Definition of "Government Institution"
Recommendation 13
"The committee recommends that the term 'government institution' in sections 7(3)(c.1) and (d) be clarified in PIPEDA to specify whether it is intended to encompass municipal, provincial, territorial, federal and non-Canadian entities."
Response
The government recognizes the benefits of providing clarity on the term "government institutions" and notes that a provision already exists in PIPEDA to grant the Governor-in-Council the power to make regulations in relation to such matters. As such, it would be possible to define "government institution" in the Act through regulation.
Industry Canada will examine the possibility of proceeding with a regulation that will further define the term "government institution" for the purposes of the Act.
Section 7(1)(e)
Recommendation 14
"The Committee recommends the removal of section 7(1)(e) from PIPEDA."
Response
The Government of Canada notes the recommendation of PIPEDA arising from the Public Safety Act, 2002 (s. 7(1)(e)), and acknowledges the concerns expressed by the Privacy Commissioner and others respecting the potential impact of this provision on the privacy of Canadians. However, given the important public safety interests it is designed to address, the government is not prepared to remove s. 7(1)(e) from PIPEDA at this time.
Personal Information of Minors
Recommendation 15
"The Committee recommends that the government examine the issue of consent by minors with respect to the collection, use and disclosure of their personal information in a commercial context with a view to amendments to PIPEDA in this regard."
Response
The government recognizes that the privacy of minors can be vulnerable, particularly in an online environment. In support of the Committee's recommendation, the government will consult with relevant stakeholders to examine the issue of consent by minors, and to consider the necessity and feasibility of amending PIPEDA in this respect.
Transborder Data Flows
Recommendation 16
"The Committee recommends that no amendments be made to PIPEDA with respect to transborder flows of personal information."
Response
While the government agrees with the Committee's recommendation that legislative amendments are not necessary, it is also important to recognize the privacy concerns raised by transborder data flows and the importance of addressing these challenges through international cooperation. As such, the government has long been committed to working with its international counterparts on these matters, and continues to do so. For example, Canada was involved in the conception of the Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted in 1980. More recently, Canada participated in the development of the Asia-Pacific Economic Cooperation (APEC) Privacy Framework and continues to be actively engaged in cooperative efforts to develop cross-border privacy rules in compliance with the Framework. Finally, the government is currently working with Mexico and the United States to address issues of transborder data flows in a North American context through the Security and Prosperity Partnership (SPP).
Personal Health Information
Recommendation 17
"The Committee recommends that the government consult with members of the health care sector, as well as the Privacy Commissioner of Canada, to determine the extent to which elements contained in the PIPEDA Awareness Raising Tools document may be set out in legislative form."
Response
The government welcomes the support expressed by the health care community and other stakeholders for the PIPEDA Awareness Raising Tools (PARTs) document. In concurrence with the Committee's recommendation, Industry Canada will work with Health Canada, the Privacy Commissioner of Canada, the health care community, as well as provincial and territorial governments to discuss the possible options for according the PARTs document more formal status.
Order-Making Powers
Recommendation 18
"The Committee recommends that the Federal Privacy Commissioner not be granted order-making powers at this time."
Response
The government agrees that the Privacy Commissioner should not be granted order-making powers at this time. This position is supported by the general view expressed throughout oral and written submissions to the Committee that PIPEDA is working quite well. In addition, the relatively short time for which the Act has been in existence warrants a cautionary approach to making significant amendments to the enforcement powers of the Privacy Commissioner. Rather, the Commissioner should be given additional time to make full use of the enforcement powers that are currently at her disposal.
Naming Names
Recommendation 19
"The Committee recommends that no amendment be made to section 20(2) of PIPEDA with respect to the Privacy Commissioner's discretionary power to publicly name organizations in the public interest."
Response
The government agrees with the Committee's recommendation that no legislative change is required in this regard. The Privacy Commissioner currently possesses the ability under PIPEDA to publicly name organizations that are subject to complaints, and should retain the discretion to determine when it is in the public interest to use this power.
Sharing Information with Other Data Authorities
Recommendations 20 and 21
Recommendation 20
"The Committee recommends that the Federal Privacy Commissioner be granted the authority under PIPEDA to share personal information and cooperate in investigations of mutual interest with provincial counterparts that do not have substantially similar private sector legislation, as well as international data protection authorities."
Recommendation 21
"The Committee recommends that any extra-jurisdictional information sharing, particularly to the United States, be adequately protected from disclosure to a foreign court or other government authority for purposes other than those for which it was shared."
Response (to Recommendations 20 and 21)
The government agrees with the need for the Privacy Commissioner to cooperate in multi-jurisdictional investigations. The global nature of the modern economy requires that the Privacy Commissioner be able to work with other authorities responsible for the protection of personal information, both in Canada and abroad, in order to fulfill her mandate under PIPEDA.
It further agrees that the Privacy Commissioner's current power to share information with her counterparts is too limited and therefore constrains her ability to work effectively in this manner. However, any agreements to share information with foreign authorities should include appropriate constraints to stipulate that information only be used in fulfilment of the purposes for which it is shared. This Committee recommendation is directly related to ongoing work within the Organisation for Economic Co-operation and Development (OECD), the Asia-Pacific Economic Cooperation (APEC) and the Security and Prosperity Partnership (SPP) directed at improving cross-border enforcement of privacy rules. The federal government and the Privacy Commissioner of Canada are both actively involved in these initiatives.
Solicitor-Client Privilege
Recommendation 22
"The Committee recommends that PIPEDA be amended to permit the Privacy Commissioner to apply to the Federal Court for an expedited review of a claim of solicitor-client privilege in respect of the denial of access to personal information (s.9(3)(a)) where the Commissioner has sought, and been denied, production of the information in the course of an investigation."
Response
The government acknowledges the Committee's recommendation in respect of the ability of the Privacy Commissioner of Canada to verify claims of solicitor-client privilege. The government also notes that in October 2006, the Federal Court of Appeal ruled on this matter in Blood Tribe Department of Health v. the Privacy Commissioner of Canada. Given that in March 2007, the Privacy Commissioner was granted leave to appeal before the Supreme Court of Canada, the government would submit that any legislative action to address the issue of solicitor-client privilege would be inappropriate at this time and that it will await the decision of the Supreme Court on the matter.
Data Breach Notification
Recommendations 23, 24 and 25
Recommendation 23
"The Committee recommends that PIPEDA be amended to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the Privacy Commissioner."
Response
The government recognizes that identity theft is a significant and growing problem and that the increasing frequency of large data breaches involving personal information is a contributing factor. It is also recognized that the majority of businesses act in good faith, and notify those affected in the event of breaches as a matter of course. Some, however, do not. In this light, the government agrees with the Committee that a legislative requirement for notification of data breaches would establish a consistent approach across the marketplace and encourage all organizations to take the security of personal information seriously.
As the Committee's Report acknowledges, public notification of data breaches is a complex issue with significant implications for organizations and individuals. There is a general recognition of the need in certain circumstances for notification to individuals or organizations who are impacted by a breach so that they can take steps to mitigate their risk of harm. However, as many breaches pose no real threat to the personal information of individuals, a requirement for public notification in all cases would be burdensome and costly to organizations and might even diminish its value to the public (through notification "fatigue"). Therefore, in the case of certain defined breaches, where a high risk of significant harm to individuals or organizations exists, the government supports a legislative requirement for the prompt notification of those affected by the loss or theft of personal information.
In addition, as the Committee recommends, a requirement to report any major loss or theft of personal information to the Privacy Commissioner of Canada within a specified time-frame, including the details of the incident and steps taken by the organization to notify individuals (or justification for not doing so), would allow for oversight of organizational practices. This will allow the Privacy Commissioner an opportunity to track the volume and nature of breaches, and the steps taken by organizations respecting the notification process when required. This would be particularly useful to small and medium-size enterprises (SMEs) that may lack the internal resources necessary to make notification assessments.
Recommendation 24
"The Committee recommends that upon being notified of a breach of an organization's personal information holdings, the Privacy Commissioner shall make a determination as to whether or not affected individuals and others should be notified and if so, in what manner."
Response
The decision as to whether or not individual notification is required in the event of a breach must be based on an analysis of the level of risk of harm on a case-by-case basis. Assuming appropriate oversight by the Privacy Commissioner of Canada, the organization experiencing the breach is well positioned to understand and assess the risks involved and to make a prompt determination regarding whether and how to proceed with notification of their customers, business partners, and/or the general public. Assigning the Privacy Commissioner the responsibility to decide on notification, as proposed by the Committee, would be a less effective alternative, as well as more burdensome for that Office from a resource perspective.
Recommendation 25
"The Committee recommends that in determining the specifics of an appropriate notification model, consideration should be given to questions of timing, manner of notification, penalties for failure to notify, and the need for a 'without consent' power to notify credit bureaus in order to help protect consumers from identity theft and fraud."
Response
The government recognizes that the determination of the specifics of the model, including "triggers" and "thresholds" for notification (to both the Privacy Commissioner and affected individuals) will be a critical element in the breach notification provision. Research, analysis and consultation will be required to arrive at the best model for Canada.
An important part of consultations will pertain to specifics for the purpose of developing effective and practical notification parameters as well as for the purpose of determining whether specific offences are appropriate. The issues considered will include the timing, form, content and mode of notification to individuals, and in addition, identification of which organizations, such as credit bureaus, should be notified in addition to the Privacy Commissioner. Clearly defined, industry-wide guidelines and standards would be particularly useful to SMEs that may lack the internal resources necessary to make notification assessments.
In a modern, information-based economy, a solid, efficient regime for the protection of personal information is vitally important for both consumers and businesses. For this reason, the government is committed to ensuring that Canadians continue to benefit from one of the highest standards of privacy protection in the world. It further recognizes the valuable role of PIPEDA in meeting this objective, and the importance of fine-tuning the Act where necessary.
The ETHI Report underlines the complexity and sensitivity surrounding many of the issues that relate to Canada's laws and policies for the protection of personal information. The government appreciates the efforts of the Committee in developing proposals for consideration which will significantly advance the goal of improving the legislation and its implementation. While stating its position on many of the ETHI recommendations, the government believes further work and consultation is needed in several critical areas before a full range of legislative and policy proposals can be presented for parliamentary consideration.
In moving forward, the government intends to conduct further consultations to ensure that any changes to PIPEDA and its implementation are the most effective possible. The government will consult with the Canadian public, other government departments and agencies, as well as provincial and territorial governments, and will take special note of the views of the federal Privacy Commissioner.
Further consultations will help establish a consensus with respect to issues where disagreement exists. In areas where a general consensus exists, consultations can help determine how they could be most effectively implemented. This process will also provide a final opportunity to raise any issues not reflected in the Committee's Report, and seek to address concerns expressed by law enforcement and national security agencies with respect to provisions in PIPEDA designed to protect their investigations.
Lastly, the public consultations will allow provincial and territorial governments to provide input into the review process, as changes to PIPEDA will have implications for the protection of privacy in all provinces and territories.
On the basis of the views received, the government will return to Parliament in the near future with specific proposals for both legislative and non-legislative action.