This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Ottawa, May 27, 2003 - The Privacy Commissioner of Canada, George Radwanski, yesterday sent the following letter to the Honourable David Coutts, Minister of Government Services, Government of Alberta, regarding Bill 44, the Personal Information Protection Act, Alberta's proposed private-sector privacy legislation.
May 26, 2003
Dear Minister Coutts:
Re: Bill 44 - Personal Information Protection Act
As I am sure you know, as Privacy Commissioner of Canada, I am required under subsection 25(1) of the Personal Information Protection and Electronic Documents (PIPED) Act to examine provincial or territorial legislation and report annually to Parliament on "the extent to which the provinces have enacted legislation that is substantially similar to the PIPED Act." I expect that this reporting will be a key consideration for the Cabinet in determining whether it is appropriate to grant any given province an exemption on the basis of substantially similar legislation.
I have reviewed Bill 44, the draft Personal Information Protection Act, and I think it important to inform you now, before it becomes law, that Bill 44 has a number of very grave deficiencies that would in my view make it impossible for the Government of Canada to recognize this legislation in its current form as substantially similar to the federal Personal Information Protection and Electronic Documents (PIPED) Act.
Effective January 1, 2004, the PIPED Act will extend to the collection, use or disclosure of personal information in the course of any commercial activity within a province, subject to one crucial exception: Where a province has passed privacy legislation governing the private sector that is "substantially similar" to the federal Act, the Governor in Council may exempt all or part of the provincially regulated private sector from the application of the Act to activities within the province's boundaries and the provincial law will apply.
If a province enacts private sector privacy legislation that is not found to be substantially similar to the PIPED Act, the provincial law will of course remain in effect. But effective January 1, 2004, it will operate concurrently with the federal law. Where the PIPED Act sets higher standards for privacy protection than the provincial legislation, the federal provisions will take precedence to the extent of any inconsistency and all organizations carrying out commercial activities will have to comply with them.
In my first report on the matter of substantially similar provincial legislation, in May 2002, I formally set out the criteria that I will use in assessing provincial legislation: In assessing provincial legislation, I will interpret substantially similar to mean equal or superior to the PIPED Act in the degree and quality of privacy protection provided. The federal law is the threshold or floor. A provincial law must be at least as good, or it is not substantially similar.
The standard set by the PIPED Act is a high one, but certainly not unattainable. In May 2002, I reported to Parliament that Quebec's Act Respecting the Protection of Personal Information in the Private Sector is substantially similar to the PIPED Act.
In view of my statutory obligation to report and advise on whether any provincial law meets the test of substantial similarity, I believe that the most helpful and constructive course is for me to share my preliminary views when proposed legislation is still subject to possible amendment and improvement, rather than wait for it to be definitively enacted.
It is in that spirit that I write to you today, to inform you that in my view the Bill as it stands has deficiencies - albeit deficiencies that can be remedied easily enough - that would be fatal to any possibility of it being regarded as substantially similar.
A major weakness of this Bill is the discretion it gives the Lieutenant Governor in Council (the Cabinet) to issue sweeping regulations dealing with a broad range of matters, including:
- giving consent;
- the procedures to be followed in making and responding to access requests;
- the circumstances in which personal information can be collected, used or disclosed without consent; and
- the personal information to which the Act does not apply.
This broad authority to make regulations is deeply troubling because it has the potential to dramatically lower the level of protection provided by the Bill. No similarly broad regulatory discretion exists in the PIPED Act. Regulation making authority should be limited to unforeseen housekeeping matters. Fundamental changes that would impact individuals' right to privacy, such as those that would be permitted under this Bill, should be subject to full and open public debate.
Second, the "grandfathering" provisions of the Bill make it significantly different from the PIPED Act, which does not distinguish between personal information collected before and after its coming into effect. By explicitly stating that information collected before the Act comes into force is "deemed to have been collected pursuant to consent given by that individual" the Bill eliminates any need to seek consent to use or disclose information that has already been collected.
Limiting the use or disclosure of this information to the purposes for which it was collected does not provide any meaningful protection since there was no requirement to specify purposes when the information was collected. An organization can use or disclose this personal information for any purpose and claim that this purpose was intended when it was collected, making it extremely difficult for an individual to challenge the use of this grandfathered personal information.
This is clearly inconsistent with the PIPED Act, which takes a much more privacy-protective, and very straightforward, approach: To use or disclose information collected before the Act came into force, organizations require consent.
Third, the Bill is clearly inferior to the PIPED Act with regard to privacy rights in employment. The workplace is where most people spend most of their waking lives; in few circumstances are privacy rights more important. Yet Bill 44 specifically allows the collection, use and disclosure of employee personal information without consent - completely depriving an employee or a prospective employee of any control over his or her information.
The Bill does not even contain a requirement that the organization inform employees after the fact that their information was collected, used or disclosed without consent. As a result, employees may be completely unaware that the collection, use or disclosure took place, completely depriving them of the right to complain. And even if they do become aware, complaining after the fact cannot undo the damage that has been done. Once privacy has been violated, it cannot be unviolated.
I recognize that the Bill requires that the collection, use or disclosure of employee personal information be reasonable, but this a weak test, that provides little or no meaningful protection. From the employer's perspectives - which seems to be the perspective from which these provisions of the Bill were drafted - almost any intrusion on employee privacy can be seen as "reasonable".
An employer might think it reasonable to collect and disclose information about a prospective employee's health or religion or sexual orientation. This Bill would allow the employer to do that, without consent.
The PIPED Act, in contrast, makes no distinction between information collected, used, or disclosed in employment and in commercial activities. The protection afforded employees covered by Bill 44 would be drastically inferior to that enjoyed by employees covered by the PIPED Act.
It is important to note in this regard that these provisions of the PIPED Act have now applied for more than two years to employers in some 15,000 federal works, undertakings and businesses - primarily banks, broadcasters, transportation and telecommunications companies - without any indication that these organizations have thereby been prevented from effectively managing their workforces.
Fourth, a fundamental component of the PIPED Act is the power of individuals to find out what personal information organizations have about them and to correct any information that is incomplete or wrong.
The access and correction provisions in Bill 44 fail to provide similarly effective protection. First of all, individuals would be prevented from obtaining access to information about themselves if it would reveal the identity of individuals who provided the information. For example, an individual would not be able to obtain access to negative comments provided by a co-worker or supervisor, or pejorative information provided to a banker or other credit grantor, if it would reveal the identity of the person who made the comments. Without access to this information, an individual would not even know it existed and obviously would not be able to challenge its accuracy.
Individuals can also be denied access on the grounds that disclosure might result in that type of information no longer being provided to the organization. The PIPED Act does not contain such a provision and it is difficult to see the need for it given the other grounds in the Bill for denying access. This is a very amorphous basis for denying access that would be almost impossible for an individual to challenge.
Bill 44 also differs from the PIPED Act with respect to fees. Bill 44 allows an organization to charge "reasonable" fees for access. The PIPED Act requires that access be provided at "minimal or no cost."
As well, there is no requirement, when the accuracy of information is in dispute, that the organization in control of the information inform other organizations that have access to the information about the substance of the dispute. The other organizations can retain, use and even disclose personal information, regardless of whether its accuracy is in dispute. The PIPED Act contains such provisions, as should any proper privacy legislation, and the failure of Bill 44 to do so is a substantial weakness.
Fifth, the draft legislation allows collection, use or disclosure without consent for the purposes of an investigation or proceeding. This is a necessary feature of any privacy protection law, but the wording of the Bill is far too open-ended.
The definition of the term "investigation" in the Bill is much broader than the way in which the term is used in the PIPED Act. The PIPED Act limits the term to investigations of "a breach of an agreement or a contravention of the laws of Canada or a province." The definition in Bill 44 includes an investigation related to "circumstances or conduct that may result in a remedy being available at law" and trading in securities. The Bill contains a similarly broad definition of "legal proceeding."
Furthermore, there is no requirement, similar to that in the PIPED Act, that personal information can only be collected, used and disclosed without consent for the purposes of an investigation, if it is reasonable to expect that "the knowledge or consent of the individual would compromise the availability or the accuracy of the information."
Allowing an excessive number of situations in which personal information can be collected, used or disclosed without consent seriously erodes the fundamental principle of consent that is the underpinning of any sound privacy legislation.
Finally, I want to comment on the provisions concerning professional regulatory bodies and non-profit organizations. The Bill would permit the Lieutenant Governor in Council to delay or exempt application of the Act to these types of organizations. I would see no problem if the Act only applied to professional regulatory bodies and non-profits to the extent they engage in commercial activities - this is consistent with the PIPED Act - but to exempt them entirely would establish a lower level of protection than that provided by the PIPED Act. Some non-profit organizations collect highly sensitive information, including information about medical conditions. To allow non-profits to disclose this information for gain without consent would provide a lower level of protection than under the PIPED Act.
In bringing these various deficiencies to your attention, I wish to emphasize that the issue is not one of debating the merits of the relevant provisions of this Bill in isolation. The issue is solely whether they provide a level and quality of privacy protection that is as good or better than the corresponding provisions of the PIPED Act. Clearly, they do not. Consequently, it would be my duty to recommend that the Bill in its current form could not be regarded as substantially similar.
I appreciate the opportunity to provide these comments. If I or my Office can provide any further clarification or assistance, we would be glad to do so.
(Original signed by)
Privacy Commissioner of Canada
- 30 -
For more information, please contact:
- Date modified: