:
Good morning. As mentioned, my name is Corinne Pohlmann. I am the director of national affairs for the Canadian Federation of Independent Business. With me today is our policy analyst, Lucie Charron, who will be supporting me through the question and answer period.
I have been in this position for about a year, and for the six years prior to that I was in Alberta as CFIB's director of provincial affairs. In my experience there I was involved in the implementation of the Personal Information Protection Act and saw its impacts on Alberta's small and medium-sized companies. In fact, until my departure about a year ago, I was a member of the ministerial advisory committee on Alberta's privacy act, providing feedback on how well SMEs were adapting to the legislation in that province.
First I'd like to share just a little bit about CFIB. We're a non-partisan, not-for-profit organization that's 100% funded by our 108,000 members, who are independently owned and operated small and medium-sized businesses from across the country. Our members come from all sectors of the economy, and they're found in all regions of the country.
You should have in front of you a slide deck. The first slide shows the profile of our members. You'll notice that our membership is a pretty good reflection of the general business population, which as you know is dominated by small and medium-sized companies.
The chart at the top of the next page illustrates the fact that more than 97% of Canadian businesses have fewer than 50 employees. These businesses represent approximately 45% of Canada's GDP and employ almost 60% of all Canadians. They also continue to create the bulk of new jobs in our economy.
As you can see on the next chart on that page, using Industry Canada findings, of the almost one million jobs that were created between 1993 and 2003, close to 80% were created by small firms, which they define as those with fewer than 100 employees.
Why do I show these to you? It's to emphasize the growing importance of SMEs and to encourage you to always think about how government decisions can impact this integral part of Canada's economy. What may seem trivial to a larger firm can be of great significance to a smaller firm. It can add more cost, confusion, and paperwork, thereby adding more stress for the average small business owner.
So what is top of mind for SMEs? The chart on the next page shows you the issues of highest priority for our members, which we collect on an ongoing basis, face-to-face, through a survey process. We then aggregate those results every six months. This information provides us with direction on which issues we need to take on as an organization.
I'd like to highlight the second highest issue of concern for Canada's SMEs: government regulations and paper burden. This really comes as no surprise when you realize that the cost of regulations tends to be much higher for smaller firms. As you'll notice in the smaller chart, this is illustrated quite well using both CFIB and OECD data. It has been supported by data out of Quebec and the United States that the smaller the firm, the higher the cost per employee to deal with regulations.
That is why we have been so pleased to see commitments being made by provincial governments such as British Columbia, Quebec, and Newfoundland and Labrador to tackle this issue and commit to measuring and reducing the regulatory and paperwork burden on business. More recently we were very pleased to see the federal government also make a commitment to a 20% reduction in the paperwork burden on business.
This leads me to the issue of PIPEDA. Our members in all provinces and territories without their own provincial law are expected to comply with PIPEDA when it comes to dealing with public and consumer information. You should know that we are not legal experts on the technical aspects of the law. Rather, we are here to provide you with some feedback on what we have learned about how SMEs have dealt with this legislation.
First, our members are consumers as well as business owners, so they're concerned about making sure their own personal information is protected. As a result, they are also conscious of protecting the privacy of their clients, customers, and employees.
As far back as 1996, we asked our members about the need for the federal government to introduce national privacy legislation. Based on more than 10,000 responses, you will see on the top slide on the last page that our members supported the notion of a national law protecting personal information right across Canada. As a result of this finding, CFIB has never argued against the national law. In fact, we believe that for this law to be truly effective it must be adopted by SMEs across Canada. In order for that to happen, it cannot be complicated or onerous to comply with. So the focus of our work has been to ensure that the legislation is simple to understand and does not impose a significant burden on small businesses.
We do actually view PIPEDA as workable legislation from a small business perspective because it avoids prescriptive solutions and allows for flexibility in how businesses can respond to its requirements. The act understands that not every business manages huge amounts of personal information, and that the types of information can vary substantially from sector to sector, and from business to business.
We also like the balance it achieves between protecting consumers' interests while understanding that businesses need information to provide products and services. As mentioned, our members support national privacy legislation--after all, they are consumers too--but they're also business owners who may sometimes need to ask for personal information to be able to offer the public or its employees what they demand.
We also support the fact that it is a complaints-driven process. Regulations and paper burden can be stressful for small business owners, who tend to wear several hats in their business, from human resources to sales to marketing--you name it. It's usually the owner who's responsible for protecting personal information as well. We do believe that most are already doing what they can to protect personal information in their possession as a matter of good business practice. They may simply have not yet put it down on paper and formalized it.
Keeping the process complaints driven removes the level of stress for the SME owner who may otherwise fear being inspected or even fined if they've not complied to the exact letter of the law.
We also believe the ombudsman model works well. It is less intimidating for a small business owner to approach the commissioner's office to ask questions about their own privacy compliance issues.
Since its implementation on the broader private sector three years ago, CFIB has handled hundreds of calls from small business members across the country looking for direction on how to comply. To handle the questions, we've created a dedicated page on our website with links to where they can get more information. We've put together a handout summarizing their obligations, of which you have a sample in front of you. We also offer our members an online course for free on how to manage private information under PIPEDA.
While most calls came during the first phases of implementation in 2004, we continue to get inquiries on a regular basis. By far the most common calls we receive are questions on how to comply--specifically, how to put together a privacy policy for customers and for employees, and whether or not a template is available for them to use. We know a template was developed in Alberta and British Columbia specifically for SMEs, so we've been encouraging and we will continue to encourage the commissioner to consider producing something similar for PIPEDA.
Finally, you may be curious to know how well SMEs are complying with PIPEDA. While we do not have specific information for PIPEDA, we do have...members in Alberta who were asked this question in relation to the provincial legislation introduced at the same time.
On the last page you'll find a table of our findings, which were that most business members in that province, between 70% and 80%, were aware of the legislation, but far fewer had developed a formal privacy policy. The good news is that compliance is increasing, with 40% saying that they had a formal written policy in 2006, which is substantially higher than the 31% who said they had such a policy in 2005.
So what does all this mean? Well, at this point we do not see any need for substantial change to the act and request that PIPEDA be given more time so that SMEs can gain more experience with the law in its current form. Making changes at this early juncture could needlessly complicate the process and make it even more difficult for SMEs to comply. In other words, we believe more time is needed to really understand the full effect of this law on SMEs and consumers.
In the meantime, CFIB will continue to do what it can to help our members and the general small business population understand their obligations under the law.
Thank you.
:
Before I begin, I have to offer Mr. Cran's regrets. He was a victim of our snowstorm yesterday and was unable to get out of Vancouver.
My name is Margaret Ireland. I'm a member of the board of directors of the Consumers' Association of Canada.
We would like to thank you for inviting us to speak to your committee this morning.
The Consumers' Association of Canada is a 60-year-old, independent, not-for-profit, volunteer-based organization with a national office here in Ottawa and with provincial-territorial representatives. Our mandate is to inform and educate consumers on marketplace issues and to advocate for consumers with government and industry, and to work with government and industry to solve marketplace problems in beneficial ways.
At the time PIPEDA was enacted, we were only beginning to see the various ways that personal information could be mishandled or misused. Sufficient time has now passed to show us which types of improvements need to be made to the act. It's become quite obvious that theft of personal information from corporate data banks, specifically, is out of control. Voluntary guidelines have proven worse than useless, and the time has come to put some strict protection in place for Canadians, with some serious consequences for those who place consumers at risk. We believe the Office of the Privacy Commissioner should be given some real teeth. Regulations and penalties that are meaningful and rigorously implemented could make an enormous difference in the everyday lives of Canadian consumers.
It is time to move from voluntary guidelines for the protection of personal information to actual regulation designed to ensure that those entities collecting information have clear rules about what information they can ask for, what they can do with it, how long they can keep it, and what measures they must take to protect this information. This, together with stiff penalties for breaching these regulations and rules on notification of citizens when their information is compromised, will help reduce the disastrous consequences of identity theft.
Limiting the type of collectable information to the bare necessities is the first step. We have specific concerns about what type of information is collected from consumers and how this information is handled. We would also like to see limits on the length of time that corporations can keep this information and restrictions on sending it outside the country. There is very little reason for a company to keep, for example, a consumer's credit or debit card number in their computer system for extended periods of time unless they have an ongoing relationship that requires this.
In addition, we would like to be assured that the process, which is now ongoing, where all automated debit and credit card transaction records are obscured, is completed by the end of the year. We oppose sending Canadians' personal information, either financial or health information, outside this country. Removing this data from Canadian jurisdiction puts each of us at unnecessary risk, with no actual benefit to consumers.
In conclusion, I will be absolutely blunt. We do not believe that some commercial enterprises' right to collect a consumer's personal data for marketing purposes can be allowed to outweigh the rights of the consumer to be safe and secure in this day and age of international computer hacking, fraud, and identity theft. The only way to ensure that data are not hacked is not to have them available in the first place.
Thank you.
:
Thank you, Mr. Chairman.
I'd like to ask a question. It has been suggested by some witnesses that there should be an amendment that would require you to notify your public of a breach. Either last year or the year before, a whole bunch of information was found in some scrap yard in the southern states. Then we had the Winners situation a number of weeks ago. CIBC lost the data of 470,000 people, which included client names, addresses, signatures, dates of birth, bank account numbers, beneficiary information, and/or social insurance numbers.
A story came out this morning on the news. I don't know what's in the press, but it was on the television. It said that CIBC--I think it was CIBC, one of the banks--was sending out new credit cards to everyone, but they weren't saying why. Why was that? Was that as a result of the loss of all this information?
I understand business. Whether it be the big banks or individual businesses, the cost of notification would be unbelievable. On the one side, I understand that dilemma. On the other side of the coin, people want to know. They want to know whether someone has their social insurance number, or their names even.
Could both sets of witnesses comment on that? My specific question is whether notification of a breach should be a requirement.
:
Thank you all for coming. I'm so glad to see you. I've been a member of your organization since 1987 and still am. I can testify that you do a great service to small businesses.
I have to say that when I read what the act covers, it conjures up images of exactly what you talked about when I was running my dealership. We saw this sort of stuff. We said, oh gee, it's exactly like you said; that's all we need.
I'm looking at accountability, the access. We must appoint an internal privacy expert commissioner with knowledge. You're absolutely right, a small business is totally hampered by those things.
As we begin to examine this whole privacy commissioner issue, there appears to be—and I want you to make a comment on this—a dividing line. I'm speaking to the consumers as well. Many of the problems, and much of the seriousness of privacy, seem to concern the larger firms more. When I look at your chart and see the incredible numbers--and I am familiar with those numbers, but every time I see them again, I am astounded by them--that this is the engine of our country....
Am I right in assuming this, or can you make a comment? Is this something that has more to do with larger businesses, larger corporations, that would possibly abuse it? Is there the same danger for a small or medium-sized business?
Could both sides make a quick comment? Ms. Ireland, could you please comment as well?
Ms. Pohlmann, my question is directed to you because, if I understand correctly, you maintain that all of your information is based on a code of ethics, more or less. You say that people, particularly those working in small firms, pay attention to what they're doing.
On looking at your table, we see that 56 of the businesses that belong to your federation are one-person operations with no employees. That's a fairly large number. This means that they do not necessarily have help destroying their documents. It also means that they may dispose of these documents in bulk.
Even if we assume that small firms face a lower risk than large firms because many people can be affected by errors that occur in large firms, the fact remains that in small businesses -- and I know something about this area -- information is often passed on from one person to another.
Do you have some way of preventing information from getting passed along from person to person within small businesses? What happens is that people know and call one another, requesting information about a particular individual. Ultimately, information ends up in the hands of someone other than the person requesting it.
How would your code of ethics and the voluntary compliance measures you mention limit this transfer of information?
:
Thank you, Mr. Chairman.
I want to direct my question to you, Ms. Ireland. In your presentation, you actually were quite outspoken on the issue of what I'll call outsourcing, for lack of a better word, or the notion that companies will take what is in some cases personal information and will use a third-party contractor who may be out of country.
PIPEDA currently allows that under the fourth paragraph of section 4.1 of schedule 1, and essentially says that companies or organizations would have to assure, by contract or other means, that these third-party organizations would provide at the very least a comparable level of protection for those types of services.
We had testimony from the Canadian Bankers Association, for example, that talked about the fact that outsourcing is a reality now, and that it in fact makes business more competitive. By extension, that provides more competitive prices for consumers.
Are you objecting to it just on principle? Could you reflect a little bit on why that would be so objectionable if these third-party companies provide that same level of protection?
:
The chairman is quite right, I should not speak for them, but my perception is that many of the members of Parliament do not know what this legislation is. Many of us don't even know how to pronounce it. God knows what the French speakers think. They may have a debate in the French language on how to pronounce it.
This legislation has been in the works for, I don't know, a couple of years. Last year the commissioner's budget was $6 million. This year it's $16 million, and that is because of the issue that is before us now. A lot of it is.
The commissioner has come and said that a lot of her budget has to do with education, as have the witnesses. The average person doesn't know anything about this, whether you're a big bank or whether you're a dry cleaner somewhere.
There will be all kinds of amendments. The staff is going to prepare us a list of proposed amendments that have come from witnesses. If the thing is too difficult now, if members of the public find it too difficult now--and this is a question for both witnesses, particularly the Canadian Federation of Independent Business--what will they do when we make a whole bunch of amendments? Will we just drive them over the edge? Let alone in cost, in understanding.... People could be violating the law and they don't even know they're violating the law.
My question for you is this. Taking all that into consideration, and taking into consideration the cost to the government, and taking into consideration the cost of educating individual organizations and their members, whether it is chambers of commerce or independent business or whatever, should our report back to Parliament be that maybe we should just wait a little bit? If we make any amendments at all, maybe we should make it less onerous.
:
Thank you, Mr. Chairman.
I find it very disturbing to hear the comments from consumers and industry representatives. They claim that we may have to wait years to find out what we're going to do about this. I don't see what the problem is.
I think that good old-fashioned common sense should prevail. What is personal information? Each of us has a driver's licence. We all have personal information. We know what we're referring to. We also know that certain information such as a credit card number or some such thing should not be disclosed to just anyone.
Therefore, in my opinion, when a consumer discloses personal information to someone, that person should be held responsible. Furthermore, persons or firms to whom personal information has been disclosed become the guardians of that information. If documents are lost, or if some facts are conveyed to other persons, the individual who disclosed the personal information should be held accountable.
Secondly, the act should contain a provision whereby all costs, including those associated with credit cards, that may have been incurred because personal information was lost should be borne by the company that lost them, and not by the consumer who trusted this business.
What do you think about that idea? The onus should be on the company in question. The owner of a business should be able to protect the personal information of other individuals, of other consumers, as if this was his very own personal information.
An hon. member: Oh! Oh!
Mr. Robert Vincent: I'm sorry for bothering you, but we weren't sure where this was going.
How do you feel about making businesses more accountable for the loss of personal information? Do you feel that they can be made more aware that they have a responsibility here and that they should look at the act to see what they can do? I'd like to get your opinion on this matter.
Earlier, mention was made of conveying to businesses, both large and small, some knowledge of the act that they are required to enforce. Someone asked a good question on this subject. It was noted that the Commissioner travelled across Canada giving speeches about PIPEDA to keep people informed about procedures that must be followed.
Do you not think the government could take on more responsibility in terms of imparting information about the act to those concerned, using the case of the National Building Code as an example? The federal government publishes the code every five years or so and on that occasion, some representatives crisscross the country to bring people up to speed on any new provisions, even if there are only a few of them.
Some organizations also issue certifications, for example, in the case of ISO, LEED or Novo-Climat in Quebec. For instance, one-, two- or three-hour courses may be given to engineers to provide certifications.
Do you think it would be possible to increase awareness of the act's provisions among small businesses and large companies by providing personal information certifications?