Trans-Union of Canada
Semi-Annual Breakfast Meeting
June 5, 2001
Privacy Commissioner of Canada
(Check Against Delivery)
I don't normally speak at functions of private companies. As an independent Officer of Parliament, I need to guard against any appearance that I might be endorsing a particular company-and I'm emphatically not doing that today.
But I made an exception to my rule today, because I think it's very important for the consumer reporting industry, and those who use consumer reporting services, to know about the Personal Information Protection and Electronic Documents Act, the new federal privacy legislation for the private sector.
This new act is critical to the way business will be done in this country from now on. Consumer reporting agencies deal in personal information-that's what their business is about. So they have a particular interest in this new legislation.
For those of you unfamiliar with my role, let me explain that I am an Officer of Parliament, appointed for a seven-year term to be the independent guardian and champion of the privacy rights of Canadians.
I don't work for, or report to, the government. I work for and report directly to the people of Canada, through Parliament.
I am mandated to oversee and enforce two critical pieces of national privacy legislation: the Privacy Act, which governs the personal information practices of Federal government institutions, and the new Personal Information Protection and Electronic Documents Act, which does the same for the private sector. The first phase of this new act came into effect in January 2001.
Before I talk to you about the specifics of the act, I want to talk about privacy itself-about why it's so important that Canada has legislation and a Privacy Commissioner to protect it.
Privacy is a critical element of a free society-it's "at the heart of liberty in a modern state," as Justice La Forest of the Supreme Court has said.
That's because there can be no real freedom without privacy. None of us wants to go through life feeling that at any moment someone may be, either metaphorically or literally, looking over our shoulder. If we have to weigh every action, every purchase, every statement, every human contact, wondering who might find out about it, judge it, misconstrue it, or somehow use it to our detriment, we are not truly free.
In fact, many have suggested that privacy is the right from which all others flow-freedom of speech, freedom of association, freedom of choice, any freedom you can name.
That's why lack of real privacy is a distinguishing characteristic of so many totalitarian societies.
And that's why privacy is not only an individual right-it's also a shared value, a social, public good. Our society as a whole has a stake in the preservation of privacy.
We need to turn around the widespread idea of the privacy of the individual being balanced against the interests of society. The interests of society include the privacy of individuals. When privacy is lost, the individual feels it, of course, but society is the real loser.
We cannot continue to have the kind of society that we all want-a free, open and democratic society in which we all have the autonomy to fulfil ourselves-unless the right to privacy is respected.
That doesn't mean that privacy is an absolute right. Sometimes some of it has to be sacrificed to advance other crucial social objectives.
But if we make too many trade-offs, accept too many calls to give up a little privacy here, a little privacy there, soon we'll have no real privacy, and no real freedom.
So, when someone proposes a limitation, a trade-off for some other objective, we need to scrutinize it very, very carefully. Is there really a need that clearly outweighs the loss of privacy? Will sacrificing privacy really achieve the objective? Is there a less privacy-invasive way to achieve the same objective?
Though we all value privacy, it's not always clear what people mean by it. I think how you define it is important to understanding how it's at risk, and how to protect it.
It used to be common to think of privacy as the right to be let alone, and that's still how a lot of people understand it. It's that gut-level concern that people have about wanting to go about their peaceable, lawful business without being monitored or bothered.
But there's another kind of privacy invasion that's less obvious, and that's the collection and compiling of information about us without our knowledge or consent.
That's why I define privacy as the right to control access to one's person and to information about oneself.
And it's this broader, informational concept of privacy that leads me to believe that privacy will be the defining issue of this new decade.
That's because we are at a crossroads.
Until relatively recently, privacy was protected pretty much by default. As long as information about us was in paper records, and scattered over a whole lot of locations, someone would have to go to a lot of trouble to compile a detailed dossier on any individual.
So unless you were very famous, or very important, or... had done something really bad, your privacy was pretty safe.
But now the move to electronic record-keeping and networked computers is eating away at those barriers-barriers of time and distance and cost-that once guarded our privacy from all but the most determined of snoops.
Now some stranger at a computer keyboard can compile an amazingly detailed dossier on your whole life, literally in minutes.
The choices we make in confronting these threats to privacy will determine what kind of world we leave for our children and grandchildren.
One of the choices we as a society have made is to enact legislation, the Personal Information Protection and Electronic Documents Act.
Let me point out a couple of things to put this legislation in perspective for you.
First, it's not some bureaucrat's dream of the way society should be. The act is based on the principles in the Model Code for the Protection of Personal Information drawn up by the Canadian Standards Association, in consultation with business, consumer groups, and government. It is based on the reality of the marketplace.
Second, this legislation does not set Canada apart.
Virtually every other industrialized nation in the world either has legislation like this, or is in the process of putting it in place. The only significant exception is the United States, and there, the question is not whether these principles are valid, but what is the best way to put them into practice.
So, while the new act is definitely a step forward for privacy in Canada, it really just brings us up to speed with the rest of the world.
With those points in mind, let me describe for you now the basics of the new legislation.
What the new act says, in a nutshell, is this:
Apart from some very limited exceptions, no private sector organization covered under the law can collect, use or disclose personal information about someone without their consent.
It can collect, use or disclose that information only for the purpose for which they gave consent. And even with consent, it can only collect, use or disclose information for purposes that a reasonable person would consider appropriate.
People have the right to see the personal information that is held about them, and to correct any inaccuracies.
There is oversight, through me and my office, to ensure that the law is respected, and people have a means of redress if their rights are violated.
The act applies to personal information collected, used, or disclosed in the course of commercial activities.
You probably know that the act is being implemented in stages, over a period of three years.
In the current stage, which began in January of this year, it applies to personal information, other than health information, of customers or employees of federal works, undertakings, or businesses-principally banks, telecommunications, broadcasting, and interprovincial or international transportation.
It also applies to personal information-again, other than health information-in any commercial activity when the information is disclosed across provincial or national boundaries for consideration. If you're wondering what "disclosed for consideration" means, it's basically legalese meaning that you get something in exchange for it-for example, through sale, lease, or barter.
Disclosing personal information for consideration, of course, is what consumer reporting agencies do. That's why the act applies to your industry.
That's the first stage. The next stage starts in January 2002, about six months from now. At that time, the act will extend to include personal health information of customers and employees of federal works, undertakings or businesses, and of anyone else if it's disclosed across borders for consideration.
The final stage comes in 2004. At that time, the act's coverage will be extended to all commercial activities in Canada-with one significant exception. In provinces that have passed privacy legislation that is "substantially similar" to the federal act, the federal government can exempt all or part of the provincially-regulated private sector from the application of the act. Federally-regulated businesses in those provinces and information disclosed across borders will continue to be governed by the act.
So eventually all of the private sector in Canada will be required to comply with the federal law or a provincial law very much like it.
What happens if someone complains to me about the way a company handles personal information?
I generally take a non-confrontational approach. As an ombudsman, I try to resolve the complaint through mediation and discussion.
I do have considerable powers, however-the law does have teeth. I can subpoena witnesses, and, if necessary, enter and search premises. But in 20 years of administering the privacy law for the public sector, my office has never had to use those powers, because voluntary cooperation was always forthcoming. I very much hope that will be the case with the private sector as well.
I also have powers at my disposal for those instances-which I hope will be rare-where I find that an organization is, in fact, violating privacy rights, and it refuses to do the right thing.
First of all, I have the power of disclosure. I can make public-in a report to Parliament, in a press release, or in any way I choose-that I find an organization to be in violation of the law. This is significant, as I'm sure you can appreciate. No company wants to be seen publicly as violating the basic privacy rights of its customers.
I also have the power to go to the Federal Court and ask it to order an organization to do, or cease doing, whatever is necessary to come into compliance with the law. I can ask the court to award damages, including damages for such things as humiliation, to anyone whose privacy rights have been violated.
But I don't like to dwell on the enforcement end of things. It's more productive for us all to look at how to conduct business consistently with the new legislation.
So, what does all this mean for consumer reporting agencies, and for the credit granting industries that work with them and use their products?
To answer that, let me begin by directing your attention to what are, to my mind, the three fundamental principles in the act.
One is that organizations wanting to collect, use, or disclose personal information may only do so for purposes that a reasonable person would consider appropriate.
Privacy advocates refer to this as the justification principle. What it means is that it's not sufficient just to tell people that you are collecting, using, or disclosing their information. That's necessary, but it's not sufficient. You have to be able to justify it.
For example, to subscribe to a magazine you have to be prepared to give them a mailing address. They've got to tell you that they're collecting it and why, but you're not going to object. That's something a reasonable person would consider appropriate.
If you want to apply for a loan, the potential lender needs to know your income and hence your ability to repay, whether you have a good record of repaying your loans in the past and so on-otherwise, the transaction is impossible. Again, the lender needs to tell you what it's doing, but obviously, a reasonable person would see that this is appropriate, and would not object.
On the other hand, if an airline said you can't fly with us unless you consent that we can disclose all your travel information to anyone we want, a reasonable person would not find that appropriate. It's not enough that the airline tell us that it's going to collect, use, or disclose our personal information. What it's proposing has to be justifiable.
The next principle is consent. Any time you collect, use, or disclose someone's personal information you have to have his or her consent. The act allows some very limited exceptions, but they are just that: exceptions to a general rule.
These two principles, justification and consent, are the basis of the right of privacy at the heart of the act. It's these principles that say that we as citizens will determine whether and how much of our personal information can be collected, and what can be done with it. It's these principles that give us control over access to ourselves and information about ourselves.
The third principle is the right of people to see the personal information that is held about them, and to correct any inaccuracies.
This principle allows people to exercise their right of privacy-their right to control information about themselves. It's the linchpin, the thing that gives effect to privacy rights. Without it, the act's protections would be purely formal.
Now let's look at your industry with these principles in mind: justification, consent, and access.
Shall we talk about credit scoring?
Is the personal information that goes into credit scores collected, used, and disclosed for reasonable, justifiable purposes?
Has the information been collected with consent, and is it being used and disclosed with consent? I know it's not consumer reporting agencies that get consent, but as secondary users of the data, I would expect that you would be working with your clients on this.
I'm talking about real consent. I'm not talking about an open-ended "I consent to any use of any information about me by anyone," as a condition of someone getting a loan or some other service.
When consumers are asked to sign consent forms, they have to be told what they are consenting to. If the information that they provide in a credit card application is going to end up being used by a different bank two years later, they've got to know that up front.
It's not going to be self-evident to consumers that certain information they provide will find its way into a credit score. You can't assume that when they provide their age, address, and occupation, they understand that this will be used to develop a statistical profile of their credit worthiness. So you've got to be transparent about things like this. It's their information. Tell them what you're going to do with it. And tell them in language that they can understand.
If consumers are going to be satisfied that credit scores are something that a reasonable person would consider an appropriate collection, use, and disclosure of personal information, they've got to have access to them. That's how the law gives effect to their right to control their personal information: it requires that they be given that access.
I've heard a lot of the arguments about why credit scores should not be released to consumers. You might as well know that so far I'm not persuaded by them.
Credit scores are personal information. A score is compiled from information about an individual's payment history, employment, personal circumstances, what have you. It purports to be predictive about the risk presented by that individual. It's used to make a decision affecting that individual. A credit score is an opinion about that individual and as such, I cannot help but see it as personal information.
That is personal information. As such, consumers have a right of access to it under the act.
And, as the credit reporting agencies themselves have pointed out, it's not enough to give them access to a number that they don't understand. They have to have access to meaningful scores, so that they know what information you hold about them, and what decisions about them that information will lead to.
I understand that some of you may be troubled by the prospect of consumers taking unfair advantage of their access rights under the act. There are concerns about consumers trying to suppress or conceal valid information about their payment history or other risk factors.
Look: access is not a licence to erase valid negative information. Canadians have had a right of access to their personal information held by government institutions for over 20 years now. It works. And in most provinces they have access rights under consumer reporting legislation. You've managed to live with it.
Sure, there will always be a few who try to use the law unfairly. It may be that what you're concerned about is those few people abusing the complaint process under the act. I believe that the act, and a diligent staff in my office, provide reasonable protection against that.
But, by the same token, be prepared for these access provisions. Make sure that what you're doing with personal information would be seen as appropriate by a reasonable person. Bear in mind that, for all intents and purposes, if there's a complaint about this, and people can't come to some kind of reasonable agreement about it, the law makes me, as Privacy Commissioner, the proxy for the reasonable person.
I want to conclude by giving you an assurance.
I'm not going to assure you that the act will be dead easy to comply with. You've got challenges ahead.
And I'm not going to assure you that you won't get complaints, or that you and I will always see eye to eye. My staff and I are here to help solve problems, but we know that there will be times when our views diverge from yours.
The assurance that I can give you is that good privacy practice is good business.
As businesspeople, you all understand the need to assess the overall business environment, to understand what people are thinking, so you can direct your activities as effectively as possible.
Privacy-not just legislation, but the way people are thinking about privacy-is a significant part of the business environment.
There is what I would call a "culture of privacy." People are aware of it, and of the risks to it. They're taking an active interest in protecting it. They're not tolerant of breaches of it. And when something happens to their privacy, they're not keeping it to themselves. They're letting the world know about it.
I don't have to tell anyone here that losing in the court of public opinion can be far more costly than any damages a judicial body might assess.
Look at the privacy-related public relations disasters of the past couple of years. Look at cookies and web bugs; look at DoubleClick. Look at the infamous Longitudinal Labour Force File set up by Human Resources Development Canada.
We know that access to personal information is essential to business. We know that that can be beneficial to customers.
But, in the new culture of privacy, businesses that want access to an individual's personal information must respect limits. They must have the individual's consent. They must be open with people about their personal information.
If they ignore this, it's at their peril.
Privacy has become part of the product. A company can offer its customers a product that meets the minimum standards, or it can offer a product that reflects the organization's commitment to excellence.
A business can look at the new federal privacy legislation and do exactly what the law requires, or it can look at the business environment, at what people are thinking, and do what the customer requires.
So what does the new act mean for you? Yours is an industry that has received its share of criticism from consumer advocates and privacy people. This new legislation gives you a chance to get with the program. It gives you a window of opportunity to change the public perception, to show that your industry can be consumer-friendly.
Accept that this new law reflects a new culture, that it's the way business is going to be done from now on. Find a way to put control of personal information back into the hands of the people whose information it is. Make those credit scores accessible-and I mean really accessible: meaningful, easily comprehensible, and not conditional on some exorbitant fee. Get your credit-granting partners on side, and make those consents meaningful-make them explicit and informed and limited to reasonable purposes.
Showing respect for privacy is part of showing respect for your customer, and respecting your customer is the cornerstone of a good customer relationship.
The bottom line is that good privacy is just good business-and in a culture of privacy, better privacy is even better business.
Thank you. In the time remaining, I'll be happy to try to answer any questions.