Electronic Commerce and Privacy Legislation: Building Trust and Confidence
Notes for Riley Information Services Inc. Seminar Electronic Commerce: The Personal Information Protection and Electronic Documents Act and the Role of the Office of the Privacy Commissioner
February 23, 1999
Director, Issues Management & Assessment
(Check against delivery)
Let me start by giving you a little background about the Office of the Privacy Commissioner: what we do; how we operate; and how we propose to operate under Bill C-54.
The Office for which I work is a creation of the federal Privacy Act. The office and the position of Privacy Commissioner were established in 1983 as an independent ombudsman to investigate complaints from the Canadian public about the federal government's handling of personal information.
At its heart, the federal Privacy Act is an "information handlers code of ethics". It is a code of fair information principles which recognizes individuals' inherent right of ownership of their personal information. It requires government to collect data directly from those people wherever possible. It obliges government to tell people why the information is needed and how it will be used. It requires government to protect that data from unauthorized or unrelated uses and disclosures. It gives individuals the right to examine their information. And finally, it puts in place an independent ombudsman (our office) to resolve problems and oversee compliance.
The law and thus our office's authority extend only to about 120 federal government institutions. We have no jurisdiction over the provincial, municipal or private sectors (although the public often sees us as the office of last resort.)
As it stands, the label "Privacy Commissioner" has encouraged Canadians to think of the federal Privacy Commissioner as the guardian of every aspect of their privacy rights. They complain to us if they are denied information they have requested, or if they feel that a government department is collecting, keeping, or misusing their information in a way that contravenes the act. Since 1983, we have conducted over 17,000 investigations of complaints that government departments have contravened the act.
In that regard, our office is a persuader, not an enforcer. But, if needed, we have the power to compel documents and evidence under oath, to report urgent matters directly to Parliament, and to take some matters to Federal Court.
As well, people call and write us about anything that touches on their personal privacy. This can include junk mail, social insurance numbers, credit card applications, video surveillance, and cross border shopping. Recently, these calls and letters run to more than 10,000 a year. Since 1983, we have handled over 70,000 inquiries from Canadians on all manner of topics that touch on their personal privacy.
We also audit government compliance with the act by examining government departments and how they manage their personal information holdings. Finally, we try to sensitize the public to privacy issues. For example, we have issued major studies dealing with the privacy implications of Drug Testing, AIDS, and Genetic Testing.
Perhaps our most important role is one neither spelled out in the law nor funded. That role is as an educator and an advocate for Canadians' privacy rights. We would risk irrelevancy if we do not follow, and speak out on, the issues that potentially threaten our privacy. Well, that is what we do.
What does Bill C-54 propose for the Office of the Privacy Commissioner? Well, unlike the Privacy Act, the bill mandates the Commissioner to conduct public education. This includes developing and conducting programs to foster public understanding of the intent of the legislation, researching privacy issues, and encouraging organizations to develop detailed policies and practices to comply with Part 1.
Several observers have commented that the most important role of the Privacy Commissioner may be to study and comment on emerging privacy issues, provide advice and guidance to industry, inform consumers about privacy risks and methods of enhancing personal information protection and report to government about significant privacy concerns.
Part 1 of Bill C-54 (that is, the privacy section) also gives the federal Privacy Commissioner oversight responsibility with substantially the same review powers as exist under the Privacy Act. He is to receive and investigate complaints, as well as to investigate business collection, use, retention, and disposal of personal information.
As you listen to the Commissioner's powers, keep in mind his ombuds role. He has substantial powers to investigate. These powers are not granted to be heavy-handed but to ensure the Commissioner understands what prompted the complaint. From a thorough investigation comes effective understanding of the organization's operations. And from that understanding comes effective mediation and resolution, not orders.
So, as an ombudsman, the Commissioner may respond to written complaints from individuals concerning either the provisions of Part 1 or Schedule 1 (the CSA Code).
The Commissioner may also initiate his own complaint if satisfied that there are reasonable grounds to investigate a matter under Part 1.
And, to investigate complaints, the bill provides the Commissioner substantial investigative powers, such as summoning individuals, administering oaths, and compelling evidence and the production of records.
The bill also provides financial penalties for knowingly obstructing the Commissioner's investigation.
The Commissioner does not have the power to issue binding orders. Rather, the Commissioner will attempt to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation.
Once an investigation is completed, the Privacy Commissioner must prepare a report, setting out the findings and recommendations and any settlement reached by the parties. If appropriate, he may also ask the organization to advise him, within a specified time, what action it has taken or proposes to take to implement any recommendations, or reasons why it will take no action. The report will also outline the recourse, if any, that is available. The report will be sent to both parties without delay.
A report is not required if the Commissioner is satisfied that the complainant ought first to exhaust existing grievance or review procedures, such as the organization or industry's complaint resolution process. The Commissioner also need not report if he concludes that the complaint could be more appropriately dealt with under other existing laws, or that so much time has elapsed between the date of the complaint and the incident that a report would serve no useful purpose. Finally, he need not issue a report if he considers the complaint trivial, frivolous or vexatious, or made in bad faith.
The Privacy Commissioner also has the powers to audit the personal information practices of organizations if he has reasonable grounds to believe that the organization is contravening the provisions set out in Part 1 or Schedule 1. To conduct such an audit, the Commissioner may employ the same powers he is granted for investigations.
Once an audit is completed, the Commissioner provides the audited organization with a copy of the audit report and any recommendations he considers appropriate. Details from this report may be included in the Commissioner's compulsory annual report to Parliament on the application of Part 1.
What does this all mean to business? We have heard expressions of concern over the Commissioner's power, in large part, we believe, because people fear things in proportion to their ignorance of them. And these expressions of concern over the role of the Privacy Commissioner may well be out of ignorance of what we do.
So, how do we conduct ourselves? Well, the Privacy Commissioner is an independent ombudsman - a term that requires some explanation.
Traditionally, ombudsmen are seen as a protection against bureaucratic mistakes and abuses of power. They deal with the average citizen's complaints about unfair administrative actions. They are often referred to as "watchdog" agencies or advocates for the little guy. They strive to right the imbalance between the powerless individual and the powerful organisation.
Ombudsmen are also politically independent and impartial and this independence is the most critical factor to the effective oversight of administrative functions.
Ombudsmen's influence is derived from this objectivity, and their specialised knowledge, experience and competencies. When these are unpersuasive, their last resort is to secure remedial action publicly through the press or reports to Parliament.
Unlike courts, ombudsmen handle complaints directly, informally, speedily and cheaply. They do not have the power to make binding decisions and their offices are not a substitute for existing appeal procedures. They resolve disputes using mediation and persuasion.
Finally, ombudsmen are intermediaries who can facilitate relationships between an organisation and its clients. On the one hand, ombudsmen can help an organisation better understand the needs of its clientele. On the other, they help improve the public perception of organisations by contributing to better services.
The Privacy Commissioner maintains that the essence of successful oversight is maximum reliance on consultation, conciliation and negotiation, and only minimum resort to coercion and compulsion.
Just as public credibility demands the openness and impartiality which only independent oversight can provide, so commercial confidence in the process requires a system which recognizes the complexities of business and assumes that goodwill and patience are more effective than heavy-handed and arbitrary approaches.
The ombudsman concept embodied in the federal Privacy Act has proved the success of this approach. In the vast majority of cases, consultation and negotiation resolve disputes. The federal Privacy Commissioner issues no orders but can apply for a Federal Court review on behalf of a complainant.
This office has almost two decades of experience as an independent ombudsman. As mentioned, it has handled more than 17,000 complaints involving scores of government departments and agencies with widely differing functions and management systems. Yet the number of cases referred to the Federal Court can be counted on the fingers of one hand, primarily because, overall, the recommendations made by the Commissioner are perceived as impartial and, we believe, informed and fair.
We suggest that this oversight model offers some assurance of democratic process in an increasingly technological and complex society and should appeal to the federally regulated private sector. It demonstrates an appreciation of the complexities of business and assumes that goodwill and patience are more effective than coerced "solutions". Specifically, this model is sensitive to particular organizational problems, yet still encourages the uniform application of privacy principles. Equally important, it avoids proliferating bureaucracies and unnecessary costs. The best route to a "level privacy playing field" is also the simplest.
Finally, to move back from the specifics of our role to the impact of the proposed bill itself, let me close with a quote from the marketing head of American Express, a company which knows something about the rules of personal information management and protection, who said:
"Our future as never before depends upon our respect for the patience and privacy of each consumer."
"We must remember that we are essentially intruders. We weren't invited into the customer's home. We weren't invited to call them on the telephone."
"The customer's database can become our most powerful (marketing) tool, or (it can become) a tool of destruction which erodes customer confidence and ultimately takes our future out of our hands."
I am convinced that organizations have nothing to fear from making the protection of their customers' information a business priority. Don't worry about customers knowing more about the personal information you maintain. Worry more about their general ignorance about the way your business handles that information and the suspicion, worry and lack of confidence that generates.
Assuring consumers that you're taking care of their information by respecting their privacy can be a positive sell. It's good records management, it's good employee relations, it's good customer relations, and, in the end, it's simply good business.