Proceedings of the Standing Senate Committee on
Science and Technology
Issue 2 - Evidence
OTTAWA, Monday, November 29, 1999
The Standing Senate Committee on Social Affairs, Science and Technology, to
which was referred the subject matter of Bill C-6, to support and promote
electronic commerce by protecting personal information that is collected, used
or disclosed in certain circumstances, by providing for the use of electronic
means to communicate or record information or transactions and by amending the
Canada Evidence Act, the Statutory Instruments Act and the Statute Revision
Act, met this day at 1:00 p.m. to give consideration to the subject matter of
Senator Michael Kirby (Chairman) in the Chair.
The Chairman: Honourable senators, we will do something relatively unusual
today. We have an extraordinarily large number of witnesses, so we will
actually need to stay on time. I will try to enforce time limits as rigidly as
Our first set of witnesses is a panel consisting of representatives from the
British Columbia Civil Liberties Association, the B.C. Freedom of Information
and Privacy Association, the Public Interest Advocacy Centre and the Canadian
Health Coalition. Consistent with decisions made by the steering committee last
week, each of the witnesses has been asked to state their views succinctly,
which means approximately five minutes each. I will ask Mr. Mollard to start.
Mr. Murray Mollard, Policy Director, British Columbia Civil Liberties
Association: Thank you for inviting me to speak with you about Bill C-6. I
should briefly introduce you to the association. We have been in the business
of protecting the civil liberties of British Columbians in the context of B.C.
and in Canada for the last 35 years. From personal experience, having worked
there for over five years, I can say that the privacy file is consuming more
and more of our resources. We are receiving more and more calls from
individuals concerned about privacy intrusions.
The British Columbia Civil Liberties Association is a strong supporter of Bill
C-6. We testified before the House of Commons Industry Committee and made
suggestions on amendments. We are happy to see some of those amendments, as we
feel the bill has been strengthened from a privacy point of view. We, like
others, think there could be more improvements; however, the bill as it stands
represents a good compromise, one that has been forged after significant
consultations with organizations that represent privacy interests as well as
organizations and associations of groups that will be subject to the law. In
the tradition of democracy, this is an example of a bill that has been put
together with a great deal of consultation and compromise. For that reason, we
support the bill.
The federal government, of course, will sell this bill to various interests as
being good for e-commerce and good for preventing problems with international
trade, but our organization thinks that the moral justification for Bill C-6
has to do with the importance of protecting Canadians' privacy. Privacy is
important and critical to the autonomy and integrity of Canadians, and it is an
important value for democracy.
There may be objections to the law from various interests in the health sector.
We are ready to answer those. I put some of those objections and responses in
our written brief and will not touch on those any further. However, I would say
that there is an urgency to pass Bill C-6. I know you have a responsibility to
consider carefully legislation that comes before you. However, we say it is
urgent, not because of some legislative timetable restrictions or politicians'
personal agenda, but, rather, because another day without Bill C-6 in force is
another day of demeaning and intrusive privacy practice that Canadians must
endure, and must endure without recourse, quite frankly.
Our organization regularly receives calls from individuals concerned about
practices that they are having to undergo, for example. This is an interesting
aspect of the bill, touching on the health information exemption for which some
are arguing. We receive calls from employees and potential employees of
organizations where, as a condition of employment, the employer wants to obtain
very sensitive personal health information -- things such as your family's
medical history, your psychiatric history and, indeed, even at times your
sexual history. We are astounded that those kinds of questions are asked and
made part of the employment application process. When people call us, we can
say that we could write to the organization, but potential employees are
reluctant to do so because they do not want to be singled out and cause trouble
even before they get a job.
My point here is that people are left really without anything that they can do.
The urgency for you as the Senate is to consider how this bill affects
Canadians in a very personal way. Our organization cannot do much about it, but
you can, and we urge you to do so.
Mr. Darrell Evans, Executive Director, BC Freedom of Information and Privacy
Association: My group, FIPA for short, was created in 1991 as a public interest
advocacy group for freedom of information and privacy issues. That is our
exclusive focus. We are currently the only society in Canada devoted to that,
but we are hoping to change that shortly by developing, along with some other
people at this table, a group called the National Privacy Coalition and actually
forming a real privacy group for Canada.
I should like to talk a bit about Bill C-6 in the larger social context of
privacy today. There is a battle going on in the Western World over access to
and control of personal information. This battle is being fought in both the
public sector and the private sector. At stake is how much privacy individual
citizens will be able to preserve in the face of the growth of government and of
information technology. The question Canadians must resolve is how much access
the state and corporations should have to information about us.
The legislation that is before you today is one result of the battle over
personal information. Bill C-6 represents a victory for the movement to
guarantee citizens some privacy rights and a recognition by the Canadian
government that citizens fervently desire and should have these results.
The most controversial part of Bill C-6 turned out to be the inclusion of
personal health information under the bill. I will devote my remarks to that.
It is my belief that the most serious, consequential and desperately fought
battle over personal information in the western democracies will be the battle
for control of health information. The debate over Bill C-6 has shown that to
When the directors of my group heard that there was an intense lobbying effort
by the Ontario Ministry of Health, the Canadian Pharmacists Association, the
Ontario Association of Medical Laboratories and others to have the private
health sector exempted from this bill, they asked that I do everything I could
to appear before you today.
Provincial governments, the private health care sector and much of the public
heath sector desperately want access to and control of personal health
information, and they do not want to ask the permission of individual Canadians
to get it. In other words, they do not want to have to ask you and me for our
consent as to what will be done with that information.
What does the Canadian public think about that? I have not seen much good
research on that, with the exception perhaps of a Canadian Medical Association
study, which I found to be excellent. However, our group, like Mr. Mollard's,
receives hundreds of complaints on privacy each year, and I have reached some
Most Canadians have confidence that their physicians will not betray their
privacy. That is, a physician will share information only for the purposes of
immediate care and with the patient's consent. That is what patients expect,
and that is what they assume is the reality. They have this trust because they
assume that physicians abide by a strict code that guarantees patients'
confidentiality. Moreover, patients still assume that they will be consulted
over disclosure, even with that guarantee.
Patients have no such trust relationship with pharmacists, laboratories or other
private health care providers, or even with hospitals or health researchers for
that matter. However, I believe that people expect the same standard of conduct
from those groups.
One indication of this is a U.S. survey that asked the following question: "Even
if you are not personally identified, should your permission be required before
your medical records are used for research, or is that not necessary?" The
response from 64 per cent was "Yes, permission should be asked." That
was for research with de-identified information. That gives you an idea how
strongly the public feels.
The part of Bill C-6 that most offends the Ontario Ministry of Health and the
private health care sector is the requirement that patient consent be obtained
for the sharing of personal information. Most of us would be shocked or
offended if a physician gave our medical records to someone for a purpose we
did not approve. Yet, that is exactly what many provincial governments and
health care interests are proposing by asking that Bill C-6 exempt health
Legislation is currently being developed in Ontario and other provinces that
will expropriate personal health information from all existing sources to
create an electronic health record for every Canadian. The federal government,
together with the provinces, is planning to create what is called "the
national health info structure" on which these electronic health records
will flow, along with other information, under the control of whomever they
designate as custodians. It is because Bill C-6 threatens to interfere with
these plans that the Senate and the other place have received such determined
representations from health interests.
The Ontario Ministry of Health assures us that information sharing would be
permitted without consent but with strong safeguards to ensure that information
is shared only in very limited circumstances. However, consent is the essence
of health privacy. It is not a side issue. It is the core issue.
If I leave anything with this committee, I hope it is the opinion of my
organization that the "strong safeguards" that the Ontario ministry
refers to do not constitute privacy rights. They may be confidentiality. They
may be called security. But they are not privacy rights. Personal consent and
control are privacy rights.
Ms Philippa Lawson, Public Interest Advocacy Centre: Thank you very much for the
opportunity to speak on this important bill. I should like to address briefly
four points: one, why the matter is an urgent one; two, why the bill is a good
one; three, why amending it is not advisable; and four, why you should not
succumb to pressures for a health carve-out.
I will speak first to the urgency. We are all aware of the tremendous ease with
which personal information is now being collected, stored and traded in the
marketplace without the individual's knowledge or consent. A whole new industry
has developed for data collection, data warehousing, data mining. It is growing
by leaps and bounds. The problem is that there is nothing to ensure that this
industry develops in accordance with the principles of privacy and human dignity
on which our civil society is based.
Some of you may recall the case a few years ago of a Montreal woman who been
diagnosed with cancer. No sooner did she get home from the hospital than she
received a telephone solicitation from a funeral home. New mothers who give
birth at hospitals are frequently inundated with the marketing of baby
products. While this may seem harmless, it is not appreciated when the baby has
died. In one reported case, a man who had consulted a medical clinic for sexual
dysfunction later received direct mail advertising cures for impotence. He felt
terribly exposed and humiliated.
A few years ago, a bank in Maryland was found to have recalled loans from a
number of individuals whose names it obtained from a list of cancer patients.
Not too long ago, a number of American states compiled a list of
African-American men at risk for sickle-cell anemia. Once insurance companies
obtained this list, many of those men were not able to get medical insurance and
some were turned down for jobs. A recent survey of Fortune 500 companies
indicated that over half admitted to using medical information in employment
decisions, often without the individual's knowledge or consent.
Honourable senators, we have allowed technology and market forces to get ahead
of our laws and our social expectations. It is time to act. The longer we delay
this bill, the more business cases will be built on the unrestricted sharing of
personal information, the more vested interest in opposition to fair
information practices will have been created, and the more difficult it will be
for you to put in place a fair and sensible regime for data protection in
Why is this particular bill a good one on which to move forward? Bill C-6
represents a reasonable set of fair information practices. It has the broad
support of businesses precisely because it is not too onerous. It has the
strong support of consumer and public interest groups because it gives us some
protection where now we have none. It is based on the fundamental principle of
informed consent, but it provides exceptions in appropriate cases. It takes a
common sense approach to the question of when such consent needs to be
Some say that this bill is not good enough, that we need stronger protection,
especially for medical records. We agree. But we do not think that Bill C-6
should be held up in order to for these sector-specific protections to be put
Why is amending this bill a bad idea? This bill represents a very delicate
compromise reached among a number of competing interests. If you take it apart
now, there is a good chance you will not succeed in reconstructing it. Sending
it back to the House could be fatal for data protection in the private sector.
Yet we need these protections and we need them now.
Finally, why should you reject the arguments that Bill C-6 is unworkable in the
health care sector? First, there is widespread misunderstanding of the consent
requirement in Bill C-6. The bill in fact takes a common sense approach. It is
based on reasonable expectations and it does not require explicit consent for
every use or disclosure.
Second, the fact that it is limited in application to commercial activities is
perhaps regrettable, but it is a constitutional necessity. It is a far cry
better than no protection at all, and it captures the bulk of the mischief we
are seeking to address.
If the health care sector is as integrated as its advocates' claim, then the
application of the bill should not be such an issue. All health care
organizations potentially subject to it should comply. However, that is not the
real complaint of those calling for a health carve-out. When you peel away the
various arguments you will find that what the pharmacists, hospitals,
administrators and others want is a regime based on their determination of what
is consistent use or what they think is in the best interests of the patient.
Bill C-6, on the other hand, gives some measure of control to the patient,
recognizing that the paternalistic model of "provider knows best" is
no longer appropriate in the increasingly commercialized environment.
Honourable senators, let us not delay these badly needed protections any longer.
Let us get on with building a society that puts human dignity first, ahead of
Mr. Michael McBane, National Co-ordinator, Canadian Health Coalition: The
Canadian Health Coalition strongly supports the purpose of Bill C-6, which is
it to provide Canadians with the right of privacy with respect to their
personal information. We support the guardian leadership of Industry Canada.
Our big question is this: Where is the Minister of Health on the question of
selling personal health information without consent? Surely there is a guardian
role for the Department of Health. Yet, in the debate around Bill C-6, we see
ministries of health arguing the case for exclusion from privacy protection on
behalf of pharmaceutical companies. That, to me, is a symptom of what Jane
Jacobs calls "mixing your guardian role with a trader role." When
governments get into that kind of scenario, it is a very dangerous situation.
We applaud Industry Canada for their guardian role in introducing this privacy
The application of the legislation, as you know, is much wider than the health
sector, but obviously it has direct implications on commercial activities in
the health sector. We would remind you that the business of drug stores selling
information on prescribing practices, gleaned from physicians and then sold to
multinational pharmaceutical information companies, is not a charitable
educational exercise. Those companies have fiduciary duties to maximize
profits. They are not benevolent health charities and they should be subject to
commercial legislation, such as Bill C-6.
Health care industries must not be exempt from the privacy rules. Fear about the
misuse of health information technology, as Ms Lawson has laid out, is well
documented. This is happening now. These are not theoretical concerns. What has
been surprising in the debate around Bill C-6 is the revelation of the lack of
protection for medical records. I believe Canadians assumed that the records
were, in fact, protected from commercial use and from hospitals selling their
records. This, of course, is not the case. We are now seeing the health
institutions intervene and try to argue for a carve-out.
One argument they are using, which you will probably be hearing about, is that
if we were to go ahead with this, Canadians might lose their confidence in the
current business practices. Therefore, it is better to leave Canadians in the
dark, and not let them know how this information is being sold and traded. That
is very bizarre reasoning.
I should point out, too, that at this very moment, in Seattle, the Minister of
International Trade has put health services on the trade table. It is a
peculiar logic that this same health services industry argues for
non-application of commercial legislation, yet is commercial enough to be part
of international trade negotiations. That is incredibly inconsistent and does
not stand the test of any examination on behalf of the public interest.
Where are the guardians of the medical records? That is the big question. Where
is the Department of Health on the question of distinguishing between
commercial use and use in the public interest for public health? I would hope
that you would pursue those questions with the appropriate authorities at
Health Canada. The debate on Bill C-6 has revealed the lack of protection and
the intervention on behalf of business interests who are currently not subject
to any regulations and rules on privacy.
You should be aware, too, that the federal government is currently planning to
set up a national health information system. The Department of Health has a
health advisory committee which has a number of health information companies on
the board, and they do not distinguish between commercial use and public
interest use in health information. That should be cause for concern. It would
be another argument as to why Bill C-6 would apply in this area. If the
industry does not distinguish and Health Canada does not distinguish in health
information, then surely this bill would apply to them.
We should remind you that one of the largest interests in the carve-out for
health information in Bill C-6 is the IMS Canada, which purchases customer and
physician information from 4,000 retail pharmacies in Canada. This same firm
has a detailed database on daily activities and the prescribing practices of
1200 Canadian physicians. The client is not the provincial ministry of health.
These pharmaceutical companies are not registered charities, they are
commercial businesses with a duty to maximize profits for shareholders.
We would argue that the ambitious plans of Health Canada for electronic patient
records and the national health information system should not go ahead without
stringent and strict privacy legislation and other measures to protect citizens
from inappropriate disclosure without consent. When the guardian of Canada's
health care system fails to distinguish between public and private interests in
health information technology, alarm bells should ring. In essence, health
industry critics argue that because the lines between public and private are so
blurred in these private-public partnerships, the entire sector should be
excluded from commercial rules. That is simply not a credible argument.
We would argue that Bill C-6 is an important first step in establishing privacy
rights for personal information, but it is only a first step. Other legislative
measures are also required. For example, Canada is one of the only countries in
the developed world without a legislated code of ethics and privacy for health
Finally, I would add that the Minister of Industry is to be commended for
guiding leadership in the health privacy field, and we would urge that the
government see that the Privacy Commissioner is given the adequate resources to
fulfil this important new mandate that will be given to them in this
Senator Murray: Mr. Mollard, as a matter of principle, what is your view of the
exemption for personal information collected for journalistic, literary and
Mr. Mollard: This is when freedoms collide. The association does a great deal of
work with respect to freedom of expression and also with respect to privacy.
That exemption is a perfect example where those freedoms collide. In our
Charter of Rights and Freedoms, freedom of expression is protected and freedom
of the press is made to be a specific example of freedom of expression. We go
along with that exemption, recognizing that there is a tension between the two.
Senator Murray: What would you say to a right of privacy entrenched in the
Charter of Rights and Freedoms?
Mr. Mollard: In the Charter, section 7 and section 8 have some aspects of
privacy. Therefore, it is not as if it were non-existent. Nevertheless, I
believe the association would certainly welcome further enhancements, further
protections, because, of course, search and seizure is a narrow parameter and
life, liberty and security of the person does not focus specifically on privacy
but has many elements. It would be unique, and I know that some interests have
called for an actual protection of privacy in the Charter. I believe that the
referendum proposed back in 1992-93 may have included a right to privacy, or
there was some call for that, anyway.
Senator Murray: On this issue, where these freedoms collide, do you come down on
the side of freedom of expression?
Mr. Mollard: Yes.
Senator Murray: As a matter of principle, what is your view of paragraph
7(3)(h)? I referred to it the other day. It is the provision that personal
information collected for commercial purposes may be disclosed 20 years after
the death of the person about whom the information has been collected.
Mr. Mollard: I do not think we have an official position on your question. It
may have something to do with the ongoing census debate.
Senator Murray: No, it has nothing to do with the census. You understand the
ambit of the bill. It has to do with the personal information collected for
commercial reasons. It relates to your mortgage, your credit card applications
and your business with the bank. This clause says that 20 years after you die,
if a case can be made that that information should be disclosed to the public,
then that would legally be possible.
Mr. Mollard: My intuitive response is that 20 years is not a long time. Why 20
years was chosen, I do not know.
Senator Murray: Why should that information ever be disclosed? As you know,
reasons like the investigation of a crime or some overriding purpose of
national security are covered by the bill. We are talking here about some day
in the future 20 years after you have gone, when someone doing a history of the
British Columbia Civil Liberties Association might want to know what credit
cards you held or the amount of your mortgage, if you had one. This proposed
legislation relates to personal information collected for commercial purposes.
I am asking for someone to defend it in principle.
The Chairman: I am not attempting to defend it in principle. The question is
where the 20 years came from. The 20 years is the same figure that appears in
the archive rule and in history. That is not to defend it, it is just to
explain why it is there.
Senator Murray: I know what you say is true. I think it is irrelevant.
The Chairman: I was clarifying the figure of 20 years for the witness.
Mr. Mollard: Perhaps my colleagues have something to add. I do not understand
the justification for that. The figure of 20 years strikes me as being not a
Senator Murray: I do not wish to hold things up. You and other witnesses have
argued against the exemption for the health care sector. It is not for me to
speak for colleagues, but I have not detected any support around the table for
the proposition that the health care sector should be exempted. However, some
of the organizations that you have referenced have made quite an argument,
coming from quite different perspectives, about the impact of this bill on
their sector. We must take that seriously, and they will have an opportunity to
speak for themselves.
What do you have to say about organizations like the Canadian Medical
Association and the Canadian Dental Association, whose position is that this
bill will weaken privacy protections? They say that rather more stringent
requirements, based essentially on the Canadian Medical Association's own code,
ought to be written into the law. What is your view of that?
Mr. Mollard: Again, they must speak for themselves, but I would be surprised if
they would say that this bill would weaken existing protections. Quite frankly,
in the commercial field, there are no protections right now. I do not see how
the proposed legislation would weaken the present state of affairs. My
understanding is that they are calling for further protections based on
secondary and tertiary uses. For that reason they wish to see improvements in
the bill. Obviously, you must hear from them to determine their points of view.
I am glad you made a distinction between those organizations and the
organizations such as the Ontario Ministry of Health that speak about a
two-tier system. When they talk about a two-tier system, as if two tiers were a
bogeyman, the assumption, which they perhaps do not make explicit, is that
protections that might be there for organizations involved in commercial
activity will be stronger than protections for the public health institutions.
From our point of view, that is a good thing, not a bad thing.
Senator Murray: The CMA and the dentists have a series of draft amendments.
Mr. Mollard: I am sure they do. Indeed, we could have made suggestions here
today about a bunch of amendments as well. We pursued that in the Industry
Committee, we saw some of our concerns responded to. However, we are aware of
the reality of give and take in the creation of legislation.
Senator Murray: I should like to turn to Ms Lawson on this subject as we have
had this conversation before. Your position has been that you got the
amendments that you could get out of the House of Commons, and that the Senate
really ought not to amend; is that not it?
Mr. Mollard: Not necessarily. However, I have spoken about the urgency involved,
and I will repeat that.
This also gives me an opportunity to say something that I did not have time to
say in the opening statement. The leadership role that the federal government
is showing here in terms of a national standard is very important and it is
making a difference. It is making a difference in this way: In British
Columbia, in October of this year, our minister, Andrew Petter, introduced a
discussion paper involving extending protections of privacy to the private
sector. In my opinion, without Bill C-6, we would not necessarily have seen the
political will and impetus to do that. That is very important and that
leadership role needs to be shown by the Senate as well.
Senator Murray: I agree with that. I turn now to Ms Lawson. You have told us
that we really must not amend, we must not send the bill back to the House of
Commons, because it might get lost. There might not be enough legislative time,
I have been listening to that argument for 20 years in various governments and I
may have made it myself, on occasion, but I wish to tell you that, if there
were a consensus in this committee that an amendment or several amendments were
needed, that would be it. We would do everything we could, in the committee and
in the Senate, to accommodate the schedule of the House of Commons. We would
try to get the amendments over there in good time so that they could deal with
them, yes or no, before Christmas. I think we could do that.
I ask you not to be carried along by these strategic considerations. There are
always ways to achieve an end. If this is a priority of the government, and I
have every reason to believe it is, then improvements to the bill suggested by
the Senate would not cause the loss of the bill, I assure you.
Ms Lawson: Thank you, Senator Murray, for that reassurance. The point I was
trying to make earlier was more that this bill really is a delicate compromise.
I was part of the process of drafting the Canadian Standards Association code
on which the bill is based. I can tell you that the extent to which you try to
fiddle with that and change that may lead to other interests popping up and
saying, "Wait a minute. We supported this bill before, but we do not now."
That is just a warning.
Senator Murray: It is a seamless web, is it? Around this table, we know about
political trade-offs and we understand that. We may take different views on
whether a particular trade-off is necessary and desirable, but we all
understand the phenomenon and the process.
Mr. Mollard: Put it this way: If you think you can make improvements to protect
privacy better and you are assured that this bill will get through the House
again, we would like to see that.
Senator Murray: That is the only kind of improvement that senators on this
committee would be interested in.
Senator Carstairs: As you know, the Canadian Medical Association has developed
what they call the health information privacy code. They would argue
strenuously that their privacy code is tougher than the code that is in this
bill. That is a concern to me. If by this bill we are going to be asking
physicians actually to weaken the code that they have already bought into, then
I say privacy is not adequately protected. I want all of the privacy I can
possibly get for that information. I have no truck with the other groups who
are arguing for weakening exemptions and so on. However, I do have genuine
concern that we may not have adequate amounts of privacy control in this bill.
You have all spoken eloquently saying that this is the best we could get.
However, the CMA is saying: "Give us time. Do not give us an exemption."
There are already provisions in the bill that give them almost four years --
one year after the introduction and three years after that.
Would you object to the same kind of stipulation for the medical community?
Ms Lawson: I agree that the CMA's code is stronger than this bill, but I would
not agree that that means that doctors will provide less privacy protection to
their patients. They will abide by their code which sets a stronger standard.
The code sets out minimum standards that apply across all sectors. It is clear
that within health we need stronger protections. We expect our health care
professionals to adopt codes, like that of the CMA, which set out stronger
protections. We will expect provinces to establish legislation that is at least
as strong as this but, unfortunately, we are currently seeing provincial
legislation that is weaker than what Bill C-6 proposes.
Mr. Evans: I agree with that. We believe that we will not get better legislation
than this in the House of Commons. We are looking forward to lobbying at the
provincial level for stronger legislation, because we believe that there will
be sector-specific privacy legislation for the health sector; although, as they
have been developing these bills, they have taken the word "privacy"
out of them. They are now calling them "data protection" or "health
information" acts. That has happened gradually over the years.
Citizens' groups have an inferiority complex. We think that groups like the
Ontario Ministry of Health and the Canadian Pharmaceutical Association have
more clout in Ottawa than we have. That is why we scrambled across Canada in
order to present our position. If we thought there was a chance of getting
stronger legislation, you can bet that we would be there, but we have already
been through this fight. Provincial governments have a strong interest in
getting more access to personal information without consent. That is what we
must fight and where we hope to make some gains.
Senator Carstairs: You were obviously participants in the process in the House
of Commons. Do you honestly think that members of the House of Commons would
object to tightening restrictions on the privacy of health care and only health
We are talking about a political dynamic. Senator Murray has outlined it very
clearly. If we amend this bill, it will be in very narrow areas and it will be
tougher, not weaker.
Do you believe that members in the other place would put up an argument about
greater protection of health care records?
Mr. McBane: We would all support any move by you to improve privacy provisions
in Bill C-6, with the condition that its passage is not delayed beyond this
session. Time is one thing we do not have. I disagree with the CMA that we have
time. We do not have time.
The Manitoba department of health has already contracted health information
management to the Royal Bank, which turned around and sold a 51 per cent share
to a Texas-based company. This health information is now being managed outside
the country. We do not even really know who owns it, and we have no federal
leadership. We do not have time.
I should like the Privacy Commissioner to seek a process for stronger
protections. Bill C-6 is much better than ongoing debate without any
Mr. Mollard: We must remember that there is a five-year legislative review built
into the proposed act. You referred to the three-year exemption. There was some
discussion about a year-long delay in the application in order that
organizations could comply. Be it a three-year, a four-year or a five-year
legislative review, there is not much difference. However, I am tired of telling
people who call our office that there is not much that our organization can do.
We can write to employers or to organizations, but often people are reluctant
to have us do that because they are fearful that they will draw the wrath of an
organization for having blown the whistle. I do not want to tell people that any
more. I want protections now.
Ms Lawson: The Reform Party did introduce some amendments in the House to
strengthen protection for personal health information. We supported those
amendments, but they did not pass. I understand that one problem is the
limitations of our Constitution, and I caution you on that point.
Senator Beaudoin: Obviously, this matter is partly provincial. What do you
expect from the provinces: legislation or compliance with federal legislation?
Mr. Mollard: In British Columbia, Minister Petter has introduced a discussion
paper. Bill C-6 will apply only to employees of federally regulated
organizations. We will be pushing hard in the province for legislation, rather
than just a code or some guidelines, to protect employees in the provincially
We tried the CSA code as a guideline. There has been some disappointment because
there has not been enough buy-in, and that is why we want to have legislation.
Senator Beaudoin: Sometimes the problem with federalism is that some provinces
use their powers and others do not. The temptation is great for the federal
authority to invade that field. I am the first to understand that it is not
easy and that we must legislate. I have no objection to legislating in that
field, but obviously privacy is not only federal; it is provincial. If a
province is occupying the field in the right way, we are thankful. If they do
not do that, what can we do and what do you intend to do?
Mr. McBane: Bill C-6 gives the provinces three years to come up to standard and,
if they do not, the federal legislation applies. If Quebec has a higher
standard, obviously their legislation will reign.
There is a strong constitutional responsibility of the federal government,
especially in cross-border trade in information. That is not a provincial
jurisdiction. With this technology, that is increasingly what we are dealing
Under the Canada Health Act, only the Government of Canada has the national
guardianship responsibilities for the national health system. No group of
premiers has the ability to guard the national system. We still have a national
country and we should have a national government protecting beyond just
provincial legislation. The federal government has an essential role, even in
health privacy, which would ideally be supplemental to and compatible with
provincial legislation. When it is not, there is a fundamental duty on the part
of the federal government to ensure that the standards are maintained.
Senator Beaudoin: I am not worried about Quebec. I am sure that they will occupy
that field. However, other provinces may think otherwise. We always have that
problem and we have to solve it.
The federal Parliament may try to cure the non-occupancy of the provinces in
that field. However, that is not always possible. In other words, if the
provinces do not do their jobs, how can Parliament do it on their behalf?
Mr. Mollard: Obviously, one is limited by constitutional restrictions. I am sure
there will be some debate among some constitutional lawyers who will suggest
that there is not enough power in this bill. The commerce power is
significantly large for the federal government to do what they are doing here.
It is somewhat restricted. It is restricted to commercial activity and employees
in the federal field.
In British Columbia, we now have discussions about extending privacy protections
into the private sector. I believe this has a lot to do with the political will
and impetus set out by the leadership role the federal government has played in
terms of Bill C-6. We urge you to endorse that.
Mr. Evans: The federal government is setting a standard here. Once the standard
is set, there will be a real desire and drive on the part of commercial
enterprises and other organizations to be consistent. That is because
information flows across borders in the nation and outside the nation. An
international desire for consistent standards is growing.
The European Union set the first standard, which Canada has picked up on. The
U.S. now has thousands of pieces of privacy legislation at different levels of
government. There is an incredible explosion of privacy legislation. The
federal government has taken the leadership here. B.C. has followed. Other
provinces will have to fall into line.
Senator Beaudoin: Do you think they will?
Mr. Evans: Yes, they will. It is a tidal wave. It is not a short-term trend. It
is made inevitable by the growth of technology.
Senator Finestone: This is a very ambitious and challenging undertaking, one
that I think is courageous on the part of the Government of Canada and the
minister. Are you aware of any promise to put enough financial commitment
behind this bill so that the Privacy Commissioner, in his role as ombudsman
whose workload will be more than doubled, will have the kind of financial clout
that he needs not only to follow up on the complaints but to undertake the more
important role as educator of the public? Members of the public will have to
learn how to maintain and control their right to privacy.
Ms Lawson: No, we are not aware of any such public commitments. We feel strongly
that this bill must be made meaningful. The only way that will happen is by
giving the Privacy Commissioner's office the resources they need to administer
Mr. McBane: As a member of caucus, you would have a lot of influence in terms of
encouraging the allocation of resources to meet these duties. If we do not do
it, the health information system will fail. It will crash, and for good
reason. The British Medical Association has called for a boycott of any
national health computer system that does not adequately protect privacy. That
will be the same in this country. There are no short cuts here. There should be
no race to the bottom. We should follow the lead of the European Union.
Governments have a big role to play in setting standards, including in health.
Resources are required to police them.
Senator Finestone: There is an area in the bill with regard to which legislation
will be required to define public property and public lists. There are millions
of lists. Who owns them? How do we use them and to what do we have access? Do
you have any observations in that regard?
Mr. Mollard: A big issue popped up in British Columbia a year or two ago with
the assessment rolls, that is, lists that set out the assessed value of real
property, along with addresses. The Information and Privacy Commissioner wrote
an investigative paper on the issue. There will be some debate about what is a
legitimate public list and what is not because, of course, people are required,
by legislation, to provide certain personal information. By law, they are
required to do so, and for some legitimate reasons.
Technology is driving this. Inherent protections come into play when one goes to
the assessment office to look up this type of information. However, with
technology, one can sit at home and search that on a database.
Senator Finestone: I wish to turn to Quebec. I heard Senator Beaudoin on the
subject, who is our expert in this area. In terms of Quebec, are those matters
not covered under paragraph 26(2)(b) and clause 31? Those clauses concern those
provinces that have legislation in place dealing with this issue. Paragraph
The Governor in Council may, by order,
(b) if satisfied that legislation of a province that is substantially similar to
this Part applies to an organization, a class of organizations, an activity or
a class of activities, exempt the organization, activity or class from the
application of this Part in respect of the collection, use or disclosure of
personal information that occurs within that province.
Subclause 30(1) states:
This Part does not apply to any organization in respect of personal information
that it collects, uses or discloses within a province whose legislature has the
power to regulate the collection, use or disclosure of the information, unless
the organization does it in connection with the operation of a federal work,
undertaking or business or the organization discloses the information outside
the province for consideration.
That makes it clear that it would be in the interest of the provinces to develop
legislation that, in many ways, would be a mirror image of the legislation that
is before us. In effect, such legislation would cover those institutions,
organizations, professional associations and agencies that are concerned. Would
you agree with that assessment?
Mr. Mollard: Absolutely.
Ms Lawson: Yes.
Mr. Mollard: It is a great example of the federal government taking a role but
allowing room for the provinces to buy in.
Senator Finestone: With regard to the Heenan Blaikie opinion and paragraph
7(3)(f) concerning health care and Health Canada, do you have any observations
Ms Lawson: The clause to which you refer permits the use of data, without
consent, for research when anonymous data cannot be used. In those cases, the
organization still has to inform the commissioner.
One of the amendments made by the House committee, and we certainly recommended
it, was to add the requirement that researchers should have to use anonymous
data where it will suffice. Only where they really need personal information
should they be using it. We were happy to see that amendment. Because of it, we
are now supportive.
However, we still have concerns about research, particularly medical research in
the commercial sphere. I am not sure what is driving the Heenan Blaikie
opinion. We think this is an absolute minimum protection which should be in
Mr. Evans: Some of us wish that provision were much stronger. We feel that they
should not have access to your personal information without consent, even for
research purposes, unless it is anonymous.
Senator Finestone: I have examined this closely. I have an abiding concern about
privacy and privacy rights and my personal rights.
If researchers can show reasonable justification for why they need personal
information, what holds them back? Why is there this abiding concern? An avenue
has been presented, and that is the Privacy Commissioner. He can give an
opinion and, frankly, if the Privacy Commissioner thinks that a certain request
for personal information is out of order, that reasonable justification has not
been disclosed, he can deny the request. Therefore, what is the problem?
Mr. Evans: There is research and then there is research. For instance, the
Ontario Ministry of Health says that one reason for their research would be for
management purposes. What are we talking about? Are we talking about pure
scientific research? They do not make that clear.
Ms Lawson: I think I should try to clarify this. We do not have a big problem
with the clause as it is presently drafted. We certainly do not have the
problem that the Heenan Blaikie opinion expresses. You will have to ask them
why they are taking that position.
Senator Gill: If it is not a problem, I will speak in the other language. My
concern is for those who cannot manage their own affairs, that is persons under
public trusteeship as well as those who depend on the national health care
system, such as First Nations. Do you feel that the proposed legislation
adequately safeguards the privacy of these individuals? The department is in
fact administered by the federal government and the legislation will be managed
and administered by the federal government as well.
Mr. Mollard: Can I get a clarification? You were concerned about people of the
First Nations, and what was the other category?
Senator Gill: Those who are not capable of managing their own affairs.
Senator Finestone: Those who are under public trusteeship.
Mr. Mollard: By reason of mental disorder and so on?
Senator Finestone: Yes.
Mr. Evans: In the case of disabled people who cannot exercise their own rights,
they will have people to exercise their rights for them. I would think native
citizens would have the same rights as anyone else under this bill.
Mr. Mollard: This bill applies only to commercial activity, so I am not sure how
far it goes. There may be other questions. I think that is what you are asking.
The issue of infirmity or mental disorder is probably an area of provincial
jurisdiction. This is again why we need the leadership role of the federal
government to create a baseline and to try to pull the provinces along.
Mr. McBane: Because there are areas of exclusive federal jurisdiction, if there
was a health carve-out, then there would be no protection for aboriginal
people. There would be no protection for employees covered by the federal
jurisdiction. There are more implications of a carve-out, because the federal
government is an employer and has fiduciary duties directly with Canadians. You
will not hear about those from the health industry lobby.
The Chairman: I thank you all for coming, particularly Mr. Evans and Mr.
Mollard, who took the trouble to come from British Columbia.
Senator Murray: Mr. Chairman, before these witnesses leave the table I want to
draw the attention of the committee to page 6 of the brief from the British
Columbia Civil Liberties Association. That organization, which one might have
thought would have some concerns for fairness and objectivity, does not
hesitate to attribute motives of partisan political interests rather than any
real concern for the good administration of the laws of Canada.
Some of us have argued that this is really two bills and ought to be split. I
will not take the time of the committee to try to explain to the witness why it
is that, in the Westminster and Canadian systems, Parliaments have insisted
that there be one clear principle to a bill. If you want to go to the other
extreme, you can look at the United States congressional system where every
congressman gets to tag on his own favourite project to every appropriations
bill going through. We have been through this. It is a rather arcane subject
for outsiders but it is very important. We cannot have governments putting all
their projects into one bill. That is what we are afraid this is leading to,
unless we insist on a clear principle in a given bill.
The proof of what I had to say in the Senate about this being two bills is the
fact that we have not heard a syllable from any of these witnesses about the
e-commerce issue. They came here to discuss their bill.
Mr. Mollard: Fair enough. Perhaps I could respond to that briefly. Senator
Murray has raised a good point about the bill involving two distinct concepts.
Again, our concern here is about the delay and all the problems with that, and
the fact that I have to go back to Canadians who call us and say to them, "No,
sorry, we cannot help you yet because the bill has not been passed."
In this circumstance, the test would have to be this: Would having the various
parts under this one bill prevent the good administration of those various
parts? Our submission is that it will not. That is why we urge you not to
recommend or suggest an amendment to split the bill and cause all sorts of
difficulties with getting the privacy protections in place.
Senator Murray: That is not the test, but this is not place for that argument.
The Chairman: Honourable senators, our next witnesses are from the insurance
Welcome, and please proceed.
Mr. George D. Anderson, President and Chief Executive Office, Insurance Bureau
of Canada: It is a pleasure to be here. In all the years I have been coming to
committees of this kind, this is one of the more difficult subjects that I can
recall a parliamentary committee having to deal with. The ramifications are
extensive, and the problems are not simple of resolution. We will try to be
helpful, if we can, in moving through this process.
I want to restrict my comments on the question of the protection of personal
information of individual Canadians in the private sector. I am speaking on
behalf of the property and casualty insurance industry. I think many of you
know we are the people who provide auto, home and business insurance. There are
230 companies operating in Canada in this field. It is a highly competitive
environment. We employ about 100,000 people directly and indirectly across the
I want to say at the outset, as did the previous witnesses, that we support
efforts to protect privacy rights of Canadians. In our opinion, the bill that
you are in the process of studying represents a reasonable balance of the
legitimate interests of the groups who have come to the table around this very
In particular, we support the provisions of the bill that will enable us to
continue to fight insurance fraud. This is essential to us, as many of you
know, and to Canadian consumers, because insurance fraud has been estimated to
cost about $1.3 billion per year in premium leakage. That cost is paid by all
honest policyholders in extra premiums.
Our support, however, is not unqualified, as one might expect of a bill this
complex. We do have two key concerns with the bill.
Our first concern is the failure of the bill to assign a clear role to what I
will call "tailored" versions of the model privacy code, that is the
code that is appended to Schedule 1. By "tailored", I mean a privacy
code that is certified as being in compliance with the model code, but which has
been modified to take into account the realities of conducting business in a
particular sector of the economy, such as property and casualty insurance.
We are very proud of the role that our industry's tailored code has played. I am
referring to the Insurance Bureau of Canada's model personal information code.
However, we are disappointed that there appears to be no clearly defined
recognition in Bill C-6 to codes like ours. At the government's request, we
actively participated in the development of a national standard model privacy
code and were the first financial institution to receive certification that our
code is in compliance with the national standard. Yet, the only mention of
industry codes in the bill is in clause 24 which says that the privacy
commissioner shall "encourage organizations to develop detailed policies
and practices, including organizational codes of practice, to comply with
sections 5 to 10" of the bill.
However, there is no indication of the use or the weight to be given to such
codes by the privacy commissioner. That is a problem. We would like to see an
obligation on the part of the commissioner to recognize that, in the making of
decisions, compliance with a tailored industry code constitutes compliance with
the provisions of the bill. I would think that would make his or her job a lot
easier than the daunting task facing the commissioner now.
Our disappointment is greater because the property and casualty insurance
industry has a solid track record in guarding the confidentiality of customers'
personal information. We do not sell customer information.
The most sensitive personal information, the information related to health and
financial affairs, is obtained by property and casualty insurers only in the
process of settling a claim. It is obtained with the explicit consent of the
customer under applicable provincial laws. It is used only in resolving a
claim, and it is destroyed seven years after the claim file is closed.
In effect, Mr. Chairman, as I said before, confidentiality is the coin and the
currency of the insurance business. Insurers would not survive for very long,
if customers felt we were treating their information in a cavalier or offhanded
Our second concern with Bill C-6 is the failure to address the need for
consistency and harmonization. You had a long talk about that with the previous
witnesses. Obviously, we are concerned with the possible proliferation of bills
which may occur as a result of the process triggered by Bill C-6. To have a
different privacy law in each province and, furthermore, to have a "carve-out",
with health care being treated separately, could leave us with as many as 23 or
24 separate acts dealing with the privacy of personal information.
In that context, it would be very difficult to know, if, when and how one was
complying with any particular piece of legislation. It would certainly be
expensive to do business under a regime of that kind. The possible
inconsistencies in privacy laws, from one jurisdiction to the next, could mean
that Canadians could not necessarily rely on the protection afforded by a
uniform law applicable right across the country.
We have heard that there are four years to consider the implementation of this
legislation. I would urge those in government to take that time to work with
the provinces to try to get the most consistent set of legislative provisions
we can across the country.
Mr. Chairman, I would end by saying that we do support the broad provisions of
Ms Mary Lou O'Reilly, Executive Director, Canadian Coalition Against Insurance
Fraud: Our organization was founded in 1994 with a mandate to curb the growing
cost of home, car and business insurance fraud for honest policyholders in this
At that juncture, we defined insurance fraud in three ways. You may already
know, of course, that lying on an application for insurance is considered to be
fraudulent behaviour. Submitting an entirely false claim to an insurer is also
identified as insurance fraud. Lastly, exaggerating on an otherwise legitimate
claim for the purpose of securing funds that are not contractually held is also
described by our organization as insurance fraud.
When we faced this daunting problem, which was illustrated in these three ways,
we brought to the table, understandably, the insurance community, that being
insurance companies, brokers, and adjusters. However, more to the point, we
brought to the table the other stakeholders who were dramatically affected by
insurance fraud. We include the Canadian Association of Chiefs of Police and
the Canadian Fire Marshals Association on our board of directors. The Consumers'
Association of Canada is also represented, and even the Canadian Cycling
Association is a member of our organization. We have also, since our inception,
cobbled together, community by community, alliances with Crime Stoppers
organizations in more than 150 communities across the country.
We did all of this to solidify the message that we have been repeating now for
five years, which is that insurance fraud is a very costly crime in this
country. As a matter of fact, it costs honest policyholders $1.3 billion
In addition, there are societal costs, such as a fire fighter risking his life
rushing to a fire that may have been set by an arsonist; medical costs of
administering care to a person who is not injured; and costs of police
investigating a crime that never occurred. Another $1 billion in societal costs
per year should be added to the $1.3 billion annual costs.
As an organization, we have brought together the stakeholders who are well aware
of this costly crime. Fighting this crime, in other words the investigation and
prosecution of insurance fraud, relies on the collection, use, and disclosure
of information among insurers.
We support Bill C-6 because it will provide for the use, collection and
disclosure of this information, so central to the fight against insurance
fraud. Insurance fraud is a crime that thrives on misinformation, and, of
course, on lack of information.
I will give you an example of what I mean. When I first joined the coalition,
the first individual I met was an adjuster who was working for an insurance
company. That adjuster was ready, at that point, to pay out $35,000 on a claim
for a ring that had been stolen. The insurance adjuster recalled having seen a
similar claim when working for another insurance company five months earlier. He
decided to investigate a bit further only because of that happenstance. As it
turned out, senators, five brothers had made five claims for $35,000 to five
different insurance companies for the same ring that had been lost. Without the
capacity to use, collect and disclose information, that fraud would have gone
undetected. The claims would have been paid, and they would have been paid by
honest policyholders who would never think of committing such a crime.
In the course of our work, we have been successful in raising the awareness of
insurance fraud, which is the purpose of my presentation to you today. When we
began, 20 per cent of all Canadians, or one in five, told us that they thought
insurance fraud -- that is, specifically, home, car, and business insurance
fraud -- was perfectly acceptable behaviour. Through our efforts and, I assume,
the efforts of other diligent organizations, only 4 per cent of the population
now believes that this is acceptable.
We need your help in continuing our fight against insurance fraud, and we
applaud the drafters of the bill before you today.
Mr. Charles Black, Senior Advisor, Insurance Operations, Canadian Life and
Health Insurance Association: It is a privilege to be with you today and
contribute to the committee's study of the subject matter of Part 1 of Bill
C-6. Let me begin by saying that I read with great interest the thoughtful and
informed interventions made by the honourable senators during the second reading
debate of this bill in the Senate chamber. This is an important and complex
bill. In this context, we hope that our participation today will provide a
constructive contribution to the Senate's study of this bill.
Part 1 of Bill C-6 is relevant and important to life and health insurance
companies. In many ways, personal information is the raw material that makes it
possible to provide life and health insurance services of various types to
Canadians. We cover life insurance, income replacement in the event of
disability, retirement income, and reimbursement for the cost of prescription
drugs, dental services and other health care which is not covered under
provincial health care plans.That varies from province to province.
The need to protect the confidentiality of that personal information has been
recognized by insurers for many years. Some 20 years ago, life and health
insurers became the first industry to introduce a privacy code at the industry
level. The industry has also actively participated in the development of the
CSA model code, much of which appears in Schedule 1 of this legislation.
Mr. Chairman and honourable senators, I am pleased to say that CLHIA strongly
supports this legislation with respect to the principles of privacy protection
which it embodies. This framework reflects the long consensus-building exercise
that led to the unanimous adoption of the CSA code, and is closely linked to
the OECD principles that underlie our industry's privacy code, that underlie
Quebec's legislation for the private sector, and that underlie much other
legislation in this area. We believe that these principles provide an excellent
basis for protecting the personal information of all Canadians.
The submission we have presented to you today reviews the industry's long and
active background in this area, and the results of its review of the subject
matter of Part 1 of Bill C-6 on the basis of that background. As indicated, we
are very supportive of the bill in general.
Unfortunately, however, we do have numerous questions regarding the detailed
provisions of the bill, and our submission contains a number of constructive
recommendations to improve the proposed legislation. Many of our
recommendations are very detailed. However, when one considers that this
legislation will, potentially, affect millions of insurance consumers, and
several tens of thousands of insurance transactions each and every week, I
believe it is clear that the details are important and that it is most
desirable to get them right to the extent possible.
Our submission also expresses concerns about several broader issues, such as the
lack of clarity in many provisions of the bill, which make it difficult to
understand how the legislation will apply and which could complicate the
implementation process. In many instances, the necessary clarification could be
provided without modifying the text of the bill through open, effective
communication and an effort to continue to work together, given the effort that
was made on the CSA process with all stakeholders. Certainly CLHIA is willing
to participate in this process.
Chapter III of our submission attempts to provide an overview of the review we
conducted, and it highlights three areas of concern: the detection and
deterrence of fraud; health care; and the harmonization of legislation with
other jurisdictions. These three topics were discussed at considerable length
With respect to efforts to control fraud, the amendments already made to clauses
7 and 9 of the bill represent substantial improvements. However, as noted in
chapter III, some troublesome inconsistencies and gaps remain. For example,
four provisions in clause 7 deal with investigations, but only two of them are
applicable if the investigation involves the law of a foreign jurisdiction, as
could be the case with travel health insurance, for example, which affects many
Canadians. These inconsistencies could invalidate an effort to control fraud.
We believe these inconsistencies and gaps should be corrected.
You are hearing and have heard many concerns with regard to health care and
health information. I submit that it is helpful to separate those two areas:
the health care sector, and personal health information. Let me assure you that
such information is and will be protected fully to the extent that it is in the
custody of life and health insurers. Personal health insurance is collected by
insurers, used by insurers, and disclosed by insurers only with the consent of
the individual, in the vast majority of cases. We are concerned, however, that
legitimate transfers of information from one sector to another could be
complicated unnecessarily and unproductively if the concerns that are being
raised currently are allowed to continue without resolution.
The need for harmonization of legislation in various jurisdictions is somewhat
related, indeed closely related to the health care area. If, as appears likely,
some sectors such as health care and human resources will be largely outside
the scope of Bill C-6 but are subject to other privacy legislation at the
provincial level, the need for national organizations such as life and health
insurers to have that legislation closely coordinated is critical. In CLHIA's
view, substantially more attention needs to be paid to this issue, and we
encourage that focus.
In closing, let me repeat that life and health insurers strongly support the
objectives of this important bill. However, we do hope that further
improvements can be made to some details. In any event, I assure you that
insurers will continue to protect the personal information that is entrusted to
them, and will work with all interested parties to successfully implement this
The Chairman: I have one question. You state a few times in your brief and in
your opening statement how supportive you are of the bill in general. You then
proceed to provide a significant number of pages of complaints, including a
recommendation on page 17 which suggests that, before proceeding with the bill,
there be further consultations with provincial governments and the private
sector to develop a more satisfactory approach to coordinating alternative
systems of protecting information in order it avoid duplication and confusion.
You will pardon me if I wonder if you are making this statement of principle
about being supportive because that is the politically correct thing to do, and
then suggesting, in particular, a whole series of changes that would be
designed to delay the bill sufficiently that it would never come into force. I
say that particularly with respect to your comments in relation to attempting
to seek federal-provincial agreement on a subject -- indeed, in your case,
federal, provincial and industry agreement -- which has been the subject of a
massive number of consultations.
Pardon my cynicism, but it reflects the fact that I ran federal-provincial
relations in this country for a while from the federal point of view. I know it
is unbelievably difficult to achieve agreement on anything. I cannot tell
whether or not to accept at face value your statement on how important you
think it is, or to accept your criticisms which would lead me to quite a
different conclusion. Can you assist me?
Mr. Black: I shall try. Honourable senators, it is not our intention to delay
passage of this bill. Indeed, this bill has been delayed for too long already.
There has been a long process since the introduction of this bill. It has been
a longer process since the deliberations to develop the CSA code began.
The members of our association realize that this is a complex process, but we
strongly believe it is worth the effort. Those efforts must be continued and
they can be continued during the implementation period of the legislation.
Senator Murray: Mr. Black, I need more time than I have this afternoon to go
through your brief and the recommendations that you have made.
However, eyeballing it quickly, I believe some of these matters have been
covered already, perhaps in amendments by the House of Commons. There is
reference to detection and prevention of fraud. I am sure there is a provision
that provides an exemption for the investigation of a crime. In that instance,
the right to privacy of personal information is lifted.
Mr. Black: Senator Murray, I would be pleased to be proven wrong on any of these
points, believe me. These recommendations reflect many questions that we have
raised and have not had answered.
On that point, my understanding is that there is protection to the extent that
the information is obtained through collection without the individual's
consent. That is only a small part of the information that would be used. I do
not believe there is any protection for other information in the private
Senator Murray: I will stand corrected if that is the case.
Mr. Black: As I say, I would be delighted to be proven wrong.
Senator Murray: Let me turn now to a point that I think you share with Mr.
Anderson. I invite one or both of you to comment on it. You suggest that the
committee recommend that provision be made for a greater role for sectoral and
organizational codes of practice. In Mr. Anderson's case, he spoke of the need
to clarify the role of organizational codes of practice and criticized the bill
because it makes no provision for a privacy code that would be in conformity
with the CSA code, but modified to the circumstances of the particular
It strikes me, unless I am missing something, that what you are suggesting is an
entirely different approach from the one the government has taken in the bill.
If we were to amend the bill to incorporate your recommendation, namely, that
compliance with various industry codes that are in conformity with the CSA code
would be considered compliance with the bill, we could write a one-page bill
consisting of two or three clauses, could we not?
Mr. Anderson: I do not know. I have never seen a three-clause bill, senator. We
do think that leaving the question of what is an acceptable code up to the
privacy commissioner without some form of guidance leaves too much in the hands
of a small group of people to decide.
Senator Murray: Where is that done, Mr. Anderson?
Mr. Anderson: It is done through the lack of specificity on the basis that the
Privacy Commissioner is to decide whether or not you are in compliance with the
Senator Finestone: Just on that very point, I should like you to address clause
23 (1). Senator Murray has asked a pertinent question. Clause 24 indicates the
role and importance of the commissioner. Clause 23(1) states:
If the Commissioner considers it appropriate to do so, or on the request of an
interested person, the Commissioner may, in order to ensure that personal
information is protected in as consistent a manner as possible, consult with
any person who, under provincial legislation that is substantially similar to
this Part, has powers and duties similar to those of the Commissioner.
Why are we not given a sense that the commissioner will certainly follow through
to ensure that the other codes that are being presented, like the medical and
dental codes, are not in conformity with this bill which will be basic law?
Mr. Anderson: Senator, this clause deals with how the commissioner is to consult
Senator Finestone: It also deals with persons.
Mr. Anderson: My point is that we have a code that exceeds the basic code in the
proposed legislation. Why can we not get the commissioner to say that it does
and move on and look at other sectors of the economy?
Senator Murray: Even if he says it is, I do not think he has any authority to
say that a code is in conformity with or even better than the act and,
therefore, can deem it to be in conformity with the act. I do not think he can
The Chairman: Mr. Anderson, you seem to be saying that you have a higher bar. If
you have a higher bar, why do you care about federal legislation that has a
lower bar since your own association is presumably committed to sticking to the
higher bar? Regardless of what the Privacy Commissioner says, why do you have a
Mr. Anderson: In some sense we do not. I am only impressing upon you that we
have a higher bar. We have completed a process of working with the CSA for over
three years, and having our code approved by an independent certification body.
We have no assurance now that this code -- other than our own assertion that it
is acceptable -- is acceptable.
The Chairman: Who is your certification body?
Mr. Anderson: The Quality Assurance Institute. That body works with the CSA to
independently certify CSA programs.
Senator Murray: What you seem to be suggesting is an entirely different concept,
which would mean drafting an entirely different bill. You are suggesting that
the federal government would state some principles, and that various sectors
such as yours would table their privacy codes and the commissioner would decide
that, since those are in conformity with the principles in the act, and so long
as you stay within those codes, you would be in conformity with the law.
It is an entirely different concept from the concept in this bill.
Mr. Anderson: I do not deny that.
Senator Murray: You talk of the failure to deal with consistency and
harmonization and the danger that we could be looking at 28 different regimes.
The federal government has introduced a bill which, after it receives Royal
Assent, one year will pass before it is effective in the federal jurisdiction.
Three years after that date, it will be effective for intraprovincial commerce,
commerce within the borders of a province in provinces that have not enacted a
law that is substantially similar to this law. How could that create 28
Those provinces that have enacted a law substantially similar to this will be in
substantial conformity with this law. Intraprovincial commerce in those
provinces that have not will be subject to this law.
Mr. Anderson: It does not prevent provinces from adopting legislation that is
not substantially similar and then insisting that businesses within their
jurisdiction adhere to it. We have seen this many times in federal-provincial
regulation. Our plea is straightforward and practical. We have four years after
this bill passes to work out some issues. Our appeal to the politicians is to
make this legislation, which is important and necessary, as effective as
possible for those of us who have businesses in every jurisdiction across the
country and must comply with it.
Senator Murray: I readily take your word that that could happen, and there is
some experience to demonstrate that it could. However, let us get down to
Perhaps Mr. Bernier would like to join us at the table.
I believe that the position of the federal government is that the Quebec law is
substantially similar. Therefore, there is no question of this bill, when it
becomes law, ever becoming effective in respect of intraprovincial commerce in
Quebec. At the same time, I believe I read somewhere in the deliberations of
the other place that the government has indicated that the Ontario law,
certainly as it affects health care information, will not pass muster. Am I
correct in that?
Mr. Black: Ontario has not even introduced a bill yet. They do have a
consultation paper available that relates only to health information.
Senator Murray: I stand to be corrected, but I believe that government officials
or the minister has taken the position that it will not.
The Chairman: I believe that is correct in relation to the draft Ontario bill.
Senator Murray: What about the Quebec act? I understand that there is the Civil
Code and another privacy act. Do you agree that their laws are substantially
similar to what is contained in this bill?
Mr. Jean-Pierre Bernier, Vice-President and General Counsel, Canadian Life and
Health Insurance Association: They are, indeed, very similar. There are six
motherhood provisions in the Quebec Civil Code and the bulk of the privacy
legislation in Quebec is in an act better known as "Bill 68". It
covers consent, notice, redress and access; all the same principles.
Senator Murray: Yes, but I believe that there is something quite different about
the approach. There must be. When this bill, under a former number, was at the
Commons committee, I heard it said that the Quebec act was greatly superior to
this. I had a conversation with representatives of an organization, from which
we will be hearing later, who are greatly opposed to this bill and in favour of
an exemption for the health care sector. They represented to me that they get
along just fine with the supposedly superior and more stringent Quebec
Is there a different approach in the Quebec legislation? Is disclosure the
Mr. Bernier: Disclosure is one of many focuses of the Quebec privacy
Senator Murray: Is collection not the focus?
Mr. Bernier: Collection is part of the focus of the Quebec legislation, as are
consent, redress and access to information to correct wrongful information.
Senator Murray: Before we finish here, I want someone to compare the Quebec law
with this bill, if that can be done, Mr. Chairman.
The Chairman: Mr. Bernier, have you made a comparison of the two bills?
Mr. Bernier: We have done so only with respect to the broad principles of the
legislation, not with respect to the details. We will do that when this
legislation is enacted.
The Chairman: Would you share with us your information on broad principles?
Mr. Bernier: Yes, we will.
Mr. Black: The Quebec legislation is more comprehensive in that it applies to
all personal information within the province. It applies to health care
information, within the health care sector and elsewhere, and it applies to
employer-employee records of provincial employers.
It is my understanding that the bill is substantially similar, although the
wording is different and the implications are different. We believe that it
will be relatively easy to comply with both the Quebec legislation and Bill
The difficulty comes when information crosses the provincial border. Some claims
may be administered in Ottawa or in Winnipeg, whereas others may be
administered in Montreal. It is difficult for both consumers and the
organizations to know which legislation applies in all cases.
I believe that we can bridge two pieces of legislation. If there were 23 or 24,
that would be a much bigger challenge.
Senator LeBreton: Mr. Anderson, in layman's terms, what do you mean by "premium
Mr. Anderson: Premium leakage is when people claim a premium to which they are
not entitled: for example, losing a Timex and claiming for a Rolex; or losing a
Timex and claiming for a slightly more expensive Timex.
Senator LeBreton: How do insurance companies know that the person did not in
fact have a Rolex?
Mr. Anderson: Many times we do not, and therefore many times that type of
representation succeeds. We are trying to tighten that up. In fact, surveys
have shown that a few years ago a substantial proportion of the population
believed that that was acceptable behaviour. We are now working very hard to
produce documents to help claims managers recognize suspicious claims.
A good example is when someone backs up all the information on their computer
and removes all his or her valuables from a place of employment the night
before a fire. You would be surprised how many people do that. That would be an
indication that perhaps you should look further.We have begun to develop ways
in which we can stem the leakage in order to keep more premium money for people
who are entitled to it.
Senator LeBreton: I recognize the enormous cost to honest citizens. You used the
figure $1.3 billion with another $1 billion in related societal costs. Your
membership includes the insurance industry, consumers' associations, fire
marshals, police chiefs, et cetera.
How is the information disseminated? The person who committed fraud will not
consent to share this information. How do you protect the right of the
individual to privacy while, at the same time, sharing information about
fraudulent claims made on an insurance policy?
Is there a time limitation after which this information can no longer be shared
without the consent of the person who committed the fraud?
Ms O'Reilly: In point of fact, I may not be the right person to whom to direct
the question. The Canadian Coalition Against Insurance Fraud raises awareness
and provides tools to the industry and does work in other areas analyzing the
legal and regulatory environment in which fraud is fought. However, we do not
actually investigate fraud. There are industry organizations, such as the
Insurance Crime Prevention Bureaus, which do.
Perhaps Mr. Anderson would be in a better position to talk about how the
organizations in the Canadian association of special investigative units
Senator LeBreton: I was thinking of a situation where someone, years ago,
committed some type of insurance fraud. If that is discovered 20 years later,
they may be denied a credit card or a mortgage or a job because of it. What
protections are there for the individual in a case like that?
Mr. Anderson: Under the notes and interpretations related to the model code
which is appended to Schedule 1, explanatory issues deal with how to handle the
question of fraud. Obviously, you cannot ask the permission of someone you are
investigating. Asking someone for permission to investigate them may not be
In the case of an allegedly fraudulent application, you are not required to
reveal that information except at the point at which it becomes a civil
litigation matter; then the rules of civil litigation take over. Under
discovery rules, there are provisions for information to be shared. In one way
or another, most of the time, if the case goes forward, the person would know
they had been investigated and would know what evidence had been gathered.
In our industry -- and some of our companies would like to do this sooner rather
than later -- once a claim is dealt with and closed, the file is destroyed
seven years later. The Superintendent of Financial Institutions requires us to
keep the information for that length of time.
We have a set of provisions which define the purposes for which one can ask for
information. We do not collect financial information on our customers. We do
not collect medical information on our customers except in the course of paying
a claim. In a situation, for example, where someone wants an income-replacement
benefit, we need to know what they are earning. To cover medical treatment, we
need to get information on the extent of their injuries. Those would be the only
cases in our industry where that information would be collected.
Senator LeBreton: I was referring to investigated but unproven information which
may be on someone's file. Because of this whole new territory of electronic
data communication, that information may still follow that person. What rights
would that person have?
Mr. Anderson: In our code, everyone has a specific right to challenge what is on
his or her file and have it amended if it is incorrect.
Senator LeBreton: Is the onus on the customer to do it?
Mr. Anderson: The onus is on the individual.
Senator LeBreton: You expressed concern about consistency and harmonization on
this issue. You envisaged a proliferation of bills. You mentioned a figure of
23 or 24 separate acts which made me think of the small, independent
entrepreneurs who may not be able to implement even the provisions of this
bill, let alone the other 23 or 24. How great is the risk that personal
information they hold will slip through without consent?
Mr. Anderson: There will always be exceptions. Despite our best efforts, we have
government documents showing up in dumpsters in the back of Maple Leaf Gardens.
In the track record of our industry, not one single case has occurred in the
eight years that I have headed this association. That is the best answer I can
Will it ever happen? There are no guarantees in this complex world in which we
now live. We cannot even contemplate the next evolution of e-commerce and what
that might do to privacy. It is hard to give assurance. This bill, however,
gives some guidance which is badly needed, and it is an excellent basis on
which to proceed.
Senator Finestone: There has been much concern about the merging of insurance
companies, banks and trust companies. What kind of encryption is used so that
data is not shared in these mergers? You say it does not happen. The Privacy
Commissioner was here and told us some horrible stories about data-matching.
What steps do you take in that regard?
Mr. Black: Currently, the regulation of financial services is conducted on a
functional basis. Banking functions are regulated under the Bank Act and
insurance is regulated under the Insurance Companies Act at the federal level
and under various pieces of provincial legislation.
Each of those acts contains prescriptions on what can and cannot be done with
personal information. To date, I think some of the tightest restrictions on the
use and transfer of personal information exist in the financial services
Senator Finestone: Mr. Black, we have heard testimony about a merger of an
insurance company, a trust company and a bank. It was not long before the bank
suddenly called in the loan of everyone who had a heart concern.
The Chairman: In fairness, that was an American example.
Senator Finestone: Canada does not do that?
Mr. Black: No.
Mr. Anderson: We came through a long battle on financial services legislation to
prevent banks, in particular, from mining information from other parts of their
Senator Finestone: There no mining, no data-matching, and no data-tracking that
we should concern ourselves with.
Mr. Black: That is correct.
Senator Finestone: Mr. Eugène Bellemare is a colleague of mine in the
other house. He recently showed to Mr. Bruce Phillips, the Privacy
Commissioner, an insurance form from his insurance agent in which he was asked
to sign away his privacy rights. He asked Mr. Phillips to speak to the
Have you checked all your forms to ensure that people are not being asked to
sign away their privacy rights in the course of signing an application?
Practically no one can really understand the legalese contained in those forms.
Are customers asked to allow the company to transfer and share information? If
someone applies for insurance coverage, is there an implied consent that the
company can do whatever it pleases with the information that is provided on that
form? Where does that information go?
Mr. Anderson: Instances where that has happened probably apply to bank insurance
The Chairman: At least you are true to form, Mr. Anderson. You have returned to
a topic on which we have been arguing for decades.
Mr. Anderson: It is hard to let go.
Senator Finestone: I am the new girl on the block so I want answers.
Mr. Anderson: I would be surprised in respect of property and casualty if such a
form existed at all. Certainly, when you apply for auto insurance in Ontario,
as an example, the form is prescribed by the government and not by the
Senator Finestone: We will send you Mr. Bellemare's form and the Privacy
Commissioner's answer. Perhaps you will find one little mistake sneaked into
Mr. Anderson: Perhaps it is a travel insurance application. He has already
spoken to me about it.
Senator Finestone: Yes, one of you was at that hearing. You will know what it
Senator Beaudoin: My question is addressed to Mr. Bernier. I am glad to hear
that, in your opinion, the bill before us is flexible enough to allow a
province -- let us say Quebec -- to occupy its own field in the law of privacy.
Is that what you said?
Mr. Bernier: Yes.
Senator Beaudoin: This domain is not very different in the other provinces. To a
certain extent, there are no problems, but some questions still remain. If you
say that this will be reconciled in the provisions in the bill, that is a good
enough answer for me. How do you reach such a conclusion?
Mr. Bernier: Quebec is the only province with privacy legislation which is
applicable to the private sector. When the Quebec privacy legislation was
enacted, it was not tailored to insurance; it was tailored to be a general
piece of legislation. We had many questions as to its application and
implications on the insurance business. As a result, we collected a number of
questions from our member companies across Canada who do business in the
Province of Quebec. We formed two groups of lawyers, an anglophone group in
Ontario and a francophone group in Quebec, to answer all the questions. When an
answer from both groups was the same, obviously, we had a consensus on the
answer to be given to member companies and their staff across the country doing
business in Quebec. Where we had a conflict of views, we tried to settle the
matter among ourselves. We had a great deal of consultation with the Quebec
privacy people. We came up with a little guide, which we called "Guide 68",
which is based on the name of the law in Quebec. This guide for Quebec can be
easily applied to the new federal privacy legislation.
In some areas, privacy legislation goes a little bit further, which is not a bad
thing, particularly in the area of compliance. For example, you have to have a
designated compliance officer to ensure that the law is complied with. There
are duties and functions imposed on the compliance officer to do certain
things. However, that is a part of compliance with all general laws. As a matter
of fact, recently, the Office of the Superintendent of Financial Institutions
at the federal level, approached the insurance industry to have a compliance
program in place by December 31, 2000. This is to ensure that insurance
companies are in compliance with all laws and regulations applicable to them and
their operations in any jurisdiction. Thus, we will be able to tailor the
application of Bill C-6 to the compliance program that insurance companies must
have in place by year end 2000.
Senator Beaudoin: It may be reconciled.
Mr. Bernier: Yes, in my view it will.
The Chairman: Mr. Bernier, when I hear your relatively enthusiastic support for
the bill, I have difficulty dealing with that and the much more negative spin
that is in the brief presented by Mr. Black. Can you help me understand the
difference? I do not hear any negative tone or complaints from you. Indeed, I
hear a significant degree of enthusiasm. Mr. Black's position is somewhat
Mr. Bernier: There are many uncertainties with respect to this bill, and I could
draw up a list in that regard. We have outlined some of them in our submission,
but more has to be defined to ensure that we are fully in compliance with the
intent of the legislation. At times, it will be difficult to define "commercial
activity". What is "commercial information" as opposed to "personal
The Chairman: Having been through so many other pieces of legislation, I cannot
believe you are suggesting that there could be a piece of legislation which has
no uncertainty. Your profession would not do nearly as well as it does if all
uncertainty were eliminated. It is the reality that most pieces of legislation
have significant degrees of uncertainty, particularly in new areas such as this.
I think you have to live with uncertainty just as we do.
Mr. Bernier: The greater the uncertainty, the greater is my job as it relates to
The Chairman: I take that to be a ringing endorsement of the bill. I thank you
very much for attending this afternoon.
Our next panel is composed of Dr. Peter Vaughn, Secretary General and CEO of the
Canadian Medical Association; Dr. John Diggens, President of the Canadian
Dental Association; and Dr. Winston Dykeman, Co-Chair of the Committee on
Health Information, Privacy and Security, College of Family Physicians of
Thank you all for attending. You may proceed.
Dr. Peter Vaughan, Secretary General and CEO, Canadian Medical Association:
Thank you, Mr. Chairman.
The Chairman: I would like to know why the Ontario Medical Association and your
organization have such conflicting views on this issue.
Dr. Vaughan: Mr. Chairman, would you like me to answer that question now or
The Chairman: Later is fine.
Dr. Vaughan: The CMA is the national voice representing physicians in Canada.
The OMA recognizes that and will not be making any representations on this
The CMA welcomes the opportunity provided us today to offer our comments and
concerns in regard to Bill C-6. It is our hope that our comments will persuade
the committee to strengthen Bill C-6 to ensure that patient privacy and the
confidentiality of medical records are adequately protected.
Bill C-6 appears to give greater emphasis to promoting commerce than to ensuring
privacy. Because it was written with commerce in mind, it fails to address and
do justice to the special nature of health information. In consequence, there
is confusion and uncertainty about its application to health care.
More seriously, the bill does not recognize that health information requires
stronger and greater privacy protection than other types of information. The
world of health care is very different from that of commerce. Confiding
information to your physician is not on par with giving your address to a sales
clerk when you purchase a toaster or rent a movie video. This information, as
Canadians have told us loudly and clearly in a recent survey, is especially
sensitive. It is also important to remember that patients confide their
information in trust for the purpose of receiving care and in the expectation
that it will be held in the strictest confidence.
Computerization of health information poses unique challenges to patient privacy
and trust. On the one hand, it facilitates easy transfer, duplication, linkage
and centralization of health information. Captured in electronic form,
information about patients is potentially more useful for the purposes of
providing care to them. On the other hand, electronically captured, the
information also becomes much more valuable and technically accessible to
various third parties, private and public, governmental and commercial, wishing
to use this information for other purposes unrelated to patient care.
Today, we are seeing a growing "data lust" for health information and
a "function creep" whereby information collected for one purpose is
used for another, often without the consent or even the knowledge of the
individual concerned, and without public knowledge or scrutiny. As we move
further into the information age, there is a danger that we will become so
spellbound by the promise of information centralization and databased linkages
that we lose sight of the patients who confided this information or reduce them
to impersonal data subjects.
We need to remember that, ultimately, health information technology is not about
bits and bytes or data or even data subjects but about people. People deserve
to be treated with respect and dignity and to have their wishes and choices
valued and respected. To put people first is to give primacy to privacy.
Putting privacy first comes down to the same thing as putting people first. It
does not mean that privacy is absolute. What it does mean is that the burden of
proof must rest with those whose purposes, however compelling they may be,
encroach upon the right of privacy. For health care, it means we value patient
privacy at least enough to demand explicit justification for any proposal that
would diminish privacy.
Putting privacy first also does not mean that secondary use of health
information should not be permitted. The use of health information for medical
research and evidence-based medicine is vital to a quality-driven health care
system, and ultimately helps physicians provide better care. However, not all
secondary purposes -- marketing, for example -- are equally meritorious, and,
for the most part, these purposes can be accomplished with patient consent.
Bill C-6 permits the collection, use and disclosure of information, without
knowledge or consent, on grounds such as expediency, practicality, public good,
research, offence investigation, historic importance, and artistic purpose. The
laxness and breadth of these exemptions, as applied to health information, is
unacceptable to us.
Consistent with what we have found in surveying Canadians, I would refer
committee members to the press release on this polling data conducted for the
CMA by the Angus Reid Group, which is attached to the transcript of my remarks.
The CMA believes that, in all but exceptional and justifiable circumstances,
patient information should be used only under the strict control of the patient.
The patient must be able to exercise control through voluntary, informed
The CMA has developed and adopted a health information privacy code in
recognition of the special nature of health information and to give primacy to
patients and to the right of privacy. In light of the clear deficits in Bill
C-6, and the inadequate protection of patient privacy and health information
confidentiality, the CMA urges this committee to accept the recommendations put
forward in its brief and accept the amendments the CMA has prepared to give
effect to these recommendations.
Canadians desire, and deserve, no less than this as concerns the right of
privacy with respect to health information. Thank you.
Dr. John Diggens, President, Canadian Dental Association: Honourable senators,
it is a pleasure to appear before you in my capacity as President of the
Canadian Dental Association to speak on Bill C-6. The Canadian Dental
Association is the national voice for the profession of dentistry and is
dedicated to meeting the needs of its members and, probably more importantly, to
the promotion of optimal oral health for Canadians.
Our members have collected sensitive health information from Canadians, and
protected it, for well over 100 years. The CDA has recognized the importance of
our participation to date on patient privacy and protection of confidential
health information. We participated in the implementation committee of the CSA
model privacy code, and have submitted numerous briefs to government
consultations on the privacy issue.
You received our position brief earlier this month. I want to compliment you on
your active role on this issue. Our staff in Ottawa have spoken with many of
you and your staff, and it is encouraging to see the Senate performing its role
on this very important piece of legislation. Recognizing your understanding of
the issues, I will keep my remarks brief so that we will have plenty of time for
questions and answers.
The CDA argues that Bill C-6 fails to satisfy the basic requirements to protect
individual Canadians from the misuse of health information by secondary or
tertiary users of this information. The Canadian Dental Association has long
been on record as opposing consent provisions in the CSA model privacy code as
they relate to personal health data. Bill C-6 may achieve many government
priorities in the area of electronic commerce, but the CDA believes that the
bill must be clarified and strengthened as it relates to personal health data.
The model privacy code upon which Bill C-6 is based was drafted largely without
any input from primary health care providers charged with custodial
responsibility to protect confidential patient information. The Canadian Dental
Association was admitted into the implementation committee after the code had
been drafted. The CDA was uncomfortable with the concept in the code of the
collection of health information with knowledge of patients. We have argued that
the collection of health information for secondary purposes must be with the
informed consent of the patient, a concept with which clinicians and dentists
are very familiar. To that end, the Canadian Dental Association board of
governors approved our formal guidelines on personal data protection in
September of 1997, and they form the foundation of our presentation today.
We were successful in having amendments based on our guidelines introduced when
the legislation was at the report stage debate in the House of Commons. These
amendments are included in our position document brief, and I urge you to adopt
As to the timing issue, we would propose six relatively simple or
straightforward amendments, so incorporating them would not lead to a delay in
the implementation of the legislation.
It is important to note the support these amendments received in the House of
Commons. They were supported by the Official Opposition, the Progressive
Conservative Party and the New Democratic Party. With respect, we continue to
be upset at the partisan treatment our interventions have received from the
Liberal government. Let me be clear: We are supportive of legislative action on
this issue. The CDA believes the Senate has an opportunity to provide Canadians
with strong privacy rights and health information rather than settle for the
uncertainty and unease that has been created by Bill C-6 in its current form.
Let me now take a moment to address the concerns of other health associations,
organizations, and special interest groups that have been calling for a "health
carve-out". We want to be perfectly clear in our strong opposition to any
such move. Of all information, personal health records are among the most
private, sensitive and vulnerable to abuse by secondary and tertiary users.
There must be no exemptions in this bill for personal health information. This
would be a wrong message to send at a time when Canadians are seeking assurance
from governments that their information is being protected in a new,
Health privacy is a foremost concern of Canadians. Surveys have shown clearly
that Canadians want to control their own personal information. Citizens are
willing to share the most intimate details of their lives with their caregivers
to ensure continued good health care, but they do not want to see such
information inappropriately used by others without their informed consent.
Canadians deserve to know and to control who has access to their personal
records and for what purposes such access is granted. That is why we want to
see Bill C-6 amended and passed with the protection of health records
specifically addressed in the legislation.
We understand that much of health information comes under the jurisdiction of
provincial law. However, federally regulated organizations that deal with
personal health information also need to be covered. Moreover, there is no
guarantee that all provinces will enact an appropriate protection for health
information without the incentive that a strong, amended Bill C-6 would provide.
There is one other issue I would address before concluding. When the Canadian
Dental Association appeared as a witness before the House of Commons Standing
Committee on Industry during its study of Bill C-54, our role in the
consultation process leading up to the drafting of that bill was questioned. I
am certain that, in your preparation for this meeting, many of you reviewed the
transcripts of the March 18 meeting and the exchange between the government
member Stan Keyes and our presenter. Again last week, when the Industry Canada
officials appeared before you, Assistant Deputy Minister Michael Binder, in
response to a question on health issues, spoke of the extensive consultation
process leading up to the introduction of the bill and questioned the
participation of health groups and associations. Mr. Chairman, I want to be
perfectly clear, and I want the record to show that the Canadian Dental
Association took part in good faith in the formal consultation leading up to
the introduction of Bill C-54 in October of 1998. We responded to the January
24, 1998 notice in the Canada Gazette with respect to the public discussion
paper entitled: "The Protection of Personal Information: Building Canada's
Information Economy and Society". Our position was clearly on record at
that time and, in our response, we stated that the CDA recognizes the basic
right of patients to exercise positive control over their health information and
to advise our members that patients have a right to informed consent in the
release of their personal data.
In conclusion, I want to reinforce our basic support for strong privacy
legislation for protection of personal information based on informed consent.
We recommend that Bill C-6 be amended and passed with protection of health
records specifically addressed in the legislation. Thank you for inviting us to
present this brief today.
Dr. Winston Dykeman, Co-Chair of Committee on Health Information, Privacy and
Security, College of Family Physicians of Canada: The College of Family
Physicians of Canada welcomes the opportunity to express our concerns and make
recommendations about Bill C-6 this afternoon. We represent over 15,000
Canadian family physicians and we are involved directly in patient care on a
As a practising family physician. I have an interest in this bill. I write
computer application programs for my clinical practice. I am the chairman of
the security committee of our health region; one that oversees the use of
computer applications in health care. I have also served on the New Brunswick
Medical Society team in assessing the provincial privacy health act that was
introduced last year. I have an interest across the spectrum on this issue.
Confidentiality and privacy are not new concepts to those in the practice of
medicine. These concepts are part of the Hippocratic oath and a tradition that
goes back 2400 years. This tradition was recognized in the medical code of the
Declaration of Geneva in 1948, and again in modern versions of the oath that
retain the view of transcendence.
We must remember and learn from the serious violations of privacy and
confidentiality that occurred in the first half of this century. In Canada, the
area of eugenics and mandatory sterilization is a dark chapter in our history
that we would sooner forget. Some of those cases are still before the courts in
In Europe, the horrors of the medical databases of the Third Reich, which
defined and identified persons of a lesser value and then exterminated them,
has taught us that the medical profession, the medical ethos, is not immutable.
When its principles are violated or ignored, it can soon collapse, therefore,
privacy and confidentiality are not renewal resources. Once broken, the harm is
done and the damage can never be repaired.
We commend the government for introducing legislation that will begin to control
the gathering and use of personal information. That includes personal health
information on the electronic highway.
Two concepts in Bill C-6 attract our attention. They involve consent and the
secondary uses of health information. Although the bill was not exactly a
masterpiece of clarity in its definitions, it appears from debates and
discussions thus far that the bill now does include personal information in the
commercial setting. There is a great need for clear definitions of "privacy",
"privacy violation", "consent" and "secondary uses"
of personal health information, and these must be established and protected in
The concepts of privacy that were developed by the Canadian Standards
Association's team uses the terms in the context of commerce, and its
interpretation of principles of privacy reflect that. The words "consent"
and "secondary uses" suggest one thing in the realm of the discourse
of commerce, of buying and selling goods and services. The same words mean an
entirely different thing in the realm of medical work in the patient-physician
relationship which involves an element of deep trust.
Based on the OECD guidelines, the CSA privacy code was developed with commercial
input from a commercial perspective. The Canadian medical profession was not
involved, and our perspectives were not embodied in the document. While Bill
C-6 with its Schedule 1 privacy principles may work well enough in the realm of
the commercial sale of dog food, toothpaste, travel, donor mailing lists, and
financial services, it is not precise and specific enough to protect personal
health information. The reasons for this are elaborated in the CMA privacy
code. We, therefore, strongly recommend that the CMA privacy code be considered
as a sectoral code to Bill C-6, or appended as a Schedule 2 for the safe
handling of personal health information in Canada.
Our patient medical records are "linear time" documents: they begin in
one province and move to another, then to another. Each time they pass from one
realm of jurisprudence to another, from privacy code to privacy act and with
varying degrees of protection, some of that information passes to the national
databases of insurance companies and financial institutions. Some of that
crosses international borders to bigger databases, from private to public, from
public to private, and mostly without patient knowledge or informed consent.
Clearly, the time has come for uniform legislation for personal health
information in both the public and private sectors that must include the
provincial and federal arenas.
Ultimately, the College of Family Physicians of Canada advocates the development
of a national health information privacy and security act which would define a
minimum set of standards for all provinces and territories, and include both
the private and public sectors. Since this crosses different constitutional
jurisdictions, we will ask that this be referred to the Uniform Law Commission
for further consideration on an urgent basis. We would prefer to see the
exercise of legislative vision and leadership in this area from our First
Ministers, in lieu of a fragmented, piecemeal approach by court cases in
defining the standards.
Bill C-6, with an appended CMA privacy code, for more precise definition of
consent and secondary uses, would go a long way in starting us in that
direction. The college has already submitted background documents, a
declaration of concern on Bill C-6, and our college's statement on
confidentiality, privacy and security of personal information. I would be happy
to answer any questions from those documents.
Senator Carstairs: I must say that reading the brief presented by your
representatives caused my hackles to rise. Like every other Canadian, including
physicians and dentists, I have privacy concerns about my health care records.
Last week we talked about how much consultation had taken place. I believe
consultation is pivotal and, clearly there was some. I believe Dr. Diggens
acknowledged that. Dr. Vaughan, what is your view on the degree of consultation
that took place? Has your position changed in any way from the moment the
consultation process began, to the drafting of the legislation, to where we are
today? Have you maintained a steady concern about this?
Dr. Diggens: We have maintained exactly the same position throughout the whole
process. The only part in which we did not participate was the initial
development of the code. We did get a seat on the implementation committee, but
by then the code had already been developed and defined. Through our
participation on the implementation committee, we tried to bring some guidelines
forward. Those guidelines are being used, but they are not enshrined in the
code because it is too late for that. Our position has not changed from the
beginning of that process up to now.
Dr. Vaughan: We have been very impressed with the health industry and with
Industry Canada in bringing forward an e-commerce bill which is needed to deal
with the issue of privacy of information. However, we were given five minutes
at the House of Commons Industry Committee, and the health groups themselves,
as a collective, were given just over an hour. The insurance groups were given,
I believe, seven hours of time.
We have not changed our views. In fact, we brought forward our health
information privacy code because Bill C-54 came forward. We believed we needed
to develop, in the information age, a piece of legislation, at least for the
profession, that addressed the important issues of privacy in health
Senator Carstairs: In your debate and discussion, what has been the stumbling
block? Why have they been unwilling to incorporate the needs that you have
expressed for your patients in this legislation?
Dr. Diggens: Our sense is that -- and it is still a view held by some people --
this legislation does not involve the commercial side of health care in the
initial part of the bill. However, I think a very persuasive point has been
made. Any time fees are involved, which are certainly a substantial part of the
dentist's relationship with his patient, this legislation would prevail because
of that commercial relationship between a patient and a physician. If you held
the view that it does not involve health care, then I do not think that having
health care incorporated into it would be seen to be a serious problem.
We came in late in the game and, of course, once we started making presentations
a certain amount of accommodation was attempted after the code had been put in
Dr. Vaughan: I would agree with those comments. There has been no public debate
about this issue, as there has been in the United States and as is going on
there right now. The relationship of the e-commerce world to health information
is appreciated much more in other jurisdictions than it is here. The bill was
brought forward to deal with commerce. Health issues would be dealt with
separately. However, people are now beginning to appreciate that health is very
much a part of the information that is out there.
As we go forward into the future, we must understand that the convergence of
information and biotechnology is rapidly at hand. The ability to be able to
transmit your personal biological material over the internet is at hand. There
is no sense talking about identifiable or anonymous information when dealing
with genetic codes. This is not fiction; this is very close at hand. We are
concerned that we have the correct principles upon which to base the
transmission of information. That is to say, we want to get it right.
Senator Carstairs: I think it is clear that dentists engage in a commercial
activity. However, it has been less clear that physicians engage in a
commercial activity. Something that has concerned me for a great number of
years, particularly when I was a provincial politician, was the number of
doctors who had ownership in either x-ray clinics or in labs, if they were
pathologists. Clearly, there is a commercial side to many physicians'
practices. Does that cause you concern? Do you think it has in any way been
adequately addressed in this piece of legislation?
Dr. Vaughan: We believe it has not been adequately addressed. The intent was to
treat health information separately. That is why we are here; and that is why
we find ourselves in this situation today. At least one-third of health care is
delivered within the confines of commerce or by the private sector in this
country. You cannot separate those two sectors. Detailed information was brought
to you concerning them. To ignore health information is to try to separate an
area that cannot be separated -- that is, commercial information versus health
The Chairman: Dr. Vaughan, given the position you have all taken about the
desire to strengthen the bill by including a number of amendments, I should
like to know your reaction to three options.
The first option would be to delay the bill until all your amendments are in
place. That is doable but, given their complicated nature, it would take some
time, which would delay the application of the bill to other sectors.
A second option would be to pass the bill but amend it so that the applications
to the health care sector would be delayed for the same period of time as the
applications to the intraprovincial sector would be delayed.
The third option might be to pass the bill without amendment but to proceed
immediately to try to agree upon a detailed set of amendments that had been
negotiated with all the various health care interests -- that is, yourselves
I did not put on the table the option that we do nothing. Given your position, I
am assuming that is the worst option. What is your sense of the other three
options, all of which would at some point achieve your objective? I say that
because a few of you were in the room when the first group of witnesses pressed
on us the importance of moving quickly.
Dr. Diggens: With great respect for those presentators -- and, we are
comfortable with the information they put forward -- we would argue strongly to
delay the bill until the health considerations are incorporated. With respect
to the code, we are concerned about the use of information based on the
knowledge of the patient and not on informed consent. If the bill is passed and
becomes part of the Canadian scene, dentists will not know whether they are
operating under their current code -- and, that is administered by their
regulatory body -- their ethics or their CDA ethics, or under new legislation.
I am not saying that dentists at large would do so but, under certain
circumstances, we can see this either being taken advantage of as a new standard
for the profession in Canada or influencing the profession in Canada to believe
that things have changed. With great respect for the arguments that were put
forward this morning, we do not think that risk should be taken. There should
be no signal to the professions in Canada that there has been a change in the
level at which they must deal with patients' confidential information. That
kind of signal is being sent with this profound piece of proposed legislation
which was drafted by the federal government. However, that risk does not
provide a justifiable reason not to delay the bill.
Dr. Vaughan: We think it is important to get it right. In this case, getting it
right is probably more important than expediency. Certainly, lots of public
discussion should take place. There has been no public discussion, yet we know
from our polling that Canadians are telling us that the security of health
information, privacy, and confidentiality are very important to them. A debate
is ongoing in the U.S. on this very subject. If we do not get it right now, a
lot of legislation will be developed around the country in response to it.
Senator Keon: Dr. Vaughan, I have had the privilege of having your suggested
amendments for some time. They are extensive. The briefs you have submitted
have been excellent in the way they have dissected and analyzed the bill.
I am revert to what Senator Kirby said about the real world. It has been
suggested by some that the CMA privacy code be appended to the bill. Today, Dr.
Dykeman also made that suggestion. There are others who believe that all or
most of your amendments, which are extensive, should be included in the bill
before it proceeds further.
There appears to be no priority attached to the amendments as they are listed.
Are they all of equal importance?
Dr. Vaughan: They follow one from the other. It is a bit like taking a piece of
an airplane apart and expecting the plane to fly. Someone would have to select
which parts are unimportant. We think the whole plane needs to fly.
Ms Carole Lucock, Legal Counsel, Canadian Medical Association: The amendments
are set up in such a way that they would form another schedule to the bill
which would cover health information. That would more or less follow the CMA
privacy code, with certain portions removed, so that it would properly be a
Senator Keon: Would you be satisfied if the CMA privacy code were formally
appended to the bill without a number of amendments occurring at this time, and
if some of the arrangements Senator Kirby suggested were made to conduct a
detailed study of the bill and amendments to it at some later date?
Dr. Vaughan: We appreciate the complexity of our code and the amendments. We
would be very supportive of that.
Dr. Dykeman: I would concur with that. As Dr. Vaughan has said, it is extremely
important to get this right. What is at stake here is crucial. Day by day, we
struggle with what we write and record in our medical reports because what
appears today to be confidential medical information tomorrow enters the
commercial scene. I must decide on the weakest link in the chain, which means
that affects what I record and how I record it. I am sad to say that is now a
factor in recording medical information.
I would be pleased to see the CMA privacy code appended as a reference document
and given high priority, particularly in the area of secondary uses. I cannot
emphasize that enough. In order to give intelligent consent, you must know what
purpose your information is being put to. We obtain it under one set of
circumstances, and then a day, a week, or a month later, it is in a different
set of circumstances and both the patient and the physician have lost control.
Senator Keon: Some of the technical people associated with health information
are insisting that they are not having sufficient input. They say that we are
writing legislation and having philosophical discussions while what is needed
is for someone to talk about what is technically possible at this time with
regard to fire walls, barriers and pockets of information.
Has this subject come up in your deliberations? Do you believe that we would
benefit from hearing someone from the technical field on the way information is
protected by the military, for example?
Dr. Vaughan: We believe it is important to get the principles right. Privacy in
a free and democratic society is an important principle. As well, privacy is a
public good, as the Supreme Court reiterated in a recent judgment.
To ask technical people to solve principle problems is not the way to go. We
need to define the principles and then build a system that allows us to do what
Dr. Diggens: I agree.The technological situation is constantly changing and that
is why we are standing on the terminology "informed consent". It is
traditional and well understood by all professionals involved, and is part of
our daily practice. It must be the centrepiece as a principle of the privacy
I would be very interested in participating in the technological changes in
that, over time, but we must enshrine the principle that protection of the
individual is above protection of material.
It is not only a matter of "informed consent" permission. If someone
refuses to participate, there should be no penalty. We are not into coercion.
The principles we adopt must lay these things out very carefully, then we can
take advantage of people who have expertise in technology and how it is
changing to ensure that we retain those fundamental principles.
Dr. Dykeman: I concur with those remarks. I am confident in and prepared to work
with the development of the technology of encryption and the capability of data
security. In fact, I have piloted some of these applications in our area, and I
am familiar and comfortable with them.
The biggest problem, though, is not technological but sociological and
psychological. It is ensuring that the people who use the technology use it
properly. This involves the proper use of passwords, IDs, and keeping track of
who is doing what. That is the major area and we need legislation and
guidelines within which to develop that.
Senator Murray: Dr. Diggens, do you agree with the suggestion of appending the
CMA code to the bill?
Dr. Diggens: Yes, we developed these positions together and we understood each
other. We believe that our suggestions and those of the CMA lead to the same
Senator Murray: The CMA charges that the bill permits the collection, use and
disclosure of information without knowledge or consent on grounds such as
expediency, practicality, public good, research, offence investigation,
historic importance and artistic purpose. They say that the laxness and breadth
of these exemptions as applied to health information is unacceptable.
Would the CMA code solve those problems?
Dr. Vaughan: We believe that it would.
Senator Murray: Mr. Chairman, do you agree that, if we were to do this there
would be required, at a minimum, an amendment to the bill to indicate the
purpose of this new schedule?
The Chairman: Yes, in the same way as it is difficult to have a bill for which
there is a schedule that is not referred to in the bill. Even the non-lawyers
in the room realize that.
Senator Murray: You were talking earlier about passing the bill without
The Chairman: If we were to append the CMA schedule, we would need an amendment,
Senator Murray: There is a schedule to the present bill. You will know that
parts of that schedule are mandatory, that is, things that shall be done; and
parts of the scheduled are not mandatory, that is, things that should be done,
things that may be done. I am unsure as to whether this schedule, as it stands,
has the same force as the bill itself. We will have to get some advice on that
matter. I presume that your position is that appending the CMA code to this
bill would give the code the force of law. Am I right?
Dr. Vaughan: That is right.
Senator Murray: I wanted to clear that up so there is no misunderstanding later.
Senator Finestone: I believe an observation was made that the bill would have to
be amended to make it concur.
Ms Lucock: Yes. In fact, at the end of our proposed amendment there is a
recommended Schedule 2, which is more or less the CMA code with pieces which
apply to governments removed, because it would be inappropriate to include
that. However, to the greatest extent possible, it is the code.
Senator Murray: Dr. Vaughan, you said that the bill as now drafted does not
apply to patient records that you would have as a physician.
Dr. Vaughan: We must understand this is an e-commerce type of bill and in the
world in which we live it is difficult to separate the commercial from the
For example, on a house call, there may be items related to a physiotherapy
visit which are private. There may be items related to nursing care which may
be considered public or private depending on the context. Depending upon where
prescriptions are filled, they could be public or private. It is impossible to
separate this out.
Senator Murray: A few minutes ago, Senator Carstairs said that the
physician-patient relationship is not commercial but that the dentist-patient
Senator Carstairs: I then added instances in which the doctor-patient
relationship was also commercial.
Senator Murray: I thought your point was that the doctor-patient relationship in
this country is part of the public health sector.
Senator Carstairs: No. To my knowledge, anywhere from 30 to 40 per cent of the
activity conducted by physicians in this country is in fact commercial.
Dr. Vaughan: That is correct.
Senator Murray: Your analysis, Dr. Vaughan, about the difficulty of
disentangling commercial from non-commercial is almost identical to that
offered by the Canadian Health Care Association, the organization which, as you
know, represents regional health authorities, hospitals, and health care
agencies. You differ very considerably, however, on the question of consent. The
CMA and the Canadian Dental Association take the position that the provisions
are far too weak and flexible and subject to exemption, and they have taken the
position that the provisions are far too onerous. They go on to ask for an
exemption for the entire health care sector from the provisions of this bill.
I am puzzled why the organizations of physicians and dentists -- and I include
there Dr. Dykeman and his organization -- should adopt such different
perspectives on this bill as compared to the hospitals. I will also ask this
question of the Canadian health care associations when they come before us.
What are they doing now that they could not be doing under the provisions of
Dr. Vaughan: I cannot speak for the health associations.
Ms Lucock: It would be very difficult to answer with respect to their position.
One difference between the CMA code and Bill C-6 is that the CMA code
recognizes a distinction between the flow of information in the therapeutic
context from information for secondary purposes. The CMA code contemplates
collecting as much information as necessary to fulfil therapeutic purposes.
Doctors will have the necessary information to provide care, and that
information will flow to other providers as needed. A very different regime is
set up for secondary purposes.
Bill C-6 treats all information more or less the same. It gives some recognition
to the fact that some information is more sensitive and, in those cases, it
asks for express consent. That may have something to do with the inhibition of
the flow of information, within the therapeutic context, in Bill C-6. That is
all I can see. It is a different regime, depending on the sector involved.
Senator Murray: I am still puzzled. Why should they take a position different
from yours? You are all part of what might be called the public health care
sector. One of their criticisms is the insufficient provision for disclosure of
information for purposes -- I think this is their phrase -- consistent with the
purposes for which it was originally collected.
Ms Lucock: It may be that we differ philosophically; I am not sure. The CMA's
question has been that, to the extent a patient's consent is not required, who
gets to decide whether it can be collected, used or disclosed. Our answer has
Senator Murray: To your knowledge, are hospitals and regional health authorities
and other health care agencies involved in any exchange of information on a
Dr. Vaughan: Once again, it depends how you define "commercial". That
is a very vague term.
Senator Murray: It entails money changing hands.
Dr. Vaughan: There are private rooms and semi-private rooms and fees associated
Dr. Diggens: Our association also represents dental researchers and
epidemiologists. We do not have quite the same argument as hospitals versus
physicians, but we had to struggle in preparing our brief to balance the
research interests with the public's or the patient's interests. We are
persuaded that, in balancing those two, the favour must go to the individual
patient and their privacy. To refer to something softer than informed consent,
such as providing knowledge that information is being transferred, we do not
think is in the patient's best interests. We are coming down on the side of the
patient, even at the expense of the researcher and the epidemiologist whose best
interests are in easier access to information for input to their studies.
It is not the same argument as hospitals versus physicians but, in all of our
worlds, that is a part of our consideration. We have decided where we stand on
that particular balance.
Senator Finestone: I thought the Chair clearly outlined the choices which were
amending, passing, or delaying the bill. However, I believe that this bill is
about individual personal information. It matters not whether the information
comes under the heading of health, financial, financial, mortgage or dental
information. My personal information is my business and I do not care for anyone
to interfere with that information unless I agree, and unless there is
We live in a democratic society which should respect privacy as a personal
right, as a human right. It is not an inalienable right but it is close to
that. No matter what the source of the information -- be it a hospital or group
home or nursing home -- this bill says no one should get my information unless
they have my informed consent.
Dr. Diggens: That is what the bill should say.
Senator Finestone: Frankly, I am not interested in the basis for your opinions.
Many medical people in my background may be upset with me. This is a generic
bill which puts the platform at a midpoint. The Canadian Medical Association
has its own excellent code which I have read from cover to cover. The dentists
and pharmacists also have excellent codes. Why can this generic CSA code not be
branched out in terms of its application whenever a professional organization
has set a higher bar?
You referred to the Hippocratic oath. Never mind who killed who in Germany and
the research and all that stuff that was done. It turns everyone's stomach,
particularly Canadians who do not go that route.
The point is that the bill sets out a basic minimum. The CSA code will direct
the basic minimum. Added to that, you have very strong codes of personal
practice. You have within your codes the right to fire or get rid of a doctor
or dentist and to take him to court.
Frankly, I can find no reason for grafting one code to another code. The CSA
code is appropriate, but the others are important. They must be applied
directly to the use of my personal information. If my doctor sends information
to my pharmacist or my psychiatrist -- or my geriatric specialist soon -- I
take that as being done with my informed consent because I trust my doctor. I
also trust my dentist. If I did not, why would I go there? The consultations
down the line are by informed consent. Practitioners are guided by ethical
practices, by their Hippocratic oaths, all of which are very important.
I am sorry that this is a speech but I am having a difficult time with your
Senator LeBreton: I am glad you apologized for the speech.
Senator Finestone: You described the perceptions of Canadians, 68 per cent of
whom feel that the personal information contained on plastic cards issued by
financial institutions is the most important, most sensitive information. Do we
need a financial code, along with the CSA code, the CMA code, and the dentists'
Let us be practical. I agree with my colleagues that, from a personal
perspective, a public service perspective and a societal perspective, we all
have the best interests of Canadians at heart in legislating our health care
sector. However, we must be practical. How do we cover all the information
regarding financial institutions, medical records, financial records, PIN
numbers, social insurance numbers?
The Chairman: Thank you for the speech.
Dr. Vaughan: That is an excellent point. The issue of trust is crucial in
banking and people conveying their personal information to banks. The banking
industry has done a great deal in this area, and there are regulations
governing it. I refer you to the current situation related to banking
Concerning health information on the Internet, last night 60 minutes aired a
program which detailed how data mining is taking place. Health information is
among the information being mined right now. It is being used to pre-screen
people for employment, which is why we need health protection in this
We think this is a good bill which needs to be strengthened.
Dr. Diggens: Our main problem with the bill is not the knowledge requirement in
order to do commerce but the fact that it says nothing about informed consent
on the health record side. If it did say that, we would be very comfortable
with the bill. There are commercial aspects to medicine and dentistry.
Practitioners, patients and those judging these aspects will say that, because
of the commercial aspect of dentistry and medicine, the bill applies in those
areas with a standard lower than that which we are used to operating under.
That is what this legislation would signal. It is not a good signal to send
out. It is not a signal which should be sent out for a short period of time and
corrected later. At the moment, we have physicians, dentists and other
professionals operating under a code in which you have confidence.We are very
particular about protecting that. That is why we believe the bill should be
passed. We are in favour of the bill. However, it needs to be amended to make
it clear that, when it comes to health records and personal information, the
standard is informed consent, not just knowledge that it is happening.
Ms Lucock: The CMA code does not have the force of law at all. CMA has no
regulatory authority. While it is certainly being used, in particular to
influence legislation at this point, its compliance is not mandatory. CMA
cannot require that. Only the law can do that.
The Chairman: Do you mean that the current code is essentially a set of
Ms Lucock: That is correct.
The Chairman: Does that mean that the CMA itself, in its professional
disciplinary capacity --
Ms Lucock: It has no professional disciplinary capacity.
The Chairman: The provincial associations have such capacity, do they not?
Ms Lucock: That is correct.
The Chairman: Do they regard a violation of the privacy code that you have
described as something which is subject to discipline?
Ms Lucock: To my knowledge, in terms of physicians, I do not think any of the
regulatory colleges have adopted the code as a basis for discipline. There are
certainly confidentiality requirements.
The Chairman: Are you saying that the national association has a privacy code?
Ms Lucock: Yes.
The Chairman: To the best of your knowledge, has that not been adopted by any of
the provincial professional regulatory groups?
Ms Lucock: That is right. They must be distinguished from our divisions, which
would be the Ontario Medical Association and the Alberta Medical Association.
They are not regulators either.
The Chairman: What is the relevance of a national code which everyone can
proceed to ignore simply because you have not adopted it at the relevant
disciplinary level? It has an element of smoke and mirrors to it.
Dr. Diggens: Mr. Chairman, I was the president of the B.C. regulatory authority
for two years and was involved in the discipline of dentists in British
Columbia. The code of ethics of the Canadian Dental Association mirrors the
code of ethics of the British Columbia College of Dental Surgeons. It was a
basis for regulating dentists. Under our rules, they were obligated to conform
to that code of ethics and that code of standards. That is why I am so
concerned that the passage of this legislation will send a message to all of
those regulatory bodies that something is changing. Currently, there is
substantial protection of informed consent under the code of ethics of each
provincial regulatory body.
The Chairman: I have a dilemma with the logic of your position, which is what I
am trying to understand. By definition, the bill before us must be better than
the status quo because it imposes additional restraints. Assuming for a minute
that all the professional codes do not change, then the bill as drafted clearly
imposes additional privacy constraints. Therefore, by definition, it must be
better than the status quo. It cannot be worse than the status quo, unless you
people are planning to weaken your professional codes as a result of the
passage of the bill. If your codes stay in place and there are now additional
legal constraints, how will the situation be worse for the individual?
Dr. Diggens: When you are the president of a regulatory authority over a group
of practising dentists, for example, the some 2,500 in British Columbia, there
is a certain expectation of professionalism that starts in dental school. It is
set out in the code of ethics and in the message given to those whom the
regulatory authorities discipline. People obey it. They live up to it. Even
though it is not enshrined in legislation, it is enshrined in the rules of the
college. Therefore, the standard is there.
When you discipline people, they are very tough about it. They engage lawyers.
They take any advantage they can. I would hate to be setting in place a legal
situation in British Columbia, for instance, where a disgruntled dentist would
hire a lawyer who would say, "But Bill C-6 is not consistent with your
code. " I am worried that it will destabilize the confidence a patient has
in his or her dentist or doctor who are operating under informed consent.
The Chairman: I do not know how you can destabilize it if you as a profession in
British Columbia say that your code must apply to all members of the
profession. If you continue to say that, how can it possibly be destabilizing?
Dr. Diggens: By creating a constant court battle situation between those
regulatory authorities and people who wish to challenge that premise.
The Chairman: I did not say it would be easy.
Dr. Vaughn: Mr. Chair, the issue has to do with the secondary and tertiary uses
of the data. It is not an issue of the doctor-patient relationship, which is
what the provincial licensing authorities are concerned about. What concerns us
is the secondary use of information, as the story on CBS' 60 minutes last night
related. It is the mining and secondary use of data that concerns us.
The Chairman: Do you agree that, at the moment, there are no rules governing
Dr. Vaughn: This will not make it better.
The Chairman: It will not make it worse, will it?
Dr. Vaughn: It will make it worse in that it is an open forum to continue the
use of data mining in health if we do not address this at all.
The Chairman: I always have difficulty understanding how adding additional
constraints can make a situation worse. Mathematically, I do not think it is
Ms Lucock: It is not so much the adding of constraints but the legitimization of
certain practices that is of concern. To the extent that certain things are
exempt in the bill, for example, research as a broad category, then research
and the use of information without knowledge or consent for that purpose now
Senator Finestone: I do not think you can do anything like that. You must have
reasonable justification. You must seek that reasonable justification before or
at the time of use. You must define why you wish to do it that way, and you
must obtain permission from the commissioner.
Ms Lucock: With respect, I think all you have to do is notify the Privacy
Senator Finestone: Yes, and if it is not right, you are not going to be able to
do it because you have not given him reasonable justification.
Dr. Vaughn: I believe that the collection in paragraph 7(1)(a) of the bill is
without knowledge or consent. It is very different, with all due respect,
senator, from what you were saying, if the collection is clearly in the
interests of the individual and consent cannot be obtained in a timely way. I
would put it back to you: Are you content to have others make that decision for
Senator Finestone: It depends on who is making that decision. If it is you as
the researcher and it is in your interest, then no. If it is the office of the
ombudsman whose responsibility it is to say "yea" or "nay",
then yes. It is a question of how you interpret it. I have gone through clause 7
sentence by sentence and, while I could be wrong, I think I am right.
The Chairman: I thank the witnesses for their testimony.
Honourable senators, our next witnesses are from the Information Technology
Association of Canada, from AOL Canada, from Microsoft and from Equifax.
Welcome, and please proceed.
Mr. Gaylen Duncan, President and CEO, Information Technology Association of
Canada: Honourable senators, ITAC is the voice of Canada's information
technology industry. We represent almost 300 of the largest information
communications technology companies in Canada -- 1300 companies if we include
those belonging to our nine provincial affiliates. Together, the 300 companies
that belong to the national ITAC represent 70 per cent of the 500,000 jobs, $100
billion in annual revenue, $3.6 billion in annual R&D expenditures, and $27
billion in exports that IT contributes to the Canadian economy. We work hard to
achieve a policy framework in Canada that protects and promotes these enormous
Our members and the clients they serve are pioneering the new frontiers of
electronic commerce and electronic service delivery. In Canada, it is certainly
off to a good start. ITAC believes that, if we get the formula right, Canada
has the potential to take a strong leadership position in the emerging
Business in Canada and around the world understands that electronic commerce
will never achieve its tremendous potential without a shared set of principles
that establish consumer trust. Customers venturing into the virtual marketplace
need assurances that their interests will be as carefully protected as
possible. One of the most fundamental of those interests is privacy and the
protection of personal information. Therefore, independent of legislation,
there is a growing awareness among private-sector organizations, certainly
among those in our industry, that personal information should not be seen or
treated as a commercial commodity. Bill C-6 provides a valuable complement to
that new awareness.
Here I should like to stress that among Canada's industry associations, ITAC has
been in the forefront on privacy issues. We called for privacy legislation as
far back as October 1994, in a submission to the federal government's
Information Highway Advisory Council. We have consistently advocated that
legislation be passed based on the CSA Model Code for the Protection of
Personal Information. That code was developed by a committee of industry,
consumer, labour and government representatives, ITAC among them. The broad
cross-sectoral representation on the CSA privacy committee gives great moral
strength to the CSA model code -- and also to Bill C-6, which is, as you know,
founded on the model code.
While people around the CSA table had different views, our dialogue was fruitful
and, as you have heard in your hearings, lively. At the end of a long,
generative process of give and take, the committee felt we had achieved a
strong and workable compromise that adequately addresses the range of interests
ITAC, therefore, applauds the introduction of Bill C-6 and recommends its
expeditious passage through the Senate for three fundamental reasons. First, as
I have just said, the bill is based on the hard-won compromise that the CSA
model code represents.
Second, the bill positions the Privacy Commissioner as a positive force for
compliance. Adopting the ombudsman model, where the Privacy Commissioner acts
as an arbiter rather than as police, judge and jury, is commendable. This
positions the Privacy Commissioner as a positive force to work with rather than
as an enforcer to defend against.
Third, the government is attempting through this bill to create uniform law
applying to all companies in Canada, wherever they are located across the
country. In fact, I believe it is a bold step for the federal government to
move on privacy legislation through its trade and commerce power.
We would also point out that industry groups that want what they may call
tougher or higher standards are in no way restrained by the bill from
introducing additional measures into their own practices.
I would also note that ITAC fully supports Parts 2 to 5 of the bill, which
perhaps have not had much debate at this committee. They address the
housekeeping issues, such as the need to modernize existing statutes so as to
recognize electronic documents.
I thank the Standing Senate Committee on Social Affairs, Science and Technology
for allowing us to speak today. In closing, may I remind you of the breadth and
commitment of the impressive consensus of public interest and industry groups
that has brought us this far, and may I urge you to recognize the urgency with
which these groups, including ITAC, view the passage of Bill C-6. In our
opinion, you have got it right after years of work. It is now time to get going.
Mr. Stephen J. Bartkiw, Chief Executive Officer, AOL Canada: Honourable
senators, thank you for allowing AOL Canada the opportunity to share its views
on the privacy provisions of this proposed legislation. I would also be pleased
My company offers the AOL Canada and CompuServe branded Internet on-line
services throughout Canada, serving over 180,000 households with our uniquely
Canadian content and services. Using our Internet on-line services, our members
can work on-line, conduct banking transactions, pay bills, communicate with
friends through electronic mail or instant messaging capabilities, complete all
of their holiday shopping and find information on virtually any topic that you
can think of.
The electronic marketplace is here and Canadians are increasingly enjoying its
benefits. Along with those benefits come risks, such as the risks attendant to
providing personal data over electronic networks. AOL Canada is aware of those
risks and works diligently to protect the personal data of its members. Our
company is an active member of the industry trade association, the Canadian
Association of Internet Providers, or CAIP, and has been a leader in the privacy
field, working to encourage responsible data protection practices. The CAIP
privacy code is modelled on the Canadian Standards Association's Model Code for
the Protection of Personal Information.
The CAIP code, however, tailored the CSA code to match the realities of the
on-line medium, and that is the crux of my testimony today. We should like to
see Bill C-6 amended to provide our industry the flexibility it needs to
continue to flourish while protecting the personal data of its customers. AOL
Canada is concerned about the prospect of drafting rigid restrictions and
mandatory enforcement mechanisms onto the flexible and evolving framework
envisioned in the CSA model code and adapted by the Internet industry in the
As Senator Kirby has noted, Canada's success in the 21st century will depend on
the ability of all Canadians to participate and succeed in the global,
knowledge-based economy. If regulatory barriers slow the development of
e-commerce in Canada, the country's consumers will lose the benefit of rapid
access to innovative services at the lowest prices.
In our written comments, we have identified a number of areas requiring clarity
and amending language from our industry's perspective. I should like to
highlight a few of those areas in my remaining time.
Our fundamental concern is that the tenets of the CSA model code should not be
rigidly applied in identical fashion to all sectors of all industries. As its
name suggests, the model code was intended to provide an example for trade
associations and other industry groups to guide the development of
sector-specific privacy rules. Some sector codes, including the CAIP privacy
code, closely follow the outlines of the CSA model code but streamline and
simplify its provisions to make them suitable for the particular industry.
In the area of electronic commerce, where many businesses are experimenting with
new business models, the need for flexibility to permit experimentation is
especially strong. Subclause 7(2) of the bill provides an example. It prohibits
the use of personal information by the collecting organization except in
prescribed circumstances. Those circumstances do not include a threat to the
property or viability of the business enterprise. In the on-line world, a
disgruntled consumer can wreak havoc on networks, Internet service providers
and other customers. The ISP should have the ability to use information about
their identity to prevent a shutdown of the network and the disruption of
service to thousands of other individuals. Likewise, it should be able to use
personal information to prevent the on-line harassment of other members or
other types of service disruption.
We therefore support an amendment to paragraph 7(2)(b) to add an additional
situation in which personal information can be used by the collecting
organization without the prior consent of the individual to cover threats to
property or the viability of an organization's business, or a violation of its
Another way in which the bill does not anticipate or address the Internet or
other new media is its repeated references to written consents. In the world of
electronic communication, e-mail or electronic requests are the norm, and the
legislation should reflect this.
The clauses pertaining to an individual's right of access to personal
information are a third example. Those provisions do not anticipate some of the
technical limitations that electronic communications present. For example, an
individual using an ISP to search for a particular Web site must, in order to
retrieve that Web site, type in a URL address or search terms that he or she is
seeking. The search engine, that is, the company providing the technology that
scans the web for sites that match the individual's search request, must
collect that information as well as the screen name or on-line address of the
requesting party in order to be able to fulfil the search request and provide
the information the individual requested.
Organizations should not be required in any circumstances to create records that
would not otherwise exist. In addition, they should not be required to sever
information if doing so would be technically impractical or expensive.
AOL Canada believes the best way to ensure that Canada continues to play a
leading role in the new economy is to allow Internet ventures to experiment and
innovate. In order to do so, these businesses must be free to adopt innovative
marketing techniques while continuing to protect consumer privacy. With
appropriate changes, Bill C-6 can strike a balance between the privacy interests
of individuals and the legitimate needs of Internet-related businesses for
flexibility and experimentation to develop new ways of reaching consumers.
Mr. Michael Eisen, Canadian Director, Law and Corporate Affairs, Microsoft:
Honourable senators, Microsoft recognizes the importance of privacy protection
to the continued growth of electronic commerce. Accordingly, it has
consistently supported efforts to increase consumer confidence in the privacy
practices of on-line businesses. As an example, Microsoft is an advisory board
member and premier corporate sponsor of TRUSTe, a widely known certification
program designed to promote on-line privacy protection.
As regards Bill C-6 in particular, however, Microsoft is concerned that clause 7
as presently worded could hinder the ability of software publishers and other
rights holders to combat software piracy. It has been estimated that in 1998
Canada had a software piracy rate of 40 per cent and that the revenue lost as a
result of that piracy exceeded $450 million. Those losses represent hundreds of
potential jobs at software publishers' Canadian subsidiaries. In addition,
hundreds more jobs could have been created in the distribution channels had
those losses been turned into purchases. Support providers suffer as well
since, with fewer legitimate sales, fewer users are legally entitled to support,
meaning fewer opportunities for support providers. Decreased legitimate
software sales also result in lost tax revenue. Finally, a high degree of
piracy hinders the growth of an indigenous software publishing community since
potential Canadian software publishers will be deterred from attempting to
establish themselves, as piracy will make it impossible for them to recover
their development costs.
Microsoft's anti-piracy efforts include investigating reports of the
unauthorized duplication, use and distribution of software and, in appropriate
circumstances, initiating legal action. Those efforts could be frustrated by
the language of subclause 7(3) of Bill C-6, which identifies those
circumstances when personal information may be disclosed without the knowledge
or consent of an individual. Specifically, subclause 7(1), which deals with the
collection of personal information without knowledge or consent, provides in
For the purpose of clause 4.3 of Schedule 1, and despite the note that
accompanies that clause, an organization may collect personal information
without the knowledge or consent of the individual only if
(b) it is reasonable to expect that the collection with the knowledge or consent
of the individual would compromise the availability or the accuracy of the
information and the collection is reasonable for purposes related to
investigating a breach of an agreement or a contravention of the laws of Canada
or a province;
Similarly, subclause 7(2), which deals with use -- so we have moved from
collection to use -- of personal information without knowledge or consent
provides in part:
For the purpose of clause 4.3 of Schedule 1, and despite the note that
accompanies that clause, an organization may, without the knowledge or consent
of the individual, use personal information only if
(d) it was collected under paragraph 1(a) or (b).
I referred to those clauses a moment ago.
Subclause 7(3), however, which, as already indicated, deals with disclosure of
personal information without knowledge or consent, is for no apparent reason
much more restrictive since it is limited to disclosure to an investigative
body, a government institution or part of a government institution in
connection with the investigation of breaches of an agreement and contraventions
of law. Otherwise stated, Bill C-6 could be interpreted to prevent Microsoft or
other software vendors from disclosing information gathered in connection with
their anti-piracy activities to private investigators, potential witnesses or
other cooperating software companies, none of which come within the apparent
meaning of investigative body or government institution or any conceivable
regulation defining those terms.
This flaw in Bill C-6 could be remedied relatively easily by adding a paragraph
to subclause 7(3) permitting disclosure of personal information without
knowledge or consent where it is made for a purpose directly related to its
collection or use pursuant to paragraphs 7(1)(b) or 7(2)(d) which, as I noted
previously, permit collection and use of personal information without knowledge
or consent in the relevant circumstances where it is reasonable to expect that
collection with knowledge or consent would compromise the availability or
accuracy of the information.
Mr. Jackson L. Chercover, Equifax Canada Inc.: Honourable senators, let me begin
by joining the deluge of political correctness by saying that Equifax Canada
also supports this legislation. Equifax was a private-sector supporter of the
principles of the CSA code and participated in its development. It has also, as
indicated in the written submission, participated in all of the consultations
leading up to the bill. In those submissions, both in the other place and here,
we have tried to show the unique nature of the credit reporting industry which
faces the spectre of a second level of regulatory compliance. We have also
attempted to demonstrate that a single, simple amendment would relieve the
industry of that costly burden without depriving a single Canadian consumer of
the privacy and confidentiality provisions of the provincial constitutional
regulatory regimes under which we operate.
The simple amendment we suggest is to subclause 7(3). Equifax has no difficulty
with subclause 7(1), the collection, because all information that is collected
by consumer reporting agencies is collected with direct consent to the credit
granter to whom the information was given. Equifax has no difficulty with
subclause 7(2) simply because Equifax is a repository of that information and
does not use that information.
Subclause 7(3), however, is the area of unique difficulty because there is no
contractual nexus between the consumer and a credit reporting agency. It is
possible to argue that in the absence of a direct consent to disclosure,
Equifax might well be in breach of the legislation. Therefore, the simple
amendment recommended in my written submission, which would go into subclause
7(3), would be that an organization may disclose personal information without
the knowledge or consent of the individual only if the disclosure is in
compliance with the credit reporting legislation of the province in which the
individual resides. By enacting that type of simple amendment, a multi-staged
regulatory compliance problem would disappear.
Of course, the Privacy Commissioner has the discretion, granted in clause 13, to
decline to report on any complaint that could properly be dealt with, in his or
her view, at the provincial level. However, that is a discretion, and the
amendment we have recommended would relieve the Privacy Commissioner of the
investigation in order to make the decision as to whether or not to report.
The industry I represent is mature. It serves the interests of Canadian
consumers and businesses in the purchase and sale of services, and it is a
source of negligible complaints. Accordingly, I respectfully recommend that
this simple amendment would avoid any disruption to that continuing service.
Senator Callbeck: One question I should like to put to Microsoft, Mr. Eisen,
concerns my understanding that there is a way to track Web sites and the pages
of a Web site that are visited. For example, if Ms Jones visits 20 Web sites
this afternoon at certain pages, that information can be stored. I believe the
term applied to this is "cookies". I understand this function is used
by Microsoft's Internet Explorer. Therefore, this results in the collecting of
personal information without the computer user's consent or knowledge.Is that
Mr. Eisen: Let me answer your question as directly as I can. My area of
expertise is not the technology of our products. I am an attorney; I specialize
in other areas, specifically intellectual property law, and I am not capable of
effectively answering your question. I attended today in order to make a
request for a specific amendment to which I feel capable and qualified to speak.
I would be happy to refer you to people who are expert in that area, but I
would prefer not to speculate.
Mr. Bartkiw: If I may, Mr. Chairman, I have a couple of comments on that. As
part of our registration process, AOL provides members with terms of service in
advance so that the consumers have the opportunity to understand what the rules
of the road are and to what they and we are agreeing. We clearly articulate our
information that is provided by the consumer at their approval.
That said, there are also technologies available from AOL and from Microsoft
that give the consumers the choice not to receive "cookies". That is
a part of Microsoft's Internet Explorer technology. It is also a part of AOL
Canada's "preferences". We give the member the opportunity to define
the preferences, marketing and otherwise. Therefore, they can choose whether or
not they receive those cookies.
That technology is used to give consumers the opportunity to provide very
limited information, as I mentioned in my oral briefing, like screen name or
e-mail address and, if the consumer chooses, preferences of what types of
information they would like to receive. That is good news for consumers because
when they go to a specific Web site, that Web site knows what information to
deliver. Again, just to be clear, the consumer has the choice to turn that
Senator Callbeck: How will Bill C-6 affect cookies?
Mr. Bartkiw: Clearly, because of consumer choice, it should not have any impact
on it whatsoever. The contractual relationship we have with our members
addresses the issue, and consumers are able to take advantage of the technology
to ensure, if they so choose, that they do not receive the cookies.
The Chairman: Could you explain the term "cookie"?
Senator Finestone: Actually, Mr. Chairman, I should like to point out that among
the many complaints we receive about the Internet is the fact that it is an
unconscionable service that uses our children, who are learning to be
communication wise and sound, by sneaking these little cookies here, there and
everywhere, thereby identifying where mommy works, what daddy does, the level of
income, whether they have a car, the type of car, how many times you go out
with mommy and whether you go to the movies. If that is not accurate, I should
like you to tell me please what a cookie is.
Mr. Bartkiw: In the technology world cookies are pieces of information that are,
for lack of a better word, provided when a consumer visits a Web site. As I
mentioned earlier, that can be an e-mail address to let the Web site know
specifically the identity of that consumer.
Senator Finestone: What if you are 12 years old? Start there.
Mr. Bartkiw: First of all, I will speak specifically about AOL Canada. Our terms
of service state that you must be 18 years of age or older to register with
what we call a master account. That master account designation is important
because it allows the master account holder, typically the parent, to define
tools that we call "parental controls". Those parental controls allow
the consumer to determine specifically what their children do on line, where
they go, if they choose to designate where they go, and with whom they
I do not want you to get the impression that cookies are out there gathering
information that consumers have not provided. That is not the case. The
consumer can set up their on-line experience and choose the level of
information that they wish to share with either a Web site or a merchant. I
hope I have answered your question.
Senator Finestone: That is clear on the part of AOL. Can you speak for all the
delivery services that are on the Internet? I have heard from Microsoft about
some leakage. I do not know what the leakage is, exactly, but we have heard
that not everyone is as straightforward. Are you the service of choice because
you have the trustworthiness and the confidentiality and because you go by age
and stage? Are there others who need to be covered more carefully?
Mr. Bartkiw: I will answer generally on behalf of the industry. The Canadian
Association of Internet Providers has devised guidelines, specifically privacy
guidelines, to which all members must adhere.
Senator Finestone: What does the word "must" mean?
CAIP. They must be adhered to in order for a member to remain in good standing
with the Canadian Association of Internet Providers. However, it is in the best
interest of any Internet service provider in Canada to adhere to such a policy
and to live up to it. In the on-line space, information is disseminated almost
instantaneously. If a consumer is disgruntled with the way he or she has been
treated by an Internet service provider, rest assured that other consumers will
be aware of that literally in minutes. Quite clearly, the market will take care
of such issues. We have not seen significant issues with respect to Internet
based on how rapidly consumers react in the Internet on-line space, for that to
Mr. Eisen: I would not wish to leave senators with the impression that Microsoft
sites have privacy statements that are one click away from their front-page
screens. These statements outline what personal information is collected, how
it will be used and how users can opt out of any additional uses of their
information. While I was not able to respond to you from a technological
standpoint -- and, I wish to thank Mr. Bartkiw for doing that -- I would not
the greatest and foremost concern to Microsoft.
Senator Callbeck: I have one more question on cookies. I understand that while
Europe has data protection safeguards in place, somehow cookies are able to
Mr. Bartkiw: I cannot speak to that specifically. I am not aware of that being
the case. However, we would be pleased to gather more information and report
Senator Callbeck: There is one other area I should like to cover with Mr.
Chercover: credit bureaus and the credit reporting agencies that provide
consumer credit information as well as a significant amount of personal
information. I should like to know exactly what is collected and how you obtain
that information personally.
Mr. Chercover: A number of the provincial statutes draw a distinction between
credit information and personal information. I cannot speak for other consumer
reporting agencies, but I can speak for Equifax Canada. We do not collect or
disseminate personal information. Credit information is only name, age,
address, place of employment, previous places of employment and payment history.
Where do we get the information? The information comes from our members, which
are financial institutions, major merchants, credit card issuers and, in some
instances -- since many government agencies are also members of the Equifax
network -- unless specifically forbidden by statutes such as Revenue Canada, we
also obtain information from government agencies.
The Chairman: Mr. Chercover, pardon me for not being a lawyer here, but you
prefaced the list of facts you collect by saying that you do not collect
personal information, yet everything you listed was a piece of personal
Mr. Chercover: No. "Personal information", as defined in the various
provincial statutes, includes such things as race, religion and so on.
Senator Murray: Look at the information in this bill, Mr. Chercover.
The Chairman: I have no problem with interjections but it is difficult for the
television audience to hear you if you do not put your microphone on.
Any normal person would have difficulty accepting the notion that the things you
listed, including credit rating and so on, are not personal information. They
are absolutely what most people believe to be personal information. I
understand what you said was technically, legally correct; I just thought it
was incredibly misleading and I was trying to correct the record.
Mr. Chercover: I understand. If it is misleading, I would be happy to express
that to those responsible.
The Chairman: I do not think you were trying to be misleading but for anyone
listening to this it would certainly appear to be misleading.
Mr. Chercover: I am offering to take your complaint to the various provincial
legislatures who enacted the legislation, but the fact is that there is this
distinction in most cases. Let us take "personal information", as
defined here. It is very similar to Quebec's Bill 68. It is any information that
relates to an identifiable individual.
The Chairman: That is the more normal interpretation.
Mr. Chercover: That is the federal interpretation.
The Chairman: Under that definition you do collect information.
Mr. Chercover: Absolutely. You must draw the distinction between determining
whether an individual is credit worthy and looking into what I call "investigative
information" -- what are his or her habits apart from credit worthiness.
We simply do not deal in that.
Senator LeBreton: To what kind of habits are you referring?
Mr. Chercover: Sexual orientation.
Senator LeBreton: That would be personal?
Mr. Chercover: I would think that would be more personal.
Senator LeBreton: No, but in terms of your definition --
The Chairman: He does not do that.
Senator LeBreton: That is not there?
Mr. Chercover: No. When you walk into your bank and say, "I want to buy a
car. I need a loan," your banker will go click, click on a system to
system, and he will see your credit history. If he sees R1s, he will say on the
spot, "Yes, ma'am, you have been approved for your loan." If he sees
R7s or R9s or judgments against you in the local courts, he may say, "I am
sorry. You are declined." If he does decline you, you are entitled to know
why. By provincial law, you are entitled to the identity of the consumer
reporting agency -- that is us. You are also entitled to come to us to see your
information or to receive it by mail at no cost. There are provisions for
correcting any errors in the event that there is an error. The information as
corrected must, at no cost to you, be distributed to anyone who has received it
in the previous six months.
Senator LeBreton: What difference is there between your organization and a
Mr. Chercover: We are a credit bureau.
Senator LeBreton: Are you the Credit Bureau of Ottawa-Hull?
Mr. Chercover: The Credit Bureau of Ottawa-Hull is an affiliate.
Senator Oliver: I wish to return directly to the bill before us, Bill C-6. There
have now been four presentations. One of them was from Mr. Duncan, who gave a
glowing support of the bill; the other three are not from an organization but
from companies. Each of the three has proposed an amendment or two.
Some witnesses come before Senate committees and tell us that it is important
for them and their organizations to put their views forward to the committee,
to get it onto the record and off of their chests and, having done so, they can
go home and have a good night's sleep. It is my impression that the three of
you who have proposed amendments have done just that here today. You made your
proposal for an amendment, but then you side with Mr. Gaylen Duncan that the
bill can now be passed because you have said what you came to say. This is my
question: Are you serious about these amendments, or are you just here to make
Mr. Eisen: I can genuinely state to you, senator, that we are extremely serious
about this amendment. I have been pursuing this amendment for more than a year.
Perhaps my inability to get it is testimony to my shortcomings as an advocate,
but this is a serious matter. I am not here to make a statement for the sake of
the record. Software piracy in this country is a staggering problem and there is
an urgent need to address it. I have serious concerns about this flaw in the
bill. It can potentially cause problems not only for Microsoft but for other
software publishers and for other sorts of rights-holders. My statement was
made in all seriousness. It was a genuine request for assistance. It is not the
first time I have raised this issue.
Senator Oliver: Did you take the matter to the department itself? Did you
discuss it there at the higher levels?
Mr. Eisen: Yes, sir.
Mr. Bartkiw: I would echo Mr. Eisen's comments. Our visit here today is not just
to be clearly on the record. The amendments we requested will have a
significant impact not only on our business but on our industry and on the
growth of e-commerce. E-commerce in Canada today is significantly behind the
U.S. market, somewhere between 18 months to 24 months behind. We must work
diligently to grow the industry in Canada. We must insure that we do not have
any burdensome regulatory framework which prevents it from growing and which
adversely affects the industry. We are serious about the amendments suggested
today. Going forward, we will work to see them implemented.
The Chairman: What was the reaction of the department when you made this pitch?
Mr. Eisen: The department did not agree with me that the term "investigative
body" and the related regulations would fail to address the specific
concerns that I have identified for you today.
Mr. Duncan: Mr. Chairman, this is the result of years of intense negotiations
between groups and individuals, industry associations, government members,
privacy commissioners and consumer protection associations. With trade-offs all
along the way, we finally reached a consensus. It is not perfect, but through
years of intense discussions between individual vested interests -- as you have
seen in the testimony before you -- we have come up with a compromise.
The issue of concern is frequently translated into, "I am not sure how this
will work but if you put my language in, then I will be sure." As far as
possible, through the negotiating process we have put our language on the
table. Both of these points came up during the original negotiations and were
part of the discussions that led to the CSA wording. Fundamentally, the CSA
model code is now being incorporated into this.
Senator Oliver: All three proposals suggest an amendment to clause 7, the same
clause 7 about which the medical witnesses here had grievous concerns. This
clause seems to be causing the most pain to various groups.
Mr. Duncan: That is the case for a variety of reasons. In sum, intense amounts
of detail are required. The position of the industry association was "Great
idea; do that in your sectoral codes but not by legislation." At that
level of detail, another bill and hearings before this committee may be required
to respond if technology changes one of those details. That is the wrong
approach. The bill should contain principles; the sectoral codes should contain
Senator Oliver: Mr. Bartkiw's view, though, is just the opposite. We are now
involved in the Internet. Canada is way behind in e-commerce, as I said in my
statement in the Senate. His hands are now tied. The hands of Internet service
providers are tied by this legislation.
Mr. Duncan: My third point is that solutions are following in other legislation.
For example, changes regarding hackers, viruses and piracy are coming to the
Criminal Code and to the prosecution and court systems. Those are not privacy
issues. There are associated problems and I do not disagree with AOL's position
on that point, but we are looking to other pieces of legislation to solve them.
We will not tie every solution in the technology world to this one bill.
Mr. Bartkiw: Mr. Chairman, if this bill is enacted as currently written,
significant issues will arise immediately in our business and in our industry,
again relating to clause 7 and how we are treating information and how that
might be interpreted based on the language in the bill is it written today.
That is the reason for our suggested amendments. We want clarity so that, when
the bill is enacted, there are no questions or handcuffs on the industry with
respect to growing the e-commerce industry in Canada.
The Chairman: Returning to Mr. Duncan's point, are there handcuffs or is there
uncertainty? There is a big difference between the two. To what extent is this
an issue raised by lawyers who worry about every potential little nuance and
who look for a level of certainty that is very difficult to achieve in the
As Senator Oliver said, all the amendments proposed this afternoon have dealt
with the same clause. Witnesses say they do not mind the broad principles
contained in the CSA. The CSA does not have hard and fast rules. The act says
explicitly that the word "should" need not be interpreted as being
absolutely obligatory. A law based on principles has more flexibility than one
built on a complete set of details.
To what extent are your problems, and those of other witnesses heard here this
afternoon, driven by lawyers who find it more difficult to deal with
legislation that sets out general principles? I know they would infinitely
prefer something that includes every conceivable detail so they can accurately
advise their clients. I understand that desire for certainty; it would make your
lives easier. However, I must understand whether we are facing a real problem
or a discomfort with the lack of absolute legal certainty and your need to
learn to live with some uncertainty.
Mr. Chercover: The answer is both, Mr. Chairman. Yes, a lawyer's function is to
clarify the interpretation of legislation that will affect his client, but it
would be wrong to suggest that we do not share with honourable senators the
same concerns for our country and our public.
The Chairman: I was not suggesting that. I am trying to understand whether the
problem lies with the structure of the bill. The bill sets out principles by
which businesses ought to abide. That is not the normal way of writing
legislation. Usually legislation sets out the hard, fast rules. The Criminal
Code, for example, does not set out a principle against drunk driving: it states
that it is illegal to drive with a blood alcohol level exceeding .08 per cent.
In my 30 years of experience around here, Bill C-6 is unusual in that sense. I
am picking up on Mr. Duncan's point. To what degree are we addressing problems
inherent in the structure of the bill versus addressing other very specific
problems? That is what I am having difficulty with. When everyone zeros in on
the same section, as Senator Oliver said, and everyone says, "My problem
would be solved if you were to include my specific amendment," I am
inclined to think that the dilemma is more with the structure of the bill, as
Mr. Duncan pointed out, which you are finding unsettling, as opposed to there
being a real problem.
Mr. Eisen: With all due respect, sir, it is certainly reasonable to expect
parties, particularly in the case of new legislation, to live with an
acceptable amount of uncertainty. On the other hand, it is equally reasonable
to eliminate clear and visible flaws to the extent that you identify them prior
to the bill becoming law. In my view, while I cannot give a blanket answer to
your question regarding the several concerns, I suggest that they fall into
different categories. I certainly think that a number of those concerns are not
driven by an inability to live with the accepted uncertainty that surrounds new
legislation. I think they are driven by an earnest attempt to better the
legislation by eliminating visible flaws that can be relatively easily
Mr. Bartkiw: Mr. Chairman, I should like to provide a couple of concrete
examples. First, in subclause 7(3), there is reference to the use or collecting
of information with respect to making it available to third parties. Today,
many Internet service providers across the country rely on third parties to
provide customer support. That would include the provision of technical and
billing support. We provide our customer information via our tools, namely, our
customer service tools, to that third party. If the bill were enacted today as
written, we would be in contravention of it. Clearly, we need to provide that
third party the information in order for them to support properly our
A second example is the provision of information to an affiliated organization.
AOL is made up of a community of over 19 million members in 14 countries around
the globe. All those members can communicate with each other. There is nothing
from preventing an AOL Canada member from going off to AOL France and enjoying
the content of AOL France and communicating with its members. As the bill is
drafted today, the provision of such information would not be acceptable.
Senator Murray: Mr. Duncan, one of your reasons for urging us to give
expeditious passage to this bill is the government's initiative in attempting,
through this bill, to create uniform law applying to all companies in Canada
wherever they are located across the country. I agree with that, with emphasis
on the word "attempting". That is what the government is trying to do.
Nevertheless, we must take note of the statement of the Insurance Council of
Canada to the effect that if this bill goes through there will be the
possibility that its members will have to comply with as many as 28 different
privacy laws, if serious efforts are not made to promote consistency and
harmonization of privacy laws between Canada and the provinces and territories.
I take it you do not share that concern.
Mr. Duncan: I do, deeply, yes. In our view, Mr. Chairman, this is a step that
sets out some principles that the provinces must now have as an absolute
minimum in whatever legislation they produce. I do not know if the number will
be 28; however, there will certainly be the new 13 provincial and territorial
privacy laws that will come out. Several of the provinces have indicated that
their health privacy information is being held in abeyance until this bill
clears, in whatever language it finally clears, because they intend to hang
their health privacy legislation off the principles of this bill. We will see
multiple pieces of legislation. This sets a common base.
Senator Murray: Mr. Duncan, a province that enacts a law that is deemed by the
federal government not to be substantially similar will still have a law on its
books with which the citizens or organizations of that province will have to
comply. They will, therefore, have to comply with two laws, the federal law and
the provincial law. They will also have the difficulty of trying to sort out,
for the purposes of the legislation, what is interprovincial and what is
intraprovincial. It is, perhaps, not as clear-cut as we would all like to
Mr. Duncan: Mr. Chairman, this bill as it now stands is the minimum. A province
can pass a piece of legislation that provides less protection, in which case
the courts will not sustain it. They can pass legislation that provides more
protection. I think the fear of the insurance industry is that there will be
ten-plus different and overly onerous pieces of legislation compared with this
Senator Murray: It may not be a question of more or less but a question of
different sets of processes with which an organization must comply. That may be
The Chairman: If the federal government does nothing, it will have the same
Mr. Duncan: That is correct.
The Chairman: I do not see how the federal situation compounds the problem. If
the fear is that you will have 13 different sets of rules, this does not really
compound the problem. I am not arguing that it is a desirable situation in
which to be.
Mr. Duncan: If we can get out of the knowledge economy and return to the
physical economy, Mr. Chairman, there are 12 motor vehicle regimes in this
country. There is a process to ensure that when you are going 60 kilometres an
hour while crossing a provincial border the speed limit is the same. We believe
this sets a framework for a set of principles, the details of which will take
years to sort out.
Senator Murray: Let me move to Mr. Chercover and his suggestion that we have to
amend this bill to add a provision that would exempt the situation where the
disclosure of personal information is "in compliance with the credit
reporting legislation of the province." Credit reporting legislation must
vary from province to province, does it not?
Mr. Chercover: It varies, but not in principle. There are three principles. They
are accuracy and timeliness of information, disclosure of information only for
permissible purposes, and the rights of disclosure to the consumer and
amendment and correction as I spoke of before. This is a very closely regulated
Senator Murray: I do not understand why the amendment is necessary. I will not
invite you to repeat what you said. I will give it close attention when I get a
chance to read it over again.
I turn now to Mr. Bartkiw and Mr. Eisen. My question is with respect to the
provisions of the bill in paragraph 7(1)(b), where the collection would be
reasonable for purposes related to investigating a breach of an agreement or a
contravention of the laws of Canada or a province, or again in paragraph
7(2)(a), where an organization becomes aware of information that it has
reasonable grounds to believe would be useful in the investigation of a
contravention of the laws of Canada, a province or a foreign jurisdiction that
has been, is being, or is about to be committed and the information is being
used for the purpose of investigating that contravention.
Senator Finestone: Where are you getting that?
Senator Murray: Page 5. I went down to paragraph 7(2)(a), senator. Do you see
that? Again, it deals with a situation where a contravention is being, has been
or is about to be committed, and the information is being used for the purpose
of investigating that real or hypothetical contravention. I fail to see why
that is not sufficient for your purposes, Mr. Eisen and Mr. Bartkiw.
That being said, let me say something to Mr. Bartkiw with respect to his
suggestion that a threat to the viability of the business enterprise ought to
be included. I mean, that is not necessarily a crime. A threat to the viability
of the business enterprise could be almost anything, including a lazy executive.
Mr. Bartkiw: That is a valid point, Mr. Chairman.
Senator Murray: It is far too broad for the committee or anyone else to accept.
Mr. Bartkiw: If I might say, there are means with which a consumer or an
individual can, for lack of a better term, attack an on-line service -- for
example, by sending massive amounts of e-mail that have not been authorized or
requested by any of the providers. I do not think that that type of activity
would fall underneath this language, and that can have a severe impact on the
business of an Internet service provider. It can literally cripple a service
and take it down. In our case, in excess of 200,000 people may not have access
to the service as a result of that type of act. That is what we are trying to
Senator Murray: Are you telling us that existing law does not cover that
Mr. Bartkiw: That is correct.
Senator Murray: What would you do with the personal information involved in
Mr. Bartkiw: First, with the personal information we would be able to identify
the individuals in order to contact them.
Senator Murray: You can do that now. We are talking about disclosing. You can
contact them now, I presume, if they are using your service, and ask them what
in the name of heavens they are up to.
Senator Oliver: And cut them off.
Mr. Bartkiw: Obviously that is one opportunity. There is also an opportunity for
them to have access to other consumers on our service without our
authorization. That is to say, you do not necessarily need to be an AOL member
to send e-mail to AOL, and our members can receive e-mail from non-AOL members,
as you would expect. This would potentially give us the opportunity to share
information with another Internet service provider who may actually have this
individual as a customer, so that we could, in fact, stop this individual from
attacking our on-line system and our members.
Mr. Duncan: Mr. Chairman, that is precisely the concern of the consumers' group.
We are opposed to two private companies, both involved in the act of collecting
information, then sharing that information because they are irritated about a
user. AOL could provide that information to the cable company that provide my
Internet service access, and then the cable company will be under pressure to
disconnect me. The belief expressed by the consumers' groups during these
intense negotiations was that the situation Mr. Bartkiw described sure sounds
like mischief, and mischief is something that the police can investigate. We
have no problem with you wanting to cut someone off because your system is
starting to come down. That is a service issue. If you want to provide that
information to the police to allow them to conduct an investigation, and that
investigation results in a regulatory order cutting someone off, then we have
Mr. Bartkiw: That would be great if there were some form of legislation that
specifically prevented consumers from sending massive amounts of e-mail, but
that does not exist today. Therefore, it is far more expeditious, less onerous
and less expensive for all involved.
Senator Oliver: Unless, of course, it is mischief as defined by the Criminal
Code, in which case there is a remedy.
Mr. Bartkiw: Point taken.
Senator Murray: Mr. Eisen, could we get an answer from you?
Mr. Eisen: My concern does not focus on the language relating to collection
found in subclause 7(1), or the language relating to use found in subclause
7(2), which you referred to, but rather to the language concerning disclosure
in subclause 7(3), which does not parallel the language relating to collection
and use and which is much more restrictive.
My only concern is that the legislation be internally consistent. Surely, if you
are allowed to collect for a certain purpose and allowed to use for a certain
purpose, you should be permitted to disclose for that same purpose. I am
perplexed that while you can collect information, pursuant to subclause 7(1),
in certain circumstances relating to the investigation of a breach of a law, and
while you can use that information, under subclause 7(2), you can not disclose
it except as provided.
Senator Murray: I remember you were speaking about private detectives. Could you
read your amendment again?
Mr. Eisen: I am suggesting that subclause 7(3) be drafted in such a way as to
parallel subclause 7(2), by adding the simple language permitting disclosure of
personal information, without knowledge or consent, where it is made for a
purpose directly related to its collection or use pursuant to paragraphs, et
Senator Finestone: Where would you put that in, Mr. Eisen? Would it be directly
under 7(3) before you move to 7(3)(a)?
Mr. Eisen: It would become a part of subclause 7(3), wherever you wish. I do not
know if you have a copy of my submission.
Senator Murray: No.
Senator Carstairs: I have a supplementary question on this. To me, there is a
hierarchy, and the hierarchy is to collect, to use and then to disclose. Surely
there is a greater burden of responsibility to disclose. That leads us to the
issue of the medical situation, where the doctor can certainly collect and
certainly use, but God forbid if the doctor discloses that information.
Mr. Eisen: It is important to realize that we are dealing here not with medical
situations, but with investigations of breaches of the law. We are dealing only
with breaches of contract and contraventions of Canadian law.
Senator Carstairs: With the greatest of respect, we are dealing with subclause
7(3), of which medical information is an intrinsic part.
Mr. Eisen: I apologize for not being as clear as I should be. I am focusing on
the fact that the provision relating to the disclosure of personal information,
solely in connection with investigations of breaches of contract and
contraventions of law, is narrower than the provisions relating to collection
and use. I am suggesting to you that there would not be any of the abuses that
you have highlighted associated with allowing information, collected and used
when investigating contraventions of Canadian law or breaches of contract, to
be disclosed to private investigators who are assisting you, to witnesses who
are assisting you, or to other like-minded organizations with whom you are
working in tandem to eliminate software piracy. It is a very narrow and focused
request aimed at allowing software publishers not only to collect information
relating to the theft of their property and to use information relating to the
theft of their property, but also to disclose it so that, at the end of the
day, there can be civil proceedings, criminal proceedings or reasonable redress.
Mr. Duncan: Mr. Chairman, I do not wish to put words in Mr. Eisen's mouth, but
my recollection of paragraph 7(3)(d) is that disclosure may occur on the
initiative of the organization to an investigative body. The concern is that
the investigative body will include by definition only police forces, security
forces, et cetera, and not a private investigative body.
Mr. Eisen: Even more to the point, I do not think "investigative body"
could conceivably be defined to include a single private investigator with whom
you are working, a witness with whom you are working or, perhaps most
importantly, a like-minded software company with whom you are working. If, for
example, Microsoft and Autodesk were together investigating the infringement of
their copyrights by an organization that was manufacturing and distributing
CD-ROMs that contained bogus Autodesk and Microsoft products, conceivably this
legislation could be interpreted to prevent a sharing of personal information
between the two companies in connection with that investigation because neither
of them would be an investigative body.
Senator Finestone: It would seem to me that you are talking about intellectual
property law, which covers theft of intellectual property. The interpretation
is with respect to the disclosure being requested for the purpose of
administering any law of Canada. If you believe that the fraud is being
committed or the intellectual property theft is taking place, you have subclause
7(3). There is plenty of room for interpretation in that section in order to
deal with fraud, theft and misdemeanours in many different ways.
Mr. Eisen: I am attempting to ensure that privacy law does not unnecessarily
intrude on intellectual property law and make it impossible to effectively
police your intellectual property.
Senator Finestone: Mr. Eisen, did you approach Industry Canada? With all due
respect, our minister is quite a techie and would like to see this area move
forward more quickly. Did you approach him, or did you deal strictly with Mr.
Duncan in the negotiations to have this whole section put together?
Mr. Eisen: I dealt directly with officials from Industry Canada. I will concede
to you that I was not able to persuade them of the merits of my position. I am
attempting to do so in another forum.
The Chairman: We have the minister here on Thursday, so we can ask him why you
Senator LeBreton: Mr. Duncan, you were talking about consensus and not having a
perfect document and having a floor or a base from which to work. What happened
with the health people? There seems to be conflicting views as to whether they
were brought into the process or whether they came in late in the game. How do
you address their concerns? I believe you were in the room when the
representatives of the doctors and the dentists were here. From your
perspective, in hindsight, is there a way that this could have been addressed
Mr. Duncan: As the chair well knows, over 30 years ago, privacy conferences
started to be held in the medical, legal and technical worlds. There has been
huge consultation at the broad level for over 30 years. I have given thousands
of speeches on this topic.
For anyone to say that they have not been consulted on the principles I think
would be misleading the committee. On this particular project, I think they
were brought in late. I also think the consumer groups, the individuals about
whose files the medical people were talking, basically said this is the
framework. We look to provincial legislation on details that will then set the
framework for the governing bodies of the various professions to then set
specific sectoral policies. Now we have an enforcement mechanism. It is not a
privacy commissioner or an ombudsman or an individual going to court. We now
have an individual's licence at risk. I do not think it is appropriate for the
federal government to be intervening in that piece of property and civil
rights. Check the master framework and then see it cascade down until it
becomes a sectoral set of rules as to how patient information will be handled
by a doctor. If he breaches that, his licence is at risk.
Senator LeBreton: What are your views on their suggestion that their code be
added as an addendum to this bill?
Mr. Duncan: From a legal point of view, I do not think that is technically what
you want to do. The next time they wish to modify their code, they require a
bill that must go through the House. The House will rise and prorogue and they
will have to start over again. You will get caught in Senate hearings and
Christmas recesses coming, all because they want to change one line of their
Senator Murray: With respect, again, Mr. Duncan, that is not the case. We could
append their code to our bill by an amendment, and they are still free to do
what they wish with their own code as time goes on.
Mr. Duncan: Why append it?
Senator Murray: What do we do if the CSA changes its code? We have that, in
effect, appended to the bill.
Mr. Duncan: This is the version that will become the rule. This is the law. The
CSA can say they want to propose an amendment, and that is all they can do. We
see the licensing body in Ontario looking at this to ensure that the detailed
rules for the treatment of personal information are consistent with these
principles and probably much harsher. They will apply that, and it will be part
of the licensing process.
The Chairman: Under provincial credit reporting legislation, you can provide
credit information without consent from the consumer.
Mr. Chercover: No, you need the consumer's consent to collect the information,
and the consent is usually on a form that you sign when you apply for a loan.
The Chairman: Which allows you to distribute it.
Mr. Chercover: Exchange of credit information.
Mr. Bartkiw: To clarify the previous misleading statement I made, paragraph
7(3)(j) is the suggested amendment language we have made in our written
The Chairman: We just wanted to show you that we read the bill.
Mr. Bartkiw: That deals with prohibiting information to third parties without
The Chairman: I thank the four of you for attending.
Senators, our final witnesses for today are from the Canadian Bankers
Association and the Canadian Marketing Association. Gentlemen, it has been a
long afternoon, so the briefer you are and the quicker we get into questions,
the happier members of the committee will be.
Mr. Alan Young, Vice-President, Policy, Canadian Bankers Association: Mr.
Chairman and senators, we have provided you with our rather lengthy submission
on the bill. We have also given you a two-page summary. In my brief remarks I
will focus on our key issues and commend to you for your consideration our more
fulsome submission. Given our time constraints, I will not give you our usual
preamble on the importance of privacy to the banking industry. Suffice it to say
that the banks take great pride in the leadership position they have taken in
the protection of customer information.
The first issue I will focus on is the exemptions built into subclause 7(3) of
the bill. I understand that this has been the subject of considerable
discussion and we will be extending that discussion, Mr. Chairman. We believe
that the circumstances under which an organization can disclose personal
information without consent are not comprehensive enough.
Bill C-6 does not include many situations in which disclosure without consent is
currently allowed under the law today. For example, the common-law case of
Tournier allows banks to disclose personal information where there is a duty to
protect the public interest. One example would be where a banker suspects elder
abuse when a customer withdraws money from his or her account under pressure
from a family member or an acquaintance. Elder financial abuse, I believe, is a
significant public policy issue.
We believe that under this bill banks would be prohibited from disclosing the
suspicion of elder financial abuse unless they met the standard of having
reasonable grounds to believe that a crime has been or is about to be
committed. We are concerned that this test may be too high and that it places
bank staff in the difficult position of trying to determine if a crime has been
or is about to be committed.
We are also deeply concerned about financial fraud. Fraud targeted at financial
institutions is a multi-million dollar business. In order to thwart those
activities, and to protect the funds of depositors and shareholders, banks need
systems that share information among members within a financial group of
companies and they need to communicate with other financial institutions and
authorities about such fraud. We propose a simple solution to these concerns in
order to ensure that existing rights of our banks to disclose information
without consent are not eroded. We strongly recommend that paragraph 7(3)(i) be
amended to read "required or permitted by law." We think that the
addition of the two words would address our concerns.
Our second concern is with the role and powers accorded to the Privacy
Commissioner. We believe that they far exceed what is necessary to meet the
stated purposes of this act. These powers cannot be described as light and
flexible, which was supposed to characterize this bill when it was first being
considered. The investigative powers of the commissioner include the ability to
enter premises and to examine and extract records without a warrant. In
addition, the commissioner can speak to individuals without benefit of legal
counsel. We suggest that these may be contrary to sections 7 and 8 of the
Our recommended solution is to curtail the powers of the commissioner or have
the bill operate on a complaints-driven basis, at least until the first review
of the act in five years. At the time of the first review there would be a
clear track record, and whether or not a stronger oversight mechanism is needed
could be determined. We believe that this approach would recognize the progress
being made with sectoral codes and complaint resolution mechanisms that are
already apparent in the private sector. We also believe that the investigation
and publicity of complaints, combined with the Privacy Commissioner's role in
educating the public, would effectively highlight and discourage any
unacceptable personal information handling practices by organizations.
Our third concern is with the reasonable person requirement under subclause
5(3). This introduces yet another test before disclosure is permissible, in
addition to those already imposed by the bill. In the experience of the banks,
privacy protection is best achieved when it is based primarily on a policy of
customer control of information embodied in the right to give one's consent and
the right to withdraw that consent at any time. Banks are concerned that the
inclusion of this provision adds an overriding requirement of reasonableness to
all provisions, notwithstanding that consent has already been obtained. This
could negate consent already given to uses of information, thereby giving rise
to some uncertainty.
The final issue that I wish to highlight concerns the possible effect of this
bill on an organization's ability to restructure. The federal government
proposed in its June 25 policy paper that financial institutions should be able
to organize themselves under a holding company structure. I will demonstrate
our concern with a practical example. Let us say that a bank's credit card
operation, which under law today must be done within a bank, is being spun out
of the bank into an affiliate of the bank under a common holding company
parent. In order for the bark's credit card operations to be moved effectively
from the bank to the new credit card affiliate, the personal information
regarding the bank's credit card customers must be transferred to the new
affiliate. It is not clear whether the proposed exemptions under subclause 7(3)
contemplate such disclosure of information by the bank to the credit card
company affiliate. The same concern applies in cases of corporate restructuring
and acquisitions, whether within or outside of a holding company.
For the sake of clarity and to ensure that the government's desire to give
financial institutions greater flexibility can be fulfilled, we suggest that
the bill specifically provide an exemption permitting the transfer and use of
personal information for such corporate restructuring.
In conclusion, I will make a few remarks about Part II and Part III of the bill,
which deal with electronic commerce and the use of electronic signatures. We
believe that these will be valuable tools to assist the continued development
of electronic commerce in Canada, and we wish to stress today the importance of
wide consultation in the development of regulations that are contemplated under
these sections. Open and early consultation will ensure that the concerns of
industry, consumers and other stakeholders regarding any proposed technological
standards are taken into account. It is critical that we get these
technological standards right. This can only be done in the spirit of
cooperation and consultation.
Mr. John Gustavson, President and Chief Executive Officer, Canadian Marketing
Association: The Canadian Marketing Association is Canada's largest marketing
association. We have some 750 members representing some of the largest
marketers in the country who use customer information to make most of their
major marketing decisions. That generated over $13.5 billion in sales last year
and generated employment for over 230,000 Canadians. Today we appear in support
of the bill.
As you know, in 1991 Industry Canada put together a group of privacy advocates,
consumer representatives and business representatives to come up with some sort
of voluntary privacy code. I was at the first meeting and I can tell you that
when I heard the views around that table, especially from what I then thought
of as wild-eyed privacy radicals, I would have bet a large amount of money that
there would never be any consensus out of that group. Therefore, no one was more
surprised than I to find myself, four years later, voting as part of a
unanimous vote on a consensus document.
That document was the product of much research, much arduous debate and a
considerable amount of compromise. I would describe that consensus document as
a very delicate compromise. That is the document that subsequently became a
national standard published by the Canadian Standards Association. It also may
help explain why it does not necessarily look, feel or smell like ordinary
legislation. It is a set of principles and there are many words in there like "should"
rather than "shall" and "ought to" rather than "must",
but that is very much a product of that compromise.
When we approved that document in 1995, my association decided to call on the
government to put it into legislation. We have been working on that for a long
time. If our economy is to grow, especially an information-based economy,
consumers must have confidence that their information will be held securely,
that it will be used properly and that they will still have control over their
personal information. Survey after survey shows Canadians reluctant to embrace
some of the new technologies and new ways of doing business because of their
fears over what is happening to their personal information.
With more and more businesses engaging in the field of acquiring personal
information and using it in various new and different ways, it is important to
have a common set of rules, some guidelines, some guides to best practices.
Finally, we believe it is important to do it now, when we have a consensus
document, before we have the privacy abuses that might lead to excesses in
legislation and regulation.
I do not know how many of you saw 60 Minutes last night, but they did a section
on Internet privacy or e-commerce privacy. One of the people interviewed said,
"If you asked Henry Ford 75 years ago what he thought of people regulating
his marketplace, he would probably would have said, `Speed limits are a good
idea. Stop signs are a great idea. Anything that helps my customer feel safer
and more comfortable buying and using my product is good for the economy.'"
That is what we think about this bill. We think it is an excellent step. It may
not be perfect and it may need some refinement -- in fact, there is a five-year
review built into it -- but it is a great start to giving us a leg up on
building the economy in this country. We would ask you to pass it and to pass it
Finally, I hope that you will not be too disappointed that we do not have a
single amendment to offer you today.
Senator Murray: In the folder that you have left with us -- admittedly, it was
dated February 1999 and dealt with this bill when it was before the Industry
Committee of the House of Commons -- you lobbied for amendments that would
exempt certain types of public-domain data, specifically business information,
et cetera. I presume you got that amendment through at the report stage, did
Mr. Gustavson: Yes.
Senator Murray: Mr. Young, your suggestion that the additional powers proposed
for the Privacy Commissioner might be an infringement of the Charter is a
matter that we will be able to take up when we have some constitutional experts
with us, among whom will be Roger Tassé, who was the Deputy Minister of
Justice when the Charter of Rights and Freedoms went through and had overall
responsibility for drafting it. We will raise that with him and with the other
constitutional experts when they get here.
You suggest that this should be amended where disclosure is permitted under
existing common and statutory law. Furthermore, you want Bill C-6 amended in
paragraph 7(3)(i) to read, "required or permitted by law." Perhaps
the officials will tell us, but you can also tell us if you know: What else
would be caught under that? How broad an exemption would it be if we added the
words "or permitted by law"?
Mr. Young: I can speak to the Tournier case. There were four grounds on which a
bank could disclose information: first, if it was with the customer's consent;
second, if it was required by law; third if it was in the public interest; and
fourth, if it was in the best interests of the bank. The courts have very
narrowly circumscribed those circumstances. I do not believe that it would be
opening the floodgates to disclosure of information. That might be a concern
that you would have by adding that amendment.
Senator Murray: I wish to address the question of routine operations, such as
cheque printing, when these are contracted out to third parties, where
information will not be used for any purpose other than its originally stated
purpose. For what information would the bank have to get my permission to
disclose? My name, address and the number of my account?
Mr. Young: Your account number, yes.
Senator Murray: Is my consent not implicit in the fact that I have applied for a
new book of cheques?
Mr. Young: We would want to ensure that we obtained your consent when you opened
your account. It is not clear what happens to third parties with respect to
Senator Murray: As of now, I fill in a form to get a new box of cheques.
Mr. Young: If you have consented, then it is not a problem.
Senator Murray: But the consent is implicit, is it not? I do not suppose that
the manager of my bank has in his office a printing press which is printing my
cheques. I assume that someone in the printing business is doing that.
Mr. Young: That is correct.
Senator Oliver: It will be moot anyway, as people get used to doing their
Senator Murray: I will leave it at that.
Senator Oliver: I have a question for Mr. Young, but it is ultimately a question
for you, Mr. Chairman. Mr. Young was talking about the legislative framework
for electronic commerce and you said that, in relation to Part II, you hoped
that there would be broad consultation on the regulations that will come from
this. One of my big concerns is that often we find that bureaucrats legislate by
regulation and they regulate in such a way that we never get to see the real
rules pushing something. When these regulations are finally drafted, will you
ensure that they come before your committee for a careful review before they
become law? Otherwise, we will have another grand example of bureaucrats
legislating by regulation.
The Chairman: Senator Oliver, that is a subject that the committee will have to
discuss when it considers its report. In all the years you and I have served on
the Banking Committee, we have done things like that on more than one occasion
and have, ultimately, had changes made in the regulations as a result. On a
personal level, I have no difficulty with that process, but we would have to
consult the committee when considering what is contained in our report.
However, you are quite right that there is certainly precedent for doing it.
Mr. Young: We wanted to bring it to your attention because it is vitally
Senator Oliver: Yes, it is.
Senator Carstairs: I was interested in your comment about senior abuse. In the
one case with which I am familiar, it was actually a bank teller who abused the
senior to the tune of $77,000. That senior happened to be my father-in-law.
What makes you concerned that this present section 7 does not adequately
protect? It uses the word "reasonable". Do you not think that it is
reasonable for a bank teller to report, as I know happens frequently, when a
senior has come in and withdrawn $10,000 and then $10,000 another day and
$10,000 another day, particularly if they ask for it in cash? The tellers are
going to the police and saying, "I think there is reasonable grounds that
something is being violated here and that there may be an incident of abuse."
What makes you think this bill will prohibit that?
Mr. Young: We believe that today, under common law, it is clear that that sort
of thing could be reported. However, it is not entirely clear that such an
incident would meet the standard of "a crime is about to be or has been
committed." That may be too high a threshold and I do not think we can
expect bank tellers to know what the Criminal Code says. Our concern is that it
is not certain that tellers would continue to have that authority under this
Senator Carstairs: Let us be reasonable. I cannot imagine a situation in which a
teller calls the police without having contacted the bank manager, who has
access to the bank's lawyers. Those lawyers can indicate whether or not they
think this is reasonable. You cannot tell me that there are tellers out there
who are calling up their local police officers without talking to any other
official in the bank.
Mr. Andrew Finlay, Senior Counsel, Employment Law Group, The Bank of Nova
Scotia: There are two thresholds here. One is that they must have reasonable
grounds, which is somewhat established as a threshold at law. It is a fairly
high threshold. The second one is whether or not a contravention of the laws of
Canada has been or is about to be committed. That suggests imminence. There is
also the scenario where you are suspicious -- that is, where there is something
smelly and you want to find out a bit more, but how far can you go? That is
where there must be a bit more room for the use of the information.
Senator Callbeck: Mr. Chairman, I wish to ask about the definition of "commercial
activity" in Bill C-6. It has been suggested that that definition is not
precise enough, that it is too vague. Have you any comments on that?
Mr. Young: We have looked at the bill and we are largely supportive of the
legislation. We had no comments with respect to this definition.
Mr. Gustavson: I share that view. The chairman of this committee articulated an
important idea with the previous witnesses. Many people are very nervous about
this bill because it is new, and they are uncertain how it will work.
Since 1991, the groups of people who have come together representing privacy
advocates, consumer groups and businesses have come to know each other and they
can now work together. They are behind this bill. They want to make this bill
work. There is a provision for five-year review if we get into trouble.
As Senator Kirby quite rightly said, this is something new and unfamiliar and
that causes discomfort. However, that definition is fine by us.
Senator Murray: Mr. Young, I suppose we should know this, but how long do the
banks keep personal information on their clients?
Mr. Young: Various statutes, federal and provincial, require records to be kept.
They differ in their provisions. My recollection is that the Income Tax Act
requires retention for seven years. Other statutes provide for five years,
seven years, and maybe as long as 10 years.
Senator Murray: I am interested in this subject because of a particular clause
in this bill that I discussed a few days ago, and again today, which would make
it legal to disclose personal information collected for commercial purposes 20
years after the person in respect of whom it was collected has died. I presume
that would apply, therefore, to a bank. Would you have personal information
about individuals after that length of time?
Mr. Young: It would be highly doubtful. If the information did exist, the
request for information would have to disclose the purposes for which it was to
be obtained. Therefore, it is difficult to conceive of how it would be
disclosed for a purpose other than which it was obtained.
Senator Murray: The bill is silent on that. It may be disclosed 20 years after
Mr. Young: There are requirements in the schedule.
Senator Murray: I do not want to pick on Senator Callbeck again, but a historian
doing a political history of Prince Edward Island might wish to get some
information about Senator Callbeck's business career and how successful or
unsuccessful she was and what her relations with the bank or mortgage company
or whomever were, all of which is personal.
I see no justification ever for disclosing personal information that had been
collected for commercial reasons unless there has been a contravention of a
Mr. Young: We would not object if that clause that you are referring to were
eliminated from the bill. We do not think it applies to us.
The Chairman: First, in your section on the role and powers of the commissioner,
you say that it should be complaints driven. It will be a complaints-driven
process. The only way the Privacy Commissioner will know there is a problem is
if someone complains.
Second, you do talk about whether the powers exceed what is necessary to
implement the legislation. I should tell you, I had that same concern and, I
obtained from the Justice Department a list of 8 or 10 other federal agencies
from farm inspectors to other kinds of agencies where exactly the same
conditions exist. My initial personal reaction was that the provisions in this
proposed legislation were very similar to the search and seizures provisions of
the old Combines Investigation Act.
It turns out that the legal distinction is between investigatory powers when you
are attempting to establish a crime has been committed, and investigatory
powers under a civil action. At least 8 or 10 other federal statutes on the
list I was given have exactly the same powers as proposed here.
Mr. Young: To suggest that it is a complaint-driven process is not entirely
correct. The commissioner can initiate an audit of an organization on his own
The Chairman: Logically, how will he choose one organization out of more than
100,000? He will pick one because some group or a series of people have
Mr. Young: That is possible. However, the legislation gives him the power to
initiate an audit.
The Chairman: I trust we will keep him busy enough.
Mr. Young: Hopefully the banks will not be keeping him busy.
Mr. Finlay: In regard to the powers of the commissioner, you mentioned that
there is other legislation where the powers are similar. Some of that
legislation would not entail a complaint-based process.
Under the Income Tax Act, for instance, I will not complain that Mr. Young did
not pay his taxes. Revenue Canada has its own interest in whether Mr. Young has
paid his taxes. Under the privacy scheme, though, there could be a complaint
that Mr. Young misused information about me. That is a different framework.
In the framework of the Human Rights Act there are greater limitations on the
power of an investigator and the commissioner. I think more appropriate to the
privacy situation, where we are talking about rights in a sense, human rights
and privacy rights are analogous.
You must look at other legislative frameworks and compare the purpose, not just
the fact that an agency may have powers. For instance, I cannot compare the job
of farm inspectors to the job of the Privacy Commissioner. I see a large
distinction there. In other legislation there may not be as much of a
distinction. Then the question is: Is it appropriate?
Earlier Senator Murray mentioned the fact that there is a constitutional Charter
question around the powers of the commissioner. There are also basic questions
of procedural fairness and natural justice quite apart from the Charter
arguments. The powers of this commissioner in the case of a complaint are quite
excessive. I do not know that you can say that the respondent, typically a
business or an employer, is being afforded the basic natural justice,
procedural fairness rights that we have come to expect. I do believe it is more
than just a Charter issue.
Senator Finestone: Your answers to the chairman indicate that there is an
important role for the Privacy Commissioner. Could insufficient funding of the
commissioner's office and insufficient staff have a negative impact on your
businesses, banks and marketing institutions, given that the commissioner may
not have the kind of funds to hire the kind of staff that he would require? What
would be the impact for all of you?
Mr. Young: I would think that the banking industry would not require the
attention of the Privacy Commissioner because of the long-standing practice in
the industry and the concern we have for customer information. Therefore, I
would not think that we would be a heavy drawer of the time and effort of the
Senator Finestone: The question came to me as you were discussing this with our
Mr. Finlay: I must say something because our experience with the Human Rights
Commission has been very positive over the years.
Unfortunately, I have come to know them better than I would like. With a good
quality of staff and investigative function, the whole system runs better.
Everyone is served, including the complainant, the respondent and the
The quality of the people is important. How do you fund that quality? I cannot
comment on that.
Senator Finestone: He would need sufficient staff and quality staff to make this
Mr. Finlay: Certainly quality is important, yes.
Mr. Gustavson: If this does not work, we shudder to think of the alternative.
This is a basic set of principles. It must be properly funded to work
efficiently. If it does not work, we will need legislation which is more
detailed and which will be more intrusive in the marketplace. That will be far
worse for business.
There is always the danger of fishing expeditions because of the enforcement
provisions, and that does worry us. The commissioner will probably be more busy
with other complaints and not have the time or money for such fishing
expeditions, but we want to ensure that the system works and is properly
Senator Gill: Mr. Young, are you representing the caisses populaires in Quebec?
Mr. Young: No, the caisses are separately represented. They are not members of
the Canadian Bankers Association.
Senator Gill: Do they come under the Bank Act, even though they are not members
of the association?
Mr. Young: No, they have their own legislation.
The Chairman: I should explain. Credit unions, which effectively include caisses
populaires, are under provincial legislation. The only part of federal law
which governs credit unions is that in relation to the provincial credit union
centrals, which are the overseeing bodies, and the Canadian Credit Union
Central. Individual credit unions, of which the caisse is by far the biggest in
the country, are covered by provincial legislation.
Senator Gill: Will Bill C-6 apply to them?
The Chairman: This law will ultimately apply when the four years have expired.
The caisses now do business interprovincially. They have at least one branch in
Ontario, so they will be covered.
Honourable senators, we have one last item of business before we adjourn. You
have before you a motion which relates to the decision of the Senate, last
week, to authorize this committee to do a five-year update on the final report
of the Special Senate Committee on Euthanasia and Assisted Suicide, entitled; "Of
Life and Death." The intention is to complete this work by June 2000, the
five-year anniversary of the tabling of the report.
Senator Carstairs: Honourable senators, I move:
That a Subcommittee to update Of Life and Death be established, comprising five
members, including the Honourable Senators Carstairs, Pépin, Beaudoin,
Keon and Kirby; and
That the Order of Reference adopted by the Senate on Thursday, November 25, 1999
That the Standing Senate Committee on Social Affairs, Science and Technology be
authorized to examine and report upon developments since the tabling in June
1995 of the final report of the Special Senate Committee on Euthanasia and
Assisted Suicide, entitled: Of Life and Death. In particular, the Committee
shall be authorized to examine:
1. The progress on the implementation of the unanimous recommendations made in
2. Developments in Canada respecting the issues dealt with in the report;
3. Developments in foreign jurisdictions respecting the issues dealt with in the
That the Committee submit its final report no later than June 6, 2000;
be referred to the Subcommittee.
That the Subcommittee be authorized to send for persons, papers and records,
whenever required, and to print from day to day such papers and evidence as may
be ordered by it;
That, pursuant to Section 32 of the Financial Administration Act, the
Committee's authority to commit funds be conferred on the Subcommittee;
That pursuant to Section 34 of the Financial Administration Act and Guideline
3:05 of Appendix II of the Rules of the Senate, the Committee's authority for
certifying accounts payable be conferred on the Subcommittee; and
That the Committee's power to permit coverage by electronic media of meetings be
conferred on the Subcommittee.
The Chairman: I have also distributed to you a suggested work plan which has
been developed by Senator Carstairs. After five hours of hearings today, we may
not want to do that. We will come back subsequently in an in camera session to
discuss the work plan in detail.
Is it your pleasure to adopt the motion?
Hon. Senators: Agreed.
The Chairman: Carried.
Senator Carstairs: To clarify, now that the subcommittee has been established,
the subcommittee will determine its own work plan.
The Chairman: There you go, getting me stuck on the rules again. The
subcommittee will meet tomorrow at 11:00 a.m. in room 172-E.
The committee adjourned.