

J. Weisbeck (Deputy Chair): I wanted to ask further about the whole cost of this. As we know, health care these days is becoming very cost conscious. I would think that this whole aspect of security would add a huge cost to it. I'd just like to have your opinion on that.

J. Moehr: Of course, we are not talking about implementing the whole thing in one fell swoop, the big bang approach. The cost is an issue. It was felt that if one would, for instance, include a ballpark figure of 5 percent in health information projects that is to go to security and confidentiality, that would be a great aid. You have seen that the suggestion was to decide on priorities, to start with the pilots first and then roll it up in this fashion. I think it is not a matter that it is a huge cost hurdle which one has to climb over initially. One has to develop a policy to include the costs that are required for an incremental approach.

The other thing is that our efforts to decrease health care costs may very well get stifled if people decide to withhold information, falsify information -- if we have to deal with incomplete records and so on -- out of fear. So there's a complementary cost, which looms probably already on this side of the horizon.

[1550]

J. Weisbeck (Deputy Chair): The other idea I was thinking of is the actual duplication of tests, for example.

J. Moehr: Absolutely.

J. Weisbeck (Deputy Chair): You know, if you have to redo those, there is a huge cost involved as well. Okay, thank you.

G. Abbott: The presentation which you made to us today -- and I thank you for it -- as I understand it, was really focused on the development of standards and practices across international boundaries. The focus of what you discussed, it seemed to me, was the internal development of those standards and practices within the health organizations themselves, as opposed to any jurisdiction -- be it provincial, national or international -- saying: "You must do X, Y or Z." It seemed to me the focus was on internal development rather than development prompted by external demand.

What I'm wondering, then, is what lessons we might take from your presentation in order to look at the issues this committee has to face about the application of Bill C-6, including the future health information protection issues or the possibility of the province developing its own alternative to that. Is there an application of what you have given us today to that debate, which we will undoubtedly have?

J. Moehr: Well, I should think. What the conference showed is that there are a number of very interesting approaches being tried out in different countries. On this basis, I think it would be entirely appropriate to include considerations regarding security -- for instance, the consideration of health information standards which are being conducted at the Ministry of Health here.

I also think that organizations like the capital health region, which is in a process of reforming and has to amalgamate information systems from -- I don't know -- five different health care institutions, take the opportunity to include adequate security policies and related technical measures in this development.

P. Calendino: I guess that's related a bit to what George was asking. One of the things that I noticed is that in all these medical information systems that were discussed, you were talking about the safeguarding of privacy simply by implementing some sort of information security systems. You were talking about encryption or some keys to be implemented within the system. We heard earlier form Dr. Rosenberg that security in an information system does not equate to privacy.

So I'm wondering whether you can expand on how you would protect privacy of medical records or medical information. I'm not necessarily referring to the information that a doctor gathers in his office when he visits with a patient, but there is medical information gathered in private laboratories, etc. How will the patient feel that his information will be maintained in privacy, if not securely, by information systems?

[1555]

J. Moehr: Well, a number of points. First of all, my intention was to draw attention to the fact that technical

[ Page 161 ]

measures alone are not sufficient. This is why we emphasize the need for comprehensive policies at different levels for educational measures and for the institutional organizational components to ensure security and privacy.

Security and privacy are sort of, in my view, different facets which are complementary to each other. A record from which data is lost or in which data is forged, falsified, is easily an infringement on privacy, just as the disclosure to unauthorized recipients is an infringement on privacy.

With respect to the ways one has to do it, I do not believe there is one patent recipe on how to do it. I think one would make good advances if it was, for instance, legislated that security and privacy issues have to be a matter of consideration, for instance, in new projects of information systems -- that they have to be included. I think it would be a big advance if one would have a security and privacy champion.

The English have this model of the Caldicott expert. Apparently there was a commission going on in the U.K., headed by Dame Caldicott, which came up with this recommendation of instituting the security guardian within the health care institutions and at different levels in the health care system. That seems to work very nicely and achieve positive results. This kind of a model could be adopted in some form, and I think that one would, in a gradual way, improve the security and the privacy.

But I guess the main thing was that the security threats in quantity -- and in consequence, large security threats -- do not stem from hackers or that kind of individuals. They stem from professionals. They stem from negligent use of information; they stem from inappropriate use -- taking advantage of loopholes and so on. I'm very passionate about this collection of Dr. Anderson, who included examples of very, very simple matching of data from the car registration agency with other data. People were able to get detailed health information on their employees.

Of course, this thing which he cited in the clip, which would combine, for something like £150 or the equivalent of $300, an excerpt of the medical record of anyone in the U.K. -- or could a few years ago -- is also threatening, because the people who are using these services and pay for them are employers who want to screen their prospective employees or are insurance companies who want to make decisions on whether to issue insurance to certain individuals and so on.

R. Kasper (Chair): Okay. One more?

P. Calendino: Yes, just one more.

I guess, again, that George was alluding to this. Eventually we'll have to decide here whether we should have provincial legislation or whether the medical profession can regulate itself. I know we've had presentations here that, I think, would have promoted legislation to ensure that the privacy of medical information is protected. But if it were to be left to the industry -- the medical profession or private enterprises related to health care -- can anybody actually be assured that privacy will be protected? I doubt it.

[1600]

J. Moehr: A very interesting question. I am a medical doctor by basic training, and I have worked in the health information field for 30 years. I am personally of the opinion -- and that was, I think, the unified result of our conference -- that the medical profession is not able to be the appropriate guardian for privacy, because the experience is that, particularly, medical professionals are of the attitude that they do guard privacy. They usually haven't sworn the Hippocratic oath, as is always presumed. I haven't done it; I don't know of any of my colleagues who have sworn it, specifically. But we all feel committed to the Hippocratic oath, and we all feel committed to guarding the privacy of patients. But it's a fallacy.

The other point is that it is not, by any means, only an issue of the medical profession. The issue reaches far beyond the medical profession -- the insurance industry, the legal industry. Lots of lawyers try to get or request access to medical information for all kinds of reasons unrelated to the health care of the people involved. So it's a problem which reaches far beyond. This is why we stress that the educational efforts really should reach everybody and should involve public media, not only medical schools but also law schools and schools for insurance companies and so on. It's a very, very comprehensive general problem.

R. Kasper (Chair): Thank you very much, Dr. Moehr. Now I'll ask David Loukidelis to do a brief commentary, noting the hour. The committee has a very minor bit of brief business to do after, so carry on.

D. Loukidelis: Thank you, Mr. Chair. I think that consistent with what I did earlier, I'll simply pick up on a few points more or less at random. The first is that -- this has been touched upon in Dr. Moehr's presentation and earlier as well -- the policy context as it regards health information is very much, these days, being driven by the burdens on the health care system generally in Canada, so the joint federal-provincial initiatives and other initiatives that are being taken towards electronic patient records -- the so-called health information highway -- have a lot to do with cost savings.

I met the other day -- socially, I might add -- a cardiologist who, at a guess, said that if he could, for example, have access in an emergency-department situation to an electronic patient record for someone who, say, presents with chest pain, he could probably save 30 or 40 percent of the time necessary in terms of getting from that patient, where it's possible, the information that allows him to assess and treat. Similarly, the idea of using health information for epidemiological and other research is very much driving this. The idea that, for example, you can identify cost savings, new ways of providing health care to Canadians, by using their health information through data mining, data matching and epidemiological research -- that is an issue that is very much driving a lot of these initiatives.

Now, obviously the possibility of cost savings and the push to be pragmatic about these things should not, many would argue, be the sole driver of what's being done in this area. The idea that privacy -- especially when it comes to sensitive health information -- should very much be factored in at the outset of project design and policy formulation is, I think, very broadly shared across a wide spectrum.

[1605]

The next point is that we have to be careful, I think, to distinguish between health information about an identifiable individual and so-called aggregated or stripped health data,

[ Page 162 ]

bearing in mind the point that Dr. Moehr made, and Professor Rosenberg as well -- namely, that it is quite widely agreed that it is impossible to truly anonymize data. Nonetheless, it has to be borne in mind that the notion of legislating in the private sector or public sector with respect to use of health information is driven by the premise that we're talking about information about an identifiable individual.

The next point that I would make is that the security issues that Dr. Moehr has touched on -- the challenges of PKI, for example -- are very real and, I would fully agree, very important issues in terms of designing information systems. Obviously, however, the remaining question is what kind of regulatory regime there should be. Ought there to be, for example, private sector legislation that -- either on its own or in concert with personal information generally -- governs how personal health information is collected, used and disclosed? Or should it in fact be left up to policy-making at a more sort of institutional level? There's broad support for the former approach.

In the context of Bill C-6, the Canadian Medical Association actually had concerns about that legislation. It felt -- consistent with what Dr. Moehr was just saying -- that the private health care sector couldn't be depended on to regulate itself. The CMA thought legislation was necessary but that Bill C-6 did not go far enough, that it had to actually be tougher when it came to private sector uses of personal health information. I think that is pretty noteworthy when you consider what a good code of privacy the CMA itself has. And it, again, didn't feel that the approach of voluntary self-regulation, if you will, was sufficient.

The last point I would make is to pick up on a point made about the training of staff. I think that whatever legislation, if any, is adopted -- and it should, I would suggest, be an enabling kind of legislation that doesn't try to prescribe technical details of PKI or other security issues -- is going to require consistent, vigorous and informed, if you will, education of staff who actually implement these rules in the private sector, as it is already important in the public sector.

Ongoing education is a very important thing in terms of ensuring that the awareness of these rules is high and that the appropriate practices are implemented consistently and in an appropriate fashion. At the end of the day we do come down to a situation where, regardless of the security measures you implement, there will always be opportunities for malfeasance or inadvertent, if you will, breaches of privacy through the sharing of passwords and things of that sort. So education will in fact be a very important role, whichever legislative approach is taken, whichever oversight mechanism is adopted.

R. Kasper (Chair): Do members have questions for David with regard to that?

G. Abbott: I don't know if it's a question. Well, obviously it's an interesting exercise. It's going to be an interesting exercise to somehow find that appropriate balance between the protection of privacy and the opportunity to access necessary information. I would not want to see what I term the law of unanticipated consequences come to bear here, where one day the cardiologist needs to access, in short order, the medical information of an unconscious patient and because of the unintended consequences of a privacy provision we've put in place in British Columbia, that does not occur. I just suspect there's a huge challenge to be met there.

D. Loukidelis: Can I just briefly comment?

R. Kasper (Chair): Yes, carry on.

D. Loukidelis: That's a very good example. You know, when you're talking about the collection of my health information for the purpose of my medical treatment, I think it would be a perverse individual who wouldn't countenance the use of that information if I gave it to my own GP in the confines of that physician's office, who wouldn't consent to it being used at an emergency department in situations where I'm not able to give that consent. I think that life-threatening situations can be dealt with in the legislative design.

[1610]

I think it's another question, however, whether information I give to my physician for the purpose of my own treatment should then, without my consent and often without my knowledge, end up in a database somewhere in Ottawa and then be used, potentially in identifiable form, for the purposes of health care research -- at least, unless there's very strong provision for ensuring the ongoing confidentiality of that information in those other hands. Again, it is a very big question, I think, in terms of policy, about those secondary disclosures and whether or not consent shouldn't in fact be the strong default in that kind of situation as opposed to the personal care situation.

R. Kasper (Chair): What I'll do, then, is thank the witnesses for coming here today and also thank you, David, for your commentary. I think what we would do next is as previously discussed this morning. There's some information that Wynne has put together for the committee members, and I don't think we need to make a decision today on that information. Perhaps members may want to get back to Wynne on that item we were discussing, and the Chair and the Deputy Chair would discuss the matter further. Is that acceptable? Okay.

Could I have a motion to adjourn?

The committee adjourned at 4:12 p.m.

[ Return to: Legislative Assembly Home Page ]

Copyright © 2000: Queen's Printer, Victoria, British Columbia, Canada