Letter to the Minister of Industry regarding the 5 year statutory review of the Personal Information Protection and Electronic Documents Act (PIPEDA)
July 13, 2007
The Privacy Commissioner of Canada, Jennifer Stoddart, sent the following letter to the Honourable Maxime Bernier, Minister of Industry, regarding the 5 year statutory review of the Personal Information Protection and Electronic Documents Act (PIPEDA).
The Honourable Maxime Bernier, M.P., P.C.
Minister of Industry
C.D. Howe Building
5th Floor, West Tower
235 Queen Street
Ottawa ON K1A 0H5
I am writing in regard to the 4th Report of the Standing Committee on Access to Information, Privacy and Ethics regarding the 5 year statutory review of the Personal Information Protection and Electronic Documents Act (PIPEDA). I thought it might be helpful for you to know of any concerns my Office has regarding the recommendations.
Let me begin by saying how much I appreciated the Committee's work on its comprehensive five year review of PIPEDA, and that I believe that this sort of regular ongoing review is critical to ensure that we have the best possible law to protect personal information. Alberta, British Columbia, and Ontario, with regard to personal health information, have all passed legislation subsequent to the passage of PIPEDA and it is helpful for us all to learn from their next-generation legislation.
I generally agree with the vast majority of the Committee's 25 recommendations, either as proposed or as requiring further consultation, and I hope that you will move forward with the necessary legislative changes.
I do not propose to speak to all the recommendations, though I would be happy to discuss them with you. For the sake of clarity, I am only writing to you about the six areas with which I have particular concerns. One of these issues, whether I have the requisite powers to review solicitor-client privileged documents, is scheduled to be heard by the Supreme Court of Canada in February 2008. Although I disagree with the Committee on this point, I think it would be premature to consider a legislative amendment to clarify my powers at this time.
In this letter, I address the remaining five areas and, for ease of reference, I have followed the order of the recommendations in the Report.
1. Work Product [Recommendation 2]
In our appearances before the Committee, both Assistant Commissioner Heather Black and I spoke to the proposal of excluding work-product from the definition of personal information. We said then, and I continue to believe, that it would be imprudent to introduce such an exclusion. I believe that the current approach to work product, which allows us to examine the issue on a case by case basis, is more appropriate. One of the OPC's main concerns about the removal of work product from the definition of personal information is that it could result in increased employee surveillance and intrusive workplace monitoring without any privacy protection. To date, we have been able to assess the privacy implications of the introduction of new technologies in the workplace, such as biometrics, global positioning and RFIDs and to ensure that employees' privacy rights are appropriately protected.
There is no clear understanding at present as to what "work product" includes, nor has there been adequate discussion as to the consequences of such an exclusion. At the very least, I would ask that the government consult with, and seek representations from, a range of stakeholders whose rights may be affected, to ensure that the complex privacy issues are canvassed. I have attached a copy of a paper that my Office produced at the request of the Committee [Footnote 1] that outlines some of the privacy concerns about such an exclusion. Should the government accept the Committee's Recommendation No. 5 regarding the need for an employer/employee code for federal works, undertakings and businesses, it may be that this would alleviate some of the concern about work product. I was grateful for the Committee's recognition of the need for such an amendment and my Office would be happy to work with you and your Department on this issue.
2. Principal-Agent Relationship [Recommendation 8]
The OPC does not agree that there is confusion regarding the principal-agent relationship in PIPEDA. PIPEDA makes provision for transfers for processing under Principle 4.1. In other cases, where an organization discloses personal information to another organization, there is a requirement for consent and we believe that this is not overly onerous. It may be that our Office could issue a FAQ that would give guidance to those parties concerned.
3. Litigation Process / Legal Proceedings [Recommendations 9 & 10]
The Canadian Bar Association recommended that the AB and BC Acts both provide clarity in regard to information legally available in a legal proceeding. I do not believe that this issue has posed any great difficulty over the past five years. The OPC has stated in complaints that the access provisions of PIPEDA may be broader than the requirements of discovery, depending on the breadth of documents relevant to a proceeding.
4. Collection and Disclosure for Law Enforcement and National Security Purposes
If the government feels that definitions of "lawful authority" and "government institution" will bring clarity to the legislation, then I would have no objection to that. However, recommendation 12 goes on to indicate that the disclosure by organizations without knowledge or consent should be mandatory [for issues dealing with law enforcement and national security]. This represents a further step backwards from the amendment that was crafted in 2000 to maintain the status quo for law enforcement to request "pre-warrant" information from organizations. I believe that the discretion whether or not to disclose should be left with the organization.
5. Breach Notification [Recommendations 23, 34 & 25]
In our first appearance before the Committee, I expressed support for the principle of a duty to notify where a security breach had occurred. Subsequent to that appearance and prior to my second appearance, we were notified of several major security breaches, which were reported in the media. In our second appearance before the Committee, we asked the Committee to include a breach notification provision in the legislation. I am pleased that the Committee did so and I am confident that this will be an important addition to the legislation. However, I am concerned that the recommendation asks the organizations to notify the OPC and proposes that our Office should determine whether or not they need to notify individuals. I think that this may put us in a difficult position of making decisions regarding notifications and then having to deal with complaints on the same issue. As well, I am unsure at this time of the resource implications for our Office.
As I told the Committee, our Office has been working with stakeholders to develop guidelines that would apply until such time as the Act may be amended. These guidelines encourage organizations to inform us of material breaches and to seek our advice regarding the criteria we set out, but put the onus on the organizations to decide if notification is appropriate in consultation with our Office as appropriate. We expect that these guidelines will be on our website within the month.
Many of the other recommendations will no doubt involve further consultations with various stakeholders, including discussion with my Office, and I look forward to meeting with you and your officials in the coming months.
Given the great interest in the evolution of PIPEDA by stakeholders and Canadians, we will post this letter on our website in the following weeks.
Original signed by
Privacy Commissioner of Canada