Archived — Government Response to the Fourth Report of the Standing Committee on Access to Information Privacy and Ethics
Archived information is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)
Mr. Tom Wappel, M.P.
Standing Committee on Access to Information, Privacy and Ethics
House of Commons
East Block, Room 115
Ottawa, Ontario K1A 0A6
Dear Mr. Wappel:
Pursuant to Standing Order 109 of the House of Commons, I am pleased to respond on behalf of the Government of Canada to the recommendations made by the House of Commons Standing Committee on Access to Information, Privacy and Ethics in its report on the Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA), tabled in the House on May 2, 2007.
The Government of Canada extends its gratitude to the members of the Committee for their comprehensive review of PIPEDA. The Committee's thoughtful recommendations provide valuable guidance as the government continues to ensure that personal information is protected in a manner that reflects both the values of individual Canadians, as well as the needs of business in the information age.
The government would also like to express its appreciation to the many stakeholders, including the Privacy Commissioner of Canada, privacy advocates, law enforcement and victim groups, industry associations and individual businesses who appeared as witnesses and provided written submissions to the Committee. The views expressed throughout the review offer valuable insight as to how PIPEDA has functioned throughout its first five years of existence, and how its effectiveness can be improved going forward.
Overall, the government shares the Committee's observation that PIPEDA is not in need of significant change at this time. The Committee report usefully points to a few specific areas where the Act can be improved. Of equal importance however, the Committee has highlighted the need for greater education and awareness of privacy protection among both individuals and businesses.
I look forward to consulting further on a number of issues raised during the Review, including the proposed legislative improvements that will ensure that PIPEDA continues to merit its long-standing reputation as a world-class model for the protection of personal information in the private sector.
Minister of Industry
Government Response to the Fourth Report of the Standing Committee on Access to Information Privacy and Ethics
In May 2007, the Standing Committee on Access to Information, Privacy and Ethics ("the Committee") concluded its review of the Personal Information Protection and Electronic Documents Act ("PIPEDA"), pursuant to section 29 of the Act. During the process of the review, the Committee heard from 67 witnesses and considered 34 submissions from individual Canadians and Canadian organizations. In its Report, the Committee presented 25 recommendations to the government, addressing key issues raised during the review. The government has taken full account of the Committee's Report and its recommendations, as well as the full range of opinion presented as part of the Parliamentary Review, in considering what actions might be taken in relation to the Act and its implementation.
The Report of the Parliamentary Committee, consistent with the submissions it received, has underlined the critical importance of an effective legal framework for the protection of personal information in Canada. As the Committee points out, privacy represents a fundamental value for Canadians, and the management and use of personal data is crucial to the conduct of business, trade and commerce in a modern, information-driven global economy.
Moreover, the importance of privacy protection has dramatically increased in recent years with the emergence of the Internet and online commerce. As of 2005, 68% of Canadians use the Internet, and more than 82% of Canadian businesses are now online. According to Statistics Canada, the total value of online commerce in Canada in 2006 was $49.9 billion. These developments have thus greatly enlarged the capacity to collect, transfer, and process large quantities of personal information, creating new challenges for both industry and governments. Consequently, more than ever before, consumers and businesses can benefit from clear and effective safeguards for protecting and securing personal data, especially in relation to online business and electronic commerce.
Canada has responded well to these challenges. Internationally, Canada's privacy regime is recognized as one of the best in the world. In 2001, the European Commission recognized PIPEDA as providing "adequate" privacy protections for the purposes of the EU Data Protection Directive, thereby allowing the personal information of Europeans to enter into Canada without restrictions. In a 2006 study by Privacy International, a privacy advocacy group located in Great Britain, Canada's privacy regime was ranked second only to Germany in a survey of 37 countries. In particular, PIPEDA, alongside related federal and provincial legislation, has achieved an appropriate balance between privacy protection and the efficient management and use of information in a business environment.
We agree with the Committee that radical changes to the legislation are not warranted at this time, especially in light of the relatively short period of time the Act has been fully in force. The government further agrees with the Committee on the need and value of "fine tuning" the legislation and its implementation in a manner that strengthens the overall effectiveness of privacy protection in Canada. In this respect, the Committee's proposals for selective legislative changes and other actions are extremely helpful. In particular, the government commends those recommendations that are especially designed to:
- improve clarity and certainty with respect to key definitions and provisions in the Act;
- increase education and awareness of privacy protection measures among individual Canadians and organizations, especially small businesses; and
- maintain a flexible, "light-handed" approach to privacy regulation and oversight.
The government is committed to protecting the privacy of Canadians and, in concert with other interested parties, will take whatever steps are necessary to ensure Canada's laws and policies are meeting the highest possible standard of privacy protection. To this end, the government has reviewed the Committee's general findings and each individual recommendation of the Committee, noting below those which it believes merit priority attention in future work.
Response to Recommendations
The following section addresses each of the Committee's recommendations individually, pointing to where the government agrees with the Committee's conclusions either in whole or in part, and to those issues where further work or consultation is required.
Business Contact Information
"The Committee recommends that a definition of 'business contact information' be added to PIPEDA, and that the definition and relevant restrictive provision found in the Alberta Personal Information Protection Act be considered for this purpose."
This recommendation reflects the widespread view expressed to the Committee that the current approach to "business contact information" in PIPEDA is too narrow and is, therefore, inadequate in meeting the requirements for business communications in the information age. The government agrees that an amended definition of "business contact information", which is inclusive of business email and fax numbers, and which is sufficiently broad to account for changes in communications technologies, could provide more certainty about the business use of this type of data without detracting from the protections given to other types of personal information.
In this regard, the government will explore ways in which the protections established in the Alberta Personal Information Protection Act for business contact information can be incorporated into PIPEDA in such a way as to ensure that business contact information is excluded only if collected, used or disclosed for the purposes of contacting an individual in their business capacity.
Work Product Information
"The Committee recommends that PIPEDA be amended to include a definition of 'work product' that is explicitly recognized as not constituting personal information for the purposes of the Act. In formulating this definition, reference should be made to the definition of 'work product information' in the British Columbia Personal Information Protection Act, the definition proposed to this Committee by IMS Canada, and the approach taken to professional information in Quebec's An Act Respecting the Protection of Personal Information in the Private Sector."
The government recognizes that the issue of work product information is of great significance to a number of stakeholders. In its Report, the Committee has acknowledged the call from private sector interests to provide more clarity and certainty to PIPEDA in this area in order to facilitate business planning and to assist them in their efforts to comply with the Act.
At the same time, the government must consider the concerns expressed by the Privacy Commissioner and others regarding the risk of any unintended negative consequences to privacy that may result from an exemption of work product information.
In keeping with the general approach of PIPEDA, it is important to balance the need for a business-friendly privacy regime with the need for maintaining the existing level of privacy protection currently provided by the Act. In light of this, the government will commit to consult further and consider how organizational needs respecting collection, use, and disclosure of work product information can be accommodated in a manner that poses the least degree of risk to privacy protection.
As proposed by the Committee, consideration will be given to various approaches, including those proposed in submissions to the Committee and those contained in provincial privacy laws.
Destruction of Data
"The Committee recommends that a definition of 'destruction' that would provide guidance to organizations on how to properly destroy both paper records and electronic media be added to PIPEDA."
The government notes the Committee's recommendation to include a definition of "destruction" in PIPEDA. Recognizing a need for greater clarity in this area, a variety of provisions already exist within PIPEDA that provide direction pertaining to the destruction of personal information.
Consequently, it may be sufficient to develop non-legislative guidance to further assist organizations in disposing of personal information in accordance with PIPEDA's existing requirements. The government will work with the private sector and with other stakeholders to develop tools that can provide organizations with further clarity in this area.
Consent: General Principles
"The Committee recommends that PIPEDA be amended to clarify the form and adequacy of consent required by it, distinguishing between express, implied and deemed/opt-out consent. Reference should be made in this regard to the Alberta and British Columbia Personal Information Protection Acts."
The Government of Canada fully acknowledges the importance of meaningful consent to effective privacy protection. To this end, PIPEDA establishes a flexible legislative approach that takes into account the divergent needs and practices of the many organizations it captures.
In accordance with her mandate to develop information products to educate the public on the Act and its purposes, the Privacy Commissioner of Canada has produced guidance material that aims to assist organizations in better understanding and implementing PIPEDA's consent requirements.
To supplement these valuable tools, the government commits to consulting with stakeholders to identify possible areas where further guidance may be necessary, and develop tools in this respect. The government would welcome the participation of the Privacy Commissioner of Canada and her provincial counterparts in these and similar efforts.
Consent: Employee/Employer Relationship
"The Committee recommends that the Quebec, Alberta and British Columbia private sector data protection legislation be considered for the purposes of developing and incorporating into PIPEDA an amendment to address the unique context experienced by federally regulated employers and employees."
The government agrees with the Committee's recommendation and with a number of stakeholders, including the Privacy Commissioner of Canada, regarding the need to better account for the unique circumstances regarding consent in employee/employer relationships.
In studying privacy protection for employees of federally regulated organizations, consideration should be given to the provisions in the laws of Quebec, British Columbia and Alberta, as well as the recommendations of the Privacy Commissioner, to ensure that the privacy rights of employees continue to be protected under PIPEDA.
"The Committee recommends that PIPEDA be amended to replace the 'investigative bodies' designation process with a definition of 'investigation' similar to that found in the Alberta and British Columbia Personal Information Protection Acts thereby allowing for the collection, use and disclosure of personal information without consent for that purpose."
The government recognizes that the current process for designating investigative bodies has proven to be lengthy and cumbersome for applicants who need this designation under the Act to conduct investigations. The government also agrees with the Committee that the lack of consistency in s. 7 of PIPEDA with respect to exemptions for collection, use and disclosure of personal information is a source of frustration for some organizations in their efforts to detect and prevent fraud, particularly within the financial sector. However, consideration must also be given to the support expressed by the Privacy Commissioner and privacy advocates for the transparency of the current process, which provides for a public listing of designated organizations.
However, further consideration is required on the best alternative to the current process of designation. The government agrees that there is merit in examining the approaches taken by Alberta and British Columbia, which define the term "investigation" and allows collection, use and disclosure without consent for that purpose. In addition to making the process more efficient, and in accordance with the Government of Canada's Paperwork Burden Reduction Initiative, this approach would allow greater harmonization with the provinces. Therefore, the government will give further consideration the issue of how best to streamline the Act's provisions in respect of private sector investigative activity.
"The Committee recommends that PIPEDA be amended to include a provision permitting organizations to collect, use and disclose personal information without consent, for the purposes of a business transaction. This amendment should be modelled on the Alberta Personal Information Protection Act in conjunction with enhancements recommended by the Privacy Commissioner of Canada."
The government agrees with the recommendation, which reflects a general consensus among those who appeared before the Committee that PIPEDA should be modified to allow organizations to collect, use and disclose personal information as necessary for the conduct of business transactions, such as mergers and acquisitions.
The Alberta and British Columbia Personal Information Protection Acts provide models that can be drawn upon to accommodate the information needs of organizations engaged in business transactions while ensuring that individuals' personal information continues to be protected.
"The Committee recommends that an amendment to PIPEDA be considered to address the issue of principal-agent relationships. Reference to section 12(2) of the British Columbia Personal Information Protection Act should be made with respect to such an amendment."
Recognizing the Committee's observation that there may be confusion regarding the application of PIPEDA to situations where organizations engage third parties for activities that involve the collection, use and disclosure of personal information, the government proposes education and guidance as an alternative to legislative amendments. Therefore, the government will work with the Privacy Commissioner and other stakeholders to develop tools to provide further clarity on this matter.
Litigation Process / Legal Proceedings
"The Committee recommends that PIPEDA be amended to create an exception to the consent requirement for information legally available to a party to a legal proceeding, in a manner similar to the provisions of the Alberta and British Columbia Personal Information Protection Acts."
The government notes the Committee's recommendation and acknowledges that it was made in response to concerns expressed by certain stakeholders regarding the need to ensure that PIPEDA does not impede litigation procedures. However, the government does not share the Committee's view that such an amendment is necessary at this time.
"The Committee recommends that the government consult with the Privacy Commissioner of Canada with respect to determining whether there is a need for further amendments to PIPEDA to address the issue of witness statements and the rights of persons whose personal information is contained therein."
The government agrees with the Committee's recommendation to consult with the Privacy Commissioner, the legal community, as well as other relevant stakeholders, to determine whether an amendment to PIPEDA is needed to address issues of witness statements.
Individual, Family and Public Interest Exceptions
"The Committee recommends that PIPEDA be amended to add other individual, family or public interest exemptions in order to harmonize its approach with that taken by the Quebec, Alberta and British Columbia private sector data protection Acts."
The government agrees with the Committee's view that certain limited exceptions to PIPEDA's consent requirements may be warranted in order to address the concerns expressed by stakeholders regarding the disclosure of personal information in cases of natural disasters, elder abuse and other similar circumstances. However, in the interest of maintaining strong privacy protection, any amendment to PIPEDA should be narrowly defined to ensure that it will be used only for the intended purposes.
In considering options, the government will study the approaches taken in the Alberta and British Columbia Personal Information Protection Acts, as well as Quebec's legislation, An Act Respecting the Protection of Personal Information in the Private Sector.
Law Enforcement / National Security Interests
Recommendation 12 contains two related, but distinct, proposals for legislative amendment. The first pertains to the definition of lawful authority, and the second pertains to s. 7(3) and its exceptions from consent for disclosures of personal information.
"The Committee recommends that consideration be given to clarifying what is meant by 'lawful authority' in section 7(3)(c.1) of PIPEDA[.]"
The government considers the safety and security of Canadian citizens to be of utmost importance. In meeting this objective, it firmly believes that the information needs of law enforcement and security agencies can be met while respecting the right of privacy of Canadians.
The government wishes to confirm that the purpose of s. 7(3)(c.1) is to allow organizations to collaborate with law enforcement and national security agencies without a subpoena, warrant or court order. Organizations who share information with government institutions, including law enforcement and national security agencies, in accordance with the requirements of this provision, are doing so in compliance with PIPEDA.
The government acknowledges the concerns expressed by those engaged in protecting the safety of Canadians, regarding the current interpretation of s. 7(3)(c.1) by the certain private sector organizations, and the challenges that this has at times caused to the investigation and prevention of criminal activity in Canada.
The government therefore agrees with the Committee that there is a need to clarify the concept of "lawful authority" for the purposes of s.7(3)(c.1) of the Act.
"[The Committee recommends that] the opening paragraph of section 7(3) be amended to read as follows: 'For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization shall disclose personal information without the knowledge or consent of the individual but only if the disclosure is […]'"
As noted above, a clearer definition and understanding of what constitutes "lawful authority" would address the current ambiguity regarding organizations' right under PIPEDA to disclose personal information for the purpose of law enforcement or national security. The proposal to include in PIPEDA a further provision designed to require organizations to disclose personal information would be difficult to implement, given that the purpose of PIPEDA is not well-suited to such a requirement. For this reason, the government does not propose to implement this aspect of the Committee's recommendation.
- Date modified: