Letter in response to Industry Canada's consultation regarding the review of the Personal Information Protection and Electronic Documents Act (PIPEDA)

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

January 15, 2008


The Privacy Commissioner of Canada, Jennifer Stoddart, sent the following letter to Mr. Richard Simpson, Director General , Electronic Commerce Branch, Industry Canada, in response to Industry Canada's consultation regarding the review of the Personal Information Protection and Electronic Documents Act (PIPEDA).

Mr. Richard Simpson,
Director General
Electronic Commerce Branch
Industry Canada
300 Slater Street,
Ottawa, Ontario
K1A 0C8

Dear Mr. Simpson:

I am responding to Industry Canada's consultation regarding the review of the Personal Information Protection and Electronic Documents Act [PIPEDA] that appeared in the Canada Gazette on October 27, 2007. As you are aware, my Office made two submissions on the review of PIPEDA to the Standing Committee on Access to Information, Privacy and Ethics [ETHI Committee] and wrote a letter to the Honourable Maxime Bernier, Minister of Industry following the issuance of the ETHI Committee's Report on the review. Rather than repeat those comments here, I would ask that you bear them in mind as you proceed with the comments received as a result of the consultation.Footnote 1

The Canada Gazette consultation refers to several issues. I would like to comment on two of those issues mentioned and take the opportunity to note some views on three issues not mentioned in the consultation.

Work Product

The Canada Gazette indicates that you are seeking views as to whether an amendment to PIPEDA is required with regard to the issue of “work product”. I continue to believe that an amendment is not necessary and that there is no compelling need for a special exemption to cover “work product”. I also note that the Alberta Select Special PIPA Review Committee which was conducting a 3-year review of the Alberta private sector Personal Information Protection Act [PIPA] studied the issue of work product as well. On that issue, the Committee concluded that the “current contextual approach allows for greater flexibility”.Footnote 2 This is in line with my view that a contextual approach is necessary and most appropriate in approaching the subtle question of what information produced at work might be personal to that individual. In my view a blanket carve-out would not be advisable at this stage as it would risk encapsulating, in too blunt a fashion and with no critical oversight, much personal information which is in need of privacy protection.

Breach Notification

The second issue deals with data breach notification. As I stated in my February 22, 2007 submission to the ETHI Committee, I support amending PIPEDA to include a requirement that organizations notify their customers or clients in the event of a “data breach”. The Government's Response proposes a two step notification process:

  • Organizations should be required to notify promptly those affected by the loss or theft of the personal information “where a high risk of significant harm to individuals or organizations exists”; and,
  • In the case of “any major loss or theft”, the organization should be required to notify the Office of the Privacy Commissioner. This notice should include details of the incident and the steps taken to notify the individual or the justification for not doing so.

I support this general approach. I agree that the responsibility to notify the affected individuals should lie with the organization accountable for the personal information and I agree that this should be based on an assessment of the risk of harm although we would suggest that the concept of harm be defined broadly to include more than just financial harm.

I also support a requirement that our Office be notified of breaches where there is a major loss or theft. I also support notification in cases where the organization has determined that it is not necessary to notify the individuals affected. The Government's Response notes that the “determination of the specifics of the model, including ‘triggers' and ‘thresholds' for notification? will be a critical element in the breach notification provision.” I agree and I would urge that these triggers and thresholds be defined as clearly as possible in order to provide guidance to organizations and to help individuals understand their rights

Powers of investigation

The third issue relates to a case still before the courts, and hinges on the question of the Commissioner's powers to verify the legitimacy of an organization's claim of solicitor-client privilege. As Industry Canada noted in its response to the ETHI Committee's Fourth Report, the issue of the Privacy Commissioner's power to review solicitor-client documents is scheduled to be heard in the Supreme Court of Canada in February 2008. The government was of the view that it would be premature to consider the need for any legislative amendment to clarify the Commissioner's powers until the Supreme Court has rendered its decision and offered guidance on this issue. I look forward to receiving the Court's decision on this key issue and having the opportunity to revisit the issue with you should amendments to PIPEDA be needed as a result.

Employee code

PIPEDA is a law of general application, crafted to protect information in the realm of commercial transactions. It does not deal with the collection, use or disclosure of personal information in specific contexts such as employment and the application of the law in this context has given rise to key questions and challenges. I would reiterate my view that PIPEDA would benefit from some amendments regarding the collection, use and disclosure of employee information in line with the provincial private sector privacy legislation.

While each province has taken its own unique approach to balancing employee privacy with the right of employers, our Office sees merit in the approach taken by Alberta of a reasonable purposes-based employee codeFootnote 3, combined with the notion in the Quebec Civil CodeFootnote 4 which obligates employers to respect the dignity of workers.

Discretion in handling complaints

Finally there is one issue that has evolved since I last appeared before the Committee: It is the need to implement a more effective means to deal with complaints. At the time I appeared in February 2007, I still hoped that with the generous addition of resources, we would be able to get a handle on the lengthy and increasing delays we face in handling complaints while at the same time be in a position to take a more pro-active approach in addressing more systemic and pervasive issues through research, public education, Commissioner initiated complaints and audits. Despite our continuous efforts to shift focus, the delays continue to persist and overly consume resources. Other data protection authorities, including those in the United Kingdom, Europe, Australia and New Zealand, are also finding similar challenges with the need to deal with all complaints received regardless of the nature or the seriousness of the complaint. We are all concerned that with no ability to dismiss some complaints early as serving no public interest or warranting no further investigation, we find ourselves unable to deal effectively with the growing number of systemic issues that face us.

Privacy issues have traditionally arisen in the context of discrete transactions between an individual and an organization and have come to light as a result of individual-driven complaints. Today, major privacy issues arise from more systemic threats resulting from rapidly-advancing information technologies, particularly those enabled by the internet. Such new and emerging threats affect society as a whole, at such a pervasive level, in such complex and obscure fashion, and on such a daily basis, that in most cases, the average person would not even know about them, let alone complain about them. One has only to think of the vast array of surveillance technologies and nanotechnologies which are becoming commercially available, RFIDs, social networking, behavioural on-line marketing etc. Increasingly, data protection authorities around the world are recognizing that this is where our efforts must be directed if we have any chance of curbing these privacy threats as they emerge.

The UK Commissioner recently asked the British Parliament for the right to investigate only when an issue is in the public interest. In like manner, the US Federal Trade Commission [FTC] does not accept complaints from individuals but uses them to track systemic issues warranting FTC intervention. Here in Canada, the Canadian Human Rights Act, the Public Servants Disclosure Protection Act and the Accountability Act as well as the Quebec Private Sector ActFootnote 5allow those Commissioners to refuse or cease to examine a matter if the application is frivolous, made in bad faith, could be better dealt with in another forum or where further investigation would clearly serve no purpose. More recently in November 2007, the Alberta Select Special PIPA Review Committee recommended that the Act be amended “to provide the Commissioner with explicit authority to discontinue an investigation or a review when the Commissioner believes the complaint or request for review is without merit or where there is not sufficient evidence to proceed.”Footnote 6

I would ask the government to consider granting my Office a similar degree of flexibility. More specifically, I would ask for greater discretion at the front-end to refuse complaints and/or discontinue complaints if their investigation would serve no useful purpose or are not in the public interest, thereby allowing us to focus our investigative resources on those privacy issues that are of broader systemic interest to address. I believe that I should have the same discretion under the Privacy Act as the challenges under both Acts are very similar.

Again, I would like to extend our thanks to the Minister and Industry Canada for their ongoing commitment to privacy protection in general. I would also ask that the Government ensure that any upcoming legislation that might be relevant to the protection of personal information be coordinated with any proposed amendments to PIPEDA. My Office is available to answer any questions or concerns your staff may have on the suggestions made in this submission. I appreciate your ongoing consultation on these important issues.

Sincerely,

Original signed by

Jennifer Stoddart
Privacy Commissioner of Canada

Date modified: