Today marked the fifth day of PIPEDA hearings, with the Canadian Marketing Association and FETCO (Federally Regulated Employers Transportation and Communication) taking centre stage. The gist of today's discussion from the witnesses – no order making power, a cautious approach on security breach disclosure, and a cut back on employee privacy rights. The MPs have begun to settle into specific issues, with the Conservative members focused on the compliance costs while the opposition members are more receptive to enhanced privacy rights within PIPEDA. Shiran Sabari provides a complete look at the discussion:
John Gustavson (Canadian Marketing Association)
The CMA believes that PIPEDA is good for both consumers and marketers, as the knowledge of how a business is able to collect and use personal information is important for the industry. He also noted that it is to every business's benefit to respect their clients' privacy and conduct their information gathering in a respectful way.
The CMA believes that PIPEDA has been successful in achieving a balance and that it is too early to determine if major changes are needed. There does, however, need to be greater awareness and compliance from small and medium-sized businesses. The CMA holds that the current model is appropriate and that the privacy commissioner should not be given the ability to enforce binding orders. With regard to security breach disclosure, there needs to be an organized and predetermined method of dealing with it. Organizations have a duty to inform the public; however, it would not be beneficial to alarm them every time there is a small breach. One needs to consider the impact of the notification.
He suggested that perhaps there should be a consultation with all the stakeholders to decide how this can be managed effectively. In general, he felt that consumers expect more and more from businesses, and in order to meet the needs and expectations of the public certain information needs to be gathered. However, this process of collecting information needs to be done in a respectful manner. Ultimately it is a balance and a compromise between personal information and the growth of businesses.
Don Brazier (Federally Regulated Employers Transportation and Communication (FETCO))
Employee rights are covered by several pieces of legislation including the Human Rights Act and Employment Act. Although PIPEDA may look like a commercial legislation, there are a lot of labour issues that arise. In particular:
1. The definition of Personal Information.
He expressed a concern about how personal information can be defined by PIPEDA. He said that there needs to be a distinction between personal information and business information. He gave an example of an employee's fax number and email address. He believes that email addresses and phone numbers belong to the employer and not the employee and should therefore not be viewed as personal information. He recommended that work email and phone numbers should be excluded from personal information and that a new definition should be created. A similar concern is that PIPEDA seems to define personal information to include opinions or evaluations made by a party in the course of their employment. He believes that this type of information should belong to the business (not the evaluator or evaluatee). He also suggested that PIPEDA adopt a similar approach to that taken by the privacy act in BC or Alberta, where the employee is deemed to give consent on the types of personal information discussed above. Similarly, in the BC legislation personal information does not include work information or product.
2. Formal Dispute Resolution Process
He is concerned that the information that needs to be provided to the employee (because of the PIPEDA legislation) makes it difficult to conduct an investigation that would be required by the Human Rights Act if there is a complaint of a violation. He believes that the definition of formal dispute resolution is too restricted and that this ultimately affects the confidence in the process. He believes that during the information gathering stages there needs to be confidentiality. He claims that individuals may be reluctant to disclose information if they fear that information will be given to the other employee.
Mr. Jim Peterson (Liberal)
Q. How do BC and Alberta legislation differ in terms of their effect on businesses?
A. Barbara Mittleman: Where personal info is actually employment information, business related information or necessary for the purpose of business information is not seen as personal.
Q. In regards to the fact finding issue: although I understand that certain employees will be reluctant to disclose information if they believe that it will be given to the other employees, I also think that if I am an employee who has been accused of something I should be able to refute it.
A. Brazier: It is a judgment call as well as a balancing act. On the one hand we want to encourage people to come forward and express their concerns, but if they do not feel confident in the process they are less likely to do so. Once information is confirmed, then info needs to be given to the employee; the confidence should only be given in the fact finding stage. He gives an example of a sexual harassment complaint and expresses a concern about a chilling effect if there is no confidence in the process.
Q. What happens in situations where there is a complaint but the company does not have enough proof to deal with the issue? Would the company keep the information and the accused never informed?
A. Cody-Rice: The law states that you can only collect information for the time that you need it. You are not allowed to keep information on file unless it is necessary.
Mr. Jean-Yves LaForest (Bloc)
Q. The committee wants to improve the protection of employees. Don’t you think that the Act should have a provision that makes companies who breach the act become public?
A. Gustavson: There are breaches and there are breaches. I gave someone else's email address last week; did I breach the act? If we get into the major privacy breaches, perhaps disclosure would be justified. In general, employers have to deal with many statutes; however, if there is harm to the public then perhaps disclosure should be allowed.
Q. What about those companies that continually make privacy breaches?
A. Gustavson: There are policies that deal with this issue. I believe that you need to use the power of publicizing breaches carefully. You should also note that the threat of making information public is a huge power. The privacy commissioner does have the power to release that type of information and often informing the company that that is what will occur if they do not comply is enough.
Ms. Carole Lavallee (Bloc)
Q. In almost every other legislation when someone breaches an act the public becomes aware of it. Why do companies receive this huge privilege? Why do they have chances?
A. Cody-Rice: It is not an automatic privilege; it is up to the privacy commissioner. Even if the privacy commissioner does not reveal at the outset, they can change their mind. Making the information public will affect everyone, and there are certain areas where PIPEDA is very vague and companies may be unaware of their breach.
Q. I am bothered that it is a one person decision whether information of the breach becomes public.
A. Gustavson: It is important to remember that disclosing names can do so much harm to the company. It is very economically damaging and it is a balancing act to determine whether information should be publicized.
Mr. Pat Martin (NDP)
Q. Recently there has been a do not call bill. Has this been implemented?
A. Gustavson: We have had our own since 1989 and it is free.
Q. Is the sharing of lists a regular occurrence?
A. Gustavson: Yes, but it is done with the consent of consumers. There are two levels of consent depending on the level of sensitivity. If the information is not sensitive, consent is deemed and there is an opt-out formula which is supposed to be easy to see and understand. For more sensitive information there needs to be express consent given.
Q. Have you heard of lists being sold based on religion or ethnic background?
A. Gustavson: No, but they probably exist.
Q. As far as do not call lists are concerned – marketers cannot do sequential dialing. Correct?
A. Gustavson: It is not appropriate; you never know when you will be calling a hospital emergency line.
Q. What regulations are there aside from the code of ethics?
A. Gustavson: You need consent to acquire disclosure and to use it.
Mr. David Tilson (Conservative)
Q. Is Legislation doing enough to facilitate business compliance?
A. Gustavson: The problem is lack of awareness. More education is needed.
Q. Aside from the penalty of disclosure of a company when they breach PIPEDA, are there any other penalties?
A. Cody-Rice: An individual can get an order from the federal court and obtain damages.
Q. Should Privacy Commissioners have these powers?
A. Gustavson: Giving order making powers to the privacy commissioner is not appropriate and it should not occur.
Q. Brings up an article from Front Line Security that deals with transborder data flow. He poses a question about whether there is a conflict between legislation that allows access to information and PIPEDA.
A. Cody-Rice: We have not found conflict, because if the information contains personal information we claim an exemption.
Q. Should the government or business categorize individuals in order to determine access?
A. Cody-Rice: The law forbids categorizing people. Everyone has the right of access to information.
Mr. Jim Peterson (Liberal)
Q. Recommendation #11 deals with ridiculous requests. How does one define that?
A. Brazier: If a person asks to receive everything with their name on it. It is not a fishing expedition. It is difficult on employers to find all the information.
Q. If I am an employee, is it not to my benefit to find out all the information about benefit?
A. Cody-Rice: At times it may be appropriate to make that request. But how often will it be acceptable? (E.g., 20 times in one year may be too much.)
Q. In regards to recommendation 13 – if an employee sues a company, why would the company need consent to receive company information to defend itself?
A. Mittleman: There have been situations where the union arms itself with the information and the employer has difficulty receiving it.
Mr. Wappel (Liberal) (Chair)
Seems a bit of a stretch. Can you provide a specific example of when this occurred and send it to the committee?
Mr. Ronald Stanton (Conservative)
Q. Recommendation number 2 deals with permitting employers to use information without the consent of the employee when dealing with routine business and relationship matters. Can you define the parameters?
A. Mittleman: We are not talking about selling personal information. We are only interested in labour situations. We are discussing situations where it is legitimate for business purposes.
Q. PIPEDA is an amalgamation of various stakeholders' interests. Some have said that is a weakness. What are your thoughts?
A. Gustavson: I think it is a strength. Privacy advocates are not looking to shut down businesses, and businesses believe it is in their interest to build public confidence.
A. Robins: A law that finds a balance is definitely a strength.
Ms. Carole Lavallee (Bloc)
Q. To use an employee’s personal information, when would you need consent?
A. Brazier: When we are talking about personal information we are only talking about using it for business purposes, nothing more.
Q. Is there a process where, when you get hired, you have to sign a consent form to release information?
A. Cody-Rice: Yes, it is a mandatory consent form for information that the employer needs.
Mr. Mike Wallace (Conservative)
Q. Should there be an extension before PIPEDA is reviewed? Have you had enough experience with it?
A. Brazier: Yes, we have had enough time with PIPEDA. We do not think that enough thought went into the employee relationship. Currently all the obligations that the employer has do not blend well with PIPEDA.
A. Gustavson: A lot of companies have not had the 5 years to use PIPEDA. Currently lots of learning of the provisions needs to be done. The amendments necessary are only to further explain the intent of the act.
Q. How much does it cost business to implement the act?
A. Cody-Rice and Mittleman: Explained that it costs a lot of time and energy.
Mr. David Van Kesteren (Conservative)
Q. We have talked about employer responsibility and rights. Have we put together an organization where there is a "ring of terror" because the policy commissioner can implement anything? What are the safeguards?
A. Gustavson: The commissioner has the ability to publicize and make recommendations. She cannot enforce any change. The most she can do is initiate an investigation and bring an issue to the federal court.
Q. Must there be a source to the request?
A. Cody-Rice: Yes.