ETHI Committee Meeting

38th PARLIAMENT, 1st SESSION

Standing Committee on Access to Information, Privacy and Ethics


EVIDENCE

Wednesday, December 1, 2004

CANADA

NUMBER 005, 1st SESSION, 38th PARLIAMENT

[Recorded by Electronic Apparatus]

*   *   *

(1535)

[English]

    The Chair (Mr. David Chatters (Battle River, CPC)): We will call the meeting to order.

    We have two guests with us today. With us is Jennifer Stoddart, Privacy Commissioner of Canada, who was with us the other day, and we have unfinished business there; and with Jennifer today is Heather Black, assistant privacy commissioner. Welcome to the committee.

    Before we start, I'd like to read the order of business that we're here to do, and that's, pursuant to Standing Order 81.5, supplementary estimates (A) 2004-05: vote 45a, Office of the Privacy Commissioner, under Justice, referred to the committee on Thursday, November 4, 2004. I call vote 45a under Justice.

    We'll proceed with the witnesses' statement first. Please go ahead.

    Ms. Jennifer Stoddart (Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada): Thank you very much, Mr. Chair, honourable members.

    With your permission, Mr. Chair, I'd read a short opening statement that is factual in nature, given that I think we are dealing primarily, first of all, with financial information. As you said, I'm accompanied by the other assistant privacy commissioner, Heather Black, today. Mr. D'Aoust is on a speaking engagement in the west. And I have members of my staff with me. With me are Patrick Amyot, who is director of finance; François Cadieux, the departmental liaison officer; René Couturier, director of communications; and Nancy Sanders, director of human resources. Should the members have any detailed questions on any of these areas, they can respond.

[Translation]

    Members of my staff who are with me today will be happy to field any detailed questions that you may have.

[English]

    So thank you very much for calling us to discuss our supplementary estimates. I'd like to start out by thanking the committee for considering, recommending to the House, and approving our $4.7-million grant for the implementation of the Privacy Act in our main estimates under vote 45. And as you know, we really appreciate this funding to carry out our investigations, compliance reviews, and to address citizens' complaints and respond to public inquiries.

    I'd like to go on and talk about the supplementary estimates. As I mentioned at my last appearance, I've set a clear goal of rebuilding the trust of Parliament and Canadians in our office, and most notably to lead the office's institutional renewal in the areas of human resources, planning, budgeting, and reporting.

    This renewal is a critical factor in our efficacy and efficiency as an ombudsman dedicated to the promotion and protection of privacy rights. We've made, I think, slow but steady progress towards that goal in remedying many of the issues highlighted in past audits of our office.

    As I mentioned in my last appearance, our office is funded to protect data protection rights in accordance with two federal statutes, and the 2004-05 supplementary estimates--that is, vote 45a--reflect the budget of $6.7 million for work to be carried out under PIPEDA, that is the Personal Information Protection and Electronic Documents Act, which you adopted in 2000. This particular funding sunsetted last year. It was renewed for one year and it's tabled with Parliament in supplementary estimates (A).

[Translation]

    The 2004-2005 Supplementary Estimates also reflect an operating budget carry forward of 5 per cent of our Office's 2003-2004 Main Estimates. This amount is explained by the funds received in 2003-2004 to assist the Office in its institutional renewal efforts. This budget has not, however, been substantially modified for years.

    As a result, in the last few years, our Office has spent the funds allocated for PIPEDA to cover off the requirements to manage complaints under the Privacy Act and to do minimal public education on privacy rights.

    As well, the Office assumed additional responsibilities under the 2002 Treasury Board policy on Privacy Impact Assessments for which it has never been funded, either to enforce this or other legislation previously examined.

    Although we are currently not experiencing a shortage of financial resources because of the staffing challenges addressed during my appearance before this committee a few weeks ago, we do, however, foresee in the long-term that our existing funding will be inadequate to address growing privacy concerns under both privacy statutes.

    Our Office must work in accordance with Treasury Board Secretariat requirements to determine its permanent level of funding. We will be doing an A-base review of the Office's operations which will also include a business process review of our investigations and inquiries functions. These functions account for a significant proportion of our resource utilization.

(1540)

[English]

    So in 2005 we will make a submission for long-term permanent funding. This is necessary to further strengthen our human resources practices and to reposition our core operations and functions to meet the ever-increasing complexity of privacy issues in both the public sector and the private sector.

    At your request, Mr. Chairman, we provided the committee with a copy of the office's organizational charts and salary ranges. I would like to draw your attention to the fact that this organizational chart is still very much a work in progress. We're still finalizing the classification reviews of our positions and we will also be undertaking a business process review of our key operations as mentioned earlier. At the completion of these two activities, we would hope to provide this committee with a more accurate organizational chart.

    In concluding, I would like to draw the attention of the committee to the fact that adequate funding is required for the office to continue demonstrating value in dealing with privacy complaints, privacy audits, and in educating and informing Canadians about the importance of privacy.

    Thank you very much for calling us here. I would be very happy to answer any questions you may have.

    The Chair: Thank you very much. We look forward to your answering questions from our members.

    We'll start with Mr. Tilson.

    Mr. David Tilson (Dufferin—Caledon, CPC): Thank you very much, Mr. Chairman, and Ms. Stoddart and Ms. Black.

    I'd like to carry on with an area that I started into the last time you appeared before the committee, and this has to do with identity theft. You pointed out that it may be more of a police matter than a matter for the commission, and I understand that to a certain extent. However, since then there has been this terrible story from, I believe it was West Virginia, involving somebody in a scrapyard getting all kinds of faxes from the Canadian Imperial Bank of Commerce, where all kinds of information was sent from all across the country. I've read in the media that you're doing an investigation or some sort of investigation. Can you give us any details on that investigation?

    Ms. Jennifer Stoddart: Thank you for the question.

    Our investigations are usually conducted in private, so I can't give you perhaps a great amount of detail about what we're finding. It's still the beginning of our investigation. I can perhaps tell you what we have done.

    We were contacted, I think it was Thursday afternoon, by a representative of the CIBC privacy section and informed of this problem. We immediately opened a file on this. We've been in constant touch with the CIBC I think every day since this came to our attention. We have assigned an investigator immediately to the file. I think it's our top priority because of the implications of it at the present time. I'm being briefed daily on the progress of this.

    We have received several inquiries from the public and I believe one formal complaint from the public. I think that is the status. I should add that the president and the CEO of the CIBC phoned us yesterday and spoke with Assistant Commissioner Black, me, and the acting director of investigations to inform us of the steps that they were taking to redress the situation and to prevent a reoccurrence. That, however, does not change the status of the investigation, which goes forward on the facts that will be uncovered.

(1545)

    Mr. David Tilson: When do you expect that your investigation will be completed?

    Ms. Jennifer Stoddart: I would think in a very few months.

    Mr. David Tilson: Would you be prepared to provide this committee with a report on that investigation?

    Ms. Jennifer Stoddart: Yes, certainly.

    Mr. David Tilson: Perhaps I could ask some generic questions. I understand the privacy of the Privacy Commissioner; however, I wonder if you could tell the committee what safeguards of personal customer information your office anticipates will be in place during the investigation of a complaint from the client of a credit union or a financial institution, a bank?

    Ms. Jennifer Stoddart: You mean in our investigation, what safeguards?

    Mr. David Tilson: Yes.

    Ms. Jennifer Stoddart: All our files are treated with the greatest confidentiality. Our files do not go out of the office. Our employees have the requisite classification of security clearance levels. We have very stringent privacy protection policies in our office. We use, as a matter of principle, cover sheets whenever we're faxing information. Unless there's something that Assistant Commissioner Black can add, I think those are the main aspects of privacy and protection of personal information, which of course is a huge concern in our office, and the investigations are confidential.

    Mr. David Tilson: I expect that part of your investigation will deal with the consent of clients or customers of financial institutions, private institutions, or even government institutions, even more importantly. Can you tell us whether the consent requirements of customers with the banking sector, financial institutions, and government are adequate?

    Ms. Jennifer Stoddart: The honourable member has raised a huge question, because there are different standards of consent for the private sector and the public sector.

    Mr. David Tilson: Let's start off with the banking institutions. Are the consent requirements of the banking institutions adequate?

    Ms. Jennifer Stoddart: The standard is informed consent that is laid down in PIPEDA. It's hard to give a general answer. They are adequate if they conform to the standard set out in PIPEDA, and if on investigation, either through a complaint or not, we find these standards are not being adhered to, then we find a practice that is not legal and conforming to those standards. The consent set out in PIPEDA depends on the information that is given to the person at the time they consent, that is, the nature and circumstances in which they give their consent.

    Perhaps I could ask the assistant privacy commissioner, Heather Black, who is acting general counsel, to elaborate on this.

    Ms. Heather Black (Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada): The PIPEDA requires knowledge and consent, and the knowledge portion of it requires that the institution, whether it's a financial institution or any other organization subject to the law, explain its purposes for collecting information, how the information will be used, and to whom it will be disclosed.

    Mr. David Tilson: Do you think that's done? I'm thinking specifically of someone who comes to a bank or an institution and wants a loan, wants to transfer money to an RRSP; it could be any sort of banking information. If that is done, do you think the average Joe or Jane understands all that, understands the consent?

    Ms. Heather Black: The banks have made a fair amount of progress in making their consent forms, and their forms generally, more easily understood. It's certainly open to anyone to ask questions about the document they're signing. Certainly when people are initiating a relationship with the bank it's all very well laid out, because normally the bank is relying on those consents to do certain things such as credit checks. The credit bureaus have to rely on the fact that the banks have received consent to run credit checks.

(1550)

    The Chair: Thank you.

    Mr. Laframboise.

[Translation]

    Mr. Mario Laframboise (Argenteuil—Papineau—Mirabel, BQ): Thank you, Mr. Chairman.

    You found out about the CIBC incident through media reports. I read your 2003-2004 report in which you describe some incidents under PIPEDA and mention records obtained from dumpsters. The Office also learned through media reports that the police had discovered some financial records of bank customers in a suspect's apartment and that the records had been retrieved from a dumpster.

    Another incident reported involved the sale of bank computers containing client personal information.

    Obviously, these incidents came to your attention through media reports. In the case of the sale of bank computers containing client personal information, you discovered that the bank had reviewed the disposal process and had drafted new guidelines.

    As I understand it, you have no real authority. You stated that no complaints were filed over any of these incidents. How do you respond then? You learn about these incidents through media reports and reprimand the bank for not doing what it should have done. The bank promises to clean up its act and the matter is considered closed. What kind of authority, if any, do you actually wield? Do you lack the funding to act? Speak up, because we're here to help you.

    Ms. Jennifer Stoddart: We have some, but not total, authority. And yes, we do lack funding. We can revisit that topic later.

    You've given some interesting examples. These are incidents on which the Office opened a file because certain matters were brought to our attention, generally by the media. In both of the cases mentioned, no complaints were filed.

    We can monitor the situation and contact a bank or financial institution with a view to encouraging it to adopt the appropriate procedures and policies. We act as an ombudsman. We can also launch our own investigations. We have the power to do that.

    Furthermore, we can go to Federal Court on behalf of a plaintiff after conducting our investigation. That's also something we can do.

    Mr. Mario Laframboise: In both instances, did you conduct your own investigation, or did you merely carry out a summary audit of the operations?

    Ms. Jennifer Stoddart: We can audit the institution's operations with their cooperation. We do not conduct a formal investigation per se.

    Mr. Mario Laframboise: For instance, do you plan to investigate the incident involving the CIBC, which we've heard about in recent weeks, or do you only do audits?

    Ms. Jennifer Stoddart: We are in fact conducting a formal investigation.

    Mr. Mario Laframboise: And who determines that the incident is worthy of being investigated? Is it you? A complaint was filed. Is that the reason why you are launching an investigation? Earlier, you stated that someone had filed a complaint over the CIBC incident.

    Ms. Jennifer Stoddart: Yes, we are required to investigate any complaints we receive. We can also decide to launch an investigation in the absence of a complaint, or we can monitor a particular situation and recommend a constructive solution.

(1555)

    Mr. Mario Laframboise: Over the past year, have you initiated any investigations?

    Ms. Jennifer Stoddart: I can't answer that question without consulting with my associates. I believe this happens very rarely, because the fact of the matter is that we have a significant number of files pending owing to insufficient resources and the problems we're having with the staffing process. Such problems arise each time a review is done of administrative procedures that fail to conform to public sector practices. However, even after we've completed this review, we still won't have sufficient funds to hire the staff needed to handle all outstanding complaints.

    Mr. Mario Laframboise: I see. So then, when you do not launch an investigation, it means that you don't view the case as being important.

    Ms. Jennifer Stoddart: Not at all.

    Mr. Mario Laframboise: You're saying then that sometimes you are unable to investigate a complaint because of insufficient funding.

    The two cases mentioned in your report concern banks. These are large institutions with many employees that handle large amounts of personal information. They need to regulate their own operations, or else you need to have the power to ensure that incidents like this don't happen again.

    When we read the report, we're left with the impression that they cleaned up their act. They examined the situation and notified their customers. No complaint was filed. However, sometimes people don't complain because they don't realize personal information about them has been disclosed. If people knew the truth, they probably would lodge a complaint.

    People could also be advised to complain as soon as this type of incident occurs, but then your Office would be swamped, and that's not the objective here. However, when personal records are retrieved from dumpsters, or when a bank sells computers containing client personal information, it's time to do something to stop this kind of thing from ever happening again. We have no guarantees that it won't happen again. Is that what you're telling me?

    Ms. Jennifer Stoddart: There's one other very important power that we have, but have not exercised thus far in the private sector. I do, however, intend to exercise it very shortly. I'm referring to our authority to do audits. In accordance with the Personal Information Protection and Electronic Documents Act, the act that applies to the private sector, there must be reasonable grounds for auditing an organization's practices and operations. Thus far, we have not exercised this authority.

    Mr. Mario Laframboise: Owing to a lack of resources.

    Ms. Jennifer Stoddart: It has a lot to do with the Office's internal management problems. We can use this tool to follow up on incidents of this nature.

    Mr. Mario Laframboise: And the legislation authorizes you to carry out this type of audit. You arrive on the scene and the organization has no choice but to allow you to investigate its practices.

    Ms. Jennifer Stoddart: The Office must have reasonable grounds to act and must conform to certain standards. Our auditors must have some proof which constitutes reasonable grounds. The decision to carry out an audit cannot be made arbitrarily or randomly.

[English]

    The Chair: Your time is up.

    Mr. Lee.

    Mr. Derek Lee (Scarborough—Rouge River, Lib.): Thank you.

    Madam Commissioner, since we're dealing with estimates, I thought we'd do some number crunching, and it's not my strength to do number crunching. I'll try to deal with the macro rather than the micro because I probably couldn't get to the micro detail.

    The reason I'm doing this is just more or less to confirm that our role here is to approve the funding for your agency. You're an officer of Parliament. If we don't do it, who else will make sure the money is well spent?

    I have no doubt you're making every effort to fulfill your mandate, and your agency's doing it. Your agency has had some bumps in the road the last two years or three years.

    As I look at the supplementary estimates now, I see a number of $6.4 million; that's vote 45a. Now, as to the $6.44 million, the original estimates for your agency involved $4 million. Why would your agency not have put your whole budget in the first estimates? Why wouldn't you have had a $10-million budget for the year? Why is it necessary to come back to get additional money that exceeds the amount your agency originally asked for?

    Ms. Jennifer Stoddart: Well, honourable member, I guess in a normal world it would in fact all be run into one, and that is our goal, that eventually we may have one budget that takes account of our two responsibilities.

    The answer is that this is an historic situation. The Office of the Privacy Commissioner has historically been voted moneys, your vote 45, under the Privacy Act. Starting in 2001-02, it was then given a three-year allotment for its new responsibilities under PIPEDA, which is the larger amount.

    The PIPEDA grant then came to a term; it was sunsetted after three years. Treasury Board then, given the situation of the Office of the Privacy Commissioner, suggested simply prolonging it de facto another year and has now suggested that the appropriate way to go would be to prolong it for the next fiscal year in order that we may do all the analyses necessary to establish permanent funding.

(1600)

    Mr. Derek Lee: Somebody decided originally to sunset $6 million; it looks like it's on the verge of becoming permanent. I don't understand. If we're renewing a sunset, surely we must look at the reasons the sunset was originally planned. Does your agency need all of this start-up infrastructure for PIPEDA? Are you saying to us that your agency needs all of the start-up money plus more to carry on and live in this brave new world of threats to privacy?

    Ms. Jennifer Stoddart: I'm saying it is my estimate and the estimate of my officials that in the future we'll need this start-up money, yes, and we'll need more. We need a basic revision of the money we get under the Privacy Act, which deals with privacy in the government, and this has not been seriously looked at for many years. There are huge privacy issues that have emerged and will probably continue to emerge about what government does with personal information of Canadians.

    I would think we will be applying for resources under the Privacy Act as well as keeping the funding and possibly asking for additional resources under PIPEDA to meet, again, the challenges of the implementation of this new act and the new technologies that it applies to in the public education outreach to Canadians we should be doing. That is what Treasury Board has told us to do, to make the case to them for permanent, long-term funding.

    Mr. Derek Lee: So you're doing an education piece with moneys scoured from the $4 million plus and the $6 million. You have a corporate plan to educate the public. I guess all the agencies do, but I suppose that when we set up PIPEDA as legislation, we didn't bargain on the administrators going out to be teachers all across the country.

    I'm being a little hard on you here, but I'm asking you to justify the education and your money to the taxpayers.

    Ms. Jennifer Stoddart: That's all right.

    PIPEDA does formally justify an educational role for the Privacy Commissioner. In fact, it is one of the problems needing reform in the Privacy Act, which is a much older document, because it doesn't formally call for an educational role. At the same time, you have Canadians bombarding us with questions about what the government is doing with our personal information; technically, you don't see that dealt with in the act. But under PIPEDA, we do have a formal educational role, yes, so part of our money under PIPEDA goes to that endeavour.

    Mr. Derek Lee: So you're working with Treasury Board now and you hope to have a long-run, permanent funding structure in place when it adopts the principles of economy, efficiency, efficacy, and things like that.

    Ms. Jennifer Stoddart: That's right.

    Mr. Derek Lee: Thank you, Mr. Chairman.

    The Chair: Thank you.

    Mr. Broadbent.

    Hon. Ed Broadbent (Ottawa Centre, NDP): Mr. Chairman, I would like to go back to the issue that has been discussed here before and in the House, namely the U.S. Patriot Act and Visa information of our chartered banks being subject to the U.S. Patriot Act once it gets to the U.S. My understanding is that the Royal Bank, TD Canada Trust, and Scotiabank outsource their credit card operations to U.S. firms while the Bank of Montreal does not do so.

    In the case of the former three I mentioned, none of them explicitly tell their customers that information may be outsourced to U.S. subcontractors in the first place or that the information may be subject to the U.S. Patriot Act. My question to you is, do you think it should be obligatory that the banks at least tell their customers this?

(1605)

    Ms. Jennifer Stoddart: The honourable member may know--I think we discussed it the last time--that we are investigating a complaint about one of the banks and this particular clause. In order to let that investigation go forward and for us to be able to deliberate on it appropriately, I don't think I should take a categorical position on that at this time, because we do have a complaint investigation.

    Perhaps I could reiterate the general principles of PIPEDA, which are transparency about where information is going, what it's being used for, and its primary disclosure through primary and secondary use. These are some of the principles that are in PIPEDA and that organizations are supposed to inform people of.

    Hon. Ed Broadbent: If that's the case and the three banks I mentioned don't provide this information, then it seems to me that this is a violation of the transparency provision itself. If I'm a customer, and in fact I am a customer at one of those banks, it's in my interest right now as a Canadian to know, I would think--speaking for myself, I would like to know and didn't until recently--that this information is being accumulated in computers in the U.S. and is subject to the provisions of the U.S.A. Patriot Act, which means from my point of view, in principle, it's a violation of my privacy.

    I didn't know this before. My own personal view is that as a minimum--I'll come back to another variant on this issue--I should be told by my bank.... And it goes beyond me; any Canadian who has dealings with any of these banks ought to know in terms of normal disclosure requirements what may be happening with their information.

    I don't want to be argumentative, but I don't see how you would be in any kind of conflict because you have a particular case before you alleging a violation of privacy. That's one thing, but it seems to me that the question I'm asking has nothing to do with that particular case--whether there's been a violation of existing law or regulation or not. It's on whether or not you think, as the Privacy Commissioner, that given the transparency requirement you alluded to already, the banks should be obliged to disclose this to their customers.

    Ms. Jennifer Stoddart: Given that we are investigating a complaint about this, I perhaps don't want to forejudge our investigation before we complete it. But perhaps I can ask Assistant Commissioner Heather Black, who works very closely on this topic, to continue with the application of the PIPEDA privacy principles to this kind of case.

    Ms. Heather Black: The processing of personal information by large organizations such as banks is almost always outsourced. I think we need to--

    Hon. Ed Broadbent: One bank doesn't do it.

    Ms. Heather Black: It probably outsources it in Canada.

(1610)

    Hon. Ed Broadbent: Yes, but that's another question.

    Ms. Heather Black: But there's all sorts of information that gets outsourced. When you deal with one of these organizations, the real question you have to ask is whether consumers want in the ordinary course of events to be burdened with a wealth of detail about how their cheques are sent out to XYZ cheque-printing company to be printed, certain information is processed here and certain information is processed there.

    The whole issue of the Patriot Act has raised the consciousness of people about the fact that a lot of our information goes to the United States. It's not new. Most of our insurance information is in the United States, which in many cases is much more sensitive information than banking information.

    The position I guess I would argue on a preliminary basis, before we've completed an investigation, is that probably right now, given the general unease about the Patriot Act issue, it would be best for the financial institutions to tell people they are processing in the United States--really a departure from the ordinary rule about having to tell people every last detail about processing.

    Hon. Ed Broadbent: But if I may say so, being subject to the provisions of the U.S.A. Patriot Act is not for many Canadians a bit of incidental detail they might regard as frivolous or perhaps not necessary to their well-being. I would think most of them would be interested in this. What I'm talking about here is simply a disclosure requirement.

    But if I understood your answer now, at least you think the banks should do it. Then I'd ask you, do you think there should be a regulation that would require them to do it?

    Ms. Heather Black: I don't have any particular views on a regulation. It would be the responsibility of the Minister of Finance to make such regulations. The banks are heavily regulated as far as their information is concerned now. The Bank Act requires them to maintain records in Canada, regardless of where they're processed. All the information the banks have is also present in Canada.

    The Chair: Your time is up, Mr. Broadbent.

    That completes our first round. We'll go on to the three-minute round.

    Just before we do so, I'm not very comfortable with the lack of an answer to Mr. Broadbent's question. But if Mr. Broadbent is happy with it--

    Hon. Ed Broadbent: No, I'm not, but my round's up.

    The Chair: Well, we might consider--

    Ms. Jennifer Stoddart: I would be happy to continue, because Mr. Broadbent's questions are important and we are trying to give them the answer they deserve. They reflect the concerns of many Canadians--

    The Chair: We'd better catch that next round, if we can. But give it some thought, and we'll go on to our three-minute round.

    Yes, Ms. Jennings.

    Hon. Marlene Jennings (Notre-Dame-de-Grâce—Lachine, Lib.): On a point of order, Mr. Chair, I'm not comfortable with this committee questioning the commissioner on a file where an ongoing investigation is happening. We are putting the commissioner and the deputy commissioner in a very awkward position. It could in fact turn around at a later date. We could then be sanctioning them for having made statements that could lead the public or the banks to believe they had prejudged--had already taken a position on--what conclusions should be made with regard to the investigation of the complaint.

    I would suggest that we leave it alone. Mr. Broadbent has explored, to the extent he has; answers have been given, to the extent that they have. I don't know about the other members here, but I'm very uncomfortable with this committee going any further on this particular issue.

    The Chair: Very well, your objection is noted. I don't believe Mr. Broadbent asked the commissioner to discuss an investigation on a file that's underway. I think the question was quite broad. At any rate, we'll leave this issue now.

    Hon. Marlene Jennings: The issues that are under investigation are the issues he was discussing.

    The Chair: Ms. Jennings, your three-minute round.

    Hon. Marlene Jennings: Thank you.

    Thank you very much for your presentation.

    I have one question that pertains to the “Other Professional Services” at $917,837 on the organizational chart you provided that gives a breakdown of your estimates by reporting objects. You also have “Other Business Services” at $270,700. That comes to over a million dollars. I'd like to know exactly what those other professional services and other business services are. That's my first question. If you don't have the breakdown here, you can always provide it to the chair through the clerk.

    My second question is not about the estimates. It's about the composition of your personnel. I see from the organizational chart that you have 85 staffers at all different levels. I'd like to know what number are women, aboriginals, people with handicaps, and visible minorities. I'd also like to know what number are full-time indeterminate, full-time permanent staffers, and if you have full-time not permanent, term employees, I'd like that breakdown as well.

(1615)

    Ms. Jennifer Stoddart: Could I send those? I'm not sure I'd be able to give the honourable member an accurate answer to this question.

    Hon. Marlene Jennings: Sure.

    Ms. Jennifer Stoddart: You're of course referring to employment equity issues--

    Hon. Marlene Jennings: I definitely am.

    Ms. Jennifer Stoddart: --which, I can assure you, have been on our agenda this year. They are on our list of things to be addressed and aspects to be taken care of in staffing.

    Hon. Marlene Jennings: Thank you.

    I would like to make the point that I'm not singling out your office. I read the annual report of the Public Service Commission, and I was appalled by the fact that this Public Service Commission seems to be taking the issue lightly. There were light-years of difference between the amount of information that was provided in this report and the amount provided by the same commission in the past. There was virtually no information provided, in my view, compared to past years. So I'm taking it upon myself, any time I have an opportunity to question either agencies or departments of the federal government, to get the information directly from them.

    Thank you.

    Ms. Jennifer Stoddart: Okay. Thank you.

    I'll just reiterate my personal commitment to employment equity concerns.

    The Chair: Your time is up.

    We'll move on to Mr. Hanger.

    Mr. Art Hanger (Calgary Northeast, CPC): Thank you, Mr. Chairman.

    Thank you too, Commissioner, for the breakdown in your office budget. I see that the total actually is more in the line of $11,841,000, your total budget. You're asking in the supplement for an additional $6,440,000.

    Ms. Jennifer Stoddart: I think it's $6.7 million, honourable member.

    Mr. Art Hanger: Okay, it's $6.7 million, then.

    Ms. Jennifer Stoddart: In my opening statement, I mentioned that there are some slight variations in the columns of figures due to the additional employee benefits and things like that, which are taken care of by Treasury Board.

    Mr. Art Hanger: Basically what you're asking for in the supplement is to fund the entire salary scale in your office.

    Ms. Jennifer Stoddart: It doesn't really work out that way, but the figures do coincide. We're asking you to carry forward the PIPEDA funding in the order of $6.7 million, but that does coincide with the amount we spend on salaries.

    Mr. Art Hanger: Yes, I guess I did find that odd. I also find it very strange, along with my colleague Mr. Lee, who made reference to this issue, that you did not ask for a complete budget the first time around. You knew what your budget would be. Why would you want to come in with a supplement of those additional funds to...?

    Ms. Jennifer Stoddart: That's a very good question. This is apparently the way we have to function, because in the greater scheme of things, Parliament has never approved permanent funding for us, so this is the way we were told to operate. We are trying to regularize the situation as soon as we can. That's why we'll be spending the next six months in an intensive process to set up what's called a business case to establish a base for permanent funding.

    Mr. Art Hanger: Okay. On page 7 of the estimates you indicate that in certain circumstances the commissioner may take cases to the Federal Court. Have you ever had to do that?

    Ms. Jennifer Stoddart: To take cases to the Federal Court.

    Mr. Art Hanger: Yes.

    Ms. Jennifer Stoddart: Yes. I'll ask the acting general counsel to talk to you about that.

    Mr. Art Hanger: Before you answer, my next question is going to be this. I don't see any provision in these estimates for any kind of Federal Court cases, estimated or otherwise, other than for basic information, advertising, repair, rentals, and so on and so forth. I would think that a Federal Court case would be fairly expensive, would it not?

(1620)

    Ms. Jennifer Stoddart: Yes, court cases are expensive. We often act as intervener, because there are a number of ongoing court cases.

    Could I ask the acting general counsel to speak to that?

    Ms. Heather Black: Mr. Chairman, yes, we have initiated Federal Court cases. We do it rarely. What we usually do is work with a complainant; either we are added as a party to the action, or we act as an intervener. We do have the possibility of starting an action ourselves.

    We have been getting by with well under $200,000 a year in fees paid to outside legal counsel to conduct most of these Federal Court actions for us, so I think we're getting good value for the money we spend.

    The Chair: Your time is up.

    Mr. Bains.

    Mr. Navdeep Bains (Mississauga—Brampton South, Lib.): Thank you very much, Mr. Chair.

    Again, thank you very much, Ms. Stoddart and Ms. Black, for coming out today.

    My question, unfortunately, has nothing to do with the estimates. I have a question with respect to the document we received called “Privacy Act Reform: Issue Identification and Review”. My question pertains to personal information and the definition of personal information and the recommendation you've made in that.

    I was speaking to some of my colleagues about this as well. In the past I've heard of businesses encountering difficulties in the government sector dealing with the private sector, of really identifying what is considered personal information. Have you ever passed any ruling or judgment on this? If so, have you done so recently?

    Ms. Jennifer Stoddart: I think the Office of the Privacy Commissioner has long drawn the government and public's attention to the fact that the definition of personal information under the Privacy Act should be broadened to take into account technological developments like DNA sampling. So within the numerous reforms we think should be envisaged, including the reform of the Privacy Act, which I believe you asked a question about before, we certainly think the definition of personal information should be looked at again and be broadened because of the way the world has unfolded in the last 20-odd years since it was adopted.

    Mr. Navdeep Bains: Just in follow-up to that, in terms of the definition and broadening the definition, will that in any shape or form impact the private sector or companies in conducting their business? We understand the advancement of technology, but by advancing or broadening the definition, will that now force certain companies to provide information, for research, for example? Say you have a doctor, for example, who's prescribing information regarding a patient, and that information needs to be used for research, is that considered personal information, or in other cases like that?

    My only concern is this. If we broaden the definition, will it hurt us in other areas of research, and so forth?

    Ms. Jennifer Stoddart: If we broaden the definition in the federal Privacy Act, this should not have a huge influence on what is done with patients' personal information, because that is regulated under PIPEDA, our newer act, the one that has the temporary funding and specifically envisages those kinds of situations. In fact, it exempts certain, I'd say, restrictions on personal information when it is necessary for scientific research and it is infeasible or impractical to ask for the consent of the people. It specifically foresees that we should be able to do scientific research in medically related areas under PIPEDA.

    Mr. Navdeep Bains: Okay. I appreciate it.

    Thank you very much.

    The Chair: Mr. Hiebert.

    Mr. Russ Hiebert (South Surrey—White Rock—Cloverdale, CPC): Thank you for coming back.

    If I understand things straight, and dealing with the estimates, you've not yet spent your budget for the year? Is that correct?

    Ms. Jennifer Stoddart: No.

    Mr. Russ Hiebert: You're asking for another $6.7 million.

    I reviewed the staffing report you provided to us. Thank you very much for that. I noticed there are 22 open positions, or about 25% of your staff is not filled. I'm trying to understand: you have a surplus and you have unfulfilled positions, but you're asking for more money. Should you not wait until those positions are filled to see if that will be sufficient to solve the backlog of cases, and then come back to this committee, before asking for more money?

(1625)

    Ms. Jennifer Stoddart: Well, we actually are spending money from both sources in our budget, so we can't.... I think if we just spent money allotted to us under the Privacy Act, we wouldn't have enough.

    You've drawn attention to the fact that 25% of our positions are unstaffed—

    Mr. Russ Hiebert: It's 22 positions out of 85; that's 25%.

    Ms. Jennifer Stoddart: Yes.

    I drew the attention of the committee to the fact that this organizational chart is not as accurate as it should be. In fact, even were this committee to approve all the money, it would not be enough to staff all the positions shown on that chart. I think this is one of the historic legacies of, shall we say, mismanagement.

    Putting those two budgets together, we calculate that we have the possibility of staffing about 95 positions—not all the ones you see on that chart, which were put there at a previous time.

    Mr. Russ Hiebert: So you're saying the chart is outdated?

    Ms. Jennifer Stoddart: I'm saying the chart is inaccurate, yes. And we will get you a new chart as soon as possible. We have already corrected some of the inaccuracies that were on this, but we will continue to correct it and give you an updated one.

    I don't think the office really ever had the money to fund all of those positions as labelled, but we haven't done that exercise. One year the office overspent its combined budgets, and so we have to pull back to a position that's more realistic—

    Mr. Russ Hiebert: I just want to interject here before I lose my time.

    I'm not fully understanding something. There's an $11.8-million budget; there's about $7.8 million allocated towards staff, and 25% of these positions are not filled; but you're asking for another $6.7 million in funding, almost the equivalent of another 85 positions, according to this budget you've tabled with us.

    Help me understand why you need another full amount of funding for positions that are already filled?

    Ms. Jennifer Stoddart: Well, the money under the act, which you've already approved funding for, would not in fact cover the 85, or even the 95, positions and allow us to do things like travel-out-of-the-office investigations, maintain our website, produce public education material, etc. So we need the money from both acts. However, the most accurate breakdown, using the combined amounts from both acts, would only allow us to staff, I believe, at this time a maximum of about 95 positions. If I say about 95, it depends on how much the positions cost with their benefits.

    The Chair: Mr. Laframboise.

[Translation]

    Mr. Mario Laframboise: Thank you very much, Mr. Chairman.

    If I understand correctly, Ms. Stoddart, even if you received 95 per cent of the funding you needed, you still would not be able to exercise your audit authority. You've never in fact exercised this authority and your budget merely allows you to keep up with your workload.

    Ms. Jennifer Stoddart: That's about the size of it. Many positions remain unstaffed. We hope to remedy this situation very soon. Ideally, we would still need additional resources to put in place a real audit team to crisscross the country and audit organizations that come under PIPEDA.

    Mr. Mario Laframboise: I agree with you there. I've thoroughly reviewed the work done by your Office and I agree that there is still work to be done.

    Getting back to my initial question, I'm concerned. A growing number of banks are doing business in cyberspace. Call centres are often Canadian branches of US banks that have given themselves a Canadian name. Obviously, we don't know what they do with the information supplied to them. Banks and the health care system have the most personal information on file.

    I want you to exercise your authority to do an audit. I'd like you to table a budget and tell us how much it might actually cost to do these audits. We're certainly not here to squander the Liberals' infamous surplus, but perhaps we could use some of these surplus funds to look out for the interests of members of the public. Often, they have no idea why they're being asked to disclose personal information or what happens to that information subsequently. The only way to get answers is to do an audit without giving any advance notice.

(1630)

    Ms. Jennifer Stoddart: Are you making a formal request, sir?

    Mr. Mario Laframboise: If possible, yes.

    Ms. Jennifer Stoddart: Can you give me some time? The new director is currently away on training. We would be happy to do an audit, particularly as the audit function would demand knowledge of accounting and computer practices that we currently do not have. We would need to hire people who know something about the personal records kept in data banks and computers.

[English]

    The Chair: Thank you.

    Mr. Powers.

    Mr. Russ Powers (Ancaster—Dundas—Flamborough—Westdale, Lib.): Thank you, Mr. Chair.

    I have two quick questions. Number one, just following up on something raised by the honourable member Mr. Hiebert, perhaps you could give us something on a spreadsheet. Like him, I have some problems with the rationale of the unfilled positions and the request for the funding in order to do that. So perhaps you could give us some explanation, perhaps in written form, as to why the full complement of funding is required to complete this fiscal year. That would be helpful.

    Ms. Jennifer Stoddart: Certainly.

    Mr. Russ Powers: The other one is just a very quick question. My simple question is, if indeed there were the appropriate funding, would there be a willingness of your group to assume some of the responsibilities of the whistle-blower legislation, if indeed it were deemed appropriate and funding were put in place?

    Ms. Jennifer Stoddart: It's not a question to which we've turned our minds.

    The Chair: That's it.

    Mr. Broadbent.

    Hon. Ed Broadbent: I'd like to go back to that subject. I appreciate your willingness to continue the exchange that we had before.

    To go back to the question that Ms. Black answered, I don't want to put it too strongly, but with reference to the banks, I found it surprising when the suggestion was made that we could rely on the Minister of Finance to make a decision on what the banks should or should not disclose. In the context of your mandate to Parliament, of course, your appointment is approved by Parliament and you report to Parliament. If I misunderstood, I'd like to go back to that.

    To go back to the issue of whether or not answering questions on the appropriateness of requiring banks to disclose to Canadian customers whether information and data is being disclosed in the U.S. under the provisions of the U.S. Patriot Act, I haven't the foggiest concept of how that could be seen to be interfering in the particular case that you have under consideration. It seems to me that it's a basic requirement for your office to inform us, as members of Parliament, in terms of your concern with privacy, either in the private sector or the public sector, on your views and principles about regulation and whether it's necessary or not necessary.

    As I understand it, right now, under the provisions of the U.S. Patriot Act, warrants and subpoenas could be issued in the U.S. to obtain information on Canadians who happen to be residing in the U.S., because Canadian banks have subcontracted some services to U.S. sources. That's my understanding of the provisions. I see that you're nodding that you are in agreement with that.

    It seems to be a pretty clear example in terms of the security operations of the United States. Whether they're right or wrong in their judgment about a particular individual, a Canadian, in terms of the ultimate sense of whether this person has or has not been doing something wrong under U.S. law...let's assume that their security forces see that a number of individuals happen to be Canadian citizens. This has been known to happen before. In fact, they do it now, with the number of people being held in Cuba. Under the powers of existing law in the U.S., the Patriot Act, they may get personal information about a Canadian citizen who may be totally innocent of anything, but happens to visit the U.S. Suddenly, all kinds of personal data could turn up for U.S. security forces.

    In general terms, with a specific kind of incident, that is my concern, and I want to come back to that. Again, I'd like to know your view on whether in principle, as a minimum, our banks should be required to disclose to Canadian customers that this may happen. It seems to me a judgment about privacy matters that, in my view, you should express an opinion on.

    A related question would be this. Is disclosure sufficient? Perhaps we need some tougher regulation. In the banks, perhaps this really is a question. This part is not a rhetorical point, it's a serious question. Given these possibilities, perhaps we need tougher regulation to stop the flow across the borders and, in certain instances, stop the flow of contracting out privacy information about Canadians to foreign sources, whether it's the U.S. or any other foreign source.

(1635)

    Ms. Jennifer Stoddart: With great respect, I would decline to answer specifically your first question. I think it does go to the heart of the matter that we are investigating, where we have a complaint about a bank and the information is processed in the United States. I think many of the questions you have been raising will be addressed in that, so with great respect, I'd rather go to your second question.

    Hon. Ed Broadbent: Could I ask you to clarify the first one? I would certainly be the last person who would want to jeopardize any individual case. Would you explain to me, on the question that you're considering, how an answer to my question would somehow put that question in jeopardy?

    Ms. Jennifer Stoddart: Well, we have a complaint about the outsourcing of personal information for processing by a Canadian bank. We are currently investigating that. So I think it is inappropriate, in terms of being fair in the process, impartial in the investigation process in our consideration of the facts that come up, in our consideration of the position that can be put forward by both parties, to prejudge what remedies we might suggest or not suggest should we find that the complaint was well founded.

    The Chair: I understand that it's an important issue. Could we ask that when that investigation is complete, you would give us a report of that investigation--which would, it seems, answer Mr. Broadbent's question?

    Ms. Jennifer Stoddart: Yes, certainly.

    The Chair: Mr. Bains.

    Mr. Navdeep Bains: Thank you very much, Mr. Chair.

    Now, my question is going to pertain to the expenses or estimates that you have outlined for 2004-05.

    Based on the $11.8 million that you've outlined here, $6.4 million goes toward salaries, approximately $1.5 million is for employer contributions, and then you have an additional $1.8 million in professional fees, which you will provide backup for as per Ms. Jennings' request. That's about $9.7 million.

    I'm slightly astonished at the repair and maintenance, $800,000, which I think is a substantial amount. I think that might reflect some legacy systems that you deal with, possibly. Perhaps you can talk about that briefly.

    After all that's said and done, that leaves you very little money for discretionary spending. The last time we met I had asked, do you have any tools or any software, or any type of technology that you foresee in the future will help you to streamline your processes so that it relieves the amount of money you need to spend on salaries and on personnel? You had indicated that there were tools or technologies that you were dealing with. I don't see that expenditure here. I don't see that amount reflected here. Do you have any major upgrades to any systems when you're dealing with concerns or setting up your office right now?

(1640)

    Ms. Jennifer Stoddart: It's hard for me to hear, unfortunately.

    The honourable member's question has to do with the systems that we use to--

    Mr. Navdeep Bains: Correct.

    To simplify it very briefly, one is that you have $800,000 for repair and maintenance for machinery and equipment. So I'm assuming that has to do with legacy systems. Would you clarify that? That seems to be a substantial amount.

    Secondly, my question is with respect to any further investments into any other technology that will help to streamline processes. Perhaps you could speak to that, please.

    Ms. Jennifer Stoddart: Yes, in fact, over the last year and a half we have spent a certain amount in upgrading our software systems. This has been a major expenditure. Because we can't fill positions as rapidly as we would want to, we have put money into that. So we have a new system, called an IIA system, to track cases, which was extremely expensive. Through new Microsoft applications we are upgrading our financial system. I believe our HR system, too, has been upgraded.

    On corporate services, is there anything?

    Could I ask the chief of financial services to give us more details on that?

    Mr. Navdeep Bains: That sounds good to me.

    Mr. Patrick Amyot (Director, Financial Services, Office of the Privacy Commissioner of Canada): In terms of the $800,000 you're talking about in repairs and maintenance, it's divided into two things.

    The repair and maintenance of equipment is $500,000. That's basically licences for software renewal. Microsoft is a big one. We have also all the financial systems: Free Balance, HRIS, and all the systems that are used for corporate services.

    The other portion is $242,000 for non-professional contracted services. That's basically temporary help. All the temporary help goes here.

    We presented it this way because this is the way public accounts are presented for reporting objects. So it's represented in the normal fashion or the normal chart of accounts or display that the government presents it in.

    Mr. Navdeep Bains: I appreciate the clarification.

    In terms of the investments you have made in the technologies and for the software, are they included in this, or were they included in last year's estimates?

    Ms. Jennifer Stoddart: I believe some were included in last year's estimates.

    Mr. Navdeep Bains: Are the ones you put in included in the repair and maintenance section, the additional software that you talked about, the upgrades?

    Ms. Jennifer Stoddart: No.

    Mr. Navdeep Bains: Can you tell me where they are included in the estimates here? Are they included in these estimates?

    Mr. Patrick Amyot: The IIA system was included in last year's public accounts. That's new software that we use to track cases. That's an investment we made, but it's not included in this budget right now.


    The Chair: Mr. Tilson.


    Mr. David Tilson: Mr. Chairman, I just have a general question on the funding they're requesting. I've reviewed again your introductory statements today and the last time, and I could be misinterpreting what you're saying, but clearly the commission is having a certain amount of difficulty in rebuilding the office and dealing with the two pieces of legislation. You've said today that roughly 25% of staffing needs to be done for different things. There's a little legal action, which may or may not be a good thing. You've never used the audit power.

    And then I looked at this booklet that was delivered, at least to my office, this morning. I don't know whether other members got it. I have yet to look at it in detail; it's this document done in 2000, “Privacy Act Reform: Issue Identification and Review”. In your letter, you made an astounding statement, which I'd like you to elaborate on. This is almost five years old: “I would also like to point out that although this report was originally tabled with the federal Department of Justice, no formal discussion with the Department ensued as a result, nor was any action taken to implement the recommendations contained in the report”.

    So, hello, is anyone out there? I guess my question is, you're asking for a whole lot of money, but no one's listening to you. And you're planning on staffing, but clearly the government doesn't seem to be listening to your recommendations. They won't even talk to you; that's what your letter says at least.

    Could you comment some more on that?

(1645)

    Ms. Jennifer Stoddart: I just wanted to put this report into its historical context, because you had asked for the latest formal report or suggestions for reform of the Privacy Act. It was done in the last weeks of the tenure of Commissioner Bruce Phillips. My understanding is that his successor did not give his attention to this or did not consider it a priority. And there was no subsequent follow-up on this.

    It is clear that the Privacy Act is in need of reform. However, this is the last formal document, I would say. We are beginning to work on this.


    Mr. David Tilson: You're going to start all over again. You're going to prepare another one? Why do you want to listen to that one?


    Ms. Jennifer Stoddart: I don't know if we're going to start all over again, because I think a lot of things are self-evident and have been, I would say, for almost 20 years.

    To the question, is anybody listening, I'd say yes, Minister Cotler is listening; we met with him for about an hour and a half on Tuesday.


    Mr. David Tilson: But this report's five years old.

    I guess I'm getting at.... Mr. Broadbent asked some questions on his issue and I've asked some questions on my issue; we're concerned about whether the laws are adequate. The previous commissioner, Bruce Phillips, made some recommendations. But no one's listening; it's as simple as that. And yet we're coming along asking for another, what, over $6 million for different things.

    So my question is, shouldn't we really be clarifying what our mandate is or ensuring that when you make some recommendations at least someone will listen to you for over $6 million?


    Ms. Jennifer Stoddart: If I could point this out to the honourable member, the money we're asking for today is the money under the new Personal Information Protection and Electronic Documents Act.


    Mr. David Tilson: I understand.


    Ms. Jennifer Stoddart: Okay.

    With that act, you can say the government certainly took action, because Parliament adopted it in 2000 and funded us substantially for the first three years. The issue is now, how do we go forward with long-term funding? And it's that part of our budget that is integral to our daily operations, because we don't have enough with the Privacy Act budget, which we're technically here before you on.

    But the honourable member is quite right. I am very concerned about what I discovered on assuming this office, the historic lack of action on Privacy Act reform issues. This goes back far before this 2000 report tabled by Commissioner Phillips. To go back to one of the questions raised by the honourable member, Mr. Broadbent, there are also reports that have never been acted on, including at least one important report called, Crossing Borders, which is about the international circulation of information.


    Mr. David Tilson: Look, all I'm saying is that with 174 pages of recommendations, surely you as commissioner could say, “Do something”.


    Ms. Jennifer Stoddart: Yes, that's what I'm saying.


    The Chair: Okay, Mr. Hanger.


    Mr. Art Hanger: Thank you, Mr. Chairman.

    In a previous life, I was a commercial crime investigator. During those years the big issue for identity theft and fraud, which involved maybe those with a criminal intent as individuals or as groups, organized crime, was to obtain the carbon copy of the credit card receipt that was thrown away in the garbage. These sort of ambitious types would rummage through the garbage and get the information of the credit card and be able to actually reproduce those cards and commit criminal acts.

    Today, of course, there are a lot more electronic devices and cards--debit cards, for one. I was just reading in the Chronicle-Herald about a situation where the debit cards that customers use to pay for whatever goods or services often show the entire number of the card on the receipt. In your opinion, is this a breach of the act, to allow that information to be exposed openly on a receipt?

(1650)

    Ms. Jennifer Stoddart: I think I would have to give that question more thought. It certainly seems to me a practice that should be avoided when at all possible. Is it possible?


    Mr. Art Hanger: Yes, it is.


    Ms. Jennifer Stoddart: I think I'd have to look at that.

    Could I ask Heather Black, who looks at these cases a bit more closely, to give you her opinion?


    Ms. Heather Black: The law requires organizations to protect personal information with security appropriate to the information itself. So in the circumstances you're talking about, my view would be that if it's not necessary to display the entire number, then it shouldn't be done.

    It's something that used to happen with credit card numbers as well. The whole number appeared on the receipt. In the last couple of years, it has only been the first three or the last three numbers, or whatever.

    Anything an organization can do to prevent information being misused, they are required to do.


    Mr. Art Hanger: What can the commissioner's office do about it?


    Ms. Heather Black: Our normal way of proceeding would be threefold: we can wait until we get a complaint on this issue, we could start or initiate our own complaint, or I think the better way to go is to educate business organizations to the risk that they're running and that they're running for their customers when they do this sort of thing. We do public education in the form of, often, best practices or fact sheets that go up on our website so that it gets much wider distribution than a mere finding.


    Mr. Art Hanger: Apart from an educational effort, there's no other proactive stance that the commissioner has--or even authority, then. If you were to look at the number of small businesses in this country that might not be complying with any kind of policy or best practices, there's nothing, really, you can do about it. You would be overwhelmed with complaints if even a small business chose to proceed along the way they're used to doing and maybe not wanting to spend any money to, say, hide the numbers. I know the technology is out there that's capable of doing that.


    Ms. Heather Black: I venture to say you're right, and there are probably lots of organizations out there that are waiting to get caught, but we do our best to encourage compliance with the law.


    Mr. Art Hanger: But there is no law.


    Ms. Heather Black: There is a law. The PIPEDA requires organizations to protect personal information with various methods of security from encrypting it, to keeping it locked away, or whatever is appropriate in the circumstances.


    Mr. Art Hanger: Thank you.


    The Chair: Thank you, Mr. Hanger.

    Mr. Hiebert.


    Mr. Russ Hiebert: Thank you.

    Just before I ask my question I do want to make a note here. I've just added the numbers attached to the organizational chart that you gave to us, and the maximum salaries don't jive with the budget that you've given us. The maximum salaries come to about $5.3 million, if all the positions were filled, and you're asking for $6.4 million. So there's some discrepancy here that needs to be resolved, and I would encourage your office to do that.

    My question relates to a topic that I raised the last time you were before this committee. We had a brief discussion about RFIDs, radio frequency identifiers. Since that time I've learned that Applied Digital, a company based in Florida, has received FDA approval for using VeriChips--these are subdermal implantable chips--to sell them in the United States. When contacted, they've indicated that they have not yet applied in Canada, but they intend to do so and they intend to sell them worldwide.

    While these subdermal chips may not be intrinsically dangerous, there are huge privacy concerns associated with these things. They are currently being used in Europe, for example, in Spain for financial transactions. People are proposing them to be used for quick access to medical records. Of course, the concern is whoever gathers this information, because it's non-voluntary at this point...what happens to that information is a real concern.

    So my question to you is, what concerns do you have about implantable chips in humans, in Canadians, and do you believe that legislation ensuring that the use of these chips remains voluntary would be an appropriate response to the possibility of coercion by government or by commercial interests? To say it another way, if the use of such chips remains strictly voluntary and legislation ensures that, that would give people the feeling that their privacy is not being abused as this development comes forward.

    Please comment.

(1655)

    Ms. Jennifer Stoddart: Yes, we are very concerned about developments, and this is I think potentially one of the most privacy invasive. As I recollect, there's also a Montreal firm that is working on this. This would be so that we have local versions of this technology that could be implanted, but I'd have to check my facts.

    This is of great concern to us. What can we do in the immediate is a question. As you see, we're understaffed. A lot of our specialist positions are not filled. I think what we have to look to in the future is the question, is the Privacy Act or PIPEDA, which is general.... That is, some of the answers we give are general. We give those answers because the legislation is general and always has to be interpreted in the context.


    Mr. Russ Hiebert: Would you support legislation to protect Canadians?


    Ms. Jennifer Stoddart: So one of the questions that I'm asking myself and we're asking ourselves at the office is should we go, in the cases of fast-moving technology such as implantable RFIDs, to spot legislation? I think that's one of the questions. I've raised this, in fact, with the minister Tuesday, and I said I think this may be a way to go. We should look into this, and I think that, yes, this would be a direction we could move in.


    Mr. Russ Hiebert: I'd appreciate a response from your office as to what you're doing as a commission with respect to this issue. It's very fast moving, and I think a written response to this committee would be appropriate. Can you provide that?


    Ms. Jennifer Stoddart: Yes.


    The Chair: Thank you.

    Last question, Mr. Broadbent.


    Hon. Ed Broadbent: We'll leave the one we were on for a while. I want to use my time to raise a much more general question about the right of privacy in general.

    Article 12 of the Universal Declaration of Human Rights reads as follows: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

    Before coming back to political life, I was the head of an international human rights group in a democratic development organization that was concerned with a variety of rights. This right of privacy seems to me to be a serious matter, and one issue anyway is unresolved in my own mind, but it's a matter of public concern, I think.

    Princess Diana was, in the view of some, harassed by journalists--that is to say, in this case, having her picture taken when she did not want to have her picture taken. There have been many instances of Canadians, both public figures and ordinary people, who have had their pictures taken under circumstances in which they did not want those pictures to be taken.

    In terms of your consideration of privacy, let me put forward a contention to see if you agree with it or not. If I'm residing in my own home, or I'm residing in my own hotel room, or if I am driving my own car--and I'm in the car as opposed to walking down the street, or being in a park, or climbing a mountain, or what have you, all of which are public spaces--do you think citizens ought to have their right to privacy protected in the former circumstances, that is to say, home, hotel, car, with a prohibition of photos from being published unless they give their consent?

(1700)

    Ms. Jennifer Stoddart: Certainly, those are usually private spaces in most instances. In some circumstances they may be less private, but most of these have to do with public security and public safety issues. Yes, as a general rule, they should not be photographed in those particular places without their consent, I would agree with that. The issue of what one can do with photographs is a really important issue, which is now before the Senate in related legislation having to do with copyrights of photographs. This is an issue that we are looking at. So, yes, I would agree with the honourable member that in most circumstances, yes, you have the right not to be photographed in the privacy of your home.


    Hon. Ed Broadbent: Let me pursue that. There have been some well-known cases--I won't cite them--where TV cameras and photographers have arrived on the scene with police forces, including taking pictures of people in their own homes. These are, up to this point, quite innocent people. Beyond that, to go back to a photographer who takes pictures, zooming with a zoom lens through a window in somebody's home, and takes a picture whether police are there or not, if I've understood you correctly, you think this is an invasion of privacy. But do you think publications, newspapers, television networks in Canada should be prohibited from using that material unless the individuals in question give their consent?


    Ms. Jennifer Stoddart: The honourable member asks questions that are very complex and don't usually have one response, because it depends on the conditions of each case.

    The police should be there, because they have a warrant. The warrant can be contested after the fact. The question can be asked, do they or do they not have the warrant, so that goes to the legality of the information they've been getting. The photographer, no, does not have the right to zoom into someone's home, as I understand it. However, once the photographer or media have the information, then the question becomes an issue of freedom of information, circulation of information. I believe there are cases in which our courts have held that some information, even if obtained illegally, when it enters the public domain can be published. I think everything depends on the exact circumstances and the type of information that is being circulated, being used.


    The Chair: Time's up, Mr. Broadbent.

    Thank you, colleagues, for excellent questions, and thank you, Ms. Stoddart, for very candid responses.

    The questions were tough, but I think most of us around the table recognize what the situation was in your office when you took it over and understand the restructuring job you have to do. Some of the questions perhaps reflected a lack of understanding of what's going on in your office, but I think most of us do appreciate that.

    Thank you again for coming before us and answering our questions, and we look forward to having you back again before too long.


    Ms. Jennifer Stoddart: Thank you.

    I'd just say in closing, Mr. Chair, that we'll certainly attempt to answer all your questions. They were all challenging but important questions that go to the heart of this issue, and I'm very happy to attempt to answer your questions. If we can't now--sometimes they need a bit more research--we'll be happy to send our answers to you.

    Mr. Chair, I am concerned about our funding, because the $6.7 million that technically is before you for approval is an integral part of our ongoing funding, even though we only have some of our positions staffed. We will do our best to get this financially related information you've requested to you as soon as possible and then follow with the answers to your other questions.

(1705)

    The Chair: We appreciate that.


    Ms. Jennifer Stoddart: Thank you.


    The Chair: Colleagues, we have to dispose of this business so I, as your chair, can report it back to the House. I would ask, shall vote 45a under Justice carry?

JUSTICE

Office of the Privacy Commissioner of Canada Program

Vote 45a--Office of the Privacy Commissioner of Canada--Program expenditures and contributions..........$6,440,190

    (Vote 45a agreed to)


    The Chair: Shall I report vote 45a to the House?

    Some hon. members: Agreed.

    The Chair: Thank you.

    I'd like now to submit a report from the subcommittee on future business, from a meeting we held on Monday afternoon. We've brought a couple of recommendations back to the committee for your consideration: number one, that the committee hold a meeting with the Clerk of the House of Commons on Monday, December 6, 2004, at 3:30 p.m. on the proposed mandate of the committee; and number two, that the committee hold a meeting with the Ethics Commissioner on Wednesday, December 8, 2004, at 3:30 p.m. on the mandate and the operations of his office.

    I open that up for any discussion you might have, or a motion.


    Hon. Marlene Jennings: I move that we adopt it.


    The Chair: Mr. Hiebert.


    Mr. Russ Hiebert: Is there any interest in members having our meeting with the clerk on Tuesday, December 7, as opposed to Monday, December 6?


    The Chair: I think that's an issue of availability of space; I don't think that's possible. There just isn't a place to have our meeting. I understand that after the Christmas break our meetings will be on Tuesdays and Thursdays rather than Mondays and Wednesdays. It's very tight to find space, so I don't think that would be possible.

    Are there any further comments? Yes, Mr. Broadbent.


    Hon. Ed Broadbent: Mr. Chairman, I'm sorry. I agree with it, and now that I've agreed, I want some facts. Who's coming on Monday, December 6?


    The Chair: That's the chief clerk of the House of Commons.


    Hon. Ed Broadbent: On what?


    The Chair: On the proposed mandate of the committee.


    Hon. Ed Broadbent: And then on the eighth?


    The Chair: On the eighth it's the Ethics Commissioner.

    The clerk informs me that he will make available to your office two possible drafts of our mandate for you to look at before the meeting.


    Hon. Ed Broadbent: Thank you.


    The Chair: Is there any other discussion?

    (Motion agreed to)


    The Chair: Finally, we have a notice of motion from Mr. Hiebert. Go ahead.


    Mr. Russ Hiebert: Basically, the purpose of this is to bring forward in the future the estimates from the Information Commissioner to this committee. I understand that at this point it's too late for us to see those estimates and to comment on them, but in the future it would give us the purview of reviewing those estimates from that office just as we've done--


    The Chair: I beg your pardon, Mr. Hiebert. Which commissioner were you suggesting?


    Mr. Russ Hiebert: Isn't it access to information?


    The Chair: That we get. I think you're referring to the Ethics Commissioner.


    Mr. Russ Hiebert: Sorry, it's the Ethics Commissioner; my mistake.

    It would give us the same access to the Ethics Commissioner's estimates as we've just had in the review for the Privacy Commissioner. That's the purpose of the motion.


    The Chair: I think there are some problems with it, but it's a good idea.

    Miss Jennings.


    Hon. Marlene Jennings: One of the reasons the committee has just adopted the second report was, point one, to hold a meeting with the Clerk of the House of Commons on Monday, December 6, on the proposed mandate, and this is an issue we'll be bringing up. Given that, I would suggest that we simply hold your motion in abeyance and wait to see what the results of our meeting with the clerk are. If he recommends to the House that our mandate be expanded to include the Ethics Commissioner estimates, etc., then it's a moot point. If on the other hand we don't get what we wish from the clerk on Monday, then we'll deal with your motion.

(1710)

    Mr. Russ Hiebert: I don't think there's any harm in our pursuing this opportunity. It's not going to be available to us this budget cycle anyway, so this is a future opportunity. It's not going to conflict with any upcoming mandate. If the conflict did arise, we could dismiss it at that point, so there's no harm.


    The Chair: Go ahead, Derek.


    Mr. Derek Lee: Just on a technical basis, we all agree now that we don't have a written mandate. The Privacy Commissioner was here just because. The access commissioner will come just because.

    There is a scenario out there that the mandate of the Ethics Commissioner will be divided between this committee and another committee, so the issue as to which committee should handle all of the estimates of the Ethics Commissioner is a real question.

    We ourselves and the other committee haven't even fully addressed the issue of our respective mandates, so at this point I suggest--I'm agreeing with Ms. Jennings--that it's probably premature to ask for all of the estimates of the Ethics Commissioner to come to this committee when we haven't even sorted out what aspect of the Ethics Commissioner work is going to come to this committee. His work, as I say, may be divided between PHA and this committee.

    I would respectfully suggest that we simply acquiesce in the tabling of your motion. It can be raised at any time later after we get our mandate sorted out, and it can be taken up in discussion with the clerk.

    For example, Mr. Chairman, if we're feeding this motion into a vacuum and if in the end the mandate of the Ethics Commissioner is to be divided, surely one wouldn't want all of the estimates of the Ethics Commissioner to come to just this committee if part of his mandate involved another committee.

    I'm not going to move it be tabled; I'll try to work with a consensus here. I'm suggesting that we table that motion and resurrect it after we've dealt with the mandate issue.


    The Chair: I would make a suggestion here. I don't think we need to table it because it is a notice of motion; it's not the motion being moved. I would suggest we let the motion stand until after the meeting with the clerk, and then we can decide what we'll do with it.


    Hon. Marlene Jennings: But this is dated November 29.


    The Chair: But it's a notice of motion.


    Hon. Marlene Jennings: No, I understand, but if it's dated November 29, I would understand that it was actually tabled with the clerk on November 29, in which case the 48-hour requirement has been made.


    The Chair: Yes, you're quite right, Ms. Jennings, so we would suggest that it has been moved and we'll let it stand until after the....

    Mr. Laframboise, a comment.

[Translation]


    Mr. Mario Laframboise: As you said, Mr. Chairman, we can defer the study until the next or until a future meeting. I don't have a problem with this motion. However, it should be contained in a report to be adopted by the House. If that were the case, we could examine Vote 12a and then split the responsibilities. Obviously, we need to spend some time reviewing the mandate of the Ethics Commissioner. We'll also be analyzing a portion of Vote 12a.

    Therefore, I'm fine with this motion, provided it's included in a report to be approved by the House. Our mandate should come from the House.

[English]


    The Chair: Because of the concerns, I think we'll let the motion stand until the end of the next meeting. We'll further discuss it at that point.

    That's all that's on our agenda.

    I adjourn to the call of the chair.