:
Thank you, Mr. Chairman. It's a pleasure to be here today.
I might just add to the introduction you made a moment ago that Barbara Robins is also chair of our ethics and privacy committee. Her responsibilities as vice-president, legal and regulatory affairs, extend not just to Canada but to Latin America and the Asia-Pacific region as well. So she has some international perspective that might be of interest to the committee.
I also want to take a quick moment to thank the committee for its indulgence. We were asked to appear next week, but that appearance conflicted with our board of directors meeting to consider our annual plan and budget. Given the fact that we have 37 people on our board, that would have been a little difficult to move.
In 1995, this association was the first national business association to call on the federal government to pass privacy legislation to govern the private sector. CMA believed that a well-balanced privacy law would result in benefits for consumers and for information-based marketers, an increasingly important sector of the Canadian economy.
Marketers know that respect for personal information is good for business. They advocated a law that would provide clear direction on how personal information could be collected, used, and disclosed, and a law that would be sufficiently flexible to enable businesses to grow the economy and take advantage of our new and emerging technologies. And to a great extent, PIPEDA has fulfilled these high expectations, although we remain in the early stages of implementing this new privacy framework. It should be kept in mind that for the vast majority of the private sector, this law only came into effect on January 1, 2004.
CMA is the largest marketing association in the country, with more than 800 corporate members representing a wide variety of marketing sectors, and we do have a code of ethics and standards of practice that is mandatory for our members. It is the self-regulatory code that provides our members and other marketers with a comprehensive set of best practices. We've provided committee members with a copy of that code for your future reference in your deliberations.
Privacy provisions of the code are structured to reflect PIPEDA's 10 privacy principles but are supplemented with additional rules for marketers. For example, for marketing to children, our code requires the express consent of a parent or guardian before a child's personal information can be collected, used, or disclosed for marketing purposes. CMA members are required to offer an opt-out opportunity with every e-mail marketing communication that's made. CMA members are banned from using unsolicited email, or spam, to acquire new customers. And CMA members must use our do-not-contact program, the only service of its kind in Canada, and it is offered free to consumers. All these provisions and the rest of the code are supported by detailed compliance guidelines.
With respect to PIPEDA, CMA takes the position that it's still too early to consider substantial changes, especially given the fact that the act has only been in effect, for most of the private sector, since January 1, 2004. The law does appear to be working well, as demonstrated by the noticeable downward trend in the number of complaints directed to the Privacy Commissioner and the increasing proportion of these complaints that are resolved or settled. At the same time, CMA's research, conducted for the Privacy Commissioner, shows the need for improvement, particularly among small and medium-sized enterprises in terms of both awareness and compliance. We have provided the committee clerk with a copy of that research.
In her own presentation to this committee, the Privacy Commissioner observed that this is not the time to make major changes in the framework of PIPEDA. CMA supports the Privacy Commissioner's view in that respect, and were Parliament to consider changes in the near future, we would strongly advise that these early adjustments be limited to technical amendments for purposes of clarifying meaning and intent.
The commissioner raised some issues that we'd like to comment on. First, I'll go to the question of the commissioner's powers and whether the existing ombudsman model has been effective. The evidence of the past few years clearly indicates that the ombudsman model has worked very well in promoting and protecting the privacy rights of Canadians. In response to complaints, organizations have invariably demonstrated a willingness to follow the direction of the Privacy Commissioner. We also feel that the commissioner's role as a privacy advocate is one that inherently contains positional bias and is therefore more compatible with an ombudsman's role.
Most importantly, however, the reality is that the commissioner's powers of influence are well supported by the discretionary power to publicize privacy breaches and by the ability to seek binding orders through the Federal Court. The last thing any marketer wants to see is their name on the front page of the Ottawa Citizen, being identified as being in breach of the privacy provisions, in the opinion of the Privacy Commissioner.
Another subject that has been the topic of much discussion over the past year or so is notification to consumers where there has been a breach of security or accidental disclosure of personal information. The question is, under what circumstances should organizations report a loss or theft of personal information to consumers? CMA believes that organizations do have a responsibility to notify consumers where the loss or theft of personal information poses a reasonable risk of harm to the individual. The challenge is to establish the correct threshold for triggering that notification. For example, how would we best define a risk of harm to the affected individuals?
We do not want to unduly alarm individuals with interminable notices of inadvertent disclosures of information that are totally innocuous. Our proposed approach to this issue is to request that the Privacy Commissioner of Canada consult with all stakeholders to develop and publicize national privacy breach response and notification guidelines. Those national guidelines can then be easily adjusted as we come to better understand the impacts of breaches and the impacts of notification, and they could subsequently form the basis of some legislative action by Parliament.
The Privacy Commissioner, on another issue, has also indicated that she is satisfied that her office can also deal with the matter of cross-border information flows by providing guidance to organizations. In our experience, that has worked very well and we agree with her assessment.
I have a couple of concluding remarks, Mr. Chairman.
Today's information-based economy continues to present new and innovative ways for business to interact with existing customers and potential customers and grow their customer base. Indeed, consumers expect more, demanding more tailored offers, convenience, and better service, requiring business to become more sophisticated in its ability to anticipate and meet these needs. Central to that marketing relationship is the collection, use, and disclosure of personal information.
Canadian marketers have long recognized that consumer confidence, privacy protection, and transparent information practices are critical for continued success. Good marketers know that respect for personal information is good business. PIPEDA is a privacy framework designed to achieve that delicate balance. In the words of a former Attorney General of this country, it is “a remarkable national consensus based on a series of delicate compromises”, one that all stakeholders believe would provide effective privacy protection while allowing businesses and not-for-profit organizations to responsibly use personal information to grow our information-based economy.
And there is much at stake. In 2001, through information-based channels, marketers generated over $107 billion in annual sales. That supported over 850,000 jobs in the Canadian economy.
PIPEDA has been working well, although there's work to be done in improving its performance and making small and mid-sized enterprises aware of its provisions. That being the case, CMA fully supports the existing act, and we urge the committee to resist making any fundamental changes to PIPEDA until we've had a few more years' experience with the legislation in its current form.
Mr. Chairman, thank you very much. We look forward to your questions and your committee's questions.
:
We therefore have the five-year perspective rather than the shorter period that other organizations have.
We are going to talk about employee issues, and we're going to be exclusively talking about it because it's the only thing we talk about.
From FETCO's perspective, PIPEDA is one of many pieces of labour legislation regulating our businesses. Others include the three parts to the Canada Labour Code, the Canadian Human Rights Act, and the Employment Equity Act. It is our belief that Parliament intended these various statutes to be applied in such a way as to minimize conflict. Through their application, the other statutory obligations placed on employers would be given cognizance, minimizing interference with normal business operations.
I'll reiterate the comment we made five or six years ago to the committee at the time, which I think was the industry committee, that this looks very much like a piece of commercial legislation. Canadians were told about it in the consultation process. It really wasn't until we saw the bill that we realized the larger labour implications. We think perhaps the bill has suffered and the act is suffering from the fact that not enough thought went into the actual provisions dealing with labour issues.
In the brief I circulated, which hopefully was sent to members—I think I sent it about 10 days ago—we cover a number of areas. Quite frankly, we've collectively run into a number of problems with the act.
We make numerous recommendations in the area of employee relations. However, I'm only going to spend time on two of them, because we think they're two of the most important: information consent and the formal dispute resolution process.
There is clearly a need to distinguish between truly personal information related to the employee and information that is used for legitimate business activities or business identifiers. It has been a cause of concern in terms of the application of the act. We understand the Privacy Commissioner is perhaps cognizant of this.
For example, identifiers such as a fax number, which is a phone number, and an e-mail address, which is a business address, are provided for the express purpose of running the business. These in fact belong to the employer, not the employee. When the employee leaves the business, the identifiers stay with the business and don't go with the employee. It's therefore very difficult for us to determine why this would be considered personal information.
When I left the Canadian Pacific Railway a few years ago, I didn't take my e-mail address with me. On the day I left the company, they cancelled it.
We believe it's an example of a situation where a little more thought was needed. The act should have been drafted a little differently to capture what is clearly business information rather than personal information.
Given the increased tension among the various pieces of employment-related legislation in PIPEDA and the importance of maintaining a balance in the employment relationship, consideration may need to be given to whether employee consent should be treated differently.
Different options exist for dealing with employee consent, including reliance on implied or deemed consent or even eliminating the requirement for employee consent for the collection, use, or disclosure of personal information related to managing reasonable requests of the employment relationship. I would say, and I'll probably repeat this at the end, we are favourably disposed to the approach taken in B.C. and Alberta.
It is recommended that issues surrounding employee consent be considered and addressed during the review process. We have a couple of specific recommendations in this area.
We recommend that e-mail addresses and fax numbers should be excluded from the existing definition of personal information and that a new definition of personal information should be developed.
We also recommend that the act be changed to permit employers to collect, use, and disclose personal employee information, either without consent or when there is deemed consent in the conduct of routine and reasonable business in the managing of the employment relationship. That's how we think the acts in B.C. and Alberta work.
The second issue is probably more problematic in the context of the day-to-day operation of the business. It is the informal dispute resolution process. And for the record, Mr. Chairman and members of Parliament, the original bill that was introduced into the House of Commons by the Minister of Industry, way back when, didn't have this provision in it. We foresaw all sorts of difficulties in a whole pile of different areas unless there was something to deal with our ability to manage the employment relationship and fulfil our responsibilities under other statutes.
For example, part 1 of the Canada Labour Code requires that there be a process for dealing with disputes without stoppage of work. Investigations are required under part 2 of the Canada Labour Code. According to part 3 of the Canada Labour Code, you have to have a sexual harassment provision. And if Harry Arthurs has his way, there will be a lot of other obligations on employers, given the kinds of things he'll put in his report on the review of part 3. Of course, we are also obligated under the Canadian Human Rights Act to conduct investigations when there is a complaint lodged.
While PIPEDA provides that personal information generated in the course of a formal dispute resolution process not be provided when an access request is received--that's what we requested six or seven years ago when that was put into the legislation--FETCO believes that the definition of what constitutes a formal dispute resolution process and the stipulation that the information can be withheld in the course of a formal dispute resolution process are restrictive and erode confidence in the process.
Employers are required to investigate employee complaints, often on a confidential basis and without the assistance of an outside body. All investigations of complaints or disputes begin with the differing of opinions, which leads to an information-gathering process. It is impossible to resolve a dispute until the facts identifying the dispute have been determined. Doing so is often undertaken by those having knowledge of the incident and providing information about it, often on a confidential basis, in some form, to those in the business of handling the complaint. This fact-finding process is an integral part of the formal dispute resolution process, whether to determine the need for discipline or to investigate grievances, sexual or other harassment, or other workplace complaints. The fact that an employee being investigated can have access to any confidential information provided by complainants and witnesses results in complainants' being reluctant to have their issues addressed through appropriate internal redress systems, and witnesses' being reluctant to give evidence. We think that the definition is too restrictive. We think it has to cover all aspects of the dispute resolution process, including the information-gathering aspects, which would naturally be the early workings of any dispute resolution process. For anything you do, you collect data and you collect information.
At the present time, the integrity of the fact-finding process is very likely compromised by the fact that it is not protected by exceptions to access. In cases like these, the OPC has taken the position that such information is not, in fact, being generated in the course of a formal dispute resolution process, and therefore is subject to access under PIPEDA. It is FETCO's experience that the OPC's current position--that information gathered in the course of internal investigations is subject to access--has an adverse effect on the ability of employers to collect pertinent information and resolve workplace disputes without complication.
We have a couple of recommendations here, specifically the following:
The term “formal dispute resolution process” should be broadly defined to include all established mechanisms used to conduct an investigation, or otherwise resolve an employee complaint.
In all phases of a dispute resolution process, the employer should not be required to provide access to personal employee information.
Information collected while investigating a breach of a law or contract, regardless of whether the information was collected with or without the knowledge and the consent of the individual, should be also exempt from the requirement to provide access.
It is also inappropriate for employees to be able to access opinions and recommendations made by industrial relations or human resources personnel with regard to employee relations matters, including recommendations as to appropriate discipline or suitability for continued employment.
If I might conclude, Mr. Chair, FETCO strongly encourages that the recommendations contained in our brief be carefully examined in this review of PIPEDA. We've been around a long time, and we don't expect you to pick up every recommendation in your report. But we do ask that you give serious consideration to them. It is imperative that this review take into account the implications of this legislation on employers, their workplaces, and their business activities.
We are aware that subsequent to the implementation of PIPEDA, some provinces have passed substantially similar legislation. They have benefited from the experience gained under PIPEDA and have brought more clarity to the treatment of employee issues. The definition of personal employee information--including confirmation that the definition does not include work product--the concept of a formal dispute resolution process, and the reasonable use of employee information without consent are cases in point. We would recommend that in reviewing PIPEDA, examination be made of the developments in privacy legislation provincially. We would specifically direct your attention to Alberta and B.C.
Thank you very much.
:
There's a judgment issue here. In the course, obviously, of any business operation, especially with the types of things we deal with here--grievances, sexual harassment complaints, human rights complaints--often the individual is identified as a potential culprit. So you have to balance between having people come forward, which we're urged to do by law, by the Canadian Human Rights Act or part III of the Canada Labour Code. We urge employees to come forward when they have a complaint. If we can't deal with them in some measure of confidentiality, they're not going to come forward.
Now, in answer to your question, let's say Barbara gets a complaint from an employee saying she's been sexually harassed, and after the investigation it becomes clear that perhaps some action needs to be taken, then obviously we have to provide the appropriate level of evidence in order to take the action. In the process of collecting the data, in the process of doing the investigation, and in the process of talking to other people, with respect, we believe that information should be protected within that context, You're right, of course, that when it comes to actually taking action, we clearly have to provide the evidence to sustain it.
FETCO employers, not entirely but for the most part, tend to be unionized operations, and many, as you know, in the federal sector especially, have a long history of unionization. My previous employer, Canadian Pacific Railway, had its first collective agreement in 1896. So we're talking about long-established bargaining relationships that have built right into the collective agreements these kinds of protections--investigations, how they're held--to ensure that an employee cannot be disciplined without the appropriate procedures. We recognize that, and nobody is suggesting that it should be otherwise.
However, we believe that unless you can provide in the fact-finding process some measure of confidentiality, we're not sure how the thing can work properly. If an employee knows that if she comes in with a sexual harassment complaint and can't deal with a company on a confidential basis, that anything she's likely to say is immediately going to go to the alleged perpetrator, we think that would have a chilling effect on people coming forward.
Thank you all for coming.
I'm a new MP, and coming from small business, I remember the uneasiness when this act came into being. So I looked at it purely from my perspective. Then of course, as we're introduced to these proceedings and we're introduced to the laws, I can see the other side. So it's very interesting to see all the different aspects and the guidelines, the safeguards.
There's one thing that concerns me, just one thing, and it's the only question I'm going to throw out here. We talked about the employer's responsibility, we talked about the employee's responsibility, and we talked about the rights. The only thing that concerns me is, down the road, have we put together an organization that...? And forgive me for saying this, but it is the only thing that troubles me somewhat—and I would never suspect this from our current Privacy Commissioner. We've met her, and she is doing a great job. But is there a possibility, down the road, that we may create a reign of terror, where the Privacy Commissioner can force laws that are enacted, that obviously aren't going to be...? With the examples I just cited in private business, I've come to understand that those things are really unreasonable to expect, but the laws are there.
Have we put in place any safeguards where the Privacy Commissioner has some safeguards too, so they can't start to put in laws or force things that would make it impossible for a business to continue?
:
Mr. Chairman, my position is that these bills are justice bills and this is before the House. In his interruptions, Mr. Peterson said it has nothing to do with this motion, but it does, unless you want us to drop all the justice bills and move into this topic. And that can be done. It may be that Madame Lavallée and others should start pushing for some of these bills so we can get to the information legislation, which is indeed very important.
Mr. Chairman, I think the motion is premature and she should wait until the 15th to hear what the minister is going to do. The committee has heard from the commissioner and the minister. The minister made some comment on a discussion paper when he spoke to us last June, I think, which was tabled in April, dealing with access to information. This committee has yet to even start looking at that topic.
I assume from the motion made by Madame Lavallée, which carried, that Madame Lavallée doesn't want to talk about former Commissioner Reid's proposed bill, which was adopted by this committee. It has essentially been rejected. Therefore, I can conclude from her motion that she wants the government to ignore that bill and proceed with another bill.
The minister came to this committee and said, here's a discussion paper. We've put it on our bookshelf and we haven't looked at it. Before we start getting on a rant as to why she hasn't heard from the minister, even though she's given until December 15, at the very least she should look at that discussion paper.
Once the committee has had an opportunity to speak to the stakeholders and review the issue of the cost of the proposals suggested by the Information Commissioner, the government would be in a stronger position for the next stage of access reform. The committee hasn't dealt with that. I would hope the committee, before getting into that, would review that discussion paper and talk about what these proposals are going to cost.
Mr. Chairman, those are the main issues. Quite frankly, I think it's a flippant proposal, and I say that with due respect to Madame Lavallée. She should wait until her original motion, which is December 15.
:
Okay. It is only appropriate to give the minister an opportunity to follow through on what this committee asked. We had a very interesting day when he was here talking about the item. As a government, we have tabled the previous commissioner's report. We have made a conscious decision, rightfully or wrongfully, that we're not looking at that, expecting the minister to do something different. That is what he'd heard and what he did.
As previously mentioned, the priority for the justice committee at this particular moment has been on the other justice items, mostly Criminal Code items, and there's only so much time available for his staff or the staff of the group to work on different things.
Based on my discussions, I think the ministry is likely aware of the deadline put forward by the committee. To be absolutely frank, I don't know whether they have had time to work on the issue or not. It is more appropriate and more professional for this committee to set a deadline and put it in the House, have it voted on and accepted, that we honour that commitment and that commitment be respected. Then, for example, by the end of next week, if there has been no indication from the ministry that there is anything coming before Christmas, we will be back at this in late January or early February. I hope we'll be done with PIPEDA shortly thereafter. Then if this is the real work of this committee and this is what the next project is, we should get a response from the ministry on whether they're prepared or have the time and ability to do that, to present the bill. If they can't, they probably could provide reasons why they can't, but they should provide them to this committee.
If this is an invitation to show up in the new year, I may give some consideration for the minister to come to tell us where they're at, if they haven't met that deadline, but we're not asking for that at this point. It is only fair to give them the length of time we said we would, which we have all voted on and which was accepted in the House.
From my side, the previous speaker, whether you liked his approach or not, was absolutely right. We've set a deadline already, and if the ministry doesn't make that deadline, let's invite them back and talk about what's realistic. They indicated to us that we have put a document on the table that was well researched, well done, by the previous commissioner. It was referred to this committee. I don't recall our ever even looking at it. Maybe that's the approach we need to take. If they don't have the time to do it, we need to put it as a priority.
For me personally, access to information is important. I had a choice whether to stay on this committee or move to another committee, as I got moved to finance. I chose this committee specifically for that purpose. I am very interested in access to information, and as a municipal councillor, I spent many years dealing with stuff at the local level.
How am I doing, Pat?