Chair:	* Rick Kasper (Malahat-Juan de Fuca NDP)
Deputy Chair:	* John Weisbeck (Okanagan East L)
Members:	* Pietro Calendino (Burnaby North NDP) Glen Clark (Vancouver-Kingsway NDP) Gerard Janssen (Alberni NDP) Steve Orcherton (Victoria-Hillside NDP) * Erda Walsh (Kootenay NDP) George Abbott (Shuswap L) Geoff Plant (Richmond-Steveston L) * Katherine Whittred (North Vancouver-Lonsdale L)
Clerk:	Kate Ryan-Lloyd
* denotes member present

[ Page 25 ]

The committee met at 1:26 p.m.

R. Kasper (Chair): Good afternoon. My name is Rick Kasper, and I am the Chair of the Special Committee on Information Privacy in the Private Sector. I apologize for the delay in starting. It was due to the fact that some of the members of the committee had a later arrival in Vancouver from Victoria.

I'd like to open with a few remarks. This committee was established by the Legislative Assembly of British Columbia to inquire into the possibility of regulating privacy protection for personal information held by organizations in the private sector. One major recommendation of the Special Committee to Review the Freedom of Information and Protection of Privacy Act, which reported in June of 1999, was that a committee of the Legislature undertake such an inquiry. This committee is a result of that recommendation.

Members of the committee are committed to consulting widely with private sector enterprises and interested individuals on privacy regulation for the private sector. To that end, to date the committee has scheduled three public hearings: today, tomorrow in Richmond, and one in Victoria on Monday, January 24. Please note that in addition to hearing from witnesses at our public hearings, we will also be accepting written submissions.

I'd also like to mention that when the committee did its deliberations on the public B.C. Freedom of Information and Protection of Privacy Act, we did have a number of submissions that encouraged the committee and government to look at this matter.

The other issue raised was the fact that the federal government had brought forward a piece of legislation which was reintroduced into Parliament in the fall, in October, entitled Bill C-6. We felt, as a group, that because that legislation would deal strictly with federally regulated private companies in British Columbia, we should look at the issue also.

Some of the questions that the committee is addressing are the following. What are the responsibilities of private sector enterprises in the use of individual's personal information? How does new information technology, such as that used in e-commerce and data mining, impact the private sector use of personal information? What form of regulation is most appropriate: self-regulation through organizational or sectoral codes, or legislation? What type of oversight mechanism is necessary to enforce the protection of personal information collected, used and disclosed by private sector organizations?

These are just some of the issues the committee would like you to address in speaking today. For more information, we also have a discussion paper -- which I'm assuming that most of you have had a chance to pick up or have actually received prior to making the decision to appear here today: "Protecting Personal Privacy in the Private Sector." That discussion paper, which was referred to the committee for consideration by the Minister of Advanced Education, Training and Technology, provides additional questions for your consideration and also for our consideration.

I'd now like to introduce committee members who are here. We have Katherine Whittred, MLA. We also have our Clerk, Kate Ryan-Lloyd; and John Weisbeck, who is the Deputy Chair of the committee. Also in the building are Erda Walsh and Pietro Calendino, and they will be coming shortly.

Now we'll go on to our first presenter. We have Mr. Dennis Prouse, who is a government relations manager with the Insurance Bureau of Canada.

[1330]

There are three appendices that I have given. Appendix 1 is contained within the main report, and it just walks through how our industry uses personal information. The members may find appendices 2 and 3 useful to read, as well, at a later time. It gives our 1992 model privacy code and then gives our 1996 model privacy code, the most recent one. What we have given you is all the same information that we gave to the House of Commons and Senate committees that were examining this issue, in addition to specific responses to the paper that was put forward.

I should spend a minute telling people what the Insurance Bureau of Canada is. If we're not a household name, it's okay; we don't take offence at that. But we are the trade association that represents property and casualty insurers. I have to tell you that before I joined IBC, I didn't know what property and casualty insurance meant either. To simplify that for laypeople, it's home, business and auto insurers. That covers the larger spectrum of what our member companies do. We are very different from the life and health insurance industry.

I understand you'll hear from Charles Black, from the Canadian Life and Health Insurance Association, later on in the afternoon. Their issues just tend to be very different, and they tend to be very different industries. The name "insurance" is common, so we often do get inquiries at our office that are life- and health-related, and we do refer them on. But the issues just tend to be very different, so that's why there are separate associations. There isn't even very much common ownership anymore between P and C companies on the one hand and life and health on the other.

We're a fairly inclusive trade association, in that we now represent about 95 percent of the non-government private P and C insurance that's sold in Canada. That's pretty good for a trade association. Some tend to be fractured, and we're, fortunately, not in that position.

We view our mandate pretty simply. Number one is to maintain a dialogue with government, doing things like I'm doing today. Number two -- and I think this is very important as well -- is to listen to consumers and the public and to

[ Page 26 ]

[1335]

We paid out about $850 million in claims in 1997 in B.C., which is a fairly large figure, keeping in mind that we don't handle the bulk of auto here. We paid about $188 million in taxes to Victoria in terms of corporate capital taxes, PST and premium taxes.

How does our industry use personal information? As I say, in the main report itself, we go into a great bit of detail about that. There are really two main occasions on which we do that. Number one is in underwriting the risk. It's a fancy way of saying that when you go to buy insurance for your home, your business or your car. . . . It's basically understanding the needs, taking in information from you to analyze and assess the risk and then going about determining an adequate premium. The second time is in claims handling, and that is probably a little more involved an area and a little more detailed in terms of taking in personal information. That's verifying the loss, determining the proper amount of compensation and preventing fraud. That's an important element that I'll get to a little later.

We feel very importantly that consumers have rights and that those rights ought to be recognized. I'm going to talk a little bit about our model codes in a moment, but our IBC privacy code that's now been adopted by well over 80 percent of our member companies has three basic tenets: (1) that only essential information is requested or obtained from the consumer, (2) that the personal information is treated in complete confidence, and (3) -- I think this is very important as well -- that consumers can review and correct any information that's held by their insurers. That should be their right, and our code ensures that they do in fact have that right.

I mentioned the area of insurance fraud, and that is an important element of when we look for personal information. This was a bit of a sticking point in the original version of Bill C-54. When that was originally tabled, it was so rigid that it essentially would have put us in the position of asking a person suspected of fraud if we could have their permission as to whether we could investigate them for fraud. In the first draft we also couldn't share information amongst companies. You can imagine (a) the rampant amount of fraud there would be, and (b) the number of people skipping from company to company.

To give you a quick snapshot of the impact of insurance fraud that's out there -- it's a crime that's not talked about much -- we estimate it at about $1.3 billion a year across Canada, plus about $1 billion in what we call societal costs. That's police, fire, health care.

You're probably seeing about 10 to 15 percent of all claims containing some element of fraud. We didn't pick that figure out of thin air; that came from a forensic audit of a number of closed claims files about three years back. This is what was determined.

I think what's most important to note here is that our industry has largely been left to fight this problem alone. Police will quite candidly tell us that they don't have the resources to address this issue. The courts. . . . I'll contain myself and say that they maybe don't have the resources to address this issue to the extent that we would like. Sharing data is obviously vital to be able to fight fraud -- and the implied consent, when people do a buy a policy, that we are able to do that.

Having said all of that, we think that our industry's record in protecting privacy is fairly good. Why we do that is because it's good business. The property and casualty insurance industry is a very fragmented, highly competitive business. What you're looking at is about 230 companies competing across Canada. There isn't one company that has any more than 10 percent market share. So that's a pretty fragmented, very competitive industry. There are about 40 companies, incidentally, that are active in B.C. As a result of that, customer lists and information are guarded fairly jealously. Nobody goes about selling or distributing customer lists or customer information. Why don't they do that? It's because those lists are very, very important to them and are far more valuable in their own hands than they would be if sold elsewhere.

The other issue to keep in mind is that the marketplace would punish a company that trod on the wrong side of privacy. I think that we would come down on them fairly hard, because it's such a competitive industry and because there's such competition for customers to have brokers representing you, etc. To give an illustration of that, we have consumer centres across Canada. IBC operates in every region. We have a toll-free number and a dedicated consumer desk where people experienced in the industry handle complaints, questions, comments, inquiries, etc.

We just started our Pacific region one, and we had 581 cases that were handled last year. Not one concerned privacy -- a privacy concern for a P and C insurer. Now, across Canada the number was approximately 10,000, and the total privacy concern on that was about 0.5 percent. So we are not overwhelmed by questions or concerns on privacy, and I think that speaks to what we've done to protect the privacy of customers.

[1340]

As a result of that, we put it forward, and it was approved by the Quality Management Institute, which is an institute accredited by the Standards Council of Canada. So we are able to put forward a model privacy code that does meet those standards. We think that's a fairly good example of an industry that's behaving in a responsible manner, under

[ Page 27 ]

For a wrap-up, I do want to touch on the issue of regulatory harmony. That's addressed in our paper. We think this is a really, really critical issue for all industries operating across Canada. What we discover on a lot of other issues is a real patchwork or hodgepodge of regulations, depending on what province you go to. We have member companies that operate, by and large, in a multitude of provinces; they will sell the same product either across Canada or certainly in a large number of provinces. What we discover -- not just on the privacy issue necessarily, but on a host of others -- is a real patchwork of regulations. We're working very hard to try to address that.

There is a Canadian Council of Insurance Regulators. Mr. Hobart, who's our regulator, is a member of that. The CCIR -- we're an industry that loves acronyms, incidentally -- is working really hard to try to find areas where they can create harmony. To give you an example, an issue would be classes of insurance. Every province seems to have different numbers of classes of insurance. You'll go to Alberta, and there'll be X number of classes. When you come to British Columbia, there'll be Y number of classes. It's the same product being sold in different provinces being treated in a different manner by regulators, which means companies then have to go file again. Our nightmare, obviously, on the issue of privacy would be ten provinces, three territories and a federal government all with different laws on privacy. We don't think that needs to happen; we don't think that should happen.

In fact, we think the Canadian Council of Insurance Regulators is probably a pretty good vehicle to ensure harmony both on privacy -- what the companies are doing -- and on compliance and ensuring compliance. I want to be clear. When I talk about having a model code, we're talking about a model code that works within the context of the legislation. We're not talking about having a model code that's not impacted by the legislation.

Finally, I'll just talk about the impact of Bill C-6, which, as we know, is now back in the House of Commons. It underwent fairly detailed scrutiny by a wide, wide range of parties, and I guess that process went on for about 18 months. We were obviously one of them. But it wasn't just the business community. There were a fair number of people involved in that.

[1345]

What has happened in Alberta, which we think might be a decent model for British Columbia, is that they're going to wait for three years, I believe it is, to basically review the impact of the federal legislation before they act to see if there's a need for a mirror provincial law. Given that Bill C-6 is about to come down and given that we're not really certain of all its impact -- we are into some uncharted waters -- we think it would be rather prudent for British Columbia to monitor the impact of Bill C-6 on the private sector before rushing forward with a mirror provincial law. Bill C-6 addresses a lot of that, and we think that this is an issue that is crying out for harmonization and effort amongst provinces to find some common ground.

That is the thrust of my presentation today. I did want to leave a little bit of time for questions and answers. As I say, we have given you the formal written submission, which you can go through at your leisure. We're happy to reappear, if questions come up on this. We want to be part of the process. We'd be happy to take any questions that committee members might have.

R. Kasper (Chair): Thank you very much.

Any committee members?

J. Weisbeck (Deputy Chair): You made a comment about shared data. Are you saying that you're not sharing data within the industry? Or is that data being shared with industries, say, that are complementary to the. . . ?

D. Prouse: That's largely within the industry. I should have gone into greater detail on that. There is an agency known as the Insurance Crime Prevention Bureau. Again, probably nobody has ever heard of it. There are about 100 people working across the country. Here in British Columbia there are about ten officers who do nothing but investigate insurance fraud and maintain a database and work with the. . . . They are contracted by the companies to investigate claims.

What we're talking about is the companies having the ability to give data to the Insurance Crime Prevention Bureau and then to access that data about claimant X or Y: what the claim's history is, what the result of those claims was, details of past investigations, etc. That's largely what we're talking about with data-sharing -- knowing someone's claim history, dating back with a number of different companies.

J. Weisbeck (Deputy Chair): So how secure is that system? I mean, can other industries access that information?

D. Prouse: Not at present. That's simply for ourselves. The federal legislation recognizes the Insurance Crime Prevention Bureau as a legitimate data-collection point.

P. Calendino: Just on the same line, when you have this criminal investigation bureau doing some investigating for you, do they then go out and access other information outside of the insurance industry?

D. Prouse: They can. They will attempt to, and that's part of what needed to be addressed in Bill C-6. There is implied consent, when you purchase a policy, that when you make a claim, the company may then go out and investigate and obtain information that's pertinent to the claim. We can only investigate what's pertinent to the claim.

P. Calendino: But you can go out and investigate the credit history of people, which is not necessarily within your domain.

[ Page 28 ]

P. Calendino: The other issue is: you just said that there is implied consent on the part of your client when they sign a contract with you. The reality of it is that a very high percentage of the population has no concept that they're signing away implied consent. I'm wondering whether you will disclose all that information to the customers when they are signing policies with you -- what implied consent means. This is a big issue here.

[1350]

P. Calendino: Well, I've signed policies in the past, and it was never explained to me, for example, that you have a criminal investigation bureau that can go out and investigate all my past life, my past credit and my past history. That's never explained to us. That's part of the implied consent, and the average person does not know that.

D. Prouse: Well, that's on the claims section. Nobody's doing a background check on you to purchase the policy itself. In fact, that was part of our little tussle with the banks over the whole bank insurance issue, when they wanted to sell insurance directly out of their branches. They had access to information on consumers that we didn't have -- deciding whether you were the right kind of person they wanted to pitch an insurance policy to, depending on what your past history was on your Visa, for example. We don't do that when we sell the policy; let's be very clear. When we're investigating claims, that's a different area, and that's where most of the data collection comes in.

As I mentioned before, the issue is fraud. There's a fair whack of it, and we don't get any help to investigate it. That's our job. That has largely been downloaded to us, because the police and court systems are too occupied to do it. Now that we've taken it on, we do need the ability to collect data. Are we turned down often, if we're asking for somebody's credit history? We could be. But if we don't have that, a company may choose to deny the claim.

P. Calendino: I think the intent of my question was that the average person, when they sign a policy, has no concept that you have the ability then to transfer your data, your information, to this criminal investigation bureau. What I'm saying is that your industry should inform customers at the beginning that there is this possibility in case of suspected fraud. . .

D. Prouse: That's a fair point.

P. Calendino: . . .because that's a very invasive investigation afterwards.

D. Prouse: Yeah, it can be. You know, it can be a difficult process. I should point out that 98 percent of claims are settled routinely. When you take a look at the number of claims that the Insurance Crime Prevention Bureau looks at in the course of a given year, up against the number of claims that are paid on a routine basis, we're talking about a very small number of cases. But we do have to have the ability to look at them. Most claims are paid routinely without any tussle or any difficulty. The public has a hard time buying that, but the statistics back it up.

But you make a fair point. Should the public be told exactly what they're signing or what could potentially happen in investigating claims? Yeah, they should -- no doubt about that.

R. Kasper (Chair): Okay. My question relates to how the industry has been able to work in the province of Quebec, because they have their piece of legislation that covers the private sector. So can you give me any indication?

D. Prouse: I don't know of any specific difficulties that they've encountered in Quebec as a result of the Quebec legislation. You may be more familiar with the Quebec legislation than I am; I know it's there. I know the fact that it is there was a cause for the Bloc québécois to oppose C-54 and then C-6 simply on principle. The Insurance Crime Prevention Bureau is active in Quebec; they're there. The practices and our code certainly apply to all consumers in Quebec. I'm not aware of any difficulties that have cropped up. It's a good question, though; it's one I'll endeavour to find out for you.

R. Kasper (Chair): Okay. And if you could, get back to us with an answer.

D. Prouse: I will, yeah.

R. Kasper (Chair): Problems: how does the piece of Quebec legislation perhaps differ from C-6? Did the industry raise that?

[1355]

R. Kasper (Chair): No further questions? Thank you very much for your presentation.

D. Prouse: Thank you for giving me the opportunity; I appreciate that.

R. Kasper (Chair): You're welcome.

Moving along, our next presenter is Dr. Scott Cornell, director of the B.C. Freedom of Information and Privacy Association. I've just been informed that Dr. Scott Cornell can't make it. But Darrell Evans, executive director, B.C. Freedom of Information and Privacy Association, is here. Welcome.

[ Page 29 ]

R. Kasper (Chair): Okay.

D. Evans: Great. I'm known to some of the members of the committee. I'm the executive director of B.C. Freedom of Information and Privacy Association, known as FIPA. FIPA is a non-profit society which was established in 1991 as a public interest advocacy group for freedom of information and privacy rights in Canada.

In my presentation today I would like to make a few general comments on the subject of privacy and privacy legislation for the private sector. But I'm going to focus particularly on the subject of health information privacy and how this fits into that picture. Although FIPA is interested in all the issues of privacy protection, we chose in 1998 to specialize in the cause of health privacy in Canada simply because somebody needed to do this. We assessed the forces that were working determinedly against privacy protection in the health sector vis-à-vis the voices speaking out for people's privacy rights in the sector, and we decided that we had no choice but to take this issue on particularly, as best we could.

Any legislation that protects privacy in the private sector will have to grapple with the issue of how it applies to the personal health information held by medical practitioners, medical labs, pharmacies and private health care facilities. The application of privacy law to health information has proven to be the single most controversial aspect of private sector privacy legislation in Canada. As it has made its way through the House of Commons and the Senate, this was the case. I will explain why that is shortly.

First I would like to take just a minute to give FIPA's response to the most fundamental questions posed by the B.C. government's discussion paper. The question we put is: how should B.C. proceed on privacy protection? We believe that the government of British Columbia should pass privacy legislation for the private sector and that the legislation should be based on the CSA code as it appears in the discussion paper and on the federal Bill C-6, with some improvements. The B.C. Civil Liberties Association and the Canadian Bar Association are going to be talking later about their view of what those improvements might be later, so I'm not going to go into that today.

But I would ask the committee to beware certain trapdoor phrases as they mull this issue over, one being "implied consent" and the other being "consistent purposes." These are trapdoors through which privacy protection can easily fall.

FIPA also advocates that additional legislation be developed specifically for personal information in the health care delivery sector, because of the particularly sensitive nature of this information and the unique structure of the sector itself, which is public and private, and there's a lot of grey areas.

[1400]

I know that many Canadians are offended with organizations that seek more and more information about citizens. FIPA, for instance, and also B.C. Civil Liberties receive many complaints during the week -- complaints every day -- about considered privacy infractions. Citizens are also offended and fearful, I may add, of people in government who think that it is inevitable and proper that the state should collect more and more information about citizens.

The federal government recognized this anxiety about personal privacy in the private sector and how it could impede electronic commerce, and responded by passing Bill C-6 -- which, as you know, has gone back right now to the House from the Senate with a couple of amendments suggested. So it's kind of in limbo right now. If you're looking for a perfect bill, Bill C-6 is not it. You've probably already come to that conclusion. But Bill C-6 is a huge and necessary step forward for the rights of Canadians. It's my belief, and the belief of my organization, that a great deal of our future freedom, dignity and autonomy will depend on legislation like Bill C-6, because it is our only hope of preventing what David Flaherty has called the surveillance society.

Now, just to do a little bit of blue-skying here, I ask the committee to imagine what kind of a society we will have if the state or private sector corporations have unlimited capacity to collect and process information about us -- for example, all our health information. When we look at exactly what kind of information we are talking about here, this would include predispositions to diseases; mental health background; drug prescriptions; sexual history, including such things as abortions; serious illnesses; sexual orientation; personal habits; and soon to come, genetic information, which is where it really starts to get scary.

What if they, after gathering this information and having access to it, could match that with the other information they access about us -- say, about our racial origins, educational background, family history, employment history, you name it? For one thing, in the first place, just in having that information, a huge power imbalance develops between those who possess it and those who are the subject of the information. That creates an intimidation factor or a factor of the unknown -- "What do they know about me? How much do they know about me?" -- which really equates to "How much power do they have over me because of this great imbalance?"

Now, in a federal report about the plans for government on health information, it may surprise you to know that that scenario is exactly what is being planned right now. The report I'm referring to is called the "Health Information Road-map," which is basically a roadmap for sharing of personal health information among private sector and public sector health institutions and government. Add to just this possession of information the potential threat of what the state and

[ Page 30 ]

In addition, the state is also going to the private sector to complement the information it automatically gathers. It's not enough -- the information government already gathers about us -- because every agency of government clearly wants it and wants more of it. They're also going to the private sector to complement that information for government purposes.

My view is that this information is not going to be just sat on. Government and private sector corporations are inevitably going to want to do something with this information. If they're an insurance company, they're going to want to limit risk. If they're banks, they're going to want to limit their risk and exposure. In the case of government, it's clearly the same thing. They want to better manage government programs, they want to catch fraud, and they want to allocate government resources -- all of which are good purposes. But the question here is: at what expense?

[1405]

Just to create a few little scenarios for you. We know that the B.C. government shared information with the B.C. Cancer Agency to alert women over 50, and as they become 50, to a program that the B.C. Cancer Agency offers, which is the mammography breast-screening program. Every woman who reaches 50 now gets a personal letter addressed to her from the B.C. Cancer Agency, urging her to go for a mammogram.

This was one of the most controversial issues for us two years ago, with some women saying, "How did they get my name? How did they get consent to use my information in that way?" and other women saying: "Well, this is in the public interest." Clearly there's a health issue here, and it's a good thing. It's a good way to reach women and convince them that this is important. But it's a really good example of the kind of privacy issue that can develop.

Now, is the next step that the people who smoke get a letter from the government? Or is the next step to perhaps start conditioning programs so that people who are into risky behaviour get different kinds of health insurance from the government? All these things are potential and even have been suggested.

I just give that to you as a sense of the threats that might exist for the use of information. I'm only going to use one other example of the possible use of health information, which occurred in the U.S. It might be known to some committee members. Time magazine reported a particularly shocking and offensive use of health information. A banker who sat on the governing board of a cancer treatment centre in the United States used his position to access the files of patients receiving treatment at the agency. He matched the information against the bank's client files and pulled all the loans of the clients who were patients at the clinic. You have the overlap of the health sector with the private sector. Potential for this kind of thing does happen.

The inevitability of human error and human abuse comes into this as well. We saw cases in Quebec of civil servants selling people's income tax files for $50 each. I don't know if committee members have heard about this. It happened, I believe, in 1998. They were dismissed, of course. These things do happen, and error inevitably does get into files, which are other reasons for strong privacy legislation.

Specifically on to more about health information, which I call the primary battlefield of the struggle over control of information. It's the belief of my organization, FIPA, that the most serious, consequential and desperately fought battle over control of personal information in the western democracies will be the battle for control of health information. The debates over Bill C-6 in both the House and the Senate have proven this to be true. By the time the bill reached the Senate, it was almost completely about health information, with the sides very clearly drawn. As a result, the Senate basically threw up its hands and is now asking for a delay of application of the bill to the health sector in order that the health sector -- including organizations like ours, the Canadian Medical Association, etc. -- fight this out. In effect, that's what they've asked us to do over the next two years -- fight over this and try to convince government that either side is right and work out possibly a special arrangement for health information or perhaps just include it in Bill C-6, as it was originally intended.

When Bill C-6 was being debated in the House, what the Senate witnessed was an intense lobbying effort -- primarily motivated by the Ontario Ministry of Health, but also including private health organizations like the Canadian Pharmacists Association and the Ontario Association of Medical Laboratories and others -- to either have personal health information exempted from Bill C-6 or have the private health care sector exempted from the bill. Now, why on earth would anyone lobby to have the most sensitive personal information of all exempted from a bill that is supposed to protect privacy? Such a result would be ludicrous.

[1410]

Legislation is currently being developed in Ontario and other provinces that will expropriate -- and I use that word advisedly; in other words, take without permission -- the property of another from all existing sources to create an

[ Page 31 ]

The federal government, together with the provinces, is planning to create what is called the national health infostructure, on which these electronic health records and other information will flow under the control of delegates that they call custodians or other similar names. It is because Bill C-6 threatened to interfere with these plans that the House of Commons and the Senate became a battlefield and received such determined representations from health interests. The committee members here may be aware that the Ontario Ministry of Health came before the committee in the House to ask that personal health information in the private sector be exempted from the bill.

Now to specifically get into why the Ontario Ministry of Health opposes Bill C-54. As I say, the central issue about Bill C-6 that most offends the Ministry of Health in Ontario is the bill's requirement that the patient's consent be obtained for the sharing of personal information. I'm going to briefly quote the Ontario submission that was made to the House of Commons:

"Bill C-54" -- which is now Bill C-6 -- "focuses almost exclusively on consent. This approach to protecting personal health information makes it difficult to share information for" -- and I put this in quotes -- " 'appropriate purposes.'

"Under Ontario's proposed personal health information legislation" -- which is still being discussed -- "information-sharing for purposes of health care, management of the health system, including fraud detection, and research would be permitted without consent but with strong safeguards to ensure that the information is shared only in very limited circumstances."

When I listened to the presentations in front of the Senate, the fear of the ministry and other interest groups of allowing Canadians consent over secondary uses of their information. . . . That's anything besides primary health care. In other words, what we all understand the normal sharing to be when we give our information to a physician or other treatment. . .is that it can be given for immediate treatment, for what we're asking for, to certain other providers and to a medical lab, for instance. We expect this. This is the kind of circulation of information we expect.

[1415]

This issue came up with a vengeance in B.C. about four years ago, and the minister over the College of Pharmacists actually got a special bylaw passed in the governing regulations forbidding a sale to a pharmaceutical information company -- forbidding the sale of personal information about either patients or doctors to a private sector company. So specific legislation in response to public concerns was passed in B.C. regarding that.

So my question is: are these things that these private sector health interests and the government is doing so intrusive and so offensive that people would deny consent? If so, then they do have a problem. Obviously they're not things that the public would consider appropriate. The question, then, is: are we going to have less protection for health information than we have for other kinds of information in the private sector or in the public sector? The right of privacy for health information, including our right of consent to the collection, use and sharing, is perhaps more vital than for any other kind of information. But if these governments and the private sector health interests have their way, we will have less protection for health information.

As Prof. Valerie Steeves, who I wish could appear before this committee. . . . She facilitated a Senate process gathering information on these very issues a couple of years ago and produced an excellent report. As Professor Steeves said: "The Ontario government's proposed weakening of Bill C-54" -- now C-6 -- "would result in the curious situation whereby our most sensitive information is least protected. We would end up with fewer privacy rights when we confided in our doctor than when we bought a toaster from Sears."

A few final words. I believe that we -- organizations like ours -- clearly have a fight ahead of us over the next two years, because the Senate, for one thing, is creating that scenario. But I also believe that Canadians, if they're able to be reached, will insist that their right to decide who can have access to their health information will be preserved.

There are certainly merits to a seamless sharing of information through an electronic system. But my organization, FIPA, maintains that privacy does not have to be sacrificed to obtain the benefits of a system like that. There may be greater costs involved in a consent-driven system and perhaps less efficiency, but these are quite simply the costs of our privacy in a free and democratic society. These are challenges to which we can easily rise. That concludes my comments to the committee. I'll be happy to take any questions.

R. Kasper (Chair): Thank you very much. Any questions from the members?

P. Calendino: Do you see any instances where medical information could be made available -- for example, from the doctor's office to the pharmacy or to the hospital -- in case of emergencies? Or does that happen now?

D. Evans: There are safeguards. In particular, the strongest safeguard is the code of the B.C. Medical Association and the Canadian Medical Association. The laws limiting this -- that's why we're here today -- are at a very early stage. There are codes; there are some laws about sharing of information.

[ Page 32 ]

As far as physicians go, we're currently actually getting a study done on exactly what laws exist. There's a total patchwork, and I don't think anyone can at this stage authoritatively state what exactly is covering this. But the strongest safeguard is the medical industry's own code.

P. Calendino: Alberta, I think, passed legislation recently. . .

D. Evans: That's right.

P. Calendino: . . .allowing some flow of medical information from one office to another, from hospitals to hospitals, etc., with certain limitations. Are you familiar with that?

D. Evans: I can't say I'm familiar. I'm familiar with some aspects of it. I've got it in my briefcase; I just had it couriered yesterday. It also allows a minister of the Crown to view a personal health file.

P. Calendino: What's your perspective on that?

[1420]

This information does not belong to the state, and the state has no right to it. Supreme Court rulings that have been passed over the past ten years are making a stronger and stronger case that the state does not have the right to intrude into that personal relationship in which you have, with consent and knowledge, given your information to a practitioner -- not for further sharing. I don't think that's anyone's understanding of how that traditional relationship is, how the laws that govern privacy protection function and also the common law behind this.

You'll hear more about this later today from a study from the Public Interest Advocacy Centre -- which, by the way, is being commissioned by us -- and, lastly, Supreme Court rulings that are strengthening privacy -- the last case being the Mills case, which was decided about two months ago. In that case the Supreme Court of Canada decided that a defence attorney or a client defending himself in the court does not have a right, for instance, of access to counselling records of the defendant. Oh, sorry -- I'm getting mixed up. The case there was that the defence wanted access to the counselling records of a young child of 12, and part of that, I believe, was her personal medical diary that she'd been keeping. That went all the way to the Supreme Court for the rights of full and fair defence. The Supreme Court, with very strong language, ruled that people do have a right of privacy. That drew a line on the ability of the defence to access those kinds of files. So the Supreme Court is laying a stronger and stronger foundation based on traditional things protected in the Charter of Rights -- for instance, freedom from search and seizure. You know, it's extrapolated from that.

P. Calendino: I raised the question of the Alberta legislation because the freedom-of-information and protection-of-privacy commissioner, who gave us a presentation at a conference in Toronto, seemed to think that they had found the right compromise between the protection of privacy and allowing certain information for emergency cases, for example, for research into certain diseases, where you need collection of some medical information. . . . And, of course, he feels that there is enough protection in that flow of information to make the system work okay.

D. Evans: Don't get me started on information and privacy commissioners. We have many arguments with commissioners across the country on how they interpret it and the relationship they develop with governments and their defence of the rights of citizens. I mean, I don't want to tar them all with the same brush, but we do have problems in that area, especially with this particular commissioner, for making that ruling. Now, he did not approve the legislation. You'll find he didn't use those words. He neither approved nor disapproved. His original concerns were that he had major concerns with it. But the relationships that commissioners get into with the government. . . . When they start mediating and negotiating -- that kind of thing -- they find they're drawn into compromise, etc., which we frankly don't believe in.

[1425]

For what they call the health surveillance program of the federal government, which is a federal government program which collects emergency epidemiological information on contagious diseases, etc., that's another thing I think we would agree with, you know.

The question is: where do you draw the line? We're obviously drawing it a lot. . . . We say "emergencies" is the word -- you know, in severe health crises or that kind of thing. That's about where we draw the line -- not for health research, although we have no problem with anonymized information for research, providing it can't be reidentified. In other words, if your information is going to be used for research, there's no reason you should not be asked for your consent. Most people again would agree. Health research is a wonderful social benefit. So why not ask consent?

R. Kasper (Chair): Any further questions?

Darrell, my question is: how does the province of Quebec deal with the issue you raise with us here, around health information, especially in the hands of the private health care practitioners?

D. Evans: You're asking an excellent question. I posed that same question to Industry Canada when they were developing Bill C-6 -- well, a similar question. I asked, "Has

[ Page 33 ]

You know, the response from the government official was that, yes, an attempt had been made to do that -- and dropped. It seems that the development of the legislation, especially in an area like this, is so complicated. An analysis of what really goes on is so expensive that no one's willing to do it. I urge you, if you really want to do something good, to send someone to Quebec to have a look at this legislation. I don't know if you want to delay it or take that long with this. But we urge that this happen.

As soon as Industry Canada put out word that it was going to do a discussion paper, we asked, "Is this going to happen? Is anyone. . . ?" because we're concerned about an onerous impact on small business, for instance. No one wants to overlegislate; no one wants to create unnecessary regulatory burdens or even unnecessary needs for training. I think, from the discussion paper, that's the approach the government will be taking.

But no -- the short answer is no, no one knows. No one I know can give an easy explanation about that. However, Industry Canada did do an excellent study on how Bill C-6 would impact on the flow of health information in Quebec specifically. I can't refer to the specific title of that. But you're meeting Stephanie Perrin tomorrow, and maybe she will even have brought a copy with her. It's an excellent study.

R. Kasper (Chair): Is there an organization in Quebec similar to who you represent here today?

D. Evans: No, we're the only group of our kind in Canada.

R. Kasper (Chair): Has there been any feedback from the public or consumers that's drifted this way?

D. Evans: If I can paraphrase Winston Churchill, an iron curtain has been drawn across Europe. There's really such a strong filter on information coming from Quebec, even though we have a listserv that has people from Quebec on it. There just doesn't seem to be. . . . I know the Quebec commissioner. "But everything's hunky-dory" is the message I get. No businesses have collapsed. Indeed, I know that Paul-André Comeau, who's the commissioner, has a very light touch and is very careful about the use of his powers. As far as I know, there have been. . . . I haven't heard of problems, but that's all I can say. I've not heard of problems.

K. Whittred: Darrell, I want to ask you: in a perfect world, from the perspective of your organization. . . ? You've obviously expressed a very great concern about health information. In a perfect world, do you see that best protected within the kind of acts that the federal government is having? Or there has also been some suggestion that health information should be treated separately and that there should be a meshing of the private and the public and the pharmaceutical and all the genome stuff? So that's my question.

[1430]

But we're also suggesting and saying it's totally necessary to pass a special health information protection act or whatever we want to call it, because it is such a unique sector. The problems are not easy; the consent issues around it are difficult. You know, if someone's being admitted to Riverview in a psychotic state, what kind of consents are you going to get for that person?

That's why I wanted -- we arranged to have -- Dr. Scott Cornell. Dr. Scott Cornell is the director of surgical pathology at Royal Columbian Hospital; he is also a very strong privacy advocate. But he's associated with a medical lab; he's a personal practitioner. He also is attached to a public institution. So he can give you anything regarding the actual medical profession and the problems that do exist with it. So if you do want to see Dr. Cornell at some point, I'd be happy to help you arrange it. But yes, it needs sector-specific legislation, in our opinion.

R. Kasper (Chair): Okay. No further questions. Thank you very much, Darrell.

D. Evans: Thank you. I appreciate it. Thanks very much to the committee members.

R. Kasper (Chair): Our next presenter is Susan Prosser. Susan is from the B.C. Public Interest Advocacy Centre. Go ahead, Susan.

S. Prosser: Good afternoon. I'm here on behalf of the B.C. Coalition of People with Disabilities and the B.C. Freedom of Information and Privacy Association.

What I will focus on is also privacy protection of personal health information in the private sector and, specifically, the constitutional right to such protection. The objectives of my submission are twofold: to discuss what the Supreme Court of Canada has identified as the highly private nature of personal health information and why it is deserving of the highest standard of privacy protection; also, to make the constitutional argument for creating legislation that will adequately protect the right to privacy of personal health information, as guaranteed under sections 7 and 8 of the Canadian Charter of Rights and Freedoms -- from now on, the Charter.

While we believe that the CSA model code, which is incorporated in Bill C-6 as schedule 1, provides adequate protection for most personal information in the private sector, its principles with respect to consent and to collection, use and disclosure of personal information are insufficient to guarantee the privacy of personal health information.

I'd first like to turn to the unique character of personal health information. As far back as 1928 the Supreme Court recognized -- and that is the Supreme Court of Canada, which I will continue to refer to as the Supreme Court -- that although a patient may make personal information available

[ Page 34 ]

The Supreme Court emphasized that personal health information is "information that goes to the personal integrity and autonomy of the patient." Regardless of where it is recorded, it remains, in a fundamental sense, one's own. Because personal health information is highly private and personal, individuals retain a right to the control of this information about themselves. In a context in which individuals cannot obtain health services without divulging information about themselves, consent then is the primary mechanism of control over personal information. Because health information is highly private, it is disclosed to physicians and other health care workers in confidence.

The fundamental respect for confidentiality is reflected in the Hippocratic oath and the codes of ethics of virtually all the health care professions. Confidentiality forms the backbone of the health care system. As the Supreme Court has said, the ability of a doctor to provide effective treatment is closely related to the level of trust in that relationship. The therapeutic relationship is characterized by trust, an element of which is confidentiality. Thus privacy is essential to effective patient treatment.

[1435]

In our opinion, the nature of personal health information and the confidential environment in which it is disclosed is categorically different from other personal information and ought to be subject to specific rules, both in the public and private sectors, which protect the confidentiality on which the therapeutic relationship depends.

With regard to the collection, use and disclosure of personal health information, the Canadian Medical Association's health information privacy code provides an excellent model. Specifically, it is founded on the principles of informed and voluntary consent to the collection, use and disclosure of one's personal health information, whether individuals disclose that information in the public or private sector.

Given the unique character of personal health information -- one that creates in the individual a high expectation of privacy -- and given that other jurisdictions have failed to adopt adequate privacy protection for personal health information, we consider it appropriate to bring the constitutional arguments for a fundamental right to privacy before you, the committee. Our aim is to encourage the government of B.C. to adopt a human rights-based framework for the protection of personal information, one that is compatible with an individual's fundamental right to privacy.

I'll turn now to the Charter and the constitutional right to privacy. It's important, from the outset, to state the interest of constitutional rights. Whereas legal rights to privacy, in this case, are protected by common and civil law rules and by federal and provincial statutes, which are always vulnerable to encroachment by federal and statutory enactments, no law or rule may derogate from constitutional rights. This is true because section 52(1) of the Canadian Constitution Act provides that the constitution of Canada is the supreme law of Canada and that "any law that is inconsistent with the provisions of the Constitution is. . .of no force or effect."

Turning specifically to privacy, the Supreme Court has stated on numerous occasions that privacy is fundamental to the notions of dignity and autonomy of the individual. While the Charter does not explicitly provide for individuals' right of privacy, the Supreme Court has found that privacy rights are guaranteed by both sections 7 and 8 of the Charter. The function of the Charter, according to the Supreme Court, "is to provide. . .for the unremitting protection of individual rights and liberties." Specifically, section 7 of the Charter states: "Everyone has the right to life, liberty and security of the person and the right not to be deprived thereof except in accordance with the principles of fundamental justice." Privacy, the Supreme Court has said, is at the heart of liberty in a modern state. The limits that the Charter imposes on the government to pry into the lives of its citizens go to the essence of a democratic state.

In the O'Connor case, one of a series of Supreme Court cases dealing with privacy rights under section 7 of the Charter, the accused sought disclosure of the complainant's therapeutic records. Madam Justice L'Heureux-Dubé held that the witnesses have a right to privacy in relation to private documents and records. She stated that section 7 guarantees of liberty and security of the person must be interpreted broadly to ensure individuals' personal autonomy over important decisions intimately affecting their lives. Infringement of the right to privacy, she stressed, "undeniably impinges upon an individual's 'liberty' in our free and democratic society."

Regarding the right to privacy with respect to documents and records, the Supreme Court stated in the Plant case:

"In fostering the underlying values of dignity, integrity and autonomy, it is fitting that s. 8 of the Charter should seek to protect a biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state. This would include information which tends to reveal intimate details of the lifestyle and personal choices of the individual."

[1440]

In the Osolin case, Madam Justice L'Heureux-Dubé confirmed that:

". . .the interest in the privacy of medical records was recognized in [the Dyment] case as a broad and independent value, separate and distinct from considerations about the fairness of the trial process. Thus the privacy interest discussed in Dyment may be seen as an interest that pertains to all of us, which may arise in a number of different circumstances. Indeed, it would be odd if the protection of medical records were to be available only to those accused of criminal offences."

[ Page 35 ]

Regarding control over one's personal information, Mr. Justice La Forest stated in Dyment that while "[w]e may, for one reason or another, wish or be compelled to reveal such information. . .situations abound where the reasonable expectations of the individual that the information shall remain confidential to the persons to whom, and restricted to the purposes for which, it is divulged must be protected."

In Regina v. Mills, the most recent Supreme Court case to deal with the constitutional right to privacy, the Supreme Court further broadened the scope of interests that the right to privacy protects. Where previously it had focused on human dignity, liberty and personal autonomy, in Mills, Madam Justice McLachlin considered the right to security of the person under section 7 of the Charter. At issue was the relationship of privacy to the therapeutic relationship. She found that the therapeutic relationship is characterized by confidentiality, an element of which is trust. She concluded that the protection of a complainant's reasonable expectation of privacy in his or her therapeutic records protects the therapeutic relationship and that unless the confidential nature of that relationship is protected, an individual's trust may be shattered and the security of his or her person undermined.

Mills confirmed an earlier decision handed down by the Supreme Court in 1999 in which a mother claimed that the province of New Brunswick must provide her with legal aid in order to challenge state apprehension of her children. A majority of the Supreme Court, in that case, affirmed that the right to security of the person protects "both the physical and psychological integrity of the individual." Recognition by the Supreme Court that confidentiality is essential to trust in the therapeutic context and that breach of confidentiality may compromise the mental security of the patient are, we contend, vital components of the constitutionally protected right to privacy of personal health information.

Another relevant facet of the constitutionally protected privacy rights is that they must be protected from the outset. As Madam Justice L'Heureux-Dubé said in O'Connor: "The essence of privacy. . .is that once invaded, it can seldom be regained." She quoted from the Dyment case with approval, saying: ". . .if the privacy of the individual is to be protected, we cannot afford to wait to vindicate it only after it has been violated. . . . Invasions of privacy must be prevented, and where privacy is outweighed by other societal claims, there must be clear rules setting forth the conditions in which it can be violated."

[1445]

In the Mills case, the Supreme Court found that a court order to produce records -- in this case, the therapeutic records of a sexual assault victim made under the Criminal Code -- is a seizure within the meaning of section 8 of the Charter. The court upheld an amendment to the Criminal Code which provides that to order production of medical, therapeutic, counselling or other records, a court must be satisfied that the record is necessary in the interests of justice. This is an important finding, as it sets a high standard for what the Supreme Court considers to be reasonable infringement of individuals' constitutionally protected right to privacy of their therapeutic records.

With regard to information that has been stored electronically, Madam Justice McLachlin found that computers should be private places, where the information they contain is subject to the legal protection arising from a reasonable expectation of privacy. Again, it's the same test of a reasonable expectation of privacy. In this case, police had received a tip that the accused was growing marijuana. They gained access to a terminal linked to the utility computer that allowed them to check electrical consumption at this specified address -- that is, the address of the accused -- confirming that the energy consumption was extremely high.

Whereas the majority found that one's electricity record does not reveal intimate details of one's life and thus give rise to a reasonable expectation of privacy, Madam Justice McLachlin found that in each case, the question that must be asked is whether the evidence discloses the reasonable expectation that information will be kept in confidence and restricted to the purposes for which it is given.

Finally, the Charter guarantees of equality are relevant to the issue of privacy protection. In both the Osolin and O'Connor cases, Madam Justice L'Heureux-Dubé recognized that a failure to govern disclosure of the therapy records of victims of sexual offences with the same rigorous rules of disclosure by which other confidential records are governed would infringe on the victim's equality rights. Similarly, those who have the most contact with a networked health care system -- women and people with disabilities, for example -- will have their privacy disproportionately infringed should the government fail to provide stringent privacy protection for all personal health information.

In conclusion, it's apparent that a constitutionally protected right of privacy is not monolithic, nor is it absolute. Rather, privacy may be described as a bundle of rights that are integral to human dignity and autonomy -- two of the fundamental principles on which the Charter guarantees of liberty, security of the person and equality are built. By making Charter protection of privacy contingent on a reasonable expectation of privacy, the Supreme Court has created a sliding scale of privacy protection that recognizes that the more sensitive the information, the more compelling is the right to privacy. Significantly, in the McInerney, Osolin, O'Connor and Mills cases, the Supreme Court has consistently emphasized the highly private nature of medical records.

The government of B.C. has an opportunity to pass legislation that will set a Canadian -- if not world-class --

[ Page 36 ]

[1450]

Those who have argued before the Senate committee, as Darrell mentioned -- particularly the Ontario government and elsewhere -- that the CSA code is too stringent to allow the Health Infoway to proceed fail to acknowledge that the very technology they wish to exploit to create a more effective and efficient health care system, and not abridged privacy protection, provides the solution for information-sharing. Anonymous records should be the sine qua non of linked databases. It is not necessary to sacrifice individual privacy, and indeed we argue that it would be unconstitutional to do so.

[J. Weisbeck in the chair.]

J. Weisbeck (Deputy Chair): Thank you very much. Do committee members have any questions of Ms. Prosser?

E. Walsh: I thank you for the presentation. One part of the presentation that I read with interest -- and though I understand and acknowledge that protection of an individual's privacy extends beyond health care, health issues and personal health records. . . . It was interesting when I read here, with regard to information that is stored electronically, that computers should be private places and that the information they contain is subject to the legal protection arising. . . . That's a real challenge, I think, today. Because of the wide use of computers and the storage of information on computers, specifically with your health, and the effects that it can have on someone who has access to your health records, I think that. . . . I might ask you: how does one go about putting in place regulations or legislation that do in fact enforce -- or any legislation or regulation that can be enforced -- electronic information-gathering?

It's not just British Columbia that has access to those records, so the legislation or regulations that we put in place wouldn't necessarily address just British Columbia. Other than international agreements or court systems, I'm not sure how one could address the electronic information-gathering and the enforcement of that. What are your suggestions, especially when it comes to computerization and the gathering of that information on computers?

S. Prosser: Your question has several components. In terms of international sharing of information, as you're probably aware, the CSA code was developed to conform with the OECD guidelines -- which are the European communities' guidelines -- on data protection, particularly transborder flows of information. How that affects Canada is that they've said that unless Canada -- or any other country, for that matter -- adopts similar kinds of data protection, then they'll refuse to allow data to flow into those countries not offering the same level of privacy protection that they have. So that's one component.

How you oversee that is a question of oversight -- what kind of mechanisms you put in place to ensure that the various actors are conforming to the laws that you put into place. At this point we have a passive system of oversight, meaning that in most provinces in Canada and federally, if a person has a complaint about the way their personal information is being dealt with on a privacy level, they can lodge a complaint with a privacy commissioner. A more active way to ensure oversight would be to have a system of compliance or registration, where any of the players would be required to register their health information practices. Then the government would have the possibility of going in and monitoring in an active way as opposed to a passive way, waiting for a complaint -- in an active way, going in and in fact ensuring that people or companies or government departments are complying with the regulations or the laws.

[1455]

Those are technological questions about how you use technology to protect the privacy laws and regulations that you've put into place. Our point is to say that we shouldn't bow to the players out there who are saying that we can't have adequate flow of information if you make privacy protections too stringent. That isn't the case. The technology exists to render records anonymous so that they can be traded back and forth and, on the one hand, to allow information -- for instance, in the interests of research -- to be used and, on other hand, to protect people's privacy. That becomes a technological issue.

I think that we have to push the information technology industry to make those kinds of technologies available. In fact, it's happening in the private sector, because people vote with their feet, as the first speaker mentioned. In the private sector, people go elsewhere as they start to learn that their privacy may be compromised. They'll go elsewhere if the company that they're dealing with doesn't offer them adequate protection. But with respect to health care and health information, you're in a different situation. People can't vote with their feet, because they have to divulge their information in order to get services.

J. Weisbeck (Deputy Chair): Any questions, Katherine?

K. Whittred: Well, actually, yeah. Your last remark made me think of something that is a concern to me, and that is that

[ Page 37 ]

S. Prosser: In terms of the private sector, I think that, again, even people on the Net. . . . One thing that's come out in terms of Net commerce is that it's largely been a disappointment. People aren't using it to the degree that, five or ten years ago, companies expected that they would. They're not receiving adequate privacy assurances from the companies that they're dealing with, so they're refusing to make transactions over the Net. They'll make transactions over the telephone but not over the Net, because they're concerned about data trails left by any kind of transaction that they make on the Net. So in terms of the private sector, I think that in our dealings with companies in the United States, individuals have a choice whether or not to deal with those services, whether or not to log on to a site and to engage in receiving information from a Net doctor. I think that in that situation, market forces will be at work in terms of privacy and that if people are concerned about privacy, they won't go where they don't have privacy assurances. I'm not sure if that addresses your. . . .

K. Whittred: Well, yeah. It's a very complex issue.

S. Prosser: It is complex.

[1500]

S. Prosser: No. I don't think that they are aware. I also think that the fact that Bill C-6, formerly Bill C-54, got as far as it did. . . . It wasn't until about six months ago that the health sector kind of realized what was coming down the pipes with Bill C-6, and they started to engage in the debate about where that legislation was going. Similarly, I think that the public is largely ignorant of the privacy implications of information technology. That goes for their simple logging on to sites which can all be traced at this point, to transactions, to -- as we're speaking about -- health information, which can and will be available on the Net if we don't provide adequate legislation and oversight for that legislation.

J. Weisbeck (Deputy Chair): Actually, to carry that one step further, we're talking about treatments on the Net.

S. Prosser: Yes. Health Canada and Industry Canada are in fact promoting that idea with the Canada Health Infoway, in that one of their interests is in serving remote communities. Still, we can argue that there are technological ways to ensure that those kinds of transactions are safeguarded. So the issue is not: can they be safeguarded? It is: do we have the will to safeguard them by forcing the various public and private sector players to adopt the practices by passing legislation?

J. Weisbeck (Deputy Chair): Is it safe to assume, as the previous speaker said, that you're more concerned about consent than you are about some of this information-sharing? Is it safe to assume that?

S. Prosser: Well, information-sharing is about consent, yes. The fundamental way that you have of controlling your information is by consent. But if you can't withhold consent because legislation doesn't acknowledge your right to consent, then you have no control over your personal information.

J. Weisbeck (Deputy Chair): Thank you very much. I'm assuming that Hansard will have the transcripts of this discussion, and you'll get a copy of Hansard.

S. Prosser: Thank you very much for allowing me to speak.

J. Weisbeck (Deputy Chair): Next speaker, please. Mr. Black, I wonder if you could introduce yourself, please, and who you represent -- and I see you have someone else here as well -- just for the purposes of Hansard.

C. Black: I'll be happy to do that. My name is Charlie Black. I'm on staff with the Canadian Life and Health Insurance Association, or CLHIA, as I will refer to it. I'm joined today by a colleague, Doug Carrothers, who is the vice-president, law and investments, of North West Life, based here in Vancouver and one of our member companies. I apologize to the committee and to Doug that I neglected to notify the committee staff in time to have a nameplate made up for Mr. Carrothers, but I trust that will not impact on our discussions.

It's certainly a pleasure to meet with the committee this afternoon. I was able to meet several of you a few weeks ago at a conference on Bill C-6 that you attended. It is a pleasure to be here in Vancouver and pursue some of the discussions that we undertook at that time.

The CLHIA is the main industry association of life and health insurance companies. The first presenter this afternoon very effectively drew the distinction between the property and casualty insurance industry and the life and health insurance industry, which in many ways are fairly separate industries. Our colleagues in Quebec, or our colleagues in the francophone community, have a habit sometimes of expressing concepts well in the French language. If you focus for a moment on the letterhead of the letter that has just been handed out to you and look at the French wording there, you'll see that in French they refer to the life and health insurance area as insurance of persons; on the other hand, the property and casualty area is referred to as insurance of biens, or insurance of goods -- automobiles, homes, etc. This isn't a perfect distinction, either, but I think it does indicate that the life and health insurance function is very heavily concerned with persons and with individuals.

[1505]

[ Page 38 ]

The types of insurance that are covered by life and health insurance companies include life insurance, which pays off a benefit when someone dies. A unique feature of that type of insurance is that those contracts can exist for decades or perhaps even for over a hundred years, can be taken out when someone is an infant, continue in force during that person's lifetime, pay a benefit at death -- and that benefit itself can be paid out in instalments to survivors, again stretching over several decades. So they tend to be long-term relationships between the insurance company and the individual.

Another important type of benefit or type of insurance is disability income insurance, which pays regular income payments to someone when they are disabled. In many cases, that type of insurance is sold through the employment mechanism -- sold either to the employer or to the union -- as a plan sponsor in covering all employees of that firm or all members of that union for disability income insurance.

A third type of insurance that is particularly relevant in the discussion of health information is the health care insurance vehicle, which covers the cost of health services that are not covered under our provincial health plans in Canada. The nature of this coverage varies by province but typically includes prescription drugs, some nursing services, semi-private differentials for hospital care, dental care, etc. This involves reimbursement to the individual for the costs of those health services or, in some cases, payment directly to the health care provider for the cost of providing those services.

The final area I would mention, because it is an important component of life and health insurance, is the retirement income area either through group pensions -- where again, through the employment connection, moneys are set aside to provide income in retirement -- or through individual contracts, where people invest in registered retirement savings plans and other types of annuity products and then receive benefits in their retirement years.

By its nature, life and health insurance involves a great deal of use of personal information. Generally, this is a complex area. This area of protecting the privacy of personal information is very simple in concept, but when you get into the detail, as I'm sure you members are appreciating, it does become rather complex. The personal information could be health information or financial information; it could be family relationships. It's basically the raw material that life and health insurers work with. It is vital to the conduct of a voluntary insurance system in Canada and around the world. It is a longstanding area. In many ways, I think the issues surrounding this use of information are much simpler than in some of the other areas where personal information is used, but it is nonetheless complex.

[1510]

Reference was made earlier to the legislation that emerged in Quebec in 1994. Again, our industry was very active in working with the regulators in Quebec, particularly with the information access commission, to gain an interpretation of that legislation and to ensure that any adjustments in the industry guidelines were made. In general, those adjustments were made across the country. Our companies are, generally speaking, operating on a national basis and, for obvious reasons, prefer to work with one set of rules rather than with several. Both the Quebec legislation and the CLHIA guidelines -- and Bill C-6 and much other legislation -- and a self-regulatory approach to this issue are largely based on the principles of the Organization for Economic Cooperation and Development that were adopted in Canada in 1984.

The initial industry guidelines were based on an early draft of those principles but have been revised to reflect the later versions of the OECD principles. As I say, those principles have been incorporated into the CSA code. On that point, our industry was very heavily involved over the development period of the CSA code, and I personally served on several of the committees there in developing that code -- which, of course, did reach full consensus of the over 40 groups that worked on it. Certainly there were some substantial discussions in that development process that related to health information. So, contrary to any other comment, that area was not ignored in the development of the CSA code.

[R. Kasper in the chair.]

We have also worked very closely in reviewing the federal legislation -- Bill C-54, now Bill C-6. Attached to the material I gave you is a copy of the submission we made to the Senate committee at the end of November. I provide this to you for two reasons. One is that I thought you might be interested in the types of comments we have made about the federal legislation, and secondly, it does provide more fulsome detail on our industry profile in one of the appendices and on some of our background in working in this area of protection of personal information. Also, we have found it very useful to follow seven key criteria in this process, which are set forth both in that Senate committee presentation and in the letter that I have provided to you. We commend these criteria to you as you conduct your work and as you look at various approaches to protecting personal information.

The current outlook, from our crystal ball, is that the federal legislation will be passed some time early this year. We don't know exactly what form it will take -- whether the amendments proposed by the Senate will find their way into the final legislation or whether there will be some other approach to deal with the issues raised there by the health care sector -- but we believe that that legislation will be passed. We also believe that it will apply, virtually in its entirety, to the entirety of the operations of life and health insurance companies. We have never doubted that. We have never disputed that. We have never objected in any way to the general concepts of Bill C-6.

As you will see in the submission to the Senate committee, we do have a number of reservations about this legislation, mainly in terms of practical details, including some of the drafting that. . . . If we had our preference, we feel that some improvements could be made to the drafting of this bill. Nonetheless, as some previous witnesses have said, we believe that it is a good piece of legislation. We believe that in conjunction with the industry guidelines, it will provide further protection to insurance consumers. We also are somewhat

[ Page 39 ]

[1515]

The protection of personal information is an extremely important area. The conduct of commerce in this nation on an efficient basis is also very important to residents of Canada, and we don't see any conflict between these two. But to properly balance the protection of personal information and the creation of an environment where commercial activity can proceed on a reasonable basis in our widespread nation, we believe that careful attention needs to be given to the coordination and harmonization of legislation in all jurisdictions. This certainly was a major part of our discussions in Edmonton on Tuesday in the briefing session on the Alberta legislation.

Mr. Chairman and members of the committee, those are the comments I want to make to you. I also want to assure you that if additional information would be helpful and if we can assist in any way as you continue your activities, we would be most pleased to do so. Thank you very much.

R. Kasper (Chair): Thank you, Mr. Black. Any questions from committee members? Okay. What impact has the Quebec legislation had on your industry, if any? What has been the working relationship to date?

C. Black: I would say that the impact has been modest. The Quebec legislation, simply in its terminology, presented some difficulties initially in understanding what was meant by some of the provisions and how those provisions would apply. But through discussion with M. Comeau, the commissioner in Quebec, particularly, his staff and others there. . . . Our industry has been very active in that sort of discussion. We have been able to obtain interpretations and better understanding. The requirements of that legislation are very, very close to the requirements in our industry guidelines. Some of the aspects probably prompted an update of our industry guidelines that would have been done anyway, but some minor changes were made.

As I indicated, those changes were made across the country wherever our member companies operate, but in general, it has been a positive experience. We have not encountered any difficulty in complying with the legislation in Quebec. We believe it will be possible to comply both with that legislation and with the federal legislation. They're reasonably comparable in many respects, and we believe that, again, our industry guidelines may play a role in that by bringing in the requirements under both pieces of legislation and helping our member companies in complying with both.

[1520]

C. Black: We believe that the CSA code is a good basis to work with. We believe that focusing on that coordinated approach would be serving your constituents in British Columbia very well.

R. Kasper (Chair): Mr. Carrothers, do you have anything that you want to present to the committee?

D. Carrothers: Really only to reinforce the concept that as an enterprise operating in many jurisdictions in the world -- we operate throughout North America -- it's helpful to have a certain degree of harmonization. It makes it easier. I could echo the comments Mr. Black made. As we do operate in Quebec, we comply with the Quebec legislation. As we worked that through our organization, we found that very little had to be changed. It proved to be quite straightforward. Our existing practices complied, really, in full with that legislation, so it was not a difficult piece. If you're looking for a model, it certainly seems to be working quite well.

R. Kasper (Chair): How about your clients, your customers? Is there a degree of comfort there from them? Is that the feedback?

D. Carrothers: I think the customers have always had a high degree. . . . Complaints would come to me. We have not had any. You normally get issues of inaccuracies in files and that sort of thing. We find very little trouble in that regard. It's not been a problem area with our client base.

R. Kasper (Chair): Okay. Do any members have a question?

E. Walsh: In your presentation here, in your book, on page. . . . Where are the pages?

D. Carrothers: Page numbers are on the side margin in that black bar.

E. Walsh: On page 19 there's a statement that consent. . . . We've heard some comments here on consent and on the importance of a person's consent on release of their information, because that's tantamount to protecting people's privacy and the information on the person. In the second paragraph, it says: "Life and health insurers obtain the consent of their customers for the vast majority of transactions involving their personal information. However, that is not always possible or appropriate." I know that it does say that there are some examples in the bill. But can you give me some where it would be appropriate not to get consent of an individual to release information on that individual, by that individual?

D. Carrothers: The most common situation would be when it's an investigation of fraud. This could be an investiga-

[ Page 40 ]

These are extremely rare situations, because usually in the claim forms, in the consent that would be obtained at that time, situations like this are anticipated to some degree. First of all, there aren't that many situations where there would be an investigation of that nature, but it can happen. We don't believe that anything that in any way makes it easier for fraudulent activity to go undetected is in the benefit of anyone, and we don't feel that privacy legislation should inhibit that. That is the main area, and that was recognized in Bill C-6, as Mr. Prouse indicated. Indeed, it was recognized by Mr. Manley in comments he made as the minister responsible for that legislation in the closing stage of the debate in the House of Commons. That would be the key area.

[1525]

R. Kasper (Chair): Do we have any further questions? Katherine?

K. Whittred: Mr. Black, just at the end of your presentation, you mentioned about the health information acts in Alberta, Saskatchewan and Manitoba. I wonder if you could give the committee a specific example of the impact of those acts on your industry.

C. Black: Okay; I'll be happy to. The Alberta act applies in a very specific part of health care. I differentiate between health care and health insurance; they're closely linked but not quite the same thing. The Alberta legislation applies to all health services that are paid for in whole or in part under the public health insurance plan. Also, the Alberta legislation applies to any services provided by pharmacists, whether those services are paid for under the public plan or under a private insurance plan such as I was mentioning a moment ago, with the drug card.

When the Alberta legislation is applicable, there are specific provisions in it with regard to the type of consent that is needed when information is to be disclosed by someone who is a custodian -- a pharmacist, a doctor, a hospital. If they are disclosing information about health services that are within that limited definition in the Alberta act, they must make sure the appropriate consent is given. So an insurance company seeking that information -- whether it's for payment for those services, whether it's because that information is needed in the processing of a claim for disability income benefits -- must meet those consent requirements. That would be an example where the terms of Alberta's Bill 40 are applicable to the insurance company.

At the same time, the insurance company has to meet the terms -- at least, we anticipate they will have to meet the terms -- of the federal legislation, Bill C-6, which sets out very specific criteria as to consent to collect information. The flow of information is always at least a two-party system. You've got the person disclosing information; you've got the person collecting it. And I think this is a good example where, even though those two pieces of legislation are distinct in many ways, the flow of the information goes from one to the other and as a result has to satisfy both. So the need for coordination, for harmonization, is very strong.

R. Kasper (Chair): Thank you very much. We greatly appreciate your presentation.

Our next presenter is Michael Rodenburgh, president of the B.C. chapter, Professional Marketing Research Society. Did I get the pronunciation right?

[1530]

M. Rodenburgh: Yes, you did. Thanks a lot.

R. Kasper (Chair): Great. I'm sure you've witnessed that we're fairly informal.

M. Rodenburgh: Yes. I'll be very brief too, actually. I just want to thank both the Chair and the committee for the opportunity to make this presentation today.

I come here today representing an industry that has had a long relationship with privacy issues -- that is, the marketing, social and public opinion research industry. I am the president of the Professional Marketing Research Society, British Columbia chapter. For those of you who are unfamiliar with our industry, I'll just give you a really brief background.

Our industry has its roots in the social sciences. That is, we actively study the behaviour of people in order to measure, understand and sometimes predict future actions. In the information-driven world in which we now live, the skills and abilities to execute this type of research have manifested themselves in many industries. Just as a side note, because of our skills and abilities, we've found that the growth of our industry mirrors that of many other industries that are experiencing high growth rates as well, such as high technology. In short, we're collectors, analyzers and disseminators of information

[ Page 41 ]

Most of you will be familiar with the popularization of telephone surveys, and the media in the past four years has made a household name of some of our industry's largest companies. In addition to this common method of collecting information, our industry uses a wide variety of other techniques, all pursuing the common goal of measuring, understanding and predicting behaviours. The common thread binding these techniques together is the participation of members of the public in our research. We rely on their participation to basically support our industry.

Unlike many of today's new information-based industries, our industry has long recognized the need for protecting the privacy rights of the public. In Canada there are three industry bodies that uphold a very similar set of standards and ethics, all designed to encourage the competent and ethical conduct of marketing, social and public opinion research. One is the Professional Marketing Research Society. One is called the Canadian Association of Marketing Research Organizations, or CAMRO. The third is the Canadian Survey Research Council.

The Professional Marketing Research Society -- I'll start using the acronym PMRS -- is a member-based organization comprising over 1,500 research professionals in Canada. In our industry, PMRS has the widest coverage and largest membership base in Canada. For this reason, for the rest of our presentation we're going to focus on the standards as set out by the PMRS. But just let it be known that the standards as stipulated by CAMRO and the CSRC are extremely similar.

Membership in PMRS is at the individual level. Companies providing research services themselves are not eligible for research. As members of PMRS, professional research practitioners must act in accordance with the society's rules of conduct and the principles they embody. Members must refrain from any activity likely to impair confidence in research in general. Further, the society strives to do everything possible to extend and maximize the appropriate use of marketing and social research, while discouraging the inappropriate or inadequate use of research that could provide misleading information.

The essence of our professional standards is embodied in the booklet entitled "Rules of Conduct and Good Practice." All members are provided with a copy of this book and are required to subscribe to the rules contained within this volume. Our submission to this commission, incidentally, includes copies of these standards. Of interest to this commission, our professional standards require that members abide by rules of privacy towards the members of the public.

Issues of privacy are not new to our society and have included for many years the key principles of informed consent, anonymity and confidentiality. In preparing for this presentation today, we compared our existing policies toward privacy of information to the code for the protection of personal information as issued by the Canadian Standards Association. We found that our existing policies are based on very similar principles as found in the CSA code. Briefly, I'll just address each of the CSA principles with a short description of how industry has already tackled these issues.

First, the issue of accountability. Members of our association who are in decision-making roles with respect to how information is handled are accountable to the rules as stipulated by the rules of conduct and good practice.

Second, identifying purposes. Upon contact by a research firm, participants in our research studies are given a short description of the general purpose of the study. We do this for many different reasons. Essentially, we're not out to misrepresent ourselves to members of the public upon contact.

Third, consent. The issues surrounding consent are complex. However, let it be said that consent is always obtained for participation in a research study. In cases where personal information collected by a research firm must be provided to a client, members of our society are required to obtain consent from the participants. If I may take just an example, when we call a potential respondent on the telephone for a telephone survey, members of the public are always given the opportunity to have us call back later, to refuse, to not answer the questions -- or (d), all of the above. We pride ourselves in not forcing participation in these types of research studies.

[1535]

Fifth, limiting use, disclosure and retention. Personal information that is collected is never revealed to anyone outside the research organization. In addition, the information must not be used for any other purposes other than the original study. Limiting use, disclosure and retention does extend to revealing personal information that we collect back to the client's organization. For example, if we do some work for a bank and the bank gives us a client list for which we conduct a telephone interview, we can provide that data back to the bank, but we are required to delete all identifying information that may identify respondents. So at no time is the information that we collect ever revealed to our clients.

Sixth, accuracy. Whenever possible, members confirm the accuracy of the information. Live monitoring of interviews is standard to ensure that interviewers correctly record information provided by the respondents.

Seventh, safeguards. It is the ultimate responsibility of the researchers to ensure that any identifying information collected during a study is deleted as per my earlier comments. In cases where the data may reveal the identity of the individual who provided it, it is the researchers' responsibility to delete that information to protect the anonymity of the information. There are certain instances where we work with finite populations. If we have a certain piece of information -- let's say a postal code -- and we also have some information that may indicate someone over 80 years old lives at that postal code. . . . Well, in that instance, it's very easy to identify the particular respondent, because they may be the only person in that location over 80 years of age. So it is up to us to ensure that disaggregated information -- that is, identified at the respondent level -- does not get passed along to our clients.

[ Page 42 ]

Ninth, individual access. Members of the PMRS, unfortunately, are not required to provide respondents with access to the information as provided during a research study. However, I've personally permitted this when respondents have made this request. In this case, only the respondent's personal information was provided. I'd like to think that my colleagues would do the same thing in this type of situation. We constantly struggle with members of the public for their cooperation in our research. Going out of our way to do these types of things only serves to solidify the public's trust in how we manage their personal information.

Tenth, challenging compliance. Reviews of research practices are sometimes engaged when a member is undertaking a study of questionable design. Further, many members submit the existence of their research studies to the Canadian Survey Research Council, or CSRC. Respondents who participate in a study that has been registered with CSRC have access to a 1-800 telephone number that can be used to verify the legitimacy of the study and can also use this form to lodge a complaint.

I hope I haven't been too brief with our presentation, but I'd like to think that our presentation does show that we've been proactive in dealing with rules of privacy. I'd like to think that our existing rules of conduct and good practice are extensive and cover many complex privacy issues that are specific to our industry. On behalf of PMRS, I'd just like to say thank you very much. Incidentally -- I'm going off my sheet now -- one of the things that I did forget to add here is that we are currently rewriting our existing policies with respect to how we collect information on the Internet. Of an interest to the committee, there is a society in Europe called ESOMAR -- a society of marketing and research professionals -- that is a comparable industry body to ourselves. At the last annual general meeting in the fall of 1999, we adopted ESOMAR's guidelines for how we handle conducting research on the Internet. ESOMAR is based on the OECD rules of privacy, which you're probably familiar with already. I'd like to thank you very much for this opportunity.

[1540]

M. Rodenburgh: In our industry?

R. Kasper (Chair): Yes -- or members of your organization.

M. Rodenburgh: Well, our membership is 1,500. Our internal estimates suggest that we cover about 60 percent of the research industry. In terms of the number of companies, I'd have to peg it at 250, maybe -- yeah, give or take 50.

R. Kasper (Chair): Okay -- 60 percent. I ask this question of everybody: what about the Quebec experience?

M. Rodenburgh: We are a bilingual organization. We have a good penetration of membership in Quebec. We haven't found any issues with respect to privacy in Quebec that haven't arisen elsewhere in Canada. It hasn't presented itself as an issue to us.

R. Kasper (Chair): So the business members. . . . Has it had an impact, you know, since it's been in place?

M. Rodenburgh: Not that I know of at this point in time. The thing that concerns us the most is what we are required. . . . There are a couple of things that concern the research industry. Our industry solely relies on the free participation of the public. We know, for example, that some people sometimes refuse to participate in a telephone survey. We know that probably 90 percent of those people don't respond every time. However, given the choice, they will put themselves on a list to be deleted from a list.

Now, because most non-responders are not habitual non-responders, we have some concerns about the representativeness of what we do when we, say, do a telephone survey. As soon as you start limiting the source of the population from which we draw our random samples, our information becomes less accurate, and that only hurts our clients, actually.

R. Kasper (Chair): What do you think of -- what is it? -- data mining and the brokering of databases that perhaps your member firms may do? Is there a strict policy on that?

M. Rodenburgh: Yes, there is. And yes, our member firms do data mining. I cannot say we deal with brokering of information. The information that we collect is guaranteed to go no further than us. Moreover, we're not allowed internally to use that information for other purposes. We have done studies with, let's say, very small populations -- let's say male impotence, for instance, to take one example. We can't use that sample that we've compiled of men who are impotent to turn around and then go back to those same people. We have to use the same procedure to generate a list of impotent men the first time that we do it, the second time, the third time and the fourth time, unless we obtain prior consent from those people -- right?

[1545]

Data mining is something that we're struggling with; it's a much newer problem for us. With respect to issues of privacy, data mining has become complex enough that we can predict things at an extremely accurate level regardless of whether we've collected personal information or not. But sorry -- I'm going down the wrong road. More importantly, clients give us databases from which we do data mining and conduct telephone surveys, say. We link the information together. We use those to build models to help make decisions. If the data is ever passed along to a client organization, again, the identifying information is always deleted.

[ Page 43 ]

M. Rodenburgh: Well, it can be findings in an aggregate form. So we can say that 50 percent of the people said this, 25 percent of them said this.

R. Kasper (Chair): Right.

M. Rodenburgh: But there are. . . . In many instances, our clients are sophisticated enough to take a database and analyze it themselves. So it's up to us to ensure that anything that we pass along to them in terms of the database content does not reveal the identity of the respondents, regardless of if they gave us the list or not.

R. Kasper (Chair): So do Bill C-6 and Bill 68 further restrict your organization -- how you would operate or conduct business?

M. Rodenburgh: In its current form, no. It does not.

R. Kasper (Chair): So it's not a problem.

M. Rodenburgh: No.

R. Kasper (Chair): And you've supported it.

M. Rodenburgh: To be honest, I don't know if we have supported it or not.

R. Kasper (Chair): Would you have a problem if the province embarked on a similar process?

M. Rodenburgh: We wouldn't have a problem per se. We would certainly have a stake in how we were regulated. Part of our concern is. . . . We understand the requirement to have some greater teeth. I think this has even been popularized in some of the recent media. Of our three organizations. . . . Our industry really lacks teeth in the sense that there's nothing legislating how our membership controls information. Interestingly, because our membership only extends to about 60 percent of the industry. . . . There are companies out there that, say, do research and then broker the information. You know, we have some serious concerns about that, because not only does that violate the privacy of that person's information, it also puts our industry in a bad view with the public. Because we require participation from the public, it's self-defeating.

We strongly support regulation to a certain extent so that we can maintain a certain amount of dignity and respect in front of the public.

R. Kasper (Chair): Okay. Very good. Any questions? Well, thank you very much.

M. Rodenburgh: Thank you.

R. Kasper (Chair): Our next presenter is Murray Mollard, policy director at the B.C. Civil Liberties Association. So Murray, you've seen the routine. It's pretty. . . .

M. Mollard: I think I've been here before you in a previous incarnation when you were reviewing the act. I've been here long enough today to see how things go. So what I'll. . . .

[1550]

M. Mollard: Well, I certainly would like to open by thanking you for the opportunity to appear before you. Indeed, you have embarked on a very important task and have a very important role in considering whether there should be greater protections for British Columbians' privacy within the realm of the private sector. I should start our presentation by saying squarely that we are in favour and would urge the committee to recommend to the Legislature that there should be legislation with strong oversight protections. I'm going to get into the details of that in my submission.

I want to just briefly introduce you to the B.C. Civil Liberties Association. We've been in existence since 1962, working to protect and promote the civil liberties of British Columbians. That involves taking complaints from individuals out there in society who have concerns about civil liberties. It involves public education. It involves law reform, such as what we are doing today. And it involves occasionally going to court.

The privacy file is a file that has occupied more and more of the resources of our organization. We are devoting greater and greater time. We are receiving more and more complaints. Indeed, it's a major portion of the work that the association does these days. To that extent, I think we've also been able, because of the work that we've done, to develop a certain amount of expertise and knowledge with respect to privacy issues. We were extensively involved in the consultations regarding the Freedom of Information and Protection of Privacy Act. We developed a handbook called The Privacy Handbook in association with Darrell Evans and FIPA in 1994.

Most recently we've been involved -- again, extensively -- in consultations regarding Bill C-6, the Personal Information Protection and Electronic Documents Act. That has included consultations with Industry Canada. We have also made submissions to the Standing Committee on Industry and the standing committee that considered this matter in the Senate. So we have a fair amount of expertise to bring before you. I'd certainly entertain and want to reserve time for your questions.

My first submission. . . . I'm going to follow the outline I have in the paper that I've given to you. I should say that this paper is essentially a reworking of the submissions that we made to Industry Canada a couple of years ago when they also created a discussion document, with some changes and variations. Our first submission is that privacy is a fundamental right.

When the federal government put out its discussion paper two years ago, it talked about a variety of reasons why it might be useful to protect privacy of individuals in the private sector. They outlined ideas such as promoting consumer confidence. Indeed, the whole idea of electronic commerce and promoting electronic commerce was, I think, essential to Industry Canada's initiatives -- things such as technology's ability now to manipulate massive quantities of personal information. The private sector in reality, of course, is a very large collector of personal information now. It's not just

[ Page 44 ]

They also noted in their discussion paper that voluntary initiatives are apparently not enough. We have had the Canadian Standards Association code for some time. I'll talk about some of the principles that are enunciated in that code. But it is a voluntary measure. There have been difficulties with getting organizations, businesses, associations, etc., to sign on in order to provide some teeth and oversight and enforcement to those obligations.

[1555]

These are all great reasons -- very good, important, practical reasons -- but at base the reason for protecting privacy is because privacy is a fundamental value in society. I think Ms. Prosser with BCPIAC reviewed the constitutional aspects. We pointed to that in our discussion paper as well.

If I can take a moment to point out, on page 3, three important reasons for protecting personal information and privacy generally. One is to avoid harm. I think Darrell Evans spoke about the risk where organizations or other individuals hold your personal information -- and very sensitive information. The damage and harm that they can do to your life can be significant -- whether it be in a professional capacity or personal ways -- if that information is revealed to the public or others who may have some reason to know that. It can cause significant harm. That's one reason for protecting privacy.

Privacy is a central value within a free and democratic society. We are able to call ourselves a democracy because we're able to operate, undertake activities, interact or just be alone in ways in which the state can't interfere with those activities and indeed doesn't know about them. It's a hallmark of a democratic society where there's the absence of surveillance, the absence of the state or private institutions monitoring our personal behaviour.

The third important reason for protecting privacy is that it's important to our own psychological well-being, and I think everybody can understand that concept. Privacy is important to our own dignity and self-worth. It is important to being able to develop our own sense of identity -- who we are, what is important to us, etc. Being able to be alone, being able to experiment with ideas and practices, is what privacy is about. It's essential to our own identity; it's essential to our humanity.

As I said at the outset, the association is foursquare behind the idea of actual legislation to protect personal information in the private sector. One of the important principles that we would urge be included in any legislation is the application of a law to employees and not just organizations who are dealing with consumers, etc. There is a tremendous amount of technology today that allows employers to survey, to collect personal information about their employees. Indeed, the association consistently receives complaints -- in fact, probably more complaints from employees of businesses and organizations about the practices that are invasive of personal information and privacy of employees than general complaints with respect to consumers, for example.

Unfortunately, when we receive these types of complaints, there is really not much the association can do to assist them. We are often willing to contact their employer and say: "We'll raise this issue with your employer and raise the problems of this particular invasive practice." But not surprisingly, employees will say: "Well, that will jeopardize my job. Quite frankly, I don't want you to do that." The answer is: "There's no legislation, and there are no real protections for you. You're going to have to abide by the invasive practice of your employer or perhaps forgo the employment." Quite frankly, that's unacceptable.

So we would urge you as a committee to ensure that employees are protected in any future legislation. There's a precedent for this. Bill C-6 does include the application of its obligations to organizations and their employees.

[1600]

Just take a moment to look at this; it's quite astonishing. "The purpose of this medical questionnaire is to obtain necessary information. . .to have at our disposal. . . ." Well, it doesn't really say why they need this information. "Candidate's consent." The candidates must give their consent. They cover off consent. I'll have more to say about consent later. Consent is critical to protecting personal information. In our submission, though, it's not adequate. It's not absolutely a safeguard with respect to privacy.

If you look at the next page, "Personal history," just go through the questions. It's astonishing, the types of information that may be asked. "Did you ever consult a doctor, psychiatrist. . . ? Were you ever hospitalized? Date? Reason?. . . Did you ever use tobacco, alcohol, drugs? If so, in what quantity? Did you stop the use?"

Under family history: "Is there a member in your immediate family who suffers from particular illnesses? "If you answered yes to. . .the above. . . ."

"Additional information. Have you ever suffered from or have you been treated for one of the following illnesses?" It's extremely sensitive information. "Are you presently being treated by a doctor?"

I can say that with respect to the types of employment that these types of questionnaires are sometimes used for, the types of questions and the information that is sought bear no real relevance to the ability or the need of the employer to make a decision about whether the employee is qualified to do the job. It's not just medical information. It can be credit histories, etc. In our submission, there's a real need to ensure that legislation protects employees as well.

I mentioned briefly a moment ago that consent is an important and vital principle of fair information practices. But, in our submission, it alone is not adequate. On page 4 of our submission, we support the use of the Canadian Standards

[ Page 45 ]

Indeed, its use as a basis for legislation is relevant in this sense as well: there was an extensive degree of consultation among various businesses and organizations and private sector organizations and associations. The fact that there was consensus on these principles is important to note, I think. It's an important starting point for legislation. In other words, you have buy-in from the organizations that are going to be subject to these obligations.

But consent is not enough. I go back to the point that I have just made: that is, for prospective employees who have to consent to an invasive practice or not receive the job, consent may not be enough. But it may also occur in the consumer context. If there is an industry practice that certain personal information is sought, it's not necessarily an option for the consumer to go somewhere else, to go to another business, in order to receive the service that they're seeking.

We've suggested here that there be an additional principle added to the CSA code, and that is the principle of justification. However you want to word this, there must be some ability to assess whether the information being sought is reasonable, legitimate in the circumstances, appropriate in the circumstances. We think this is an important principle.

Indeed, there are precedents for this principle. If you look to the Quebec legislation, there is a provision in there that deals with the fact that information can only be sought where the information is needed for a serious and legitimate reasons. Article 6 in the European Community directive also refers to the fact that there should be legitimate purposes. The purposes, although they need to be identified, must also be legitimate. Again, there are some tests about what's reasonable, some tests about justification.

But most importantly, Bill C-6 has incorporated this principle. It actually did not in its first reading draft. After the industry committee deliberated, they made recommendations, and amendments were made to the bill. Now the bill states under section 5(3): "An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances." We think there is sound precedent out there for including such a principle.

[1605]

[J. Weisbeck in the chair.]

I won't take too much more time to go over in detail the points I've made in my submission. I will let you read them at your leisure. I will just cover off generally a couple of things. We've indicated that legislation must cover intrusive processes as well as records. We have a discussion about sectoral codes and about how a sectoral code would work -- whether it would have the force of law or be guidance to those that are interpreting the law. We have for you fairly extensive submissions on oversight. Indeed, this is a very important part of creating legislation.

I think the choice that your committee has. . . . If your committee decides that personal information in the private sector is worth some sort of protection, you have a choice between sort of a laissez-faire approach -- letting industry regulate itself, which of course it can do now. . . . You've heard from some groups who say that we've been doing this for many years. Interestingly, those groups have no problem with the legislation, which I think is important to note. But the fact is that there are many industry organizations and businesses out there that aren't necessarily regulating themselves to the extent that we would like.

Indeed, there's not much in the way of oversight or enforcement when an individual has concerns about the intrusive practices of an organization. That's the linchpin of any new regulatory scheme: what the enforcement mechanism will be. We've offered some suggestions about the principles that should animate an enforcement and oversight regime. We've suggested some models with respect to a combination of an ombudsman-like agency, such as the information and privacy commissioner, with an actual tribunal or indeed a court that would be able to actually pronounce on claims about violations of obligations in an act.

Just to close -- well, not quite to close -- we've made some miscellaneous submissions on page 11. Any regime that is created is obviously going to require adequate resources and funding. I think that's a clear message that you as legislators understand. If you create law, even if it has the legislative teeth, if those that are charged with the administration of the law don't have the ability to undertake, for example, proactive audits with respect to organizations and businesses, it's going to be difficult to ensure that privacy is really protected.

The thing to remember about privacy is that individuals in society, citizens, often don't know that their personal information has been violated, disclosed or shared until much after the fact. That's one of the reasons why we think there actually needs to be a significant authority to do proactive audits and to make sure that there is prevention, before any inappropriate practices occur or before there is a violation of obligations.

Public education is important. I think British Columbians are just beginning to become aware of the extent to which their personal information may be floating around amongst businesses. Personal information is an extremely valuable commodity these days. Legislation would actually provide a very important public education tool. Once legislation is created, there needs to be public education amongst the organizations that will be subject to the obligations but, as well, to the individuals who have the rights within that law.

Harmonization. I note that there's a couple of good reasons for harmonization. We're certainly empathetic to businesses that want to make sure that there is some consistency about rules across jurisdictions. That makes sense. Secondly, you should note -- if you don't know, and you probably do -- that Bill C-6 permits exemptions from the legislation where a province has created legislation substantially similar to the federal law. So there are good reasons for harmonization.

A couple of points in conclusion. There was a suggestion from the very first speaker that. . . . He preferred the idea, which is being followed in Alberta, of waiting three years until the act -- Bill C-6 -- will be applicable to the provinces. He cited Alberta, again, as the idea of a way to go. I would urge you not to follow that approach. It's not clear to me, especially after the discussion that we had about health information, that Alberta is a leader in this field. I would think that the British Columbia government, which is considered a leader with respect to its public sector legislation, would want to be a leader on the private sector side as well.

[1610]

[ Page 46 ]

I do have, and this may be. . . . I see that Mr. Kasper is not here, although he seems to be very interested in the Quebec experience. I did want to. . . . A question that was noted earlier -- and I think I'll just make a note of this -- was: what about the Quebec experience with respect to health information? Something for you to think about, which I have learned, is that Quebec actually undertook a legislative review of its private sector privacy legislation within, I believe, the last year or two.

Interestingly, with respect to health information, there was no submission to the committee that was reviewing that legislation made from a private sector health organization that objected to the fact that this law exists and imposes obligations on private organizations in the health care field. So I think that's a telling remark with respect to those that want to raise the bogeyman of legislation in the private sector.

Thank you. I'd be happy to hear your questions.

J. Weisbeck (Deputy Chair): Thank you very much. Any questions from the committee? Katherine, do you have a question?

K. Whittred: Yes. I'm just trying to think of how to word this question. I am interested in your recommendation that one more thing be added to the code, which is justification. I just want to ask you: how would you define justification, and who would then determine whether that information is in fact justified?

M. Mollard: Well, it's a good question. Remember here that there are three aspects to regulating personal information or privacy, and they are collection, use and disclosure. Collection is the key -- right? It opens the door. Once you open the door, you can create protections for use and disclosure. But those really are, in a way, subsidiary to the ability of an individual -- and this is what we're talking about here, self-determination for individuals -- to make choices about with whom they want to share their personal information. So, in our submission, it's very important that there be some additional principle about justification.

What would be justification in any particular circumstances? My guess is that in the vast majority of cases, there will be a good reason for requiring personal information in order to provide a service of some sort. But there may be grey cases.

The question is: who's going to make that judgment? In the suggestions that I have with respect to oversight, there ultimately would be some sort of adjudicative body -- whether it be a tribunal or a court; there are options there -- that would make a decision with respect to whether a private sector organization has made a case that there is a reasonable justification.

Let me give you an example. One of the issues that we come up against is drug testing in the workplace. It's not uncommon; we get quite a few calls on this. Indeed, part of it is because the practices in the United States are rampant with respect to drug testing in the workplace. There could at least be a debate about whether, with respect to safety-sensitive jobs -- truck drivers, airplane pilots, railway operators, heavy-machinery operators and what have you. . . . There is an arguable case that there may be a need for some sort of assurance that someone is impairment-free -- certainly impairment-free -- and substance-free. We actually don't think it's a compelling argument. But at least there's an argument there with respect to safety-sensitive positions.

Drug testing in the workplace has expanded much beyond safety-sensitive positions and in some cases applies to employers requiring people who work at desks and who have desk jobs to provide urine samples in order to do an analysis. We would say that there is a real question there about whether that seeking of personal information can be. . . . Indeed, drug testing can provide an incredible range of very sensitive personal information. We'd say that there's a real question about whether that's an appropriate practice.

We think that if you're going to be serious about protecting privacy and making personal information rights effective, you're going to have to give some sort of adjudicative body the ability to make a judgment call about whether, in any particular case, there will be a justified reason for that collection. That was a long-winded answer to your question. I apologize.

J. Weisbeck (Deputy Chair): Just one comment: it's sort of an interesting dilemma here. We're talking about harmonization. In one case, some provinces are talking about waiting for the federal government to come up with a plan and then maybe adopt the plan -- maybe not. Yet you're suggesting that as a province, we should carry on and develop our own. We may come up with a very, very good option that everybody else might adopt. But by the same token, it's obviously a dilemma to get some sort of standardization across the country.

[1615]

J. Weisbeck (Deputy Chair): Go ahead.

M. Mollard: Yeah. I mean, Bill C-6 has obviously occupied the field in a sense, in that it's providing a set of provisions that provide a blueprint, I guess. Indeed, there's the clause about substantially similar legislation in the provinces that would exempt an organization from the application of Bill C-6. Clearly I would think that there's an opportunity to meet or beat Bill C-6, if this committee thinks that there are some deficiencies with Bill C-6. I actually think there are -- with respect, for example, to oversight. The privacy commissioner of Canada, for example, will only be able to undertake audits where he has received information on reasonable grounds to undertake an audit. I think that is inadequate with respect to being proactive to ensure obligations.

There is a blueprint there. I think there is now a blueprint for provinces to follow. I mean, there's going to be disagreement. Indeed, this is a very new field, and there's going to be a learning process. I don't think Bill C-6. . . . There is actually quite a bit of consensus about it being a workable piece of legislation. You'll get lawyers talking about why the obligations are in a schedule instead of the actual body of the act, etc. You know, there may indeed be -- and I'm sure there will be -- the need for adjustments to it. I think there is a four- or five-year legislative review built into that act.

I can tell you, as someone who receives complaints from individuals, that I don't want to wait any longer. For example,

[ Page 47 ]

J. Weisbeck (Deputy Chair): Do you feel this requires a separate act, or could we take our existing Freedom of Information and Protection of Privacy Act and modify it to include the private sector?

[R. Kasper in the chair.]

M. Mollard: I think you're going to need a different act. You might be able to provide the office of the information and privacy commissioner with roles under both acts, but I think you're going to need a new act. For example, one of the interesting points about the Freedom of Information and Protection of Privacy Act is that, as I was discussing earlier, it in fact gives you as government the final say with respect to collection. There is no principle of reasonableness or justification. We've had our fights with you as government about the collection of personal information -- for example, the area around the consent forms with respect to social assistance. There have been real debates about that. The information and privacy commissioner has no role except to make sort of public comment, perhaps moral suasion.

We think, in the private sector, it's worthwhile having some sort of adjudicative body. At least you as elected representatives are accountable in some way to the public. There is an argument there that at least, you know, there is a means for public accountability. There would be no such means with respect to the private sector.

R. Kasper (Chair): I have a question: what's your view on this kind of self-regulating entity?

M. Mollard: Unfortunately, you probably missed some of my submission, and I'm happy to repeat it.

From the outset, I think we're foursquare behind the idea of legislative protection. You may want to talk to some people who have been involved with the Canadian Standards Association code. There was hope that there would be a great deal of buy-in, in the sense that once the code was developed, groups would sign on, and there would be some ability for, in a sense, enforcement. I think the reality of that has been mixed at best. There haven't been that many associations or organizations or businesses that have actually signed on so that there is some enforcement. The linchpin of protecting privacy and personal information will be a system or a regime of oversight and enforcement, and quite frankly, voluntary codes, etc., aren't going to do it.

[1620]

R. Kasper (Chair): Okay. What I was really driving at is that you could have legislation, which is what you're advocating, but then there has to be a sort of police mechanism. You know, under existing provincial legislation, you have self-regulating bodies that do their own internal policing -- have a kind of complaints division. Then it's been suggested that perhaps the role of the existing information and privacy office would be the sort of court of last resort -- failing to get resolution at self-regulating. . . .

M. Mollard: Let me sketch. . . . On page 9, section 6, "Oversight," we've sketched a little bit of a skeleton of how an oversight regime might work. We don't want to make this burdensome for business; we want to make it as efficient as possible. One of the principles we've suggested is that anybody who has a concern about businesses' practice with respect to collection of personal information ought to go -- there might be some real exceptions, if there are really bad relationships -- and make their concerns known to the organization in the first instance and give the organization an opportunity to resolve that. If that's not satisfactory to the complainant, then you can go elsewhere -- the information privacy commissioner, perhaps. Failing that, we've suggested that you can actually go to sort of an adjudicative body.

We've also suggested, though, that not every complaint necessarily go to an adjudicative body. I mean, one can think of relatively trivial complaints versus relatively significant ones. So there might be an argument that there be a scheme set up in which you have some responsible authority deciding where complaints are of a serious enough nature that they should be permitted to go forward to an adjudicative body. I tried to sketch something there. I mean, obviously there's lots of details to be worked out, but I think it gives you an idea of our thinking, anyway.

R. Kasper (Chair): Okay. Great. Thank you very much.

M. Mollard: Thank you for the opportunity. And good luck.

[1625]

Just before you start, we're pretty informal here. You have anywhere between ten and 15 minutes to make your presentation, and then the committee members may choose to ask questions. I think you're our last presenters before we break, and you're early as opposed to late -- considering we started half an hour late. So go ahead.

A. Macdonald: I would like to thank the committee for having the Canadian Bar Association appear before it. What I intend to do is basically follow my submissions to you. . . . Perhaps I could get some indication whether or not you've had an opportunity to look over the submissions previously. If you haven't, I'll pretty much follow them verbatim.

At page 1, then. On May 19, 1999, the Canadian Bar Association Subsection for Freedom of Information and Pri-

[ Page 48 ]

With impending passage of the federal legislation and the apparent necessity to implement a provincial counterpart, we hope it will be productive to share the reasoning for our view that the institution of a regulatory office and framework is prudent and even necessary. Our reasoning is that implementation of such a framework is likely necessary in order that members of society can, in this so-called new information age, continue to enjoy certain values and practices often taken for granted but, once unveiled, claim status among our society's fundamental building blocks.

We think it important to take positive focus on these values and practices. This is no mere academic enterprise. The consequences and implications of implementing legislation regulating information about ourselves -- our pasts, our aspirations, our hopes and failures -- are breathtaking. Among other things, legislative committees contemplating proposed legislation are charged with the responsibility of informing constituents regarding the consequences and implications of this legislation. These will only be communicated and understood with reference to the values and practices according to which these constituents actually conduct their lives.

Implementation of provincial legislation raises questions regarding jurisdiction and the exercise of discretion. To what degree should the province be prepared to implement and administer legislation nearing the proposed federal regime? To what degree should provincial regulators, rather than the private sector, have power to determine the purposes for which private sector organizations can collect personal information? Answers to these and similar questions must ultimately be answerable with reference to the values according to which British Columbians live their lives.

It is noteworthy that an important component of the debate regarding the federal government's now renumbered Bill C-6 is that the import and significance of the proposed legislation has gone largely unnoticed. This reflects something about what the cognoscenti anticipate about the public's response to the proposed legislation. It is reasonable to anticipate that the public will be somewhat shocked. There is reason to be shocked.

Both intuitively and jurisprudentially, there is something ominous about this proposed legislation. Constitutional theorists in Canada have never pressed very strong on arguments regarding what the framers of our constitution intended -- arguments, that is, regarding the intended role of our government and the limits placed thereupon.

More than a few Canadians, though, will legitimately wonder aloud whether government should be in the business of regulating the private sector's retention and use of what is termed personal information. Similarly, constitutional theorists will wonder how the distinction between public and private -- between where government can claim a legitimate state interest and where it cannot -- can be maintained once the government embarks upon this modality of regulation.

[1630]

It is likely, though, that neither policy explanations nor survey data will prevent the inevitable public outcry about data policing that will follow upon the implementation of this legislation. If there are any doubts that the legislation will be deemed draconian at least by some, we only have to consider that the net effect of sections 18 to 20 of Bill C-6 is that the federal privacy commissioner will have power to enter any place of business without a warrant to audit a private organization's personal information management practices and, if happening upon any information relating to an offence under any law of Canada or a province, may freely disclose that information to the relevant Attorneys General.

Other serious consequences lie in how the legislation will be administered and enforced. For example, paragraph 4.2 of the code, attached as schedule 1 to Bill C-6, entitled "Identifying Purposes," provides enormous scope for regulators to review and circumscribe the purposes for which private sector organizations collect personal information.

I should add there that I'm a little bit hesitant about the word "circumscribe." It may be a little bit strong, in that the commissioner has powers of recommendation. I do feel, though, that the drafting is serious enough that we should at least consider the possibility of circumscription, given that the federal court will have plenary powers of review and can potentially provide its views upon what are legitimate and illegitimate purposes for gathering information. That said, whether or not the actual power is there on the part of the commissioner to circumscribe is, I think, an open question. I think it's a serious question, though. I'll continue.

It is not hard to see that regulators and private sector organizations will be divided about the legitimate purposes for collecting personal information. It is more difficult to determine which of the two in any given circumstance should prevail in the debate. Deciding which interest should prevail over the other will be a delicate task, like the decision to implement the legislation itself. This task must be premised upon an understanding of our practices and values, which render the legislation a necessary and productive step in our regulatory evolution.

What is it about the norms and values that we embrace in this social order that makes this proposed legislation necessary and productive? Regulators and politicians alike require a well-developed understanding of these norms and values in order to exercise their judgment and, in turn, to explain to the public how it is and why it is that they have done so.

The significance of privacy and personal information in the information age is apparently self-evident, though it has

[ Page 49 ]

The test will come when all private organizations are forced to allow in regulators with the power to audit and circumscribe the powers for which personal information is gathered. More likely than not, substantial members of the private sector will loudly raise the concern that there can be no privacy when public authorities have such all-encompassing powers. By allowing government to review and regulate personal information, it will be asked what is left of this information that is personal at all. Anticipating this collision of concepts, it is useful to bracket the concepts of privacy and personal information to consider what practices in our lives these concepts attach to and why it is that these practices are useful in conducting our lives.

[1635]

Many small towns have been subsumed into more densely populated urban centres. Small-town inhabitants now engage in and depend upon international trade. Despite this demographic shift, however, we largely harbour -- and I mean we in this society -- the same outlook as do small-town inhabitants, who expect to be treated by merchants and politicians alike according to their reputations and do not expect that treatment to change haphazardly on a day-to-day basis. We residing in more complex societies expect to enjoy similar treatment based upon a similar foundation of integrity -- integrity not based so much upon our reputations known by those familiar with us but on the integrity of the information about us. This is available to innumerable persons with whom we have dealings, some of whom we will ultimately form personal and business relationships with that will help secure our welfare and that of our families.

The simple truth is that the lives we enjoy today and aspire to have in the future are predicated upon maintaining the integrity of the personal information retained and disseminated in the information networks that we have built around us. Consider for a moment the dangers of failing to maintain the integrity of this information. If not properly reminded, the small-town butcher may forget to set aside a special cut of beef. In highly populated urban centres, a failure to provide timely and accurate data can result in utility or health services being dangerously interrupted.

On the information highway, the accuracy of personal information will be a key, if not the central component, to the success or failure of every participant's endeavours. In order to continue to enjoy the integrity of our personal information, we need to institute a system designed to protect that integrity. The goal of protecting information integrity does not, however, prescribe that we institute a particular regulatory format.

It should be noted here that the subtext of much of the debate regarding this proposed legislation pits the individual against the faceless, voracious and untrustworthy information conglomerate. This is unfortunate, because it obscures the fact that so much of what we expect to enjoy by embracing informational integrity is actually the product of private sector actors who have risked, innovated and created new economies of scale, ultimately enhancing our standard of living. Increasingly, our expectations will be trained upon the information industry, where the configuration and delivery of data will, we hope, have a positive impact on our future standard of living. Successful implementation of a regulatory system requires a keen awareness that a balance must be struck between the need for informational integrity and the demands of risk-taking innovation which are thrust upon and assumed by the private sector.

The immediate concerns for those interested in maintaining a productive balance when implementing a provincial counterpart to Bill C-6 are as follows.

(a) Reviewing the scope and purported application of Bill C-6. Section 30(2) of Bill C-6 is drafted such that the legislation will purportedly apply to the province three years after coming into force. Section 30(1) is drafted such that the legislation will purportedly apply immediately to the collection and use of personal information by the provincial private organizations, where that collection and use occurs out of province.

These sections require immediate attention by provincial regulators in order to determine whether they are satisfied that the federal government has jurisdiction to impose this legislation as drafted upon the provinces. If provincial regulators believe that the federal government lacks jurisdiction -- of course, what I mean is if that's what your lawyers are telling you -- then you're more or less responsible to consider what and if and how the province should respond to this federal initiative.

[1640]

Constitutional jurisprudence currently requires that a person has standing in order to challenge a search warrant executed to seize information and/or property. In order to claim such standing, an individual must have a legitimate expectation of privacy, any information and/or property and

[ Page 50 ]

(c) Educating British Columbians. This is obvious. While regulators ponder the policy questions, they must spend most of their time in efforts simply educating British Columbians about the potential impact of the federal legislation. The more time and money spent educating the public, the lower the transaction costs will be for the transition from one regulatory regime to the next.

I have one thing to add here. In my view, this committee should be very interested in putting its mind to adopting or obtaining some methodology by which it could consider the transaction costs involved in implementing the legislation. People that I talk to in the community often observe that there's no such model -- no concern about costs and benefits. The transaction costs are so potentially serious here that the committee should, in my view -- and with respect -- do its utmost to consider what could possibly be an adequate model to consider what those transaction costs might be.

(d) Balancing interests productively. Integrity in personal information collection systems is a social good. So too is an efficient market. Whatever the legislative framework regulators impose on the private sector, transaction costs will also be imposed. The costs imposed upon the private sector must be seriously considered when finalizing policy on the administration and enforcement of any proposed legislation.

To what extent should a publicly appointed commissioner be empowered to review and influence the purposes for which private organizations collect personal information? In the ever-burgeoning information economy, to what extent will this power allow the commissioner to effectively determine a private organization's business purposes? To what extent should the definition of the purposes of private information gathering be delegated to industry groups? And to what extent could such delegation result in industry groups imposing standards themselves which prevent robust industry competition by preventing market entry by new visionaries who have reconceived how and why personal information should be gathered?

These questions of policy must be asked and answered with this province in mind. Our federalist system allows for many things, including competitive federalism. Whatever model the federal legislation takes, it may not be the optimal model for our province to adopt; our provincial regulators should adopt and administer a model optimal for British Columbians.

Those are my submissions.

[1645]

S. Rennie: No.

R. Kasper (Chair): Questions from the committee? Just out of curiosity, when Quebec brought in their legislation, was there a similar presentation or something presented to the Quebec government?

A. Macdonald: Are you asking: on behalf of the Canadian Bar Association?

R. Kasper (Chair): Yes.

A. Macdonald: I'm going to ask my colleague if he. . . .

S. Rennie: The national CBA did provide submissions to the government, and the provincial branch of Quebec did provide submissions as well. I haven't read them, but I know that they've been made. If the committee would like, we could certainly provide those in support of our submission.

R. Kasper (Chair): Okay. I only ask that because Bill 68 in Quebec is operating, or it's there, and Bill C-6. . . . We don't really know what impact, if any, it's going to have. This committee can only make recommendations, and we wouldn't want to assume anything.

On the question of international law, Canada had to comply as a signatory to the European Union directive that brought us to where we are now. Do you have comments relating to the legal obligations of countries like Canada or the United States or any other countries that have signed the directive and have taken the steps to bring in either regulations or legislation to comply with what is happening in Europe? What do you think is going to happen to, or do you have comments relating to, those countries that may not want to either be signatories or fulfil any obligation for regulations or legislation which could create havens for those who don't want to comply -- the corporate entities that would operate outside of the country but have direct access to consumers in the country with no barriers in place? Do you have a comment on that? It's a mouthful, but. . . .

A. Macdonald: I think my general comment is that this initiative to regulate personal information -- or where we stand vis-à-vis this initiative, I should say -- is similar to a time when, say, we didn't have chartered banks. As I recall, there was a bank called Macdonald's bank in Victoria in the 1800s, and it was a big, successful bank. It was wiped out by bank robbery. But that said, as we know, when there were small banks, there was money circulating around the banks or in the neighbourhood. When you got further outside of those neighbourhoods, it was harder to get rid of that money, and it didn't have as great a value. There was more competition, and bigger banks came in and wiped out those banks. Then, finally, we got into central banking.

[1650]

[ Page 51 ]

R. Kasper (Chair): Are you suggesting that the province of British Columbia should do that? Bill C-6 won't kick in -- what does it work out to? -- for three years.

A. Macdonald: Three or four years.

R. Kasper (Chair): Yeah, three to four. So a lot can happen in three to four years, either through technological advancements or whatever.

A. Macdonald: Could I ask you what you are referring to when you say that British Columbia should do this? Do you mean pass legislation?

R. Kasper (Chair): Well, to do the same thing as Canada or Quebec have done.

A. Macdonald: I think that we should dedicate a serious amount of resources to becoming expert in this form of regulation and that that should be done as soon as possible. Any moneys spent now will serve us well, because we have to be prepared, in any event, to meet this challenge -- the challenge faced by both the federal legislation and what the rest of the world presents to us.

K. Whittred: I am interested in your almost very last remark. It's right on page 11, the paragraph above the conclusion. You talk about the extent to which regulation prevents new vision in the market, and so on. I'm just a little bit befuddled about exactly where you're going with that argument. Could you enlarge a little bit, please?

[J. Weisbeck in the chair.]

A. Macdonald: Sure. I don't mean to sound like a real woolly priest type; I'm more your meat-and-potatoes kind of person. That said, my idea is this. It should at least be considered or. . . . I'll try to make the point as simply as I can. One wonders if there's going to be sufficient power, or if power will be claimed, on the part of regulators. I include the federal court because the federal court is mentioned in the bill. Let's say a superior court, a section 96 court -- the Supreme Court of B.C., for instance. We should consider whether or not there is sufficient power there for the public authorities to review and start to develop a jurisprudence about what a legitimate business practice is.

[1655]

K. Whittred: Okay. I'm still unclear. Are you talking about innovation in the information-gathering sector?

A. Macdonald: Absolutely.

K. Whittred: In other words, you're talking about businesses that would be the ones that gather the data, mine the data -- as we say -- warehouse the data, and all of that stuff.

A. Macdonald: Yes.

K. Whittred: Okay, I understand that. So what you're suggesting here is. . . . You're implying that you feel that there's too much regulation and that that would. . . .

A. Macdonald: I do not lean one way or the other, saying that there is too much or too little. All I'm interested in conveying is that it should be a serious concern -- whether the public wants to take steps in imposing parameters and dictating what is and what is not a legitimate reason for obtaining personal information, because there is a danger that we're going to lose out on the innovation. In theory, there are people in the future who will dream up ways of configuring and obtaining personal data that may be of great benefit to society. They may achieve great economic efficiencies not yet dreamt of -- and, I might add, it won't be dreamt of -- by the federal court or regulators, because there's no particular incentive for the federal court or the regulators to develop these efficiencies in the way that there is in the private sector. We've got to be concerned that resources are allocated efficiently and that the private sector can operate efficiently.

J. Weisbeck (Deputy Chair): There's been a lot of discussion today about harmonization standards and that sort of thing across the country, yet you've suggested that the province should have its own act. How do you do that? You're suggesting individual. . . . Yet how do you arrive at some sort of standard that works for everybody?

A. Macdonald: I'm not Mr. Harmony. I think that federalism is premised on inequality of a sort and also competition. I think it's generally recognized that the provinces are always going to be competing with each other. If we didn't have that sort of competition, we would never have had Canadian health care. I think we try to adopt the view that competition is a healthy thing.

I think that we shouldn't quickly adopt the view that harmony is the be-all and end-all. I'm concerned about being led by the federal government into a new regime without considering balancing the values that I've tried to address in my submissions. I think that we should be doing that. I don't think that we can be satisfied that the federal government is particularly interested in doing it for us, so I urge you not to be too easily persuaded by people urging that this all be a harmonious regime.

[1700]

Thank you very much. We appreciate that. You'll be getting a copy, I assume, of the proceedings from Hansard.

That concludes our witnesses for this afternoon, so we're going to take our dinner break now, a little bit earlier. Then we'll reconvene at 6:30 -- okay? That's great. Thank you.

The committee adjourned at 5:01 p.m.

[ Return to: Legislative Assembly Home Page ]

Copyright © 2000: Queen's Printer, Victoria, British Columbia, Canada