Skip to main content
EVIDENCE

[Recorded by Electronic Apparatus]

Thursday, December 12, 1996

.1109

[English]

The Chair: I see a quorum, so I call the meeting to order.

Good morning, ladies and gentlemen. This is the Standing Committee on Human Rights and the Status of Persons with Disabilities. We are continuing our examination of the issues around human rights, privacy as a human right, and the impact of new technologies on privacy.

.1110

It's a broad field, as those of you who have been following these issues on your community channel know. We're covering physical surveillance, personal identification, and biological surveillance through a variety of different focuses, such as the smart cards, the ID cards, biometric technologies, fingerprinting, what we used to call spying and what that means now, genetic testing, and the whole field of biometrics. How far can we stretch the vision and the conflict between the right to management of the state and the right to maintain one's personal privacy, one's personal integrity? I think those are the issues. They're quite complex and that's where we're at.

Prior to opening the meeting, which is a meeting of the standing committee, I will have the various members of the committee introduce themselves.

I see a hand raised. The Hon. Warren Allmand.

Mr. Allmand (Notre-Dame-de-Grâce): Madam Chair, since this is our last meeting before the Christmas recess, I'm wondering if at the end of the meeting - I don't want to spend time while our witness is here - you could let us know how we're going to continue this into the new year and when we're going to prepare a report. I'd just like some direction on that.

The Chair: That's fine.

Mr. Allmand: I'd rather do it at the end, because this poor witness came the last time and was washed out by two votes and I don't want to take his time right now.

The Chair: This very kind witness is used to presentations before committee. Mr. Reddick, we have just a couple of housekeeping matters, and as the other two witnesses unfortunately can't be here today, I think you'll get the full time with the committee. There are two or three issues I think we will deal with and then we will move on to the interview with Andrew Reddick, who's the director of research of the Public Interest Advocacy Centre. I would appreciate your patience for a few moments.

In response to your question

[Translation]

and in this regard, Mr. Bernier, you must know that there has been a small problem.

[English]

The House read into the record the fact that this committee will travel and we will continue our examination of these issues, visiting five cities across Canada. Those investigations and that contact with the general public, which are to ascertain their views based on the three or four case studies we will develop and distribute to the invitees so that they have a chance to study it beforehand, will start approximately February 10 to run that week. I would ask the members to clear their calendar for the week of February 10 to 14.

There is one question that remains. As this is both an educational and a consultation process, we had asked that we be allowed to broadcast. Somehow or other the word ``broadcast'' was not in the motion to the House where you have to have permission to travel. We got permission to travel, but we did not get a final hearing on whether we have the right to broadcast. That is being cleared up, but the dates and the right to travel have been accorded, as has the budget for this undertaking.

[Translation]

Then, we'll be travelling from February 10 to February 14 from east to west, or is it the other way around?

A voice: In the West.

The Chair: We'll be starting in the West, in Calgary,

[English]

and then is it Calgary or Edmonton?

The Clerk of the Committee: Calgary.

The Chair: So it's Vancouver, Calgary, Toronto, Montreal, and Fredericton. We will be inviting witnesses or members of the general population who wish to attend. They can come from other parts of the provinces or the regions we will be visiting, and they would have to be in touch with our clerk, Mr. Wayne Cole, at the House of Commons. So invitations will go out.

.1115

We did interview and are in the process of hiring the consultants necessary to complete the task. I look forward to meeting and testing how people see the invasion of their personal privacy, DNA testing, reproductive technology, video cameras - all the new things we've been learning about, some of which are very important, some of which give us certain constraints. That's why we're very pleased to be hearing from you today, Mr. Reddick.

There's one other point I wish to bring to your attention. The members have taken their vote and the determination has been made as to the Centennial Flame Research Award. I would like to announce that Mr. Wayne Westfall of Kingston, Ontario, has been named the recipient of the 1996 Centennial Flame Research Award.

Mr. Westfall proposes to write about the life and work of Ms Francine Arsenault. Madame Arsenault is a woman well known to Canadians with disabilities and to the Standing Committee on Human Rights and the Status of Persons with Disabilities. Her tireless efforts, both nationally and internationally, to achieve the full and equal participation of persons with disabilities in the social and economic life of our country deserve great and much greater political and public recognition.

Mr. Westfall is the fifth recipient of the Centennial Flame Research Award, an award that celebrates both Canada's international commitment to the rights of persons with disabilities and the symbolism of the eternal flame on Parliament Hill.

The Centennial Flame Research Award Act was originated by Mr. Patrick Boyer, the former chair of this committee and of the 1985 parliamentary committee on equality rights. When he saw federal workers scooping up coins from the centennial flame's fountain one morning, he came up with the idea of using the flame's message of life, hope and continuity to raise awareness of the achievements of Canadians with disabilities.

In initiating this piece of legislation, Mr. Boyer was mindful of Canada's international commitments to ensuring the full participation of individuals with disabilities, commitments such as the 1983 Declaration of the Decade of Disabled Persons, which states that:

I'm really very pleased that this piece of legislation was enacted and this work was done in March 1991. The Centennial Flame Research Award Act promotes broad recognition of the achievement of persons with disabilities by annually funding a Canadian to research and produce a project aimed at publicizing the contribution to public life of persons with disabilities. The award comprises money collected from the Centennial Flame Foundation, plus any private and corporate donations made to the Centennial Flame Research Award fund.

We will be receiving our guest at some future date, and we look forward to welcoming someone who has removed the barriers and assisted disabled people.

This committee has been very active in the promotion of the rights of the disabled, and you have written two very important reports out of this committee. We are presently awaiting the findings of the task force, which will hopefully be able to implement those kinds of actions and activities on a political level that will enable better access and the removal of barriers for people in our society who have the right to full and equal citizenship, and our enabling of their reaching that goal.

I thank you all for your contribution in evaluating the participants who were good enough to send in their requests for consideration. Your thoughtful undertaking has resulted in Mr. Westfall being appointed.

We will be speaking to the Speaker of the House and the Senate to arrange a mechanism to honour Mr. Westfall very shortly.

.1120

Mr. Bernier.

[Translation]

Mr. Bernier (Mégantic - Compton - Stanstead): Do you want to raise another point?

The Chair: No, that's all. Do you have anything else?

Mr. Bernier: Did I get it right? Will we have as much time as we want to hear Mr. Reddick since the other witnesses asked to be excused?

The Chair: Yes.

Mr. Bernier: Mr. Reddick told me that Ms Vallée was here or would be arriving within a few minutes. Is that right?

[English]

Mr. Andrew Reddick (Director of Research, Public Interest Advocacy Centre): She expects to be here about 11:30, but she said to start without her and she will join me when she arrives.

The Chair: Okay.

[Translation]

We'll be very pleased to welcome her when she gets here.

[English]

Excuse me, do I have something that I have to deal with? No. Okay. It was a resolution for later, folks.

Mr. Reddick: Thank you for inviting me back again today.

Today I'm going to speak about the three areas of concern for the committee: surveillance; advanced cards and biometrics; and biological surveillance. Before addressing each of these areas, though, first it's important to establish a context of Canadians' views on data activities and practices.

As I mentioned last time, across both research studies with which I've been involved Canadians have continued to exhibit a significant level of concern about their privacy and their personal information. The hierarchy of concern for Canadians is affected by a number of factors. These include the types of information involved, the types of institutions involved in the transaction or activity and the level of trust accorded these, whether there is a social or personal benefit in a transaction, transparency about why the information is being collected and how it will be used, and the informed and ongoing consent about the collection, storage and primary and secondary uses of information.

While there are no absolutes about how these play out in everyday life, there are some very strong consistencies. Canadians differentiate their personal information in two fairly clear categories. They are general identification data, such as name, age, address, and so forth, and sensitive data, such as financial and health information.

I've passed out some charts. Please refer to the first one showing the personal information graph from 1992. The fairly innocuous information, such as name and age, did not exhibit a high level of concern by the majority of respondents. Age elicited extreme concern from 8.5%, while home phone and name were about 24%. However, there were very high levels of extreme concern about sensitive personal information, ranging from about 30% for buying habits up to 44.6% for financial information.

On the second chart about the type of data and organization from 1995, the same level of concerns were reaffirmed in this survey. We see that it's not just the type of information that creates concern but also the institutions involved and how that information is used. Buying habits, health information and the associated practices of selling or trading information led to responses, whereby over 80% of respondents not only felt that such practices were an invasion of privacy but were also unjustified. Where information transactions were confined to a single organization, for a specific practice and for which there was a clear benefit or trade-off, such as child support payments, charity calls or catching UIC cheats, there is much less concern. Even when sensitive information was involved, there was less concern.

The third 1992 chart relating to types of organizations also indicates that Canadians are very concerned about the use of personal information by some types of institutions over others. There's a greater comfort level with public institutions, one's employer or doctor than with businesses, particularly where there is no clear benefit, such as companies selling to people at home. Where there is some benefit, such as retail goods, telephone or cable service, concerns are mitigated somewhat.

In general, Canadians consider practices such as uninvited calls or those involving the use of general information such as name and address more as minor privacy violations, intrusions or nuisances. Other practices, such as the trading, buying and matching of personal information, especially sensitive information, even when done by the public or private sector, are considered as major or serious violations. These are most troubling for Canadians.

Consent, control and the desire for anonymity are the cornerstones of Canadians' perceptions, attitudes and expectations with regard to their personal information and privacy.

.1125

Looking at the next graph, featuring some of the attributes of consent and control, Canadians have been consistent and clear across both studies about the importance of these factors. In 1995 there were 95% who wanted to be informed about why information is being collected and how it will be used; 80% wanted to be informed in advance before information was collected; 94% wanted to be able to give permission before their information was passed along to another organization; and almost 80% are willing to have their information used by business as long as they know about it and have the ability to stop it. There was little change in these numbers from the 1992 survey.

The Chair: Andrew, how many people would be involved in this kind of information that you've sought out? Would they be focus groups?

Mr. Reddick: No, these were national polls. I believe they were both a 2,500 sample size. I can check in the surveys here afterwards for you.

The Chair: Isn't 2,500 considered a fairly large sample size?

Mr. Reddick: Yes. It was stratified for Statistics Canada census, so it's representative of the population.

The Chair: Thank you very much.

Mr. Reddick: You asked the other day about measuring. There are many ways one can attempt to measure the different types of information transactions that are justified and those that are invasive from Canadians' points of view. Where furnishing personal information is a precondition for full participation in society, the question is one of balance of what other reasonable procedures and constraints there are for different types of information and transactions. Levels of concern often depend upon the type of information sought, how that information is collected or used and who is doing the asking.

Ms Vallée has just joined me.

One option is to categorize the type of information, for example general or identification data, or to categorize the sensitive data. This may take the form of a continuum, such as general, moderately sensitive, or sensitive data. General could include name, address, age and phone number; moderately sensitive could include what you buy, employment status and public activities; and sensitive would include financial information, health, DNA, fingerprinting and personal activities.

Controls on levels of consent will need to be increasingly rigorous as sensitivity increases. You could categorize by user or collector, as for example public or private sector, or by personal service, as for example a doctor. Similar controls should be applied to all, but given government's overall responsibility for the management of society, greater latitude for some activities may be required.

One could categorize by use. The primary and secondary uses of information should be unbundled, separated and clearly defined. General categories could include governance issues, proprietary benefit of a business, or the personal benefit of an individual.

One thing we checked off in both surveys was awareness, to see how that had changed over the two periods of time. While Canadians have major concerns about their privacy, their actual awareness of the means available to protect their privacy, whether technical or institutional, is low. The majority of Canadians do not feel well equipped to deal with privacy problems. In 1992, 61% of Canadians did not know who to turn to if they wanted to do something about their privacy. Only one in five knew of any legislation or any agency that helps Canadians deal with privacy issues.

The results of the 1995 survey were very consistent with these findings. In addition to similar findings with regard to public institutions, in this study only 14% of respondents knew of any private business initiatives protecting personal information and fewer, one in twenty, could actually cite an example.

There's also a class dimension to awareness and concerns about privacy. The less powerful in society, such as the elderly, low-income and less educated, tend to have higher levels of concern and have fewer resources to deal with privacy concerns - for example, being able to afford new technologies to protect their privacy or knowing who to turn to. Those in the more affluent and better educated segments, who as consumers and early adopters of new technologies are often better able to deal with privacy issues, may have more experience in dealing with the serious privacy-related transactions and know where to turn to resolve problems. In the 1995 study, those with higher education and income were three times more likely to be aware of privacy programs or legislation.

With respect to new technologies, Canadians were fairly evenly split about how these might affect their privacy. In 1992 there were 23% who thought they had enough information about how new technologies may affect their privacy, while 24% felt they did not.

Part of the problem in assessing new technologies is that people have not had a lot of experience with these. Research on computer users indicated that those with more technological literacy had somewhat higher levels of comfort and confidence than others, 54% as opposed to 63% of non-users. Interestingly, while those with more technological awareness were less concerned about abstract fears, they were more alert to specific threats, such as matching data in databases.

In general, there's much work to be done by government and its agencies to better educate the public on privacy issues, options to protect their interests and rights and information about technologies and legislation, agencies and programs available to inform and assist Canadians.

I'm now going to return to the specific issues of this committee, which are surveillance, advance cards, and biological surveillance. I want to begin by observing that while important, it is not the particular technologies associated with these information activities that are the key focus or should be the key focus. Instead, it's the underlying practices. These underlying practices cut across a range of technologies, information transactions and management activities. These three have particular importance, however, because in varying degrees, in addition to the economic and human rights issues related to privacy, each also raises questions about democracy, ethics and morality.

.1130

Physical surveillance, whether in the workplace or in public, such as using cameras on the street, tracking database users on computer systems, monitoring communication systems among other methods, is becoming a very pervasive activity in society. Both research studies looked at different types of surveillance, such as employers monitoring telephone calls, employee drug testing, people monitoring cellular telephone conversations, companies monitoring consumer buying activities or utilities usage.

Canadians are very divided about surveillance and monitoring. Drug testing and taping phone calls by employers were considered largely not justifiable in the 1995 survey. However, the levels of concern were lower than other types of activities. While still a concern, a reasonable level of surveillance at work is likely considered part of the exchange process between labour and management. There tended to be less concern with more transparent and open types of surveillance and where there was a reasonable justification for the activity, such as drug testing, where 46% found it an invasion of privacy, as opposed to hidden taping, where 80% found this practice an invasion of privacy.

Canadians feel very strongly that general surveillance, which means not being watched or listened to without permission, is not appropriate. In the 1992 study 75% considered this to be extremely important. With a specific example, such as monitoring using cellular phone calls, a large majority, 77%, responded that they felt the practice was unacceptable.

With database marketing, where people recognize the benefit of being able to receive marketing information about goods or services, they are divided on the practice. In a 1995 study 48% found this to be an invasion of privacy and 46% thought it was unjustified. So it's about half each way.

What we're talking about in all these examples is the importance, desire and expectation for a reasonable amount of anonymity and control over information.

Let me provide you with an example of another new technology, the Internet. When surfing, there's an assumption by users that when they access web pages they are anonymous. In fact, as reported by The Toronto Star on December 5, this is in fact a myth. Many web sites track the identity, address and activities of users on a web site without the knowledge of users. Interestingly, a new technology, an electronic mask called the anonymizer, which this article will show you, has been developed for users to restore anonymity.

The point is that the expectation, the default if you will, of Canadians for their privacy and personal information is anonymity and protection or common rules of the road where information is provided for any transaction.

For surveillance, when we look at examples such as England and the hundreds of thousands of video cameras set up in public to monitor peace, order and good government, it begs questions such as how much surveillance is too much and when and where it is appropriate. Given a choice of reducing crime with surveillance, many in the public would be in favour at least abstractly. But if the clear trade-off was an erosion of democracy, their answer is likely to be different. This is a most important issue. With surveillance, biometrics, smart cards, and so forth, the question is does not the price of democracy imply a certain level of crime, a certain level of abuse of programs and a certain level of anonymity and the protection of individual rights?

Specifically with advanced cards and biometrics, smart cards, electronic fingerprinting and similar new technologies are often discussed in light of how they are able to increase the efficiency of management to reduce costs, reduce abuses or provide increased convenience for consumers, among others. These can do all these things. Some, such as digital cash cards, can do so with total anonymity. However, these raise the same basic issues of privacy, such as the pooling of information, data matching, unauthorized access by others, information security, informed consent, as well as fundamental questions about whether these conserve to stigmatize or marginalize certain members of society or lend themselves to surveillance and social control.

Some of the problems inherent in these technologies can be overcome through the design of technologies themselves, though this may require policy direction to achieve this. For example, optical coding using random numbers for fingerprints instead of identifying a person with a constant number can achieve some privacy. However, underlying problems such as data matching may still exist.

.1135

Any kind of unique identifier or single number and linked or common storage system filing, whether a smart card or other means, runs counter to the expectations of the public, as described earlier about the collection, storage and use of their personal information. The segmentation of different types of files and the segregation of data based on how sensitive it is, its type, with informed individual consent about who can access this and under what terms, should not only be the guiding rules and practices involving these technologies but should be an integral part of their design to meet the expectations of the public. As such, biometrics and smart cards have the potential to enhance or destroy our privacy. It's a question of a policy commitment to ensure that the expectations of the public are in fact met.

The privacy framework set out for smart cards, as proposed by the Privacy Commissioner of Canada in his 1995-96 annual report, addresses the many concerns and expectations Canadians have shown in these studies about the different uses of the different types of their personal information. I think that's a very useful policy guide for this committee.

Another area of concern for the committee is biological surveillance and genetic testing. This is something we have not tested explicitly with the public. However, some of the same underlying information issues apply.

The benefits, such as medical advances, could be exceptional for us all. At the same time, the potential for abuse and catastrophe is also enormous. Given the concerns by the public about much less innocuous information activities, I will say that this is an area where the government has a responsibility to be most rigorous about the protection of personal information and the rights of individuals.

The question here is who owns a person. This area of work goes to the heart of the issue of what it is to be human.

I'd like to share with you some of the research that has been done in this area by Optima Consultants. That's the last chart on genetics that you have. This research was done in 1994 with a sample size of 1,000. Canadians were questioned about genetic testing on genes, as to who should have access to the information, what procedures should be followed in the release of this information, and whether codes or laws should be used to protect this information.

Canadians were evenly split on whether they would actually have genetic testing done to determine if they were susceptible to hereditary diseases. The study showed that 34% would, 23% would not and the rest fell in between.

When asked who should have legal access, 68% of Canadians thought their doctors should have access and 56% thought other family members should have access. The majority, however, felt such organizations as insurance companies, banks, provincial ministries of health and employers should not have access and they were all fairly strong, most well over 50%, some over 60%.

In terms of procedures for the release of genetic information, 62% preferred a signed consent form approach and 27% felt the information should not be released to anyone.

In a comparison of codes and a legislative approach to protection of this information, the majority, 55%, preferred a law that required consent from the individual for release and 30% felt that codes of ethics for doctors would be sufficient. Only 9% supported industry codes. I think Canadians, given how new this technology is, were quite clear about how they feel about this area.

I think the committee should also be aware that a major study will be starting in January on biotechnology. It is my understanding it will be conducted in Canada, the United States, Japan and Europe, and the results may help you. I can provide you with the name of the University of Calgary contact who is involved in this study.

The Chair: That would be very helpful for our committee.

Mr. Reddick: I just want to finish up here today with some comments on policy preferences of the public that we tested off in the studies.

First, it's a fact that one must give up a certain amount of personal information in order to participate in society. Canadians are saying they want this done under clearly defined rules. The bottom line on privacy is that Canadians believe the current system does not provide adequate safeguards and they seek a greater sense of control, consent and protection. While Canadians may not be as enthusiastic about government and how it manages some of our affairs and activities in society, they clearly want government to pass legislation that applies to both the public and private sectors to protect their privacy.

In 1992 over 75% of respondents supported this idea and in a 1995 study 87% of Canadians felt that government should treat privacy as a priority. They also felt strongly that government should work closely with the public and private sector in developing such protection.

Some of the core themes drawn from the research are that prior informed and ongoing consent are cornerstones to the privacy of individuals. The processes of the collection, storage, primary and secondary use of personal information must be unbundled and segmented, and a process of informed consent must be applied to these. We must break apart the pieces of the chain. Consent should be increasingly rigorous. In other words, it should be expressed as opposed to implied, as the sensitivity of different types of information used for different purposes increases. For the most sensitive data, these should be stored separately, using different identifiers and written consent should be required when access is desired by others.

National privacy legislation is required and should apply to both the public and private sector. There should be rigorous oversight and privacy audits of how personal information, especially sensitive information, is used by both public and private institutions. As well, there may be some types of information that have been entrusted to government, such as health information, that should not be made available to the private sector, or only provided in part.

.1140

With regard to new technologies, at a conference in September here in Ottawa, the Office of the Privacy Commissioner of Ontario spoke to the need of a tool kit approach to privacy, where an array of technology as well as legislation would be a useful way of proceeding. Technology in such an approach must have privacy built in during the design stage, not afterwards, and must maintain and enhance protection and not undermine it.

Generally, much of Canadians' concerns about legislative protection are addressed in documents, such as the OECD guidelines and the CSA model privacy code. These include other important issues that I have not touched on today, including accuracy, correcting data, time of storage, and so forth. What tends to be weak in such documents is specificity. The vagueness of some principles or codes amounts to flexibility for some and weasel words for others.

The interest of the public can be well served if the more detailed recommendations of such experts as the Privacy Commissioner of Canada and others in the field are used to create more clarity and specificity about information practices. I would also encourage the committee to lean towards specificity rather than vagueness in dealing with these issues.

As a final note, there needs to be better funding of the Office of the Privacy Commissioner of Canada and other existing privacy commissioners, as well as the creation of such offices in provinces where they do not exist. This is necessary not only to help Canadians be more aware of privacy issues and recourse but also to enable these custodians of the public interest to better do their jobs as we move into an information society.

Thank you.

The Chair: It's a very enlightening approach and I thank you very much for that.

Committee members, do you wish to hear the next witness,

[Translation]

Ms Vallée, before going any further? Ms Vallée, I'd ask you to please introduce yourself and say a few words about your background.

Mme Marie Vallée (Telecommunication Analyst, Fédération des associations de consommateurs du Québec): Madam Chair, I won't be making a presentation. I am only here as Mr. Reddick's partner. I represent the Fédération des associations de consommateurs du Québec. I cooperated with PIAC's representatives on the survey. I'm also a member of the CSA committee that developed the privacy code.

I was closely associated with the development of the Quebec Privacy Act in the private sector. We keep working on issues related to privacy protection since, as Mr. Reddick indicated, they are a big concern for all Canadians. In Quebec, even though there is legislation to protect their rights, citizens are still very concerned.

I'd like to apologize for being late, but the virtual human being hasn't been invented yet.

The Chair: Thank you, Ms Vallée. We are very pleased that you are here. We have many questions regarding the consumers and their views on this. Before going to the questions, I'd ask the members of the committee to introduce themselves.

Mr. Bernier: Maurice Bernier, member for Mégantic - Compton - Stanstead. I am also the vice-chairman of this committee.

[English]

Mr. MacLellan (Cape Breton - The Sydneys): I am Russell MacLellan, member of Parliament for Cape Breton - The Sydneys in Nova Scotia.

Mr. Allmand: I am Warren Allmand, member of Parliament from Montreal.

Ms Augustine (Etobicoke - Lakeshore): I am Jean Augustine, member of Parliament for Etobicoke - Lakeshore, Ontario.

Mr. Godfrey (Don Valley West ): I am John Godfrey, virtually late, from Don Valley West in Toronto.

[Translation]

I am very sorry.

The Chair: It is perfectly alright. Mr.Bernier.

Mr. Bernier: I'd like for you to tell us about what the experience was in Quebec with the implementation of the act. Did you notice any beneficial effects and, if so, which ones? You said at the start that people are still very concerned. Did the enactment of the Act mitigate those concerns?

.1145

I'd like to listen to you for a few minutes and ask you some more questions after that.

Mme Vallée: First of all, I must emphasize that before the bill was passed, the Quebec government was very much concerned about the many fears expressed by companies which believed it would turn out to be extremely costly. The Act has now been in force for two years and I'm happy to let you know that no private company in Quebec has gone under because of the Privacy Act. Some of them would even be willing to testify before this committee that the Act has enabled them to put some order into all the data they held and into the way they have been collecting and using them.

The level of concern has now been shown to be somewhat lower among the public. We realize that our privacy commissioner doesn't have all the necessary tools at his disposal to enforce the Act and, to this day, his chosen approach has been to convince and to educate. Some day, he may have to take another approach. We are currently researching and reviewing all decisions involving this Act rendered by the Commission d'accès à l'information and the courts.

We realized that some companies have implemented the principles of the Act on their own accord. All customers of the big chain stores are being handed a small form stating that the company holds some information on them and asking them whether they consent to those data being traded or sold. The customers don't have to do anything if they give their consent, but should they oppose such uses, they are being asked to inform the chain accordingly. We'd like to dig further into this, but we know at least that companies have been implementing the Act. You can find everywhere people who are still reluctant, but, as far as Quebec citizens are concerned, at least the ones who know...Mr. Reddick was telling us about the problem with information and education.

Regarding the protection of personal information, it's not like what happens when a bridge falls off or when there is an accident. Everything takes place in a virtual world; it's instantaneous. It's pretty difficult to check what decision has been made on behalf of a citizen when that citizen can't find out what information the decision was based upon. It happens often. Just think of the credit agencies which may have four people named Marie Vallée in their files. Try to find out which part of my file is in the file of another Marie Vallée.

The Chair: I can tell you that people will want to ask you some questions after hearing that.

Mme Vallée: I'll be pleased to answer them if I am able to do so. There have been some mistakes, but we know that credit agencies tried very hard to close those gaps. However, such efforts must be ongoing. I think therefore that the rules of the game have to be made very clear, which will be to the advantage of not only the citizens but also all companies. I'm very proud of what we have accomplished thanks to the privacy code. My english-speaking friends say that there must be a level playing field. If we want all companies to implement some legislation based upon that code that we worked so hard to develop and about which we have been fighting for some time, the level of competition between companies will be more equal.

The Chair: I'd like to know whether the cards we are now asked to sign are a new thing. I was told recently by my bank that I had to sign a new card to indicate that I didn't want my name or any other personal data to be made available to anybody any more.

.1150

[English]

I was never asked by my bank. I didn't know such a letter existed. I didn't know I was supposed to sign one. How could I know? It's true that this is Montreal and this is in the province of Quebec. I don't know if this happens in the rest of Canada. As far as I know, there are no provincial privacy acts in the rest of Canada - perhaps Mr. MacLellan can pick up on that. You may have all these things in place, but if I don't know about it... And I'm not exactly an undereducated person, yet I certainly am known to my bank. How is it that they never sent it to me, and I was unaware of it? Is it just that I missed it, or was there an active campaign of information? How did it take place?

[Translation]

How was the Quebec population made aware of this?

[English]

Ms Vallée: Well, Ms Finestone, is there any CBA representative in the room?

The Chair: No, but maybe they're watching on the camera.

Ms Vallée: Okay, good for me. So I can pick on them again.

As you may know, the banks are a federally regulated sector. That's not to say that I can quote them as saying they will not apply the Quebec law. The fact is, however, that they they do not apply it because they're a federally regulated sector.

They do have a privacy code that has just been revised, but that's a CBA code that any bank can tailor to its need, or whatever they wish to call it. They haven't really been making public the fact that they have this code. If you go from branch to branch and ask your teller what the privacy protection policy of the bank is, your answer may be big eyes: ``Oh, I didn't know we had such a policy.''

So if you're talking about education, it's internal education in each industry or shop or whatever. It's also a general awareness that needs to be raised within the public. I don't think the banks have that clause up front, whether it's when you apply for a credit card or when you're a client for a mortgage.

Mr. Reddick: I would like to add that in my talk I mentioned the need for specificity. In the CSA code, while the overall framework was good, there was one line that said that organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information. That may mean... This is a pamphlet -

The Chair: It says ``shall''?

Mr. Reddick: ``Shall''.

The Chair: Well, ``shall'' is a very strong word in legislation.

Ms Vallée: But this is a code, Madam Chair.

Mr. Reddick: Right, but ``to be aware'' can mean a lot of things.

The Chair: Yes, you're right. Well, I think I'll let our lawyers on this side of the table...

Please, Mr. MacLellan.

Mr. MacLellan: Thank you, Madam Chair.

To our witnesses, as we say in law, this seems like a reverse onus. The onus really should be on the bank to not disclose personal information concerning its customers. The customers should not have to sign a paper to say they don't want this information disclosed. We've already seen the public's reaction to that with respect to cable television when the cable companies decided that if customers didn't want new channels they had to write and tell the companies, otherwise they were going to be charged for them anyway. There was a tremendous backlash from the public in Canada on that.

Frankly, I find it very offensive that, firstly, I would have to be aware the banks were doing this; and secondly, that I had to find out that there was a form I had to sign to stop them from doing this. I want to talk to their witnesses to get their opinions. I find that very much an affront.

Mr. Reddick: Yes, I think it very much comes down to a question of negative and positive freedoms in the sense that some take a view that they can do anything with your information unless you tell them they can't, whether it's to government or to individuals. On the other hand, the public and many advocates for privacy are saying no, it should be the other way around: they must get permission and then can do all sorts of things.

But they must unbundle the process and must get an individual's permission. It should be ongoing consent, people should be informed, and they should have opportunity to stop that. And the banks are a good example. I haven't looked at the recent forms, but at one point when you walked in, if you wanted to open an account, you signed a form and you gave up all rights, all secondary transactions. They could do what they would with the information.

The point behind much of what we and others advocate is that you must unbundle that. You must say ``I want to set up an account, and my personal information should be used for that only. If you want to sell me insurance, if you want me to buy mutual funds, if you want to put me on some car program, then get my consent for each of the different activities.'' That's the way most of the public feels about this, rather than the negative freedom.

.1155

Ms Vallée: I can tell you, being seated at that table for four or five years, that the banks in particular - not only banks; you can also take the insurance sector as an example - are really resistant to that kind of opting in instead of opting out. They say, well, you know, it costs money, and so on. They have all sorts of reasons.

I really concur with Andy here, and you, that it should be an opt in instead of an opt out. With banks and insurance companies expanding their activities they could use your personal information for all sorts of purposes they weren't initially meant for. You may not be aware, but some day you could receive something from somewhere, and there it is.

Mr. Reddick: There's a good example here. I love bringing props. You guys don't mind, I hope.

The Chair: I bet we'll all want copies of your props.

Would the camera carry a focus on the prop, please.

Mr. Reddick: This is an advertisement for VIA Rail.

Recently I took a trip to Montreal. They were passing out these forms if you wanted to apply for a VIA Preference card. This is a travel point type of thing. The nice thing is that on the form there's a check-off box where it quite clearly says they will collect your information, but you have a choice. They can either keep the information confidential with the VIA Preference program or it can be shared with other sponsors or other service providers. The check-off box indicates whether you want it kept confidential or you want to make it open. So in this instance you do have prior consent over the primary and secondary use of the information.

This is the type of general information and general kind of consent that people want. You don't need rigorous details for the consent, but it's fairly straightforward.

Ms Vallée: As you can see, the box is shadowed, or highlighted, so it's really easy for consumers to see it.

The Chair: Does that deal with the bundled/unbundled question Mr. MacLellan was dealing with?

Mr. Reddick: That's part of it. Exactly.

Ms Vallée: That's part of the answer. There is no perfect solution. You have to use a range of tools. We don't want to interfere with proper business transactions or add too much to the cost, but it should be fair. Most of the time my job is as a telecommunications analyst. I could give you the colour ID example. People who know me know I always use this.

When Bell and other phone companies developed that product, they came to us and asked us our opinion before selling it. We told them, well, you may have these kinds of problems with privacy.

You have to remember that initially, blocking the display of your phone number was going to cost 75¢ each time. We told them they had a charter problem here, and this and that.

They went on anyway with their initial submission. It took two years, a few CRTC proceedings and at least a couple million dollars to change the feature in their computer. Every Canadian is now entitled to free per-call blocking. But guess what? Less than 0.01% of phone calls are actually blocked, because people don't know, basically.

Mr. MacLellan: I agree. I'm listening, I think very much appreciatively, to the comments of the witnesses. I agree completely.

Two things come to mind. The first is not only that you have to opt in rather than opt out; the onus should be that your information is private unless you give full consent to it being otherwise, and that you know for what purposes that information will be used. As well, if you're giving this waiver, that waiver has to be stated clearly, not on page 17 of a form that has print so small you can't read it, which they shove in front of you saying, ``Sign here'', and as an addendum to something else. I mean, this is so important it has to be flagged, in my opinion.

The other feature is this. So we say no, and we don't expect this information to be made public. Is there any way we can find out that personal information is being used without our consent? How do we know?

.1200

Second, what's being done to regulate this, to make sure that inappropriate and unauthorized use of personal information is not taking place?

Ms Vallée: Let me take the first crack at this. You have the right to access your file anytime - or you should have the right. Let's say you have a file with the bank. You should be able to go to the bank and tell them you want to see what information they have on you. You should be able to do that with the Credit Bureau. In almost all the provinces, I think, you have a right to access that is quite easily exercised.

So this is one thing. For the Credit Bureau in... Well, as far as I'm aware, they have regulations and you have access. You have the right to ask for a correction. If you can prove it, they will do the correction.

In other jurisdictions or in other sectors that code was accepted in September as a Canadian standard. So far we have no code that has been audited, except the latest CBA version of their privacy code, which was verified by Price Waterhouse. But that's it, that's all. We haven't investigated their procedure, their complaint mechanism, or how they resolve their complaints. That's why we advocate having a bill that clearly states what is the way to go.

Mr. Reddick: Two other things. One way in which you know your name has been sold or traded is when something shows up on your doorstep or in the mail, or you get a phone call. You then wonder how they got your name - not the nicest way to find out.

I think the whole notion of data audits is very important, whether it's through a commissioner or whether there's a controller point in an organization. Just to give you an example, there may be circumstances, if DNA testing becomes more prolific in society, that somebody does have a genetic disease. Without those kinds of controls, somebody may be denied insurance, may be denied a job. If you find out you have some disease that is going to cost your employer extra money in insurance or in benefits -

Ms Vallée: It could go down to your kids too, if you have it.

Mr. Reddick: Yes. You may not get the job based on that.

So there is a certain amount individuals can do for themselves. They can request to see what information is being held and how it's being used.

The Chair: Where would you find out? Will the insurance company give you that information? Is that what you're saying?

Mr. Reddick: They should be able to, but that may need to be part of the legislation. You should have the option of going to any organization to ask if they have information on you. Let's say you're an insurance company, and my insurance is with you. I should be able to ask you what you have on me. You should be able go to the Credit Bureau or go to government. You should also be in a position where people disclose information to you. If you're dealing with a bank and they're using your information in such a way, there should be some type of reporting where they tell you they had this information and used it this way.

We're in a society where it's extremely difficult. It's a very complex society. People are all very busy. You need a certain level of expertise and time to be able to track who's doing what with computers and databases and information management. I think that's where there's a very important public role for the custodians, whether it's privacy commissioners or what have you, where they do privacy of information audits to find out in the chain of information transactions in different organizations, whether it's government or the private sector, who is doing what.

Whatever method used, however frequently it's done, I think it's a very important step in making sure that things are being done in the proper way.

Mr. MacLellan: On the question of pertinent private medical information with insurance companies if there is a person who has a preponderance toward a certain disease or illness and if it does affect their insurability, the whole system really ceases to work for the public, as far as I'm concerned.

You have the insurance company saying, well, we understand; we're not going to push it if somebody has a defective gene that would allow them to get cystic fibrosis, for instance; we understand. But my experience has been that there may be all sorts of goodwill to begin with but the competition in the marketplace and the edge to make a profit is not going to allow that to happen.

I want to get the feeling of the witnesses on that, Madam Chair.

.1205

Mr. Reddick: Yes, I would tend to agree with that sentiment. Insurance companies gamble that not everybody is going to die at once or have a traffic accident at once. There's a certain built-in level that way. I suppose ideally, given the opportunity, it would be very attractive if you could weed out the people you may have to pay a claim on and just insure those who never get sick or never have an accident, which is pretty good for the bottom line.

You're touching on some very important issues that are just starting to come to the fore now. I've heard a lot about contracting out. For instance, in New Brunswick I understand the government is talking about contracting out to private companies the data management of files on who uses what prescription drugs and perhaps on billing for doctors. All of that requires that you know what the person is sick with, what drugs they're taking and what their potential for recovery is.

At the same time, these may be the same organizations that are insuring you or certifying you for different programs and what have you. It's very dangerous to be pooling that kind of information. You make a very good point that where there are other objectives or proprietary interests involved that are not for the public benefit, the government's benefit or the individual's benefit, you may run into some very serious problems.

The Chair: Ms Augustine.

Ms Augustine: Thank you, Madam Chair.

This work and this discussion are very important. I'll give two examples and ask for your comments.

A couple of mornings ago I was listening to the CBC here in Ottawa, and I'm not too sure if it was Ottawa Hydro, but one of those companies is now asking for the social insurance numbers of individuals who are their customers. This man was protesting: ``Why do you need my social insurance number when you have my address and you are able to track me in case of poor credit?'', etc. Someone from the company was there defending the call for social insurance numbers, explaining why the social insurance number is significant and important to the company. I'd like you to comment on that.

My second question is on a personal case study, one that is very frustrating to a constituent of mine. Somehow or other, the wrong date of birth got into the system, and it got into so many different places in the system that the individual is saying ``This is who I am; this is the time at which I was born; this is my date of birth'', and we cannot get the system cleared to give him his true date of birth. They keep bringing up all of the other pieces along the line where that incorrect date of birth got registered.

It has been a nightmare. I've been trying, as his member of Parliament, to assist, but even within the government bureaucracy, the business of accepting his birth certificate when so many other things show a different date of birth is still an unsolved but very stressful situation for that family.

Ms Vallée: I'll have first crack at the Hydro PIN, because this is a decision of the Commission d'accès à l'information that I'm not very proud of.

There hasn't been any public discussion about the need in this country for a personal identifier. It's more and more the case that a PIN is being required, and this is not only with Hydro. All the phone companies are now asking for your PIN when you want to get a phone. If we are to use a personal identification number, let's have a public general debate, or let's not use it.

As you said, they do have my address and generally they do have my phone number. If it's for collection purposes, with this information they are usually able to track me for a very long time.

I'm not really proud of what happened in Quebec, and I know it's more and more the case in other provinces that every public utility is asking for the PIN.

Mr. Godfrey: Can I ask a follow-up question?

If you don't go along with it as an individual, what right do you have to resist? In other words, what if you say ``No, I'm not going to give you my PIN number'', and they say ``Well, we're not going to give you any hydro''?

Ms Augustine: That was the situation.

Mr. Godfrey: Is there any court of law that you could then appeal to and say this is outrageous and abusive behaviour by a monopoly? Is there any recourse, if you really have the means?

.1210

Ms Vallée: That's why I'm not proud of the Commission d'accès decision. Some people brought it to the Commission d'accès à l'information because they thought Hydro was abusing their business rights. The Commission d'accès ruled that it was okay for Hydro to ask for a PIN.

Mr. Godfrey: Could you then make a charter case out of it?

Ms Vallée: Give me the money and I'll gladly pursue it.

Some hon. members: Oh, oh!

Ms Augustine: No, it was not a PIN; it was the SIN, the social insurance number.

Ms Vallée: SIN, yes, sorry.

Ms Augustine: They argued that a PIN could be changed. I can go to the bank tomorrow and say I want a different one.

Mr. Allmand: Yes, but the company representative said that if the individual refused, they would still provide electricity - that they could not force them. I was listening to the same broadcast.

Ms Vallée: Yes, but for Bell Canada, I had a few phone calls. In July in Montreal everybody moves out and in, and the company representative resisted the persons who said ``You don't need my SIN number''. She had to go a couple of steps more.

You know what happens? We're not, here in this room, representative of the general public. People just cave in; they don't complain.

Mr. Reddick: I'd like to add one thing about the SIN issue. The biggest problem with using the SIN is it is a number that can link a lot of different databases and a lot of different types of personal information. I remember in Sweden there was a law - and it's probably still on the books - that even within government they had to have separate identifier numbers for different types of files.

Ms Vallée: I know that's the case in Germany.

Mr. Reddick: Yes.

They did not have a single common identifier, so different departments could not call up on the screen all the files from the different activities or relationships a person may have with government. That kind of separate identifier is very important.

I suppose another option is to have an identifier the individual controls, so you have that anonymity again, and nobody actually knows your number.

Mr. Godfrey: That would be like the biometric, which actually had the effect of scrambling -

Mr. Reddick: Yes, total randomness each time.

Mr. Godfrey: As we heard previously.

Mr. Reddick: All they need to know from those kinds of cards is that you are solvent, that you can afford to buy. They don't know who you are or anything beyond that. They don't need to know your data background, but they know that you are a person, that you belong in the country and that you have enough money to buy this toaster. That's it.

The Chair: We've heard about analogue versus digitized information as a block, sort of like building the wall. Isn't that what we heard yesterday, committee members? I think so, from somebody or other.

Mr. Godfrey: The point is how the new technology can actually work to your advantage, so you become the controller, through the equivalent of a PIN, that is to say, but established through hand structure biometrically.

Mr. Reddick: As long as it's designed that way.

Ms Vallée: I would like to also raise the point you raised about when there is a mistake in the information and that mistake has been there for three days or thirty years. With the society being more and more reliant on computers, it's going to be difficult, and it will increase like une toile d'araignée.

If there is a mistake somewhere, it takes so much effort from the individual to get it corrected that you end up with a situation like your constituent's. You have to spend so much time, energy and money to get the proper correction.

We need rules for these people. We need easy corrective action.

The Chair: What was the second case you presented, Jean?

Ms Vallée: It was a wrong birth date. Because there were third parties using the data and decisions were made, the information was given there, but there was so much downstream usage. You could make the correction there, but without the obligation of the first user to make the correction all down the line, that man was in big trouble.

Mr. Godfrey: He disappeared.

Ms Augustine: Thank you, Madam Chair.

The Chair: Thank you.

Warren, please.

Mr. Allmand: My questions have been answered. Thank you.

The Chair: I'm going to come back to you, John. Are you satisfied? You outlined for us some problems one of your constituents had and some personal problems with respect to getting access to your credit information.

Mr. Allmand: That was me.

Some hon. members: Oh, oh!

The Chair: Oh, all right. I didn't wish to identify you. You're self-identifying, you see?

.1215

Mr. Allmand: That was a mistake with respect to a date of birth. They had made a mistake on a debt that had been paid and when I went to buy something they said I was a bad credit risk. I said what do you mean I'm a bad credit risk, I've been paying my bills for years. So it took me a lot of trouble and finally I found out they had a debt that had been paid but they didn't have it as paid. It took me a lot of time and I had gone all around the network. This was a credit agency.

What happens with all the outsourcing or contracting out now is that governments and companies use private firms to do what used to be done by government. When it was done by government at least we had some stricter control. We could get the official of the government before the committee. Now with the outsourcing it's little private firms all over the country that do these things, and often they don't have the same stringent requirements you put on the government. They're not investigated by the Auditor General, blah, blah, blah.

Anyway, I finally got it corrected, but it sensitized me to the problems that ordinary people have. I'm a lawyer, I'm a member of Parliament, and I'm able to deal with these things much more effectively, but it took me one hang of a lot of trouble. I appreciate the point that Jean raised about her wrong date of birth being in the system.

The Chair: Can I ask you a question, Warren? This would be very upsetting. You went to buy something and so it's also embarrassing. You went to all this trouble and probably some financial cost to get it cleared up. Is there an obligation on the part of the company, the credit bureau who made this mistake in the first place and didn't clear it up, to inform that whole line of people they've blackened your name with?

Mr. Allmand: No. Not only that, but we're so busy with our work and our families and so on that once I got the thing straightened out I was angry but I let it go. I didn't have the time. I really should have reported them to the Better Business Bureau or to the consumers'... In those days we used to have better, more effective channels. We had a department of consumers' affairs; I used to be the minister. It is no more. How much time can you spend on these things, even if you're a trained person?

Ms Augustine: Then the people you're dealing with are faceless.

Mr. Allmand: That's right. When you phone them they say oh well, we have this in here. How did it get there? We don't know how it got there. These are private firms. The profit margin is there; they're operating for a profit so they cut corners and they do whatever is easy for them.

That was a few years ago. Thank God we're getting more focused on these problems. This committee is focusing on the problems. I appreciate what the witnesses have said.

[Translation]

Mme Vallée: That is the reason why it is absolutely necessary that credit agencies, but also all companies using those data bases for many transactions keep track of everybody who accessed the information. They must know when it was collected, who gave it to them, whom it was passed on to, so that, should there be a problem or a mistake, all other users can be notified that a correction has been made.

For instance, in Mr. Allmand's case, if it happened in Montreal, it would go through Equifax and all banks, credit unions and companies that deal with Equifax and that have accessed his credit file would need to be made aware of the correction immediately.

[English]

The Chair: Is it in the proceedings they have outlined that the correction be made?

Mr. Allmand: It wasn't then.

The Chair: Is it now?

Mr. Allmand: Probably these witnesses would know. It's in the private sector and I don't think we have a way of forcing them.

[Translation]

Mme Vallée: I'll check, Mr. Allmand et Ms Finestone, but I think that the Quebec legislation...

Mr. Allmand: Yes, the Quebec legislation.

Mme Vallée: If Quebec could do it, the federal government could do it just as well in its own sphere of jurisdiction and so could the other provinces.

Mr. Allmand: But we have no such legislation at the present time. We might have to legislate so that...

Mme Vallée: No, but I definitely heard Mr. Allan Rock state that we'd have some legislation by the year 2000.

Mr. Allmand: Madam,it is precisely what this committee is aiming for.

Mme Vallée: Yes.

Mr. Allmand: Once the investigation has been completed, I hope that we can come up with a report including some recommendations, stating perhaps that we should pass a bill modelled after the Quebec legislation to cover federally regulated industries such as banking, air transportation, etc.

Mme Vallée: Telecommunications, cable TV.

.1220

[English]

Mr. Reddick: Section 4.9.6 of the CSA code deals with that issue, and as I -

The Chair: Can you say what CSA is?

Mr. Reddick: It's the Canadian Standards Association model code on privacy. But again -

The Chair: Just a second. We'll be back, because we have a motion we have to move.

Mr. Reddick: While the principle and intent are good, again there is a certain vagueness about ``should'' and ``when appropriate'' and those kinds of things. So even though you may have corrected your problem, it doesn't necessarily mean it will be transmitted to other banks and institutions. It should be and it could be, but it may not be.

Again, it's that whole question of how much specificity or vagueness there is to the principles as opposed to concrete actions, that this must happen or that must happen. It's a very important point. It's something I find in both OECD and this - while useful as guides, if we're really serious about this it must be much more stringent, as you would know being a minister in the past.

The Chair: When you get this kind of information and you have the sondages in front of you, do you write the Minister of Justice and say that it's been brought to your attention and therefore you have a concern? We will be doing that in our own report, but when you do this kind of thing as the head of the federation of Quebec consumers, do you let them know that you're concerned about the language in this code, which the minister announced may well be his guideline in this piece of legislation that may come down in the year 2000?

Ms Vallée: Well we certainly did a lot of lobbying in the past two years to make people here on the Hill and the bureaucrats aware that no one has run out of business with a bill in Quebec. You must remember that when we started that process, we were here telling the federal government that we wanted a law. At that time, I guess the Conservatives were here and the ball game was that you go sit at that table and you develop a code.

As vague as this code is, it's at least a good starting point. We need touch-ups. We need to transform the ``shall''s to ``must''s in some of the wording, but it is a very good starting point.

Mr. Reddick: If I was going to do legislation, I would start from something like this and say okay, this work has been done, it's very good, it's very useful, and it just needs a bit more work and fine-tuning here and there. It's a good place to start from, but it needs to go further in terms of specificity and redress.

Ms Vallée: We spoke to John Manley many times about that.

The Chair: Mr. Godfrey.

Mr. Godfrey: Have you actually done a detailed criticism that you could pass on to us? Has anyone who shares your concerns done that kind of critique that would be helpful to us?

Mr. Reddick: I don't know.

Ms Vallée: Since that code has just been since September this year, there is no critique whatsoever, no articulated critiques.

Mr. Godfrey: If you hear of one or feel inspired by a lack of other activities over the Christmas season, you might want to pass that along. It would be helpful.

Ms Vallée: We are aware that a white paper or whatever you would call it is going to come out of Industry Canada by mid-January. We will use that opportunity to bring some precision to our best wishes.

Mr. Godfrey: I want to ask about two things. One is the whole concept of a privacy audit and the other is the notion of an information chain, both of which have been raised.

The privacy audit sounds like an exciting and useful concept, and I have a whole series of questions. With current technology and current know-how, how doable is it? Is this a frontier activity like an environmental audit, or is it well established? If a person has the right skills and is given the right access, can a person go into an establishment, get on the computer and figure out how this works? That's the first issue.

Who should be in charge of such privacy audits? Should it be a government affair like the privacy commissioner, or should it be a commercial activity? Who should fund it? When should it be done? Should it be a voluntary thing if a company wants to get the Good Housekeeping seal of approval, or should it be triggered by complaints? Are there other models? Are there countries in which there are privacy audits so that we have something to go by?

That's only one question, of course.

.1225

Ms Vallée: I'll take a first crack at it, and I'm sure Andy will add to my comments.

Privacy audits in North America are not very well developed and this is a big concern for those of us who are still on the implementation committee for this code. I can turn myself into a privacy auditor overnight, but who knows if I'm doing the right thing? So you're quite right to raise that question.

In North America this is a starting business, but let's go and see Germany, Sweden, etc. They all have all kinds of procedures that have been developed. It could be done by someone from the privacy commissioner's office, but if you go with people like CSA or Price Waterhouse or whoever, you would need them to have the proper training, to be stamped by the Standards Council of Canada to show that these guys have passed the exam and we can certify that they know what they're doing when they come into your business.

Mr. Godfrey: So far that doesn't exist.

Ms Vallée: No.

The Chair: CSA standards doesn't exist? I thought it did.

Ms Vallée: The standards exist, but not the auditing part.

Mr. Godfrey: How do you know whether the person is competent to undertake the audit, that they have been certified and are not just making it up?

Ms Vallée: There are a few people in Quebec who do business in this sector and they're helping the companies see if at least their process, their procedure, the way they make decisions about people, respect the principles of the law. Certainly as we're talking today, this is developing.

Mr. Godfrey: This sounds like jobs, jobs, jobs to me.

Ms Vallée: Sure. We're discussing turning ourselves into consultants, those of us who have been sitting at that table for four years. It's something that needs to be developed and that needs oversight. We don't want someone to turn himself into a privacy auditor overnight and just pretend and say I'm an accountant and I can do audit for your books and I can do audit for your privacy procedure. No, no, no.

Mr. Godfrey: Mr. Reddick, did you want to add anything to that?

Mr. Reddick: I think Marie's done a good job. I would just observe that we have the Highway Traffic Act and we have police who enforce it and do their own sort of audits along the highway, and if we're going on the information highway we also need to make sure there's some means of enforcement, whether it's on the road or somebody doing audits in a general sense.

It could work at either level. The European director talks about controllers within companies and it could be done at that level, but I think at the same time you must also have an independent public body, whether it's the privacy commissioner or whoever, who is able to do audits on both government and the private sector and have the means to do that properly.

The Chair: There's something I'm worrying about as I'm listening to all this and I'm asking your opinion in this regard. We're looking at human rights and privacy rights from a human rights perspective. I think we're now dealing with a situation where should an industry code come down, there are certain aspects of that industry code that cross the line of peace, order, and good government from a personal and individual perspective. Therefore, we're sort of intervening or interceding in what is seen as an industrial matter and we're seeing it from a human rights perspective.

Mr. Godfrey: I think we have a couple of angles into this. One would be that certainly the federal government could set the example by doing a privacy audit of its own activities, just to make sure that in fact dreadful things aren't happening. We have an Auditor General who looks at the books and points out scandalous things. We are more sensitive to gender-based analysis, for example, about budgets and all the rest of it or to environmental audits. We have to ask whether this activity will cause some kind of damage.

I don't think there's anything wrong conceptually with the notion of a privacy audit. It seems technically doable and the government is the starting place.

Now, when it comes to the commercial sector, first of all there does seem to be a framework in Quebec, which is a bit of a model. We have the Canadian Standards Association and we're going to have the response from government in January. This gives us a way in and it seems that the concept of a privacy audit is simply an extension and a precision of something that is already in motion, if you like. So I don't think we're violating anything. I'm not a lawyer, as Jean Chrétien once said, but I don't think we're violating anything.

.1230

Ms Vallée: You either have a right or you don't have it. If you do have a right, it applies all across your activities as a citizen. So whether you do business with the government or with the Bank of Montreal or with the auto dealer, your right to privacy is a right, it's not a commodity. So the business sector has to apply it as well as the government.

Mr. Reddick: I think it's important we don't categorize a separate public sector and private sector as fine lines any more. The lines of mixed delivery are now blurring so much that if we're talking about a privacy audit it has to apply to both, especially where the private sector may be delivering public services or partially delivering services. I don't see how they can divide those cleanly. So I think there have to be different levels of audit, depending on the circumstances.

Mr. Allmand: I was going to say there are precedents. A very good precedent is the Employment Equity Act. As a matter of fact, prior to the bill that passed a year or so ago, the Employment Equity Act only applied to the private sector and not to government organizations. There were audits done. There's a reporting requirement in the Employment Equity Act and auditing is done by the Canadian Human Rights Commission for employment equity. So if it can be done for employment equity in the private sector, it can be done for privacy in the private sector too, as a human right.

So I see no difficulty at all. It's not as if we were breaking new ground. The precedent is there.

A voice: So why an extension?

The Chair: It took eight years to get there, but you're right.

Mr. Allmand: It was started under the Conservatives. It took the Liberals to finish the job.

[Translation]

The Chair: The Bloc québécois would like to intervene and it is entitled to do so.

Mr. Bernier: Yes and I precisely want to follow up on the question raised by Mr. Godfrey regarding the ways to monitor any measure that might be put forward.

I would obviously want to hear your comments on this, but I'll make a statement first. I am certainly in favour of governments introducing some measures to control any intrusion into privacy such as the Quebec legislation. However, I fear that people might feel that entrusting this responsibility to the government will solve every problem.

It is rather the opposite of what you have told us. You even told us about a decision by the Commission d'accès à l'information du Québec concerning Hydro-Québec which, to say the least, is not what you would have wished it to be.

I believe that there should be several agencies in the public sector and also others in the private sector - without making a plug for your organization, I'd mention it as an example - which not only could survive, but would also be just as able as any public institution to follow up on such matters. We might have the best laws in the world, but if nobody is there to enforce them, they will become totally useless. An ordinary citizen, or even an extraordinary citizen such as Mr. Allmand, can't find the time to follow up on this. It is a fact.

I'd like to have your comments on this because I'm not someone who thinks that the whole responsibility should be entrusted to government.

Mme Vallée: I don't think that the whole responsibility should be entrusted to government. However, government is increasingly setting up partnerships. I think that, among the mechanisms that will be created by the federal government and the provinces when a Privacy Act is enacted, there must be some agencies that would be entitled to check into these matters. Some of those agencies already exist and others could be created with some community representation, such as consumer associations or stakeholder groups.

There is also a problem with appointments; some conflicts are bound to happen where arbitration will be necessary. The utmost care will have to be exercised in making adequate appointments. A choice will have to be made between many experts. There are some in the consumer associations. The time may have come to acknowledge that, not only to ask them to come before the committee, but also when arbitrators have to be appointed. It applies to privacy and several other sectors as well.

Unfortunately, I don't think that organisations such as ours will be able to do any monitoring. We are experiencing tough problems. I don't want to complain about it; it is just an aside. I never miss an opportunity to mention it.

.1235

However, I think that times are very tough. I had to apologize for not having a virtual existence, but I also should be working on some files in Montreal. I had a meeting this morning and I had to leave. I must attend three more meetings before returning to Montreal tonight. It would be good to have two people to do all this work instead of just one. If you say that, on top of that, I should sit on the ombudsman's committee... All right, but you should pay us.

Mr. Bernier: Mr. Godfrey raised this question earlier, but we still are faced with the same dilemma. Whenever a legislation that will necessarily create additional costs is being contemplated, people, especially in the private sector, start complaining about being forced to pay new taxes. However, if the public feels that protection of privacy is an important matter, as the surveys indicate, we will need to find ways to give such a protection.

I, for one, think that we ought to think seriously of involving the private sector in the financing. I agree with you that you can't attend every hearing across the country on your own, do all the investigations and also celebrate Christmas and the New Year.

Mme Vallée: Oh my God! Is that also on the agenda?

Listen, we were very lucky to be able to do that survey. It is a combination of circumstances. When we draft the legislation, we'll need to develop transparent principles and companies will need to be very transparent in their reports to their supervisory agency.

It will make our task easier. If we get a report every six months or every year telling us that 2 450 out of 2 500 complaints have been settled and that the remaining 50 are going through the process, it will be less necessary for us to be involved on a daily basis.

If there is no transparency, the public, the government and even the private companies will run into problems.

I have a friend in British Columbia who tells me that nobody will budge and that companies won't recognize that privacy protection is beneficial to them until there is a privacy Chernobyl. I hope it won't have to happen.

[English]

The Chair: Mr. MacLellan has one small question that he wishes to ask, I believe, Mr. Godfrey.

I just want to advise the committee that there are two motions that must be passed. You have two choices. I know some members have other responsibilities and must leave, but we could continue with the witnesses.

If you would allow us to... Witnesses, it's up to you. We'll either pass these two motions, and you'll know when you're watching that the business of Parliament goes on and there are things we have to do...

Mr. Godfrey: They're not private?

The Chair: They're not private at all. Would you mind staying another few moments and we'll just pass the draft motions. Is that all right?

A voice: We could come back.

The Chair: No, we will stay. It will take exactly one minute. We just have to read them into the record.

Mr. Allmand: I'd hate to delay the proceedings. If the questions that Russ and John have are very brief, why don't we do them, because I have some questions to raise on one of these motions.

The Chair: Fine. We will complete the questioning of our witnesses.

[Translation]

Are you finished, Mr. Bernier?

Mr. Bernier: Yes.

The Chair: Russell, please.

[English]

Mr. MacLellan: I would like to follow up on a couple of points that Mr. Reddick mentioned. One has to do with hidden cameras. In the question of shopping centres and so on, where you have surveillance cameras, there's a difference between having them hidden and having them readily positioned so that you know they're there, which is a better way of doing it. Perhaps there should also be a notice that the area is surveyed by cameras. I just want to get a feel for whether there was any information on the sampling you did that would indicate a person's preference for hidden cameras.

Mr. Reddick: What the committee needs to do is to consult some of the work by Simon Davies, who's done a lot of work on this in England. The U.K. is much more advanced in terms of public surveillance.

.1240

I would point out, though, that this is where we get into that confusion of what the public thinks. There are some circumstances, some settings, whether it's in private industry...where there are surveillance cameras for obvious reasons. People would say that's fine, we expect to have some surveillance in shopping centres, whether it's to stop thieves, to protect our children, or what have you.

Where the problem in England is starting to develop now is that on every street corner there are cameras. So everything you do, everything that happens is now under surveillance. That's where you cross over that line in democracy, where you ask what kind of society are we working into. Is this a Jeremy Bentham type of society of the Panopticon, where everything is seen all the time throughout society. That's where people have a lot of problem with going too far. There are some justified circumstances. Whether the camera's hidden or not may depend, again, on the circumstances, but I think people are more comfortable if they know the camera is there. But we have to be very careful that we don't take this too far in terms of surveillance. That's where people are not willing to make the trade-off.

Ms Vallée: What is actually happening in Britain is they are putting the cameras in poor areas, but they are not putting them in the rich areas. So it's really targeted at a particular segment of the population. The police are starting to use a case of evidence: I saw that guy coming out of this place, going there and I lost track of him for ten minutes; in the interim something happened. Oh, we haven't seen you for ten minutes; where have you been?

If you can track down some of Simon Davies' articles on this case, I would suggest it's very scary.

The Chair: You should know that Simon Davies was here, and he also told us that you can digitize a person's face.

Mr. Reddick: I have the same kind of concern as Marie about how they could put cameras in the lower-income areas of town. This is the same kind of problem you may run into with smart cards and electronic fingerprinting. Are we doing it because somebody's poor, because of low income? Are we doing it because they are receiving a government program or benefit? Do we do just UIC, or do we do pensions? Do we do it to people who ride GO trains in Toronto?

This whole question of democracy and what the purpose behind the technology is and who's introducing it is very important towards human rights as well as privacy rights and the whole question of democracy. We have to be very careful about asking why it has been done to this population as opposed to that. Is it just because they're on welfare or UI? Is it because they are a senior drawing a pension? Should we not therefore fingerprint people riding GO trains in Toronto, because they receive government money indirectly as well as a subsidy. What's the justification is what it comes down to.

I'll pass it back to you.

Mr. MacLellan: This would fit into the crime question too.

Mr. Reddick: Very much so. What level is acceptable?

The Chair: Do you have a question, Mr. Godrey?

Mr. Godfrey: I have a comment first of all. That is, it's interesting to note that at least in Britain the class system is alive and well and technologically advanced - but it may apply to ourselves.

Just going back to the information chain for a moment, I have a technical question and then a ``what you do about it'' question. Do you happen to know - perhaps there's no reason you should know - when a credit bureau, for example, starts to feed out that information, are those requests automatically tracked now? Are they trackable by the current system? I assume the answer's probably yes.

What's the best way of speeding up the problem we heard of here of one wrong birthdate, and wham! Would it be by legislation? How would you actually put the onus of changing the whole chain back where it belongs, which, it seems to me, is with the credit bureau?

Mr. Reddick: I don't know to what degree they track, but -

Ms Vallée: They do have the obligation to track it now.

Mr. Godfrey: Who they give the information to -

Ms Vallée: Yes, who accesses the files...

Mr. Godfrey: - so that they can then go back and correct the birthdate...

Ms Vallée: Let's say, for example, I went to the Bank of Montreal for a loan. This is my entry point. I give them all the information. There is a mistake on my form. Someone types it up wrongly. So what should be the path if I want a correction? I go back to the Bank of Montreal and I say when I gave you the information you made a mistake, please correct it and tell everybody who has accessed the file afterwards that they should correct it. What will happen is the bank will tell Equifax. They will tell everybody else. This is the case for the banking sector.

.1245

My suggestion would be that whoever collects the data should be responsible for changes.

Mr. Godfrey: Wherever the entry point is.

Ms Vallée: Whatever.

Mr. Reddick: Technically, it is possible. If you can create it with technology, you can fix it with the same technology. It's just in the design. If you say in the legislation you must do this, then it will be programmed in.

Mr. Godfrey: Is legislation the best way of getting at this?

Ms Vallée: If you don't make it too complicated and too costly. There are ways to do that.

Mr. Reddick: I think the European approach on legislation, where you have a general framework and then you apply it sectorally... You have to be flexible. You have to look at the reality of the real world, and input levels of information and sensitivity. It's a very complex area, but you have to get the basics right and then implement it fairly.

The Chair: To hitch-hike on that, is it in the OECD guideline that's being used in Europe?

Ms Vallée: We do have a privacy policy that is applied across -

The Chair: Have you checked it against your own privacy bill?

Ms Vallée: It's pretty similar. The basic principles are all the same. Sometimes the wording -

The Chair: All right. I think the question Mr. Godfrey just placed before you would be important to us as a preventative measure right now, if it was possible to pass this information on. If you could verify, in your own analysis of the OECD versus the CSA, if there is something absent in there that would be effective in making sure that a point of entry makes the correction and has the obligation, then Mr. Allmand won't feel so guilty that he was too busy.

Mr. Allmand: I don't feel guilty - more mad than guilty.

The Chair: Mad - okay. We'll fix all that up.

Ms Vallée: We'll do our best, but you have resources within the federal government. I would point you to Andrea Neill at the Department of Justice and Stephanie Perrin at Industry Canada. They're both knowledgeable people who know everything about privacy protection.

The Chair: Great. Thank you very much.

On behalf of the committee, I want to thank both of you for a very enlightening exchange and for being helpful to us. We're looking forward to having your material, Mr. Reddick. I think it's very helpful to be focused in and have that analysis.

We'll call this part of the meeting to an end.

I would like to move on to two aspects. The first is the draft motion that the clerk, on the instructions of the steering committee, make the necessary contractual arrangements for consultant services in relation to the committee's cross-country hearings on new technology and privacy rights.

[Translation]

That the Clerk, on the instructions of the Steering Committee, make the necessary contractual arrangements for consultant services in relation to the Committee's cross-country hearings on New Technology and Privacy Rights.

[English]

This is to advise the committee that we had a fairly lengthy two-hour meeting yesterday. We interviewed the four candidates. Your executive committee, following an evaluation of those four candidates, has selected two candidates who will share the responsibilities in English and in French. We would suggest to you that they are both qualified, but this at least gives us the right to continue our investigation and the right to hire.

Warren.

Mr. Allmand: So you've done it before you have approval from the committee.

Mr. Godfrey: You can do it until -

Mr. Allmand: My question -

The Chair: We're not giving the contract out until you give us permission, because we finally got it in our budget. It was not relevant for me to raise it, as you are all aware, because not only did we need the budget approved, which we got, we needed the travel approved. Otherwise we weren't going to hire the consultant and we weren't going to go forward. We got the travel approval yesterday.

Mr. Allmand: Why are outside consultants necessary when we have clerks and people from the parliamentary library?

The Chair: Mr. Allmand, I don't know where you were, but we had a long discussion about this. The parliamentary library people are not the on-the-ground people who are going to get the grassroots people to attend our hearings.

Mr. Allmand: I never heard any discussion on this.

Mr. Godfrey: Can you remind us what the task is that folks are going to undertake?

The Chair: Certainly. It was a threefold task. We outlined for you the case study framework that we would use in approaching the general public in our meetings across the country, to have a threefold approach to this information.

.1250

First, in each city we visit we would have a town hall meeting format. We would have some experts who would lay the groundwork and have some exchange in the first hour, I believe. After that there would be three copy stations in the room, because we want to keep this in one room and to a manageable group of people. Before they get there each will be given - that's why we needed these consultants - the case studies, which we are going to develop from real problems and cases that exist in front of us.

What is the yardstick or marker - how far can that marker be moved from what is a fundamental right under human rights, where privacy is defined, versus the impact new technology has in moving the goal posts further from our sense of who we are as individuals and our right to control access and give the right to intercede in our lives. In other words, to opt into sharing that information rather than opting out of sharing that information would be the way it has been put this morning.

Mr. Godfrey: Sorry to interrupt, but to delineate the work of the regular folks versus the work of the additional folks, the additional folks would function -

The Chair: I was just going to read it.

Mr. Godfrey: Okay, good.

The Chair: I think you have to know the format we are laying out and why we needed the consultants, which this committee agreed to.

The format is a specialists discussion, followed by a break and round table or informal discussion with three different groups of people, studying case studies relevant to physical surveillance, personal identification and biological surveillance. They would then come back and place questions and get answers. In the interim they would have been given two pieces of information - an evaluation sheet and this background documentation. They would be asked to fill this in following the session so that we can have a tool to work with.

So the preparation tasks to be performed would be: preparations for the meetings, identify experts and see the facilitator for each meeting; contact the experts and the grassroots groups; identify possible participants and construct an invitation list for targeted interests; encourage targeted participants to attend and confirm their attendance; coordinate all mailings, including the preparation of an expert facilitator information package, with the goals and structure of the consultation, the role of the facilitator, the agenda, the background information package and the case studies, and a participant information package, which would include the above.

The research staff will be preparing the background papers, the case studies and the evaluation paper. The evaluation papers will be used to help us expand on our report, and to indicate that we will have tested the pulse of society as to how far is too far in abridging privacy rights in the interest of adapting to new technological advances.

That was the structure that we had determined would be the focus and the modus operandi of this task force. I stand to be corrected or clarified in any way.

Mr. Allmand: Madam Chair, I remember us setting that out as the framework for the committee, but - maybe I missed the meeting - I don't remember a long discussion on the fact that we required outside consultants to do these things. Maybe we did on a day when I wasn't here.

The Chair: It was also in our budget, Warren.

Mr. Allmand: Yes, I know. I knew the budget provided for consultants, but I didn't think for consultants to do this specific thing. In any case, if you think it's necessary, it's necessary, I suppose.

.1255

I hesitate about contracting out too much because I feel the more we contract out in committees - I'm talking in general now - the more we undermine our permanent staff. I mean the permanent staff in the clerk's and the committees branch and in Parliament. It allows the internal economy committee to say that they don't need all those guys, so they'll cut some more. You know what I mean. We keep on getting a smaller and smaller committees branch and a smaller and smaller research branch in the library because we're relying on outside consultants.

In this case, I'll vote for this, but I just have to put on the record that I look very closely at the need for outside consultants, and where we don't really need them, I would be opposed.

The Chair: Okay. I was just speaking to our clerk again to make sure that we're not undermining, because I agree with you that there are lots of things we have done, such as cuts, that have been inefficient in the long run.

Wayne, you might express it yourself, please.

The Clerk: Ordinarily the work the consultants are doing is work that would be undertaken jointly by the research staff and the clerk. However, because of the decision to use the town hall format, we envisage over the course of the five-day trip to be inviting somewhere between 150 and 200 witnesses and community groups. An operation across the country on that scale I'm afraid exceeds our current capacity.

Mr. Allmand: I'm convinced in this case. I shall vote for it.

The Chair: Can I get a motion of approval for that motion?

An hon member: I so move.

Some hon. members: Agreed.

The Chair: Thank you.

Is that your wine or is that water?

Mr. Bernier: Yes, my wine.

The Chair: The second draft motion is that the deadline for applications for the 1997 Centennial Flame Research Award be March 31 and that the amount of the award for 1997 be $2,500. Do I have to read it in both languages?

A voice: No.

The Chair: Number two, that a press release be issued inviting candidates for the 1997 Centennial Flame Research Award and that the press release be posted on the committee's Internet site.

Mr. Allmand: The name announced at the beginning of the meeting was for the 1996 award.

The Chair: Yes, that's right.

Mr. Allmand: Agreed.

Some hon. members: Agreed.

The Chair: Thank you.

Thank you, committee. I hope you have a very pleasant holiday. I hope you have time to get much of your reading caught up before we start back at the beginning of February and are ready to clear your calendars for February 10 to 14.

Mr. McClelland: You're a slave driver, Madam Chair.

The Chair: Do you want your report in before Easter?

Thank you. The meeting is adjourned.

Return to Committee Home Page

;