The Role of the Federal Privacy Commissioner
Presentation to E-Commerce and Privacy
Implementing the New Law in the Public and Private Sectors
February 21, 2000
Office of the Privacy Commissioner of Canada
(Check Against Delivery)
Workshop: The Role of the Federal Privacy Commissioner
The presenters from the Office of the Privacy Commissioner of Canada were:
Brian Foran, Director, Issues Management and Assessment
Anne Rooke, Director, Private Sector Secretariat
Gerry Neary, Director, Investigations & Inquiries
INTRODUCTION - Brian Foran
The panel's title of "The role of the Federal Privacy Commissioner" is a simple if intriguing one, if only for the fact that if our role is known at all, it is not well understood, and if it is understood at all, it is shifting to such an extent that the understanding may be wrong.
Having spent the last several years at the Office of the Privacy Commissioner, I have come to recognize that while there may be changing responsibilities and expanding jurisdictions, and that while there may be different audiences and shifting priorities, there is an underlying agenda to our work or mission and it is fairly straightforward, if somewhat delicate. It is to promote the perspective that all of our practices in this increasingly digital and commercialized world must be informed by a sense of human values and that they must take place in an environment of ethical principles. And that respect for the individual and for the privacy rights of the individual must be fundamental to all our information practices.
The Office of the Privacy Commissioner, which began principally as a data protection office to investigate complaints, now finds itself grappling with a much broader range and variety of privacy issues. The Privacy Commissioner, of course, is a specialist ombudsman - and he is not called the Privacy Commissioner to be on the sidelines in this debate - you can be assured that the Privacy Commissioner can and will assert the privacy claim, but only this claim - and while we are not unmindful of or insensitive to other values and interests, they will be for others to assert.
Up to now, we have not had to make much significant change to our structure or operating procedures. In light of Bill C-6, the Protection of Personal Information and Electronic Documents Act*, however, the office will have to recreate itself in order to face a future which is uncertain in many ways but which is certain to hold greater challenges.
*(Bill C-6 is intended to regulate the commercial uses of personal information. The bill will require business to respect a code of fair information practice requiring individual consent for the collection, use and disclosure of personal information. It provides a mechanism for independent oversight - mandating the Privacy Commissioner to investigate complaints, issue reports and conduct audits. As a last resort, it provides recourse to the Federal Court and empowers the court to award damages. The Commissioner will have a broad mandate to promote the Act through public education and research.)
Some years ago, when we were facing the realities of change that all organizations face, the Commissioner re-examined his role and that of the office under the Privacy Act and developed the following mission statements:
- To be an effective ombuds office - providing thorough and timely complaint investigations such that Canadians enjoy the rights set out in the legislation.
- To be an effective guardian on Parliament's behalf - performing professional assessments of the quality of the government's adherence to the law.
- To be Parliament's window on privacy issues - so as to ensure that legislators are armed with the facts needed to make informed judgements, and,
- To be the primary national resource center in Canada for research, education and information on privacy.
Bill C-6 adds to these and bolsters them in a number of ways. In light of Bill C-6, for example, we have the following added and enhanced activities:
- To promote research into issues and practices associated with the protection of personal information.
- To specifically educate business and the general public on privacy rights and the responsibilities associated with the handling of personal information.
- To promote best practices for the management of personal information in the private sector and to work with organizations to develop detailed policies and practices, including codes of conduct, to ensure compliance with the legislation.
- To answer complaints on the handling of personal information during the course of commercial activity, not simply by way of investigation but by way of seeking resolution through negotiation, mediation or conciliation.
- To conduct formal audit reviews of organizations' personal information handling practices, but to do so with a goal not simply to identify shortcomings but to promote improvement in the handling of personal information (a sort of a missionary approach to working with the private sector), and finally,
- To support and complement provincial efforts to harmonize legislation across Canada to protect personal information involved in all commercial activity.
The basic utility of the Privacy Commissioner's office is simply that it exists - and certainly it exists as an office with broad investigatory powers and statutory review responsibilities. On the one hand, then, it provides a special place for persons to turn when they feel deprived of a privacy right - a place less awesome, less formidable, less expensive and less cumbersome than a court - and a place with more specific privacy expertise - in short, a more useful place.
On the other hand, the office has a consultative role to educate business to the issues at hand and to work with them to promote the achievement of fair information practices in all of their dealings and handling with personal information. In short, it has to provide a special place for business to turn to for privacy expertise that is useful to them as well.
Now, these roles may appear somewhat schizophrenic at first but they are wedded in one office and to help bring these issues into clearer perspective, I would like to introduce you to our panelists so you can hear from them their views and have the opportunity to discuss these questions with them.
Our first speaker will be Anne Rooke. Anne joined the Office of the Privacy Commissioner of Canada in June 1999 as the Director of the Private Sector Secretariat. In that role, she is the key manager responsible for preparing the Office for the implementation of Bill C-6. In her career, prior to joining our office, Anne spent 15 years with the Canadian Human Rights Commission in a variety of roles, the last of which was as Deputy Director of Compliance. In that position, she was responsible for managing conciliation and mediation functions and the investigation of policy complaints. Anne will outline for you her thoughts on some of the implementation issues for business as a result of C-6 and the role of the Office of the Privacy Commissioner in that regard.
Our second speaker is Gerry Neary. Gerry is currently Director of Investigations and Inquiries at the Office of the Privacy Commissioner, a position he has held since 1992. Prior to that, he conducted investigations for the office, and like Anne, also held positions with the Canadian Human Rights Commission, the last of which was as Regional Director for Western Canada. As a sidenote, he has a long history in the area of rights, having been one of North America's first university ombudsmen, when in 1969 he became Carleton University's first ombudsman. Gerry will speak to the investigative role of the Office of the Privacy Commissioner - how we operate and how we propose to operate under Bill C-6.
WHAT DOES IMPLEMENTATION OF C-6 MEAN FOR BUSINESSES - Anne Rooke
I can't think of a better lead-in to this presentation on C-6, the Personal Information Protection and Electronic Documents Act, than to quote from the cover of the March issue of PC Computing:
WE KNOW EVERYTHING ABOUT YOU
Where you live
Where you work
How much you make
What you buy
What you do on the Web
Your private past
As this suggests, businesses increasingly have the power and the incentive to gather, use, reuse and release personal information on a massive scale. I'm certain most of you have suspected, at one time or another, that companies often sell the information they collect to other organizations. Some of you have probably received advertising material addressed specifically to you or solicitation phone calls, where the caller knows your name.
Some organizations are coming to realize that privacy protection can provide them with a competitive edge - protecting clients' personal information makes good business sense, especially in the ever-growing world of e-commerce.
The objective of the Personal Information Protection and Electronic Documents Act is to help create a state of mind in which businesses routinely consider the privacy rights of their clients, customers and employees, when they develop products and administrative practices.
C-6 requires business to respect a code of fair information practices for the collection, use and disclosure of personal information. One could say that this new act provides organizations with the incentive to clean up their record keeping.
A major component of C-6 is the Canadian Standards Association's Code. The Canadian business sector was an active participant in developing the CSA Code and should have a proprietary interest in ensuring it is respected. Recently, we have seen a wide array of organizations that have already taken steps to prepare for this new piece of legislation.
There are however many businesses that have not yet done so. They will have to adjust their current practices to meet the obligations set out in C-6 for handling the personal information they are entrusted with. No one expects this to happen overnight, but change it must.
This is probably as good a time as any to take a minute and review the 'phased in' approach of this legislation. As it now stands, the phase-in period covers 4 years:
- the year 2000: considered the ramp up or implementation period (this is the time for companies to get their houses in order so to speak)
- 2001: all federal works and undertakings, as well as organizations handling cross border transfers of personal information for consideration, become subject to provisions of C-6, e.g. complaints can be filed. The only exception may be personal health information, if the Senate's amendments are accepted. Personal health information would then be covered as of 2002.
- 2004: (3 years after C-6 comes into force) business involved in the transfer of personal information within a province will be covered, if not exempted by Order in Council (where province has substantially similar legislation)
An organization's 1st step toward implementing C-6 is to appoint someone to be responsible and accountable for the manner in which the company handles personal information. This is not a task to be assigned to a non-management employee. I would like to stress that responsibility for data protection is not a clerical function. Many organizations elsewhere have wisely assigned senior executives to oversee data protection issues.
The company official must also be responsible for dealing with requests for access to personal information received from employees and the public; for dealing with complaints concerning privacy breaches and have responsibility for interacting with OPC, if and when the need arises.
The next step for an organization is to review and analyze how it conducts its business to determine:
- what personal information it collects
- why it is collected
- how it is collected
- what is done with it
- where it is kept
- when it is used or disposed of
- whom is it given to
Companies may be surprised to learn that they really don't know what personal information they collect, how it is used and what quality controls and security safeguards, if any, are in place to protect that information. They may even decide that they are collecting excessive amounts of personal information for no valid reason, and at unnecessary cost.
One of the most important principles of this new piece of legislation is the requirement for businesses to obtain an individual's consent when they collect, use or disclose the individual's information. The general rule is that no one can use a person's information without that person's permission.
Among other things, businesses must establish an open and transparent relationship with their clients by providing clear explanations about what they do with their clients' personal information. They must provide the name or title & address of person accountable for information holdings and to whom complaints or inquiries can be addressed.
Under C-6, an individual has the right of access to his/her personal information that is held by a company and have it corrected if need be. Business must establish a user-friendly process so that an individual can obtain access to his/her information; the individual must be given the opportunity to challenge the accuracy of the information and have it corrected.
To summarize, the 10 principles businesses must respect to conform to C-6 are:
- accountability (assign responsibility for compliance to official)
- identify purposes (reasons for collecting the information)
- obtain consent for collection, use or disclosure of personal information
- limit collection to what is necessary
- limit use, disclosure & retention (can't use or disclose any information for other purposes)
- accuracy (information must be correct, complete & current) - information must be necessary for the identified purpose
- safeguards to protect the information
- openness/transparency (have open and clear policies/practices for handling personal information)
- give individuals access to their information
- ability to challenge compliance
What is the Office of the Privacy Commissioner's Role in all of this?
Our goal is to improve privacy protection by finding the underlying problems in the way personal information is handled, and by working with business to find solutions.
Our approach has always been, and will continue to be to identify and solve problems, not create them. OPC is here to help not impede business. We will encourage organizations to resolve their own privacy problems before we intervene.
We can't of course promise that life will be as it was before C-6. This legislation is being introduced for a reason: to offer protection to individuals where little, inconsistent or no protection of their personal information existed before. Some organizations will have to do things differently when it comes to handling personal information, just as the introduction of human rights legislation altered the business climate in this country over 2 decades ago.
The federal Privacy Commissioner is an ombudsman - this role provides for reaching reasonable solutions by reasonable people. We are non-confrontational and non-adversarial but this does not mean that we will be an easy mark.
We know this new legislation may cause uncertainty both for organizations and for us. We want to resolve as many of those uncertainties ASAP to ensure the smooth transition from the current status quo, to life under private sector data protection rules.
Our focus in the coming months will be to learn about business from business and to educate business about C-6 and the role of our Office. We will meet with representatives of the business community, discuss their concerns, and look for solutions that make the legislation both workable for them and effective for the Canadian public.
Perhaps the best advice I can offer organizations with existing personal information data bases is to start reviewing those information holdings now, if this has not already been done. Businesses must assess how to ensure that their information handling practices comply with C-6.
My strongest advice is not to delay. We anticipate that the Bill will likely come into force as of January 2001.
What Role Will the OPC Play in Education?
One of the most important roles given to the Privacy Commissioner under C-6 is to educate Canadians, to encourage knowledge and understanding of privacy. This is a new role for our Office and to our minds, a critical one.
Recent surveys show that consumers are uneasy about the state of personal information practices in the business world, particularly in the world of e-commerce. Some of these concerns are based on consumers' lack of knowledge about just how their information is being used and shared.
The OPC will take steps to foster public understanding of how information is used and shared. A large segment of the population is not familiar with how Canada's private sector handles personal information. One of the goals of our Office is to make Canadians aware of privacy invasive practices and of the personal and social consequences of privacy intrusions.
In this day and age, many citizens are too trusting with their personal information. Until I joined the OPC nine months ago, I would freely give out my personal information when I was asked for it with little or no thought as to why the information was required. Why does a store need to know my name, phone number and address when I pay cash for an item? Now I refuse to provide the information and ask why it is being requested. I have yet to receive a satisfactory explanation.
Staff in our office is working on guides, fact sheets, and pamphlets that explain the Act, the rights of citizens and the obligations of business. We are introducing ourselves to and getting to know advocacy groups, associations, unions, and groups of professionals including educators, lawyers, researchers and members of business communities across the country. We will be involved in the development of educational materials that will provide Canadians with the tools they need to protect their own privacy.
In conclusion, the OPC is looking for:
- ways to help businesses to adjust to the new legislative environment,
- ways to help individuals understand their rights under the Bill, and
- ways to ensure that the Office deals reasonably and efficiently with both groups.
COMPLAINTS INVESTIGATIONS UNDER C-6 - Gerry Neary
I have been asked today to speak about our complaint experience in the public sector and whether our approach will change when we conduct complaint investigations under C-6, and what will be the similarities and differences in complaint investigations under the Privacy Act and under C-6.
I feel very comfortable in speaking about our experience under the Privacy Act. In speaking of C-6, however, I am to some degree guessing, speculating and gazing into a crystal ball.
Let me begin by speaking to the current means of how we conduct complaint investigations under the Privacy Act.
And I want to talk about this because I believe that the methodology we use in investigating complaints under the Privacy Act has implications for the manner in which we will conduct complaint investigations under C-6.
The Privacy Act gives individuals both personal information rights and a forum for rectifying perceived abuses of the law. That forum is the Privacy Commissioner; a specialist ombudsman, independent of government (the Privacy Commissioner reports directly to Parliament through the Speakers of the Senate and the House of Commons), with his own investigators and considerable powers in the law.
Perhaps the most important thing to understand about our complaint work is that the Commissioner functions as an ombudsman. He has no powers of enforcement and, although this may surprise you, he wants no powers of enforcement. Neither he, nor his staff, wants these powers. The great advantage of this ombuds structure lies in the ability to audit and investigate conduct of government institutions without automatically importing the adversarial atmosphere that would arise if the Commissioner had specific powers of enforcement. The chief strengths in the ombuds role lie in effective research and negotiation with government institutions. As a last resort, and to be used only with clear justification, there is what we can call the power of embarrassment.
In fact, the Commissioner prefers informal methods. Many complaints result from misunderstandings, confusion or simply human error. Sometimes there is an honest disagreement over interpretation of the act. The office's negotiations and explanations have prompted the release of thousands of pages of personal information. This non-confrontational approach can be more time-consuming for the investigator and the organization. However, it pays higher dividends for the complainant than an early (and perhaps costly) recourse through the courts. It also serves as an educational vehicle for the organization's staff.
Should it be necessary, the Act gives the Commissioner and his investigators the power to enter any premises, examine any records (except those designated confidences of the Queen's Privy Council), administer oaths, subpoena documents and compel testimony; he may also initiate his own complaint if he considers circumstances warrant.
In the approximately 17 years since the proclamation of the Privacy Act, the Privacy Commissioner has not had to exercise his quasi-judicial powers. Nevertheless, the powers are there if needed.
Those 17 years of experience that our office has had with an ombuds role for complaint investigation has shown that heavy-fisted enforcement is not necessary to secure the privacy rights of Canadians. Rather than emphasizing confrontation, the ombuds role emphasizes resolving complaints. Perhaps ultimately more important, it emphasizes correcting the underlying problems that lead to those complaints. You will note, of course, that the Commissioner's powers under bill C-6 are similarly restricted to those of an ombudsman. The approach that has been taken to the application of the federal Privacy Act is therefore very much the approach that will apply under Bill C-6.
Of the 20,000 complaints our office has handled since 1983, fewer than a dozen have prompted our recourse to the courts. The office is less a police department than a problem solver. Our approach has always been non-confrontational and non-adversarial - an approach that will be even more necessary in the private sector. We have no intention of arbitrarily crashing through the doors of businesses. To do so would only doom the cause of promoting respect for privacy from the start. Recourse to the courts remains, as under the Privacy Act, a last resort.
Who may complain and about what?
Under the Privacy Act, all individuals present in Canada have the right to apply to see their own personal information and to complain to the Privacy Commissioner that organizations may be improperly collecting, using or disclosing their personal information. Anyone believing the Privacy Act has been contravened may complain:
- if they are denied some or all of their personal information;
- if the organization takes longer than 30 days to respond to their request (or the maximum 60 days with an extension);
- if they are denied their request to correct some of the information on the file, or their right to annotate contested information;
- if the information is not provided in the official language of the applicant's choice (the Act gives the head some discretion to provide material in the other language);
- if they believe that organizations are collecting, using, maintaining or destroying personal information in a way that contravenes the Privacy Act, or that the bank descriptions in the "Info Source" are inaccurate or incomplete.
How is a complaint investigated?
An organization normally hears of a complaint when its privacy coordinator receives a notice in the form of a letter from the Commissioner's office. The notice contains the name of the complainant, the substance of the complaint (whether of delay, denial of access etc.), and the personal information bank(s) concerned. The notice will also identify the investigator assigned to the complaint.
The investigator then gets in touch with the coordinator to describe which records or files he or she needs to examine to conduct the investigation. Investigator and coordinator then arrange to sit down together to review and discuss the material.
The type of material required will depend on the type of complaint: for example, if one of delay, the requirements are fairly simple. The investigator needs to obtain copies of the original request, the organization's acknowledgement, any letter extending the time and citing the reasons for the extension, and the correspondence accompanying the release of the material. The investigation is essentially a matter of calculation (unless the investigator questions the validity of an extension).
However, if - for example - the complainant has challenged exemptions applied to the file, the investigator needs to obtain the original request, copies of the letter of acknowledgement and the material sent to the complainant, the material withheld and the reasons for exemption, and the names of the organization's staff who have been designated to apply those exemptions.
If material has to be taken from an organization's office, the investigator provides the coordinator with a receipt and will either return or destroy the material (according to the organization's preference) when no longer needed.
During the investigation, the organization's staff is encouraged to make any representations they consider relevant. Many complaints are resolved at this stage. Once the investigator has gathered all the relevant facts, he or she may ask the complainant for any further information or representations. The investigator then reports the facts to the Commissioner who makes his decision.
What are the Commissioner's powers?
If the complaint has been resolved, or the Commissioner finds the complaint not well-founded, he writes to the complainant to explain his decision. The investigator advises the privacy coordinator. (In those rare instances when privacy staff are unable to resolve the problem, the Commissioner may write directly to the organization's head advising that he has made an "adverse finding".)
As an ombudsman the Commissioner has no power to order an organization to take a particular action. He relies instead on negotiation and persuasion. However, if the Commissioner believes an organization has improperly denied a complainant access or he is dissatisfied with the resolution of a complaint, he may ask the complainant's permission to have the Federal Court review the denial from the beginning of the process. (Note that the Court does not review the Commissioner's decision.)
Any complainant denied access may ask for a Federal Court review, regardless of the Commissioner's finding. But there is no court review of other types of complaints.
Does the Commissioner report findings publicly?
The Commissioner does not routinely report details of all complaints, choosing rather to include in his annual reports to Parliament the year's statistics and summaries of selected cases which have policy implications or which illustrate effectively how the law works. He describes all audit findings. While the act gives the Commissioner the option of reporting to Parliament at any time that he finds a matter sufficiently "urgent", he has not yet done so.
How the Complaints Process Works under C-6?
Bill C-6 permits an individual to file a written complaint with the Privacy Commissioner against an organization for contravening a provision dealing with the protection of personal information or for failing to follow a provision set out in the Schedule to the bill. As well, the bill permits the Privacy Commissioner to initiate a complaint if he is satisfied that there are reasonable grounds to investigate a matter.
The bill requires the Privacy Commissioner to conduct an investigation in respect of a complaint and gives him the power to summon witnesses, administer oaths, receive evidence, enter premises and examine documents.
The bill also provides financial penalties for knowingly obstructing the Commissioner's investigation.
As you listen to the Commissioner's powers, keep in mind his ombuds role. He has substantial powers to investigate. These powers are not granted to be heavy-handed but to ensure the Commissioner understands what prompted the complaint. From a thorough investigation comes effective understanding of the organization's operations. And from that understanding comes effective mediation and resolution - not orders.
The Commissioner does not have the power to issue binding orders. Rather, the Commissioner will attempt to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation.
Once an investigation is completed, the Privacy Commissioner must prepare a report, setting out the findings and recommendations and any settlement reached by the parties. If appropriate, he may also ask the organization to advise him, within a specified time, what action it has taken or proposes to take to implement any recommendations, or reasons why it will take no action. The report will also outline the recourse, if any, that is available. The report will be sent to both parties without delay.
A report is not required if the Commissioner is satisfied that the complainant ought first to exhaust existing grievance or review procedures, such as the organization or industry's complaint resolution process. The Commissioner also need not report if he concludes that the complaint could be more appropriately dealt with under other existing laws, or that so much time has elapsed between the date of the complaint and the incident that a report would serve no useful purpose. Finally, he need not issue a report if he considers the complaint trivial, frivolous or vexatious, or made in bad faith.
In the vast majority of cases, consultation and negotiation resolve disputes. The federal Privacy Commissioner issues no orders but can apply for a Federal Court review on behalf of a complainant.
The Federal Court has broad powers to grant remedies. These include ordering an organization to correct its practices to comply with the bill, ordering an organization to publish a notice of any action taken or proposed action to be taken to correct its practices, and awarding damages to the complainant, including damages for any humiliation that the complainant has suffered.
Bill C-6 is therefore not without some teeth. It is a criminal offence to obstruct the Commissioner during an investigation or audit or knowingly dispose of information that is the subject of a request by an individual. The bill also makes it a criminal offence for employers to take various retaliatory actions against employees. Employers cannot dismiss, promote, discipline or otherwise disadvantage employees who report a contravention of the bill to the Privacy Commissioner, who refuse to contravene the data protection provisions, or who have done or stated an intention to do anything to prevent a contravention of the bill's privacy provisions.
Some of these provisions may sound particularly harsh. In fact, they reflect the importance that is attached to protecting personal information. However, as my remarks to this point have shown, it is also that the Privacy Commissioner does not intend to pursue the goals of this legislation through unnecessary confrontation. Nor, I believe, will his successors, if they wish to see truly effective private sector data protection.
In closing, I would like to point out that this office has almost two decades of experience as an independent ombudsman. As mentioned, it has handled more than 20,000 complaints involving scores of government departments and agencies with widely differing functions and management systems. Yet the number of cases referred to the Federal Court can be counted on the fingers of one hand, primarily because, overall, the recommendations made by the Commissioner are perceived as impartial and, we believe, informed and fair.
And we intend to carry that philosophy and practice into the regime under C-6.