Proceedings of the Special Senate Committee on the
Issue 12 - Evidence - Evening meeting
OTTAWA, Monday, May 30, 2005
The Special Senate Committee on the Anti-terrorism Act met this day at 7:04 p.m. to undertake a comprehensive
review of the provisions and operations of the Anti-terrorism Act, (S.C. 2001, c.41).
Senator Joyce Fairbairn (Chairman) in the chair.
The Chairman: Honourable senators, I call the meeting to order. This is the twenty-seventh meeting with witnesses
of the Special Senate Committee on the Anti-terrorism Act. For our viewers, I will explain the purpose of this
In October 2001, in direct response to terrorist attacks in New York City, Washington, DC, and Pennsylvania, and
at the request of the United Nations, the Canadian government introduced Bill C-36, the Anti-terrorism Act. Given the
urgency of the situation then, Parliament was asked to expedite the study of the legislation. We agreed. The deadline
for the passage of that bill was mid-December 2001.
However, concerns were expressed that it was difficult to thoroughly assess the potential impact of this legislation in
such a short period of time. For that reason, it was agreed that three years later Parliament would be asked to examine
the provisions of the act and its impact on Canadians, with the benefit of hindsight and a less emotionally charged
The work of this special committee represents the Senate's efforts to fulfil that obligation. When we have completed
the study, we will make a report to the Senate outlining any issue that we believe should be addressed. The results of
our work will be available to the government and to the people of Canada. The House of Commons is undertaking a
To date, the committee has met with government ministers and officials, international and domestic experts on the
threat environment, legal experts and those involved in enforcement and intelligence gathering. This evening, we are
joined by the Hon. Reg Alcock, President of Treasury Board. We are delighted to have him here. Mr. Alcock is
accompanied by Ms. Helen McDonald, Chief Information Officer, and Mr. Donald Lemieux, Senior Director of
Security Policy. Unfortunately, honourable senators, the minister is available for only one hour, but I understand that
the officials are prepared to remain longer to answer additional questions that senators might have. This is a lively
group so it will be a good discussion. Mr. Alcock, please proceed.
The Honourable Reg Alcock, President of the Treasury Board of Canada: Thank you, Madam Chair. I believe this is
my fifth appearance before a Senate committee in my short tenure as President of Treasury Board of Canada. I can
assure senators that they are always lively, although I do believe Senator Stratton is tracking me, because he seems to
appear at each meeting I attend and in my constituency. Before I begin my formal remarks, I would like to make one
comment: I am delighted to be here.
In my role as President of Treasury Board, I am the manager of ``stuff'' as opposed to the policyholder on some of
these issues. This review is incredibly important. I did review the testimony before the committee this afternoon to
understand just what the committee is looking at. I do not add a great deal of value in the broad policy discussions. I
will speak specifically to some of the interactions that Treasury Board has in managing the Privacy Act and some of the
challenges that we have had in dealing with the USA Patriot Act. I understand that was one interest of the committee.
That may give senators a sense of some of the challenges from the perspective of Treasury Board. We will see where the
questions take us from there.
It is my pleasure to discuss with senators the issue of the transborder flow of information, which includes concerns
related to the USA Patriot Act, and the Canadian government's action plan to continue to ensure the privacy and
security of Canadians' personal information.
In my role as President of Treasury Board, I am responsible for the government-wide administration of the Privacy
Act. My department is also responsible for government privacy, security, contracting and procurement policies. It is in
this capacity that I have led the file on the USA Patriot Act and continue to focus on what is perhaps the more
pertinent privacy issue for sovereign countries: flows of personal and sensitive data.
The transborder flow of data is simply defined as the transmission of information across the Canadian border to any
foreign jurisdiction. Globalization and the advent of new information technologies have had an unprecedented impact
on the flow of and speed at which information crosses sovereign borders, including the personal information of
Canadians, by means of what are now considered rather mundane activities, such as email and e-commerce, for
For its part, the Government of Canada is responsible for protecting its holdings on the personal information of
citizens, its employees and other sensitive information in outsourcing arrangements. We take this role very seriously.
Our commitment to the protection of personal information is articulated in existing federal safeguards, including
privacy legislation and policies such as the Privacy Act and the Personal Information Protection and Electronic
Documents Act, PIPEDA, as well as various multilateral agreements with foreign jurisdictions.
The government believes that concerns about Canadians' privacy should be assessed more adequately in light of this
transborder flow of data, rather than through a restricted focus on the USA Patriot Act. Indeed, the act is a very
unlikely course for American authorities to access information on Canadians, given the multitude of other channels of
cooperation between the two countries.
Nevertheless, the government is responding to concerns about the Patriot Act. Our action plan consists of two
streams: a comprehensive assessment of departments' major outsourcing activities, vulnerabilities, mitigation strategies
and model clauses. The results of this assessment will be made public sometime early this summer, and will lead to the
deal with the concerns about personal information or other sensitive government information. The Government of
Canada is developing these clauses in a manner that is mindful of its international trade responsibilities.
Many federal institutions have indicated that they already have a risk management strategy in place, while other
institutions have stated that, as a result of this initiative, they will be reviewing their current risk management practices
to ensure that such risks are adequately considered.
The consideration of privacy risks as part of an overall risk management strategy will ensure that any privacy issues
are addressed at the planning stage of any initiative, which will, in turn, help officials to make informed decisions on
whether or not to contract out or outsource certain personal information. It will also ensure that any potential risks to
privacy or other sensitive information can be adequately mitigated throughout the contractual process.
To date, the government has determined that the USA Patriot Act will have no impact on the privacy of the vast
majority of Canadians. This determination is based on our findings up to now that indicate that the bulk of
government institutions assessed thus far, 84 per cent, have classified their risk as either no risk or low risk in terms of
the possibility of application of the USA Patriot Act provisions.
The contracts classified as medium to high risk are limited in scope and are often closely linked to the mandate of
the institution. For example, Foreign Affairs Canada and Export Development Canada have offices in the U.S. and
overseas and therefore have contracts with companies in foreign jurisdictions where they are located.
In my own department, we have classified our contracts as no risk or low risk. For example, the contract for the
Public Service Management Insurance Plan is currently with National Life Assurance Company of Canada, which has
no offices in the United States. NL is a wholly owned subsidiary of Industrial Alliance Insurance and Financial
Services Inc., a Canadian company incorporated under the laws of Quebec. As such, there is no risk of application of
foreign legislation to this contract. The situation was similar for contracts related to the administration of the Public
Service Dental Care Plan and Pensioners Dental Services Plan.
An example of a low risk of application of foreign legislation includes a contract with Sun Life Assurance Company
of Canada related to the Public Service Health Care Plan and the Disability Insurance Plan. Sun Life uses the services
of World Access to adjudicate out-of-country travel and comprehensive claims for the health care plan. Although
World Access Canada does not normally share PSHCP data with its U.S. counterpart, the current arrangement allows
for calls to be transferred to the Richmond, Virginia office in the event of a disaster in the Waterloo office. In such
circumstances, temporary access would be granted to the U.S. office to ensure continuity of service to Canadians.
A similar situation exists in relation to Sun Life's CHESS system, used for claim adjudication and payment under
the disability insurance program. Sun Life's U.S. employees could potentially look at disability insurance plan data.
In addition, there is a longstanding record of cooperation between our two countries' authorities. We remain
confident in the efficiency and expediency of existing multilateral agreements between our countries to deal with such
The Canadian government will complete its assessment of the reports submitted by departments and agencies in the
next month or two to ensure that concerns over the U.S. Patriot Act are considered thoroughly, as well as to determine
whether additional policy guidance and tools are required with respect to the broader issue of transborder data flows.
The final comprehensive assessment report will be published this summer to reassure Canadians of the protections in
place from this or other types of foreign legislation.
Finally, at her May 9 appearance before this committee, the Privacy Commissioner made reference to a number of
measures to strengthen the government's privacy management regime that she had previously raised with me. I have
since responded to the commissioner, confirming that Treasury Board Secretariat has launched or planned work in
these areas and will seek to advance the concept of a privacy management framework.
As indicated earlier, the government is currently reviewing outsourcing involving personal information and is
developing comprehensive policy guidance, including some model contract clauses to mitigate privacy risks. The
government will continue to work closely with the Office of the Privacy Commissioner to ensure that Canadians'
privacy is respected and that personal information is protected from inappropriate disclosure.
The government will also work closely with provincial governments and the private sector to continue to protect the
security and privacy of Canadians and the interests of Canadian businesses. We will also maintain an open dialogue
with U.S. officials relating to cross-border information sharing to ensure that our governments achieve the right
balance between privacy rights and effective law enforcement.
That concludes my remarks and I look forward to your questions.
Senator Stratton: Welcome, minister. It is good to see you again. I hope you are healthy.
The government, by my notes, should have spent some $6.6 billion of the $7.7 billion originally allocated in the2001
budget by the end of this fiscal year.
Can you tell us if this amount of money has in fact been spent to enhance the security of Canada and is the Treasury
Board tracking the spending in any fashion that we would be aware of?
Mr. Alcock: I am sorry, Senator Stratton, we did not come prepared to discuss that particular aspect. We were asked
to discuss privacy and data protection. The Deputy Prime Minister, I think would be more appropriate —
Senator Stratton: If you are here on privacy, tell me about the process. You are Treasury Board. You are the process
person. You get things approved by cabinet. You then take that cabinet approval and you implement the policy. You
develop a plan for it. Is that not what takes place?
Mr. Alcock: Are you talking about the budget approvals that were provided to security agencies or are you talking
about the privacy and security tracking that we do?
Senator Stratton: Yes.
Mr. Alcock: The second one?
Senator Stratton: I am going by your topic now. How do you track it and ensure that it is on track? I get a little
concerned about different reports coming down about privacy. How do you track it?
Mr. Alcock: Let me walk around that a little. We have a policy for the protection and holding of the personal
information of Canadians within the Canadian government. The issue that was raised last fall, coming out of British
Columbia, was about the potential use of the U.S. Patriot Act to access data on Canadian citizens surreptitiously,
without any knowledge that it was being done. I think everyone had a concern initially that if this was indeed
happening we should investigate and understand the parameters of it, what the impact would be on Canadians, and
then make some decisions.
The first thing that happened is that I met with the Privacy Commissioner. Her indication was — because you may
recall there had been some questions in the House about the CIBC potentially moving data into the U.S. — she felt
that the PIPEDA, given that it is relatively new legislation, covered the private sector companies adequately and that
she had the tools that she needed to act should there be a concern raised about that.
However, in the area of the government, she also indicated that the Privacy Act itself is much older legislation and
had not contemplated some of these cross-border flows. In particular, the issue was, in a world where we are all
contracting on both sides of the border, data could be held in the U.S. in such a manner that it could be accessed by the
U.S. government under the Patriot Act.
We undertook to do a review of all of them. You can imagine the amount of contracting that goes on in the federal
government. It has taken us a while to go through each department and to assess if they contract for the holding of
personal information outside of their own resources; if so, to what extent, and what is the nature of the contract and
the provisions to protect that information? That is the review I was speaking about earlier.
Senator Stratton: Why would Treasury Board get involved? Why particularly your department?
Mr. Alcock: We have the policy responsibility for ensuring the protection. The Privacy Act is the legislation. The
Privacy Commissioner acts as a watchdog to that. We have the administrative responsibility for seeing that the
government complies with it and has proper regimes in place. We also have responsibility for contracting the
procurement policy. The solution that has been identified by the Privacy Commissioner is changes to the wording of
the provisions in the contracts that we write when it comes to the holding of data.
Senator Jaffer: Minister, thank you for appearing before us at this late hour. I found your presentation very
interesting. I also commend you. When this issue of the Patriot Act came to your attention you started working on it
I have a number of questions. I absolutely accept that you may not have the answers until September-October, when
we come back. I will ask the chair if she will kindly invite you back once you have the report in the summer and are
able to give us a better idea.
My first question is on the outsourcing, and you have covered it somewhat. On May 9, I had the opportunity to ask
the Privacy Commissioner about outsourcing. As you are very well aware, minister, Canadians are very concerned
about their information being placed in U.S. companies. As I understand it, under the Patriot Act, U.S. companies
must release that information to their governments. Because the information is held by U.S. companies, it is obviously
not protected by Canadian law.
I know there are treaties in place to allow us to share information with our allies when need be, but these treaties still
give Canadians a role in determining how this information is shared. The concern is that outsourcing removes this role.
It takes it out of our hands. The Privacy Commissioner has told us that you are currently reviewing this process, and
you have confirmed that. It would be very useful, minister, if you were able to share with us some of the thinking or
how the review process is being carried out. I absolutely accept that it is still a work in progress.
Mr. Alcock: I thank you for that, Senator Jaffer. One of the issues in government is there is such a smorgasbord of
interesting items. I have opinions on our security legislation also, but I have to avoid being dragged into that because I
have no expertise in this area. I have not spent the time studying it that you have.
There is a concern. Some of the concern is a fear of the unknown. It is not a realized fear. It is just a fear of what
could happen. In part, it is almost the traditional fear of something big. You commented that U.S. companies holding
data could be ordered to release this data under the Patriot Act. I discussed this at some length, and we investigated it
at some length, both with the Privacy Commissioner and internally. It is certainly true that the Patriot Act would
function in that way if the data were held by a U.S. company doing business in the U.S. There were fears stated by
some that the only precondition was that it was a U.S. company or U.S. subsidiary. I have been assured by the Privacy
Commissioner and others that that is not the case. U.S. companies doing business in Canada have to function under
Canadian law. The new PIPEDA is quite clear on the holding and release of that information.
It should be said that in the legislation that you are reviewing, there are means and provisions for the surreptitious
access of information. It is not as though the U.S. is doing something that we are not. We also allow our security
services to do that, but we have perhaps a higher bar that they have to clear before they get the permission.
We are also informed that the Patriot Act itself is under review by Congress, and that may result in some changes on
On suggestion that was made to us, and as the Privacy Commissioner wrote to me, was that we develop contractual
model language for all government contracts that have to do with the holding of personal information that spells out
some of the conditions under which this information is being held and the access to it. There has been a debate. In this
particular case, Senator Austin would be more expert than I on some of the trade implications of limiting the ability to
hold information offshore when we are moving both ways on that. We hold considerable U.S. information here in
Canada under some of these agreements. It is believed that through simple changes to the way we procure that service,
we can provide an enhanced level of protection.
I have the Privacy Commissioner's letter in front of me. She also suggests that a strengthening of reporting
requirements under section 72 of the Privacy Act would provide more notification when such information is accessed.
Is it a perfect instrument? I do not think so. Is it as good as we are likely to get, given the other concerns behind the
review that you are doing? Where is that boundary between accessing information for reasons of public protection and
the right to personal confidentiality?
Senator Jaffer: Minister, the concern that people have raised with me is that a U.S. company may be operating here,
but they may be outsourcing the data processing in the U.S., which brings them under both Canadian and U.S. law.
How do we then protect personal information?
Mr. Alcock: There are two issues here. Ms. McDonald was saying to me that if the information is held by a
Canadian company, PIPEDA, the new private sector legislation, applies. Ms. McDonald is saying that even in the case
of a company operating in Canada that was storing the data somewhere in the U.S., that information would still be
covered. The company would still be liable for the improper access to that information.
Senator Jaffer: So they do not have to release it to the U.S.?
Mr. Alcock: There is a debate about that.
Senator Jaffer: My understanding is they have to.
Mr. Alcock: My understanding, too, is that if the information is physically held in the U.S., it would be difficult for a
company to refuse the access to it.
Senator Jaffer: Minister, I know these are difficult issues and you are looking at them, but many Canadians have
great concern. Parents have phoned me and said that their child visited the U.S. and, after using their credit card, they
have had FBI appear on their doorstep. They have had cases of them being tracked down through the use of their
I know this is a work in progress and in September it may not be there, but this is a great concern to Canadians.
Minister, other countries also deal with the U.S. Do we have any examples of how other countries are dealing with
Mr. Alcock: It is interesting. I should say that this discussion arose in British Columbia, as you know. The Privacy
Commissioner in British Columbia, with some pressure from and discussion with the public sector unions in British
Columbia as the government was moving to outsource some of their data holding, got involved and was the first to
raise this. I met with the minister from British Columbia on this.
As we canvas across the country, we have not had a lot of concern raised by other jurisdictions on this particular
issue, nor have we had concerns raised internationally.
Senator Jaffer: Not internationally?
Mr. Alcock: No.
Senator Jaffer: I am sure you will have to take some time to answer my next question, and I accept that.
I was pleased to read in your presentation that you are responsible for government-wide administration of the
Privacy Act. One of the things that have come out in the Arar hearings is that when Canadians think that they are
speaking privately with the counsellor, it is shared by the RCMP and with the RCMP and CSIS. Is this also within
Mr. Alcock: If you are talking about the sharing of written or recorded information between two jurisdictions, there
would be legislation and agreements that govern that sharing between law enforcement agencies and the like. The
sharing and accessing of personal data that is held by one department or another would have to be prescribed and
supported by either legislative or administrative agreements that we would oversee.
Senator Jaffer: May I please ask that, when you come in September, you determine how that protection happens?
Mr. Alcock: I will endeavour to provide this before we return in September so that honourable senators will have as
much time as possible to go through it. We will have completed the review by then and we will make it available
immediately. We will do the same on the administrative question.
Senator Jaffer: I will make one short comment. I appreciated very much what you had to say, and I am sure
Canadians listening did also.
I know the minister will understand this: Protecting the vast majority of Canadians is not our aim; it is to protect all
Canadians. I urge you to see that the privacy of all Canadians is important. It is important that people understand
Mr. Alcock: There is no question that privacy, while it is not a right that has been written into the Constitution, is
certainly a right that has been read into the Constitution by the Supreme Court, and we act on that basis. We take it
I think there could be a very interesting discussion with this committee about privacy in general. You are looking at
an extraordinary power that encompasses an entire range of issues. You are doing very important work, and I think it
is important that we educate both ourselves and Canadians about how these various processes interact.
There is also a discussion to be had about privacy itself and how we manage it in government. A lot of
enhancements, service improvements, efficiencies and other things can occur — I am not talking in the judicial or
investigative sense, but in the provision of services — if we can share data.
The approach has been quite antiquated, in the sense that if we do not share anything with anybody, we will never
violate privacy. In the first place, that is not true. In the second place, we deny ourselves advantages and benefits that
come through how we hold information.
How we provide privacy protection and give life to that right is an important discussion and one that I would love to
have with this committee.
Senator Fraser: Like the others, I was comforted when you told us that to date the government has determined that
the Patriot Act will have no impact on the privacy of the vast majority of Canadians. My degree of comfort was
lessened in your next paragraph, where you said that this was based on your findings so far in connection with
On what basis did you extrapolate the information held by government institutions to the vast majority of
Canadians in general? Did I misunderstand what you were saying?
Mr. Alcock: No, you did not. There are two things I would like to mention. My responsibilities are overseeing the
management of information held by government, so my world is the federal public sector. It is governed by the original
Privacy Act passed in 1982 as a companion to the Access to Information Act.
We proclaimed in 2004 the new PIPEDA, Personal Information Protection and Electronic Documents Act, directed
at the private sector holdings of personal information.
When this issue was first raised, the first thing I did was call the Privacy Commissioner and meet with her. Her sense
was that because that legislation was new, it had anticipated or understood better some of this electronic data sharing.
She felt she had the tools to investigate and hold to account private sector companies that were holding personal data
Having had that assurance, then we focused our work on the area we manage. The concern there was simply that the
Privacy Act itself is 20-plus years old and in need of renewal. There has been some work done on how a new act could
be created, but in the meantime we should concentrate on areas where data were being held and use our authority
under the procurement policy to try to address the issue.
Senator Fraser: I was particularly struck by this because on my way to Ottawa this morning, I heard a report on
CBC Radio concerning a well-known Quebec-based insurance company that had transmitted a health insurance claim
to a U.S. subsidiary for some reason. That U.S. subsidiary had contacted the physician in Quebec and demanded not
just the specifics on this claim, but the patient's entire medical file, which I gathered, from listening to the physician
being interviewed, was an unusual occurrence.
As one of the experts who was interviewed said, the concern that immediately comes to mind is that people would
like to use this kind of information to build profiles of greater or lesser sensitivity. It is probably a very high sensitivity.
As I think you suggested, once that information is sent down there, we cannot really protect it.
I suspect I am asking you to comment on something that you have not heard about. If you take it as hypothetical
situation rather than a real case, does it sound to you like a definite infringement of the law, or do we have a loophole
that needs to be fixed?
Mr. Alcock: I thank you for giving me a loophole before I answer the question. I do not know the specifics of that
Some of this, like all new law, has not been tested because there have not been a lot of claims. One of the first things
the Privacy Commissioner said to me was that there needs to be a complaint for her to act. She felt she had the tools to
enter private premises, get the information and hold to account the people responsible when it came to private sector
organizations. Beyond that, it is hard for me to answer this one.
Senator Fraser: Clearly this committee has been trying to wrap its collective mind around not just the narrow
specifics of what one government department does or what one clause of the legislation says, but the whole context in
which we operate. That includes this kind of relationship with our neighbours to the south.
I hope you will tell me I am wrong, but it sounds to me as if we may be operating in our own corporations and their
relationships with their partners south of the border on a degree of trust that would have been appropriate prior to
September 11, but perhaps should be re-examined now.
Mr. Alcock: You may be right. We have two relatively new developments coming at us. We have this greatly
enhanced capability to transmit information quickly anywhere at any time and also this strong desire in both countries
for enhanced protection from acts like those that took place on September 11.
In the chairman's opening remarks, she defined part of the issue. This was a horrific event. Both countries reacted
swiftly, and this legislation was brought in swiftly with the full knowledge that we would have to do exactly what you
are doing, go back and have a look at it when things have cooled down a little, and we have had a little more time, to
see whether we have gone too far.
There are two issues here, and I have to be careful not to ride one of my own hobby horses. I definitely want to have
a conversation with somebody about privacy itself. Here, you are looking at extraordinary ways to violate privacy in
the national purpose. Again, I do not have enough policy background to add much to that conversation, other than to
recognize it is an extraordinarily important one, and in carrying out our responsibilities for holding pertinent data on
Canadian citizens within the federal government, we are trying to ensure we provide as much protection as we possibly
Beyond that, on the issue of the loss of privacy, I think we have tended, because of our fear of the newness of this
technology and the enormous rapidity with which information can be shared, to react to that by not sharing
information instead of looking at building penalty regimes. I often argue that in the case of medical records, they are
only as secure as the dumpster behind your doctor's office, and yet we think that is adequate. We deny ourselves a
considerable range of benefits that could come from using information differently. That is a debate for another time. I
like to throw it out now and again. I want someone to pick it up.
Senator Joyal: I would like to pick up where you left off. I totally agree with you that we live in a world where
communication is on a much wider scale than before. The problem as I see it, and as you have outlined it, is that as
long as the information goes to your own government, you are protected by the system of law of Canada.
Mr. Alcock: That is right.
Senator Joyal: Canadians generally trust our system of law, the rule of law and the way it is implemented in Canada.
The uneasiness starts when the information is passed to another government and they are not aware of it, and
second, they do not have the same access to the protection of the system that we have in our country. That is where we
have a totally different ball game, if I can use the expression. As you said, if we are to continue to cooperate generally
with our friendly neighbour in the south, we might want to have additional reassurance that we know what is being
done and how. Therefore, citizens of Canada who trust their government by providing the information will trust their
government to follow up when they no longer have control of it.
That is where, in our dilemma and the way I see Senator Fraser's dilemma, we realize now there is a different game,
because an American company that controls information on Canadian citizens might be ordered by a court to provide
it and told not to inform its Canadian customer, i.e., the Government of Canada or any other provider of services in
Canada, that they are releasing the information. Therefore, it is the secrecy of the use of the information that is a
preoccupation for us.
My other preoccupation is, and I am speaking as a lawyer, if we are to include, as you said on page 3 of your brief,
``Developing clauses for Requests for Proposals and contracts,'' I am tempted to ask how you envisage the extra-
territoriality of your own jurisdiction over those clauses. If the violation happens in the United States, where will you
seek redress? This is another important element of the efficiency of the system that you might contemplate putting into
Mr. Alcock: Unless the clauses called for the holding of the data in Canada and did not allow the cross-border
Senator Joyal: What would the penalties be if there is violation of that undertaking by the company?
Mr. Alcock: That does get us into a different area, Senator Joyal, and you would be more expert than I, given your
background as a lawyer. I cannot speak to the specific penalty. Maybe others can in the area of the PIPEDA. The same
issue applies in the PIPEDA. Then you are faced with breaking the law or breaking the contract. It came up for
Statistics Canada, where they had written a contract that provided for holding data outside the country, and when they
became aware of the concern they rewrote the contract so the data are held within Canada. Once it is held in Canada,
PIPEDA applies, and anyone who then moves it offshore, if you like, is subject to the penalties that apply under that
legislation. I do not know what they are off the top of my head.
In the case of our contracting, which is what we would be doing with government information, I would assume, at
the very least, it would lead to a violation of the contract or its withdrawal. We would also, in the model contract
clauses, because it depends on the kinds of information you are holding, build penalties into the contract.
If you put a clause in the request for proposal that people identify where the information would be held and added
some other clauses around the use of that information, it is argued we could provide an adequate level of protection.
Senator Joyal: In other words, you would be developing — and I do not want to use terms that you have not used
yourself — contractual language clauses that would specifically establish a prohibition for the foreign company, let us
call it that, to transfer any information without the knowledge of the customer, namely, government, you or any other
government agencies, without first getting the authorization. If the company ever released that information, it would
be subject to the penalty established in the contract in case of non-compliance.
I am sorry. You were nodding, but the minutes will not register that.
Mr. Alcock: They will not show my nod.
Senator Joyal: I do not want to put words in your mouth that describe something you are not really looking at doing
or contemplating in the short term.
Mr. Alcock: That is certainly where our thinking is going on this.
It is also in the context of the need to revamp the Privacy Act itself, which would contain further enhancements once
we got that done and through the House.
Senator Joyal: That is another approach.
Mr. Alcock: Yes.
Senator Joyal: You have one responsibility as the customer, in that you can establish the sets of obligations that you
want your co-contractor to subscribe to because you offer payment in exchange. There is an exchange of demand and
offers. On the other hand, you have to establish a follow-up system in case the commitment that your co-contracting
party is undertaking is broken. It has to be a real follow-up system; otherwise, people can break the contract and there
is no penalty or consequence. In other words, it becomes a pro forma clause, with no teeth.
Mr. Alcock: Given that the contracting we are talking about is within government departments, the Privacy
Commissioner's office can be involved in auditing them or investigating complaints. If we have within the contracting
language an ability to sanction the company, it is argued that that is the quickest and most efficient way to address this
Senator Joyal: For instance, retaining payments, among other penalties.
So far in your study of the Privacy Act, which is not recent legislation, is it your opinion that the act would need to
be amended to make sure that the Privacy Commissioner would be in a position to assume that responsibility, not with
the Canadian agencies but with someone outside government operations?
Mr. Alcock: There are two pieces of legislation, one being the original Privacy Act, which the Privacy Commissioner
herself would argue is old, and it did not in its inception contemplate some of the things that have occurred. It is 23
years old. However, she believes the new legislation is adequate to deal with companies outside the federal family.
Inside the federal envelope, the additional enhancement suggested was, as you have described it, to provide contracting
language that determined how data were to be held and penalties for their misuse. She would nonetheless have the
ability at any time to investigate complaints about the way personal information was being held and whether personal
privacy was being violated. She is fully empowered within the existing legislation, within the federal community. The
question comes only once information moves offshore.
Senator Joyal: The remedy.
Mr. Alcock: That is right. The remedy once it moves offshore. She has considerable authority if it is held within
Canada. Given that it is government in the case we are talking about, public sector institutions, Government of
Canada institutions that are the holders of the information, it is felt that if we simply changed the contracting regime to
hold the information within Canada in those cases where there is a substantive concern about the kind of information
being held offshore, that would bring us under the umbrella of Canadian legislation. I always argue we have lots of
laws that prevent the theft of cars, yet people still steal cars, so you have to have a way of identifying the breaking of
the law and a penalty regime to deal with it as best you can, to the extent that a law can provide a solution.
Senator Joyal: Have you contemplated reviewing the NAFTA treaties to cover that aspect now that they have been
opened to allow American companies to bid on Canadian government contracts? In the review of the NAFTA there
could be some clauses that would cover those aspects of a reality that did not exist before and that we did not
contemplate at that time, for obvious reasons, as you said. There were rapid changes. Is it something you are
Mr. Alcock: It is not something we are activity pursuing at this point, although we have explored the question with
our U.S. counterparts. This is second- or third-hand, but we are told that in the U.S. there are groups who have
substantive concerns about the Patriot Act and its application. That is under review, much like our own legislation is.
We are engaged at a number of tables around a variety of these cross-border relationships with the U.S. and Mexico,
so it is certainly possible to include this issue in those discussions. There is no question about that. We have not
undertaken to do that now, other than raising it. It was raised when President Bush was here.
Senator Joyal: I think this is a very important element in all those discussions to create the kind of trust we need
between the two countries.
Mr. Alcock: In fairness to your question, Senator Joyal, let me go back and have a conversation with the folks who
are dealing with this. I also chair the smart regulation process, which has a large U.S. sector. Let me get you a more
adequate answer on that because you are quite right. It does open up an area for discussion that might be quite fruitful.
The problem is that in both cases, here and in the U.S., our security services, in the kind of legislation you are looking
at, are really looking for extraordinary powers that are not contemplated in some of these regular agreements.
Senator Smith: I have one narrow area on which I want a reaction from you, minister. This afternoon we heard from
the Information Commissioner, Mr. Reid, and he had three of his officials with him. You mentioned in your
introduction that you had a chance to review his presentation. Did you read it?
Mr. Alcock: I read a précis of it.
Senator Smith: He was quite clearly making the case for certain amendments that he felt were in the Canadian
tradition, and it related to where things could be stopped cold, particularly when the government might have any
information that had been received by a foreign government, probably, in most instances, our neighbour to the south,
but not necessarily, and various government agencies. Then we got into whether or not he had made the case to the
appropriate government officials, and with regard to the minister responsible for this legislation, the answer was no.
Your name then came up, and quite positively. He did not use the words ``role model'' but made you sound like that
and stated you had been cooperative.
Without getting into the debate about the merits of the case we were hearing from him, obviously you have a role in
this issue, as does the Minister of Justice and, very clearly, the Minister of Public Safety and Emergency Preparedness.
Where you have an issue that falls within the jurisdiction of several ministers and departments, how do you coordinate
the government's policy? Do you paint broad brush strokes that say here is what we want to do? Is there a single big
kahuna, which is a Hawaiian word for high priest, coordinating this, or are you all out on your own? Some of us sense
today that not everyone sitting around the privacy table has their head in the same place. Maybe you can give us a
response about the challenge there.
Mr. Alcock: It is an interesting way of posing the question, senator, because you do get caught. In my role as
President of the Treasury Board, I am not the policy person in this case; I am the implementer. There is the policy, and
now we have to make it happen in an efficient and effective way. While we may be identifying problems with the policy
or legislation for future consideration, we do not play a policy role in that sense.
As a member of the cabinet sitting in some cabinet committees discussing this issue, I certainly have my personal
views, as I think most Canadians do. I do not want to make light of it, but it is less of a concern about the information I
have willingly said can go here or there. I willingly give my privacy away in many circumstances, but when the
government is collecting information involuntarily, there is a higher bar on its protection, and that information can be
accessed without us knowing it. It is in the surreptitious sense that it is a concern, and it does take us back into the
policy realm to a certain extent. I have a few things to say there, but we are struggling to find the mechanical way to
prevent that from occurring. The best we have come up with thus far is what I have described, the internal federal
family working with the contracting and procurement rules, which is essentially what the Privacy Commissioner
advised us to do.
Senator Smith: At least you met with them. We had the sense that not everyone else does.
Mr. Alcock: It is fair to say in any group of more than two people there will be more than one opinion. The biggest
kahuna will call the decision in the end. That would be the Prime Minister.
However, he expects us to work these things out collegially as much as possible, and you are witnessing a strong
debate among ministers about this legislation. The very issue that prompts this committee to do this study is felt by
many people. This was a departure for Canadians. There is unease because it is a stronger policing action than
Canadians have been comfortable with in the past, and it is driven by a stronger set of fears.
You will see that represented by some of the ministers who would appear before you on this question. We are
looking to the wisdom of the Senate to sort this out.
Senator Smith: We will be meditating on that.
Senator Stratton: We heard from the Canadian Council for Refugees and the Canadian Bar Association this
afternoon. There are five non-Canadians currently being held under the immigration legislation. How do we protect
their privacy rights?
You need to look not only at what will happen in the future, but also at what is happening now. Perhaps you should
look at that, because it is fairly critical to the questions we were asking this afternoon.
Mr. Alcock: Your question is whether these non-Canadians have the same privacy protection rights as a Canadian
citizen. I believe they would, would they not?
Senator Stratton: That is the question. No one really knows. These people have been held for nearly three years.
There is a sense that information was shared with other countries about these individuals. What is their status? We
should be looking at that. You say you are looking at the future. Why not look at the present and those cases in
Mr. Alcock: As I know nothing about these cases, I will not comment on them, other than to say that I will assess
immediately whether the same provisions would apply to them as to a Canadian citizen. The act says that they are
covered by the Charter of Rights, as is anyone on our soil.
I will check that out. For a more detailed discussion about those issues, the Minister of Justice is the person you
should have before you. I do not have the required level of knowledge.
Senator Stratton: I do not want too much buck passing, and I know you will come back.
Mr. Alcock: I am quite comfortable in saying that the Minister of Justice is a lot smarter than I am on those issues.
The Chairman: We wish to thank you for coming, minister. We will look forward to a longer and perhaps more
vigorous meeting with you in the fall after some of these issues have progressed over the summer and changes have
Mr. Alcock: Thank you very much. It is always interesting to appear before Senate committees.
We will share with you now the information that I indicated we would, and we will work with you as we finish this
review. I noted that we are 84 per cent done and we will get that to you right away.
We would be interested in your thoughts or recommendations about this. If you need any information from
Treasury Board, just ask and I will ensure that you have it.
The Chairman: I understand, honourable senators, that the officials are prepared to stay here and answer our
Senator Fraser: I want to recast my earlier comment, then I would like you to do some research and give us a written
Can we be satisfied that existing legislation, which I assume would be PIPEDA, can protect Canadians against the
following circumstance: A Canadian company has a business relationship with a foreign company and the government
of the country in which that foreign company is located uses that company as a conduit to get information about
Canadians. Do we have sufficient protection against that?
Earlier I was talking about health, but there are many industries with very close links to the U.S., including the
aerospace and the auto industries. There are all kinds of industries in which it would not be difficult for the American
government to do this. There are other companies that have strong links with companies in other countries. I am not
pointing a finger only at the American government.
In today's climate, do we think we have sufficient protection against this? This may be completely hypothetical, but
my attention has been caught by this possibility and I would like to know what the legal framework would be for that,
if there is one.
Ms. Helen McDonald, Chief Information Officer, Treasury Board of Canada: I am not an expert on PIPEDA, but it
is my understanding that there is an obligation there that the private sector company must ensure, when it outsources
its operations, its processes, its data, et cetera, to another company, that the same levels of protection flow through
that contracting process. One could argue that when a Canadian company has a relationship with a foreign company,
it is still incumbent on the Canadian company to ensure that the protections follow. That applies to the security of the
information as well. There must be no improper access.
In your example, if a foreign government were to require the foreign company with the relationship to release the
information without telling anyone, and perhaps it is done in such a way that the Canadian company is unaware of it,
then it is difficult to say whether we would know about it and be able to take action. That is the reason for the
emphasis we have been placing on contractual solutions that make you question whether you should be outsourcing
this information at all, whether you should have your information backed up in a foreign country, whether the risks
are such that you should keep it within your four walls and not let anyone else have access to it.
Senator Fraser: I was not thinking only of outsourcing, which is comparatively easy to control if you do your initial
contracts properly. I was thinking more of those very close business relationships that increasingly exist in many
industries. Perhaps this is a completely off-the-wall concern, but if someone could address themselves to it, I would be
I have a question with regard to matching of data contained in various federal agencies. Data matching can be a
handy investigative tool. I understand that there is no legislation that requires federal organizations that may be doing
data matching to notify the Privacy Commissioner, but that the Treasury Board has a policy about data matching.
Could you describe that policy?
Ms. McDonald: We do have a policy that requires notification to the Privacy Commissioner of data matching. Mr.
Lemieux will describe in more detail how it works.
Mr. Donald Lemieux, Senior Director, Treasury Board of Canada: If a government institution plans to conduct some
form of data matching, they must involve the Privacy Commissioner in the process. There is also the privacy impact
assessment policy, which is a more recent Treasury Board policy, that engages the Privacy Commissioner in any
activity involving the personal information of individuals or employees.
Senator Fraser: Would that policy apply, for example, to the much-discussed capturing of data by airlines, which is
yet to begin, that would be matched against data banks in CSIS or the RCMP?
Mr. Lemieux: Yes, it could apply to that.
Senator Fraser: In that case, the legislation sets out a number of quite clear criteria. I wondered if it had overridden
the Privacy Act.
Mr. Lemieux: There is a policy, but it can be overridden if legislation exists that authorizes an institution to share
data with another institution.
Senator Fraser: Are there guidelines on the kinds of matching allowed and not allowed?
Ms. McDonald: We could send you the material that describes under what circumstances matching is done and how
we define it. Would that be helpful?
Senator Fraser: That would likely be very helpful.
Senator Jaffer: I have a follow-up question on the airlines' sharing of information. I understand that it is not being
shared at this time. Under the Public Safety Act, there is to be a sharing of information on persons travelling from
Canadian airports to destinations in the U.S., for example.
Ms. McDonald: I cannot tell you how that happens.
Senator Jaffer: Could you tell the committee how that information would be protected? I understand that you do
not have that here today, but I would appreciate your looking into it to provide the committee with the details on how
information on airline passengers would be protected under the Public Safety Act. I am sure it is not implemented yet,
but I would like to see what the plans are for that.
Ms. McDonald: Yes.
Senator Jaffer: I have another question on the sharing of information. Minister Alcock spoke about the
department's comprehensive assessment of outsourcing and a report on the success of that in the case of individuals. At
this time, it is important for us to know what questions are being asked, although I do not expect an answer to that
today. On page 5 of the minister's comments, in the second-last paragraph, it states that:
The Canadian government will complete its assessment of the reports submitted by departments and agencies
in the next month or two to ensure that concerns over the USA Patriot Act are considered thoroughly, as well
as to determine whether additional policy guidance and tools are required with respect to the broader issue of
transborder data flows.
It would be helpful to the committee to know what questions are being asked before we read that report of the
Ms. McDonald: We could provide that to the committee. It is in the form of a letter from the then-Secretary of
Treasury Board to his colleagues. Essentially, it asks them to identify, assess and, if appropriate, mitigate any possible
risks with respect to the USA Patriot Act. Certainly, we can share that.
Senator Jaffer: Thank you. I receive inquiries in my office on a regular basis that I am unable to answer. The calls
are from people concerned about personal banking information being stored in the U.S., especially credit card
information. When questioning such a practice, people have been told that there is not much can be done about it. I
have suggested calling the ombudsman of these banks to ask general questions on this practice. I have been told that
there are many ways that the U.S. can access such information, but under the Patriot Act, the persons involved and the
Canadian government must be informed of such access to personal information. I absolutely believe everything that
Minister Alcock said about Canada asking the Americans how they collect the information under the Patriot Act, but
they are not required to respond. In that case, in spite of the assessments we do, how will we protect the personal
information of Canadians?
I was unable to advise the woman who called me about this and suggested that perhaps she should switch banks. She
said that most banks outsource to the U.S., and so that remains a concern. There are few banks in Canada and it is
difficult to tell people to change banks. The same thing applies to health information or any other personal
Ms. McDonald: I would say that there are two aspects to it. If information is collected under section 215 of the USA
Patriot Act, I am not convinced that we would find out about it. Our reading of the U.S. hearings suggests that it was
used in approximately 35 instances in late 2001. We would expect to receive no additional information from the U.S. as
to whether that information involved Canadian citizens and what was done with it. We are using whatever meeting
tables we can to make clear to the U.S. the concerns of Canadians about the protection of their information when it is
collected for any reason.
There is another aspect. People can voluntarily give information, and when they have a U.S. bank account they
automatically fall under the set of rules that apply in the U.S. where the enterprises are located. I am not in a position
to describe how strong or weak the protections are within the U.S.
Senator Jaffer: It is not simply a case of someone volunteering information in the U.S. Rather, people are
voluntarily giving information to banks in Canada and that has been outsourced. That is the concern.
Ms. McDonald: That would be covered under PIPEDA. I do not want to slough you off, senator, but the Privacy
Commissioner should be able to help people find the available recourses for such concerns.
Senator Jaffer: I understand that will be included in the assessment you will send to us.
Ms. McDonald: We are focusing on the provisions and protections available for information collected about people
by government, and not the information collected by banks. As the President of Treasury Board said, the Information
Commissioner believes that under PIPEDA, there is an obligation on private sector companies to protect information
as it may flow. Our focus within the secretariat has been on the government's outsourcing of information.
Senator Stratton: I have been listening to the testimony of the President of Treasury Board and you. How does this
relate to anti-terrorism? You are talking about privacy and what will happen in the future in terms of providing
information and the protection of the information of citizens.
If a person were under suspicion by a government agency, the RCMP or CSIS, what protection would that
individual have with respect to privacy? We are talking about terrorism and not what we will do to protect the average
citizen in the future. This is a study of the Anti-terrorism Act. If people come under suspicion, what rights do they have
that you can talk about to us?
What I have heard so far is just what the average citizen can expect in the future, and nothing to do with anti-
terrorism. How do you respond to that?
Ms. McDonald: It is my understanding that anti-terrorism or money-laundering legislation, or any legislation with a
specific focus, tends to trump the more general. We are responsible for ensuring that the general policy on the privacy
of information collected and used by the Government of Canada is implemented by departments in a consistent and
appropriate way. We do not have competence in the case of what happens when someone is detained at the border.
Senator Stratton: That is my point, then. What are you presenting tonight? What I have heard tonight from you
really has nothing to do with anti-terrorism. It has everything to do with protecting the rights of individuals not to have
their private information distributed in an untoward manner, but it has nothing to do with anti-terrorism, not that I
have heard, at any rate.
Senator Joyal: Could you tell us how many data bank matching reports exist in the Canadian government?
Ms. McDonald: Offhand, I could not. There have been over 30 data matching instances reported to the Privacy
Commissioner, although I do not know over what time frame.
Senator Joyal: I wonder if we could get that from the Privacy Commissioner. Senator Fraser asked about the airline
passengers, and there would be data from CSIS and the RCMP; and the latter, of course, have access to data banks of
provincial police. They would have access to the gun control information.
All kinds of information is asked for on the gun permit form, including how many times you have been married; if
you are separated, how it happened; whether there have been some complaints about violence in your connubial
relationship and so forth.
It is difficult to have an idea of what is encompassed in all that. When I was listening to you, I was saying to myself
that the responsibility of the government to maintain privacy might be much bigger than we think, because we do not
know where all the data matching happens. Perhaps in asking two or three questions, you get the entire picture because
of all the data matching; one set of information links to another branch of information, and then through that branch
you get everything else. There is a whole domain of information.
It triggers my curiosity. Has anyone, to your knowledge, ever done that kind of evaluation?
Ms. McDonald: My colleague was pointing out that we do have an online publication and a paper publication called
Info Source that is supposed to list instances of data matching. I would have to say that I do not think we have a really
good handle on the amount or the impact of data matching.
It is one of the issues that the Privacy Commissioner has flagged to us as being of importance to her, not only cross-
border flows of information, but the amount of data matching going on. It is one of the areas that we have agreed with
her that we need to work together on.
We are doing a review of our policies, including around data matching. Our suspicion is that data matching is not
being reported to the same extent as it is occurring, that perhaps there is greater clarity needed — it is an old policy and
needs to be updated — or that we need to help people with tools to answer unambiguously, is this a data match or not,
and remind them of the obligation to report such proposed activities to the Privacy Commissioner.
My colleague mentioned a privacy impact assessment tool, which was meant to ensure that when anyone makes a
change in how they collect information — they shift from direct collection from the data subject, for example, to
getting it from another department, or they change their system in a way that might have an impact on the security of
personal information — they will think about whether there is a privacy impact they need to consider. It was a step-by-
step process, an electronic training tool that helped ensure people did not make changes to an information system
without understanding and mitigating any privacy risks.
Our thinking was that that tool worked well in this setting. Perhaps we should use it for data matching as well. I
cannot say that I am comfortable with what we know about data matching. It is an area on which we have agreed to
work with Madame Stoddart and her office to try to get a better sense of what is going on and whether there is some
remedial action needed.
Senator Joyal: You remember that famous case whereby the Supreme Court accepted the matching of the data
between Revenue Canada, or the border agency at that time, with the unemployment insurance data. I am sure that if
you have information in the unemployment insurance data, you would have it too probably in the social assistance
data, the payments that are made provincially, because of all kinds of situations that might happen in a family, where
one of the spouses is unemployed and so forth.
We have a very important obligation to understand that when we give information to one element of public demand
— when I say ``public,'' I mean requested by the government — it immediately triggers an entire set of other
information coming to the forefront.
We have failed to understand the amplitude of the spider web. In my opinion, by answering two or three questions,
you could cover the vast majority of the information that might exist on one person. If we are to ensure that we
develop policy that protects privacy, we have to understand well how the system works, how the matching of the
information works, if we want to really be effective in our objective of protecting the privacy of citizens, especially in
the context of that data sharing that you have described.
Ms. McDonald: I would agree with you. The president talked about his interest in having a conversation about what
the new technologies mean for privacy. As we have the ability to offer services in different ways, how do we see that in
ensure that no one falls between the cracks — you are eligible and you are not in receipt of the program. Are there ways
in which data matching can help on one side but not the other?
Those are all important questions that you are raising.
Senator Joyal: On page 4 of your brief, you say that of the government institutions assessed thus far, 84 per cent
have classified their risk as no risk or low risk. What are the other 16 per cent?
Ms. McDonald: They have a medium to high risk. Which organizations are they?
Senator Joyal: Yes. Which ones are you still investigating at this time?
Ms. McDonald: Our current concern is to try to ensure that those who have not yet responded do so and complete
their assessment quickly so that we can have 100 per cent of the agencies covered by this. We are still missing a couple.
In the letter requesting this information, as you will see because we will share it, we are also requiring departments to
think it through. If you think there is a risk, medium to high, or even less than that, what can you do about it? Is there
something you can do about the way the contract is now structured or the relationship with the contractor? What is
possible, given that it is an existing contract? Is it due for renewal at some point and is your strategy to ensure the new
contract will not look the same? Our intent was to ensure that mitigation strategies are in place and to try to follow up
with departments through the summer, because that was an important point in our request to them.
Senator Joyal: Could you give us some examples of government agencies or departments that are still wrestling with
the information they have to provide to you?
Ms. McDonald: Yes. If you insist, I could. Some are small departments or agencies that perhaps do not have the
necessary staff or were not too sure what the problem is, but there are other larger, separate organizations like Canada
Post that have not responded.
Senator Joyal: What we call Crown corporations.
Ms. McDonald: That is one of them. Canada Food Inspection Agency has not responded. We understand they are
working on their response, but it has not been filed with us as of this morning.
Senator Joyal: Is it still your objective to complete your review by the end of the summer?
Ms. McDonald: Yes. We want to publish a report, because I think Canadians are looking for the results of this
review, what have we learned and what is the extent of the risk. Our next strategy with those departments who are
lagging a little is to say, ``We do not want to publish and leave a blank where you should be. That would suggest the
wrong impression.'' We are working with those departments to get this completed and to have a comprehensive report.
However, I am torn, in that I do not want to let it lag too long either.
Senator Joyal: You are committed to making a public announcement sometime this fall.
Ms. McDonald: Canadians are also looking for reassurance on what is going on.
Senator Fraser: In your policy on data matching, and indeed your policies concerning privacy in general, does your
writ include CSIS and the RCMP, or do they operate under their own policies?
Ms. McDonald: Yes.
Senator Fraser: Yes, you cover CSIS and the RCMP?
Mr. Lemieux: They are on the schedule to the Privacy Act.
Senator Fraser: All your policies apply to them as well as everyone else. That is terrific. What happens when the
Government of Canada operates a service that is transferred to a provincial government, as, for example, manpower
training was a few years ago? Is it the practice to require that privacy policies continue when a service is taken over by a
provincial government? Do you know that?
Ms. McDonald: I am not entirely certain. I suspect it would be. If a program is transferred or devolved, the
provincial legislation would take over. I cannot say I was engaged in the example you cite.
Senator Fraser: It is the one that comes to mind now, but there have been other cases. We are given to understand
that, as time goes by, there may be more cases of federal programs or activities being devolved to provincial
Ms. McDonald: It would be my understanding that if we were getting someone to deliver a service on our behalf, the
federal law and policy would apply, because this would be our agent, if you like. However, if the responsibility had
been devolved to another level of government, it would be the provincial law, but I can check on that and get back to
you if I have this wrong.
Senator Fraser: If you would. The parallel that comes to mind has to do with official languages policy. Early on in
the devolution process, it was not always required that the provincial government continue to apply the official
language policy to which Canadians had been entitled when a given service was provided by the federal government.
Later on, when people started to notice that in some cases the official language policy had just disappeared, then it did
become part of the negotiation and the transfer. I wonder if anything like that has been done in terms of privacy.
The Chairman: Thank you very much for staying. Clearly this will be a long-time friendship. We will be hearing
from you. Do not hesitate, as you collect information that you think would be interesting to members of the
committee, to send it to me and I will circulate it to them. We will also meet again in the fall.
The committee adjourned.