Speeches

Government of Ontario's Proposed personal health information legislation (Bill 159)

An address to the Legislative Assembly of Ontario, Standing Committee on General Government

February 8, 2001
Toronto, Ontario

George Radwanski
Privacy Commissioner of Canada

(Check Against Delivery)


Thank you, Mr. Chairman, Honourable Members. Good morning.

I'd like to start by expressing my appreciation for the invitation to speak to you today.

Privacy is an issue of importance to all Canadians, and your invitation is an excellent example of cooperation across levels of government.

This legislation is a very serious matter. I regretfully find that, in its current form, it is an assault on health privacy rights, not a defence of them.

The legislation appears designed, in fact, to ensure that the Government of Ontario-and a virtually unlimited range of other organizations and individuals-could have unrestricted access to the most private health information of every Ontarian.

I have very serious concerns about this. And I am grateful for the opportunity to bring these concerns to you, and to the people of Ontario, in this forum.

I know that you heard yesterday from the Ontario Information and Privacy Commissioner, Dr. Cavoukian, and that she expressed many of the same concerns I will be sharing with you today. But in those instances where it may sound like we're covering the same ground, I trust that you will regard that as not merely repeating, but reinforcing a message that very much deserves reinforcement.

I know that you will also be hearing from representatives of many interest groups, and that there are some who might consider privacy advocates to be just another such group. But if that's true, then it is a very large interest group. All of us, when it comes to our own lives, are advocates for privacy,

None of us wants to go through life feeling that at any moment someone may be, either metaphorically or literally, looking over our shoulder. If we have to weigh every action, every purchase, every statement, wondering who might find out about it, misconstrue it, judge it or somehow use it to our detriment, we are not truly free.

That is why privacy is a fundamental human right, recognized in the United Nations Declaration of Human Rights. And no aspect of privacy is more fundamental than the privacy of our health information-information about the state of our own bodies and minds.

In the 1920's, Justice Louis Brandeis of the United States Supreme Court defined privacy as "the right to be let alone." But today, we may think we are alone, while our privacy is being invaded from a distance by ever more sophisticated methods of surveillance and information-gathering. So I would define privacy as the right to control access to one's person and to information about oneself.

And in an age when information crosses oceans and continents at the click of a button, when information-personal information-has itself become a commodity, that right to privacy is under threat as never before.

I have said many times since I assumed this position a few months ago, and I will say it again today: I believe that privacy will be the defining issue of this new decade.

That's because we are at a crossroads. The choices we make now, the paths we follow over the next few months and years, will to a very large extent define the type of society we leave to our children.

Until relatively recently, privacy was protected pretty much by default. As long as information about us was in paper records, scattered over many locations, someone would have to go to a great deal of trouble to compile a detailed dossier on any individual.

Now, the move to electronic record-keeping is eating away at the barriers of time and distance and cost that once guarded our privacy from all but the most determined of snoops. We are also under almost constant surveillance. Cameras record us at the bank machine, at the corner store, at the casino-and biometric recognition technologies can rob us of our anonymity. Computers record every time we use an electronic passcard to enter or leave our workplace, or our parking garage.

The personal information that is being collected about every one of us, just as a matter of routine, is mind-boggling. Debit card records, credit card records, telephone records, the movies we rent, the books we borrow, the Web sites we access.

The surveillance is so pervasive, the databanks so diverse and the computer networks so efficient that individuals have no idea who has what personal information about them, let alone what's being done with it.

This is why we now have the federal government's new Personal Information Protection and Electronic Documents Act, in effect since January, to give Canadians clear privacy rights in their dealings with the private sector. And it why we have a federal Privacy Commissioner who has been given the mandate to see that this law is respected.

It's what civilized societies do: Recognize certain fundamental rights, and do what they can to keep them from being abused.

And so I appear before you today as the Privacy Commissioner of Canada-an Officer of Parliament, appointed to be the guardian and champion of Canadians' right to privacy.

The Privacy Commissioner of Canada does not work for or report to the government. The Privacy Commissioner works for and reports directly to the people of Canada, through our national Parliament.

It is my responsibility as the Privacy Commissioner of Canada to stand up for the privacy rights of all Canadians. The right to privacy is not divisible.

It cannot be respected federally and violated provincially. It cannot be respected in one part of the country and violated in another. The door to our personal information is either closed or open. If it is open, it makes little practical difference which level of government has done the opening-our privacy is lost.

This is made very clear in the federal Personal Information Protection and Electronic Documents Act. In jurisdictions that do not have substantially similar legislation in place by the beginning of 2004, the federal Act will apply to the entire commercial sector.

To that end, the Privacy Commissioner of Canada is mandated under this Act to report to Parliament on the extent to which provincial governments have passed legislation that is substantially similar.

I believe that it is therefore very appropriate, and very necessary, for me to take this earliest possible opportunity to tell you that it is my considered opinion that the proposed legislation you are examining would fall fundamentally short of meeting this test.

It is not substantially similar. It is radically different-in content, spirit, and apparent intent.

It is worth pointing out here that the new federal privacy law does not qualify as ground-breaking legislation. It does not set Canada apart and it does not impose any kind of regulation that our trading partners are not prepared to implement or have not implemented already.

The federal Act is based on a set of internationally-accepted principles of fair information practices, principles that have been refined to suit the Canadian reality through several years of consultation with Canadian business, consumer and other groups.

There is no doubt that the federal legislation represents a significant a step forward for privacy in Canada, but it really does no more than bring us up to the minimum international standard.

It recognizes the fundamental value of allowing individuals to retain some control over their personal information, and provides them with certain legal remedies and protections when they feel their privacy rights have been violated.

These protections are all the more critical when the privacy and confidentiality of our personal medical information is involved. I can think of few other areas of our lives where we would want greater control than over our health information.

When we talk about confidentiality, we are talking about trust. When we take someone into our confidence and share something personal about ourselves, we do so in the belief that we can trust that person not to divulge the secret to anyone else.

This concept of trust is at the very heart of the doctor-patient relationship.

As far back as the days when the Hippocratic Oath was first conceived, it was understood that there can be no effective physician-patient relationship unless patients can feel free to be totally open and candid about their symptoms, habits, lifestyles and concerns.

Doctors cannot provide good diagnosis and treatment without full information, and people are not likely to surrender full information if they fear it might somehow be used against them.

Even though we may not know our physicians especially well on a personal level, we know they have taken an oath to respect our privacy. We trust them to respect that oath. We tell our doctors things about ourselves we might not share even with our spouses-let alone our employers, our bankers, casual acquaintances or the government.

This privacy of personal health information is not only a fundamental human right. It is also a very important social good.

We all have a stake in ensuring that our society as a whole is as healthy as possible. We all benefit when health care costs are kept down through early diagnosis, treatment and prevention programs; when contagious ailments are identified as early as possible, and when people with conditions that might cause accidents in the workplace or on the roads have them diagnosed and treated before harm is done.

And yet it is no exaggeration to fear that lack of confidence in the privacy of health information could lead people to avoid seeking treatment. If someone is feeling severely stressed and angry at work, is that person likely to share this with their doctor and get psychological help if there were even a chance that word might immediately get back to his employer?

Is someone more or less likely to get a recommended blood test if all the details of the results might become known by an endless array of unknown third parties?

Those choices are likely to be shaped by the realization that a violation of health care privacy can be catastrophic for the individual. It could change your entire life, and deny you a whole range of opportunities.

Suppose, for instance, that your genetic profile were revealed to an especially interested party. Your entire family could be stigmatized for generations to come.

If you think that this is far-fetched, I would draw to your attention that-this week-the newspaper The Independent in London reported that the Council for Responsible Genetics in the United States has identified more than 200 cases of genetic discrimination in employment.

And these are cases where individuals lost or were denied employment even though the statistical risk of a debilitating condition arising was small, where the condition would not arise until much later in life, or where the condition could be treated.

So these are not hypothetical concerns. As with so many other aspects of our privacy, the security of this most personal of trust relationships-the relationship between patients and health care providers-is threatened.

There is a powerful and steadily-increasing demand for our personal health information from any number of secondary users. Much of the time, we don't even know who they are.

The Canadian Medical Association has recognized the threat, and has responded with its excellent health information privacy code.

But with legislation like you are examining today, we are staring at the possibility of a user fee no one could have imagined: we cannot allow our privacy to become the price of admission to our health-care system.

Patients have a right to expect and be entirely confident that health information about them will not be collected beyond what is necessary for their care. They must be confident the information will not be used for any purpose other than their care, or disclosed for any reason other than their care. Certainly they must be confident it will not be put to any use that could do them harm.

In my view, the proposed Personal Health Information Privacy Act falls desperately short of meeting that standard in a number of critical areas:

It permits far too many people to access, collect, use and disclose personal information, often without regard to whether it is necessary for the care of the individual.

It gives the Minister of Health-that is to say, the Government of Ontario-broad powers to access and disclose personal health information at will, through regulation.

It permits the collection, use and disclosure of personal health information without the consent of the individual in far too broad a range of circumstances.

It denies individuals ready and assured access to their personal health information, as well as the means to correct it.

It fails to provide the powers of oversight needed to ensure that privacy rights are respected, and effective means of redress when these rights are violated.

Let me now turn to the specifics.

But I have to begin by telling you that this legislation is so extraordinarily convoluted that one would have to go through it clause by clause to parse all the exceptions, loopholes and openings for regulation that make most key provisions mean something quite different than what might at first appear.

That would probably take all day, not the limited though generous time I am accorded this morning. So, even though this is meant to be a technical briefing, I am going to have to provide a somewhat broader and more thematic, less technically detailed, overview than might be ideal.

That being said, the first major flaw of the bill is the lack of effective restriction on how and by whom personal health information may be accessed, collected, used and disclosed.

This problem begins in Section 2 with the almost absurdly broad listing of who qualifies as a health information custodian-that is, a person who can lawfully have custody or control of your health information.

This list includes obvious health care providers such as doctors, hospitals, pharmacies, and laboratories. But it also includes many others that a patient would not be likely to see as having any legitimate business accessing such deeply private information, including the Minister, members of district health councils-and absolutely anyone else the Cabinet decides to designate by regulation.

In my view, there is something fundamentally wrong, right from the outset, with legislation that says the Minister of Health has exactly the same right to hold your personal health information as your own doctor.

Although Section 12 would appear to set some limits on the collection, use and disclosure of personal health information, the wording of the section is often vague. And even where limits are clear, they are often qualified by statements such as "more than reasonably necessary" and "to the extent reasonably possible."

The limits on collecting, using and disclosing personal health information are made weaker still by the fact that they would not apply to most of the people who do these things.

As long as the information was being collected or disclosed "for the purpose of providing, or assisting in providing, health care to an individual," then doctors, hospitals, pharmacists, nursing homes, laboratories and others would not be bound by these limits.

There is no explanation why, for example, these custodians should be allowed to collect more information than they need to meet a specific purpose-a standard test under accepted fair information practices.

Cancer Care Ontario and registries of various diseases and conditions are also exempted from the limits on collection, use and disclosure, although it is not clear why. By including these organizations, the proposed legislation stretches the definition of "providing or assisting in providing health care to an individual" beyond what most would consider reasonable.

If Bill 159 provides few meaningful limits on the collection of personal health information, there are even fewer limits on disclosure.

Section 12, subsection 9, and Sections 29, 30, 31, 32 and 36 together allow for the disclosure of personal health information in a wide range of situations, with few limits.

With very few exceptions, these sections would allow anyone from a hospital administrator to a graduate student researcher to have access to your personal health information without your permission, without your knowledge, and without regard to whether it is necessary for your health care.

So that's a brief overview of problems related in general to collection, access and disclosure.

The second major failing of this Act is the broad discretionary power it gives the Minister of Health to override its provisions.

Section 30 allows health care custodians to disclose personal health information to the Minister for a variety of reasons. This section also allows the Minister to disclose personal health information to anyone the Minister designates by regulation. And the next section allows the Minister to order disclosure of an individual's personal health information.

These disclosures of personal information to and by the Minister can take place with virtually no accountability. There are provisions for a review by the Commissioner, but the conditions for review are so narrow that these arbitrary disclosures would rarely, if ever require justification.

In fact, it is a distinguishing characteristic of this Bill that it would allow the Minister and the government virtually total power over the personal health information of everyone in Ontario.

They can decide by regulation that anyone they want is designated to be a custodian of health information. They can access anyone's health information by having the Minister direct disclosure to himself or herself. And they can then disclose that information in turn to anyone designated by regulation.

How that can be called a privacy bill is beyond me. In fact, to allow those in a position of political power the latitude to invade the privacy of individuals in this way would be extraordinary, and simply unacceptable in a free society.

A third major failing of the proposed legislation is in the area of consent.

Consent and privacy cannot be separated.

If privacy is the right to control access to one's person and to personal information about oneself, as I indicated earlier, then it is the very essence of privacy that you cannot obtain, use or share my personal information without my permission. There is no control without the right of consent, and there is no privacy without control.

It follows that the requirement for consent must be at the heart of any good privacy law. The collection, use and disclosure of personal information without the individual's consent should occur only in exceptional circumstances.

But this Act would allow all three, in a variety of circumstances.

Section 22, for example, offers a list of situations in which an individual's personal health information could be collected from a third party. Several of these would allow someone's personal information to be collected from some other source without either knowledge or consent.

Section 27 details numerous ways an individual's personal health information can be used without their consent. In one instance, the legislation would allow someone's information to be used, without consent, for "a purpose that is directly related to the use for which it was collected." This is a variation on a phrase that has been used in some privacy laws in the past.

I say "in the past", because it was found to be too open to interpretation, and allowed a lot of secondary uses for personal information that bore only a very remote connection to the original use. The principles of fair information practices require that personal information cannot be put to a second use, related or otherwise, without the consent of the person from whom the information was collected.

Many of the secondary uses that would be allowed under this legislation also involve disclosure of personal health information without consent, another violation of the basic principles of fair information practices.

I have already discussed the many ways sections 29, 30, 31, 32 and 36 would allow disclosure without either the knowledge or consent of the individual.

I find the allowance for disclosure of personal information for research purposes to be a particular affront to the notion of consent. Section 32 says that a custodian can disclose personal health information to a researcher, provided a research ethics review board has approved the researcher's project.

Not only is the right of individuals to give or withhold consent denied, but someone else would have the power to exercise that right for them. Further, there is no assurance in the legislation that an ethics review board would include anyone with an interest in patients' rights, let alone patients' right to privacy.

I turn now to the fourth major failing of this Act. The fundamental principles of fair information practices-which, as I have said, are considered the minimum standard for the protection of privacy-state that an individual has the right to access their personal information, and to make corrections to that information.

And yet Section 44 of the legislation says that patients have no right of access whatsoever to several categories of their personal health information, including personal health information exempted from access by whatever regulations the government chooses to pass.

Section 48 would allow a custodian to refuse a person access to their information if it could be expected to result in harm to the treatment or the recovery of the individual. This is stated broadly enough that a person with no medical training could use this provision to deny access.

Custodians would charge a fee to allow people to see their personal health information. Since the fee would be set by regulation, we have no way of knowing whether this would present yet another barrier to access.

Individuals could ask the custodian of their personal health information to correct errors or omissions in the record, but the custodian can refuse.

If the custodian did refuse, but added a statement of disagreement to the individual's file, that would be the end of it. The individual would lose any right to complain to the Information and Privacy Commissioner. This is important because, obviously, a finding by the Commissioner that the record is wrong would carry a lot more weight than a simple statement of disagreement from an individual.

This mention of the Commissioner brings me to the fifth major failing of the proposed Personal Health Information Privacy Act: It permits neither sufficiently effective oversight to ensure that privacy rights will be respected, nor sufficiently strong means of redress when these rights have been violated.

Section 68 allows individuals to file a complaint with the Information and Privacy Commissioner-but they must pay a fee to do it. The fee would be set not by the Commissioner, but by the regulations.

This extremely unusual provision raises the possibility that your ability to exercise your right to privacy would be determined by your ability to pay for the privilege.

Section 68 also provides that the Commissioner would have to conduct the review of any complaints in accordance with procedures to be set out by the government in regulations. I must say that, given the skill, knowledge and experience of the Commissioner's staff, I fail to understand how or why the government would try to improve the procedures already in place.

But it's clear that telling the Commissioner how to do her job would be the very opposite of independent, arm's-length oversight.

I am equally troubled by the distinction between the right of review under Section 68 and the power of inquiry under Section 69. The power of inquiry allows the Commissioner to investigate a complaint by demanding the production of documents, entering premises to obtain them, and summoning witnesses to testify under oath.

The Privacy Commissioner of Canada has those powers with regard to investigating any complaint or conducting any audit.

The right of review, on the other hand, comes without any power. The Ontario Commissioner can ask for information or documents. But if the request is denied, she's out of luck and that's the end of it.

Under Section 68, the Commissioner would have only the right of review with regard to any complaints about the collection, use or disclosure of personal health information.

People would have to pay to have their complaints considered, the Commissioner's activities would be potentially restricted by regulations-and then she wouldn't necessarily even be able to obtain any documents or information to assess the merits of the complaint.

With all respect, that would be a travesty of oversight.

The Commissioner would have the power of inquiry under Section 69 only with regard to the right of individuals to see their personal information and to have a statement of disagreement attached.

There are also important gaps in the provisions for redress.

If the Commissioner reviewed a complaint and found that personal health information was being collected in contravention of the Act, Section 68 enables her to issue an order to cease such collection or to destroy the improperly collected information.

But there is no corresponding power to stop the unlawful use or disclosure of personal health information. The commissioner could neither issue a direct order to end the wrong-doing, nor could she ask a court to do so. All she could do is make comments or recommendations.

I am at a loss to understand this lack of symmetry. All I can speculate is that the provisions regarding collection are so broad that it would be hard to find any collection unlawful-but the drafters of this Bill didn't want to take even the slightest chance of having restrictions imposed on the use or disclosure of health information.

In the case of complaints about the rights of individuals to access their own information, the Commissioner can order a custodian to let a person see his or her personal health information. When the accuracy of information is in dispute, the Commissioner can order the custodian to attach a statement of disagreement to a person's file.

Orders made by the Commissioner could be appealed to the Divisional Court, whose decision would be final. But there is no general right to appeal the failure of a health information custodian to follow the requirements of the law.

Those are what I would classify as the major failings of the proposed legislation. It is by no means a complete listing of my concerns.

Computer matching of personal health information, for instance, is a big concern. Because of the exceptions in Section 14, only rarely would the Commissioner be able to review and comment on any proposed matching before it took place. In essence, computer matching is another disclosure without consent.

I also have extremely serious misgivings about Section 76, dealing with the regulations. This section would grant discretionary powers to the Lieutenant Governor in Council-the Cabinet, in other words-to change by decree many, if not most, of the key provisions and definitions in the Act.

All of this brings me back to the point I raised earlier, about the extent to which this Act could meet the test of being substantially similar to the federal privacy legislation.

This is an important test. As you know, in provinces that do not have substantially similar laws in place by 2004, the federal Personal Information Protection and Electronic Documents Act will apply. In the health care field, that would mean that key parts of the sector-including doctors' offices, laboratories and pharmacies-would fall under the jurisdiction of the federal Act.

In applying this test and reporting my findings to Parliament, I will interpret substantially similar as meaning equal or superior to the federal law in the degree and quality of privacy protection provided. The federal law is the threshold or floor. A provincial privacy law must be at least as good, or it is not substantially similar.

While all 10 principles of the CSA Code, embedded in the federal Act, are important, I regard substantial similarity as having four particularily key components: consent, access and correction rights, oversight, and redress.

In every speech and interview I have given, and in the information materials issued by my office, I have stressed that these are the main features of the new federal law.

Except in very limited and specific circumstances, no organization can collect, use or disclose personal information about you without your consent. And they can collect, use or disclose it only for the purpose for which you gave consent.

You have the right to see the personal information an organization has about you, and to have it corrected if it's wrong.

If you believe that your privacy rights have been violated or that the law is not being respected, you can complain to the Privacy Commissioner, who has full oversight powers to investigate your complaint.

If the Commissioner finds your complaint well-founded but is unable to negotiate a satisfactory resolution, there are two forms of redress: He can bring pressure to bear on the organization by making his findings public. And he can ask the Federal Court to order the organization to comply with the law, as well as to award damages to the complainant. You can also apply to the Federal Court yourself for these remedies. The decision of the Federal Court can be appealed to the Supreme Court.

I don't want to belabour the obvious by pointing out in any great detail how far the proposed Ontario legislation falls short of being similar to these provisions.

The federal law says that consent must be informed, and that any collection, use or disclosure of personal information without consent must have a clear and compelling rationale.

The legislation we are discussing today recognizes consent, but too often does not require it. This legislation not only allows disclosure without consent, it requires custodians to release personal information to the Minister regardless of patient consent or knowledge.

On access and correction rights, the federal law is clear and open. This Ontario legislation is restrictive and not transparent.

Under Bill 159, people would be denied any access to whole categories of personal information, including some categories yet to be defined under the regulations. When access is granted, a fee is required to see it. If access is denied, a fee is required to lodge a complaint.

If your information is incorrect or incomplete, the custodian can end the matter by attaching your statement of disagreement to the file. You have no other recourse under this legislation. The federal law allows the individual to challenge the accuracy of the information, and to have it amended as appropriate.

With regard to oversight, under the federal Act, the Privacy Commissioner of Canada is a fully independent ombudsman, with a mandate to resolve privacy complaints through investigation, mediation, conciliation and recommendation. If necessary, the Privacy Commissioner of Canada can use broad and unhindered powers of investigation. He can seize documents, enter premises, and compel testimony. He can also initiate audits of an organization's privacy practices.

Bill 159, in contrast, does not give the Ontario Commissioner the appropriate tools to carry out investigations of complaints other than complaints about denial of access.

As for redress, the federal Act allows the Commissioner or an individual to apply for a hearing in the Federal Court of Canada. Based on that hearing, the Court may order an organization to correct its information handling practices, and make public the steps its has taken to do so.

The Court can also award damages to the complainant. Decisions of the Federal Court can be appealed to the Supreme Court of Canada.

Bill 159 does not provide for similarly broad access to the courts. It makes no reference to damage awards. And if a custodian succeeds in having an order of the Commissioner reversed by the Divisional Court, the decision is final. The complainant has no right of appeal.

I am sure you will understand that if Bill 159 were to pass in anything resembling its current form, I would have no choice but to report to Parliament that it is not substantially similar.

The final decision would be up to the Governor-in-Council. But I frankly don't see how anyone could say that legislation that violates or ignores fundamental privacy rights at every turn is substantially similar to the federal law-or to meaningful privacy law anywhere in the world.

I am painfully aware that I have given you a very scathing and critical view of this Bill.

In the spirit of wanting to be constructive, I would very much like to find some positive things to say about it. But in all truth, looking for some good in a privacy bill that violates fundamental privacy does not strike me as a particularly constructive exercise.

I am sure that some people would say that this Bill is at least a start-that even if it were to pass with some of its many flaws uncorrected, the government can be counted on to do the right things over time.

To me, that would be the wrong way to approach such vitally important legislation even under the best of circumstances. Laws should not be enacted until and unless they can be expected to achieve the purposes they purport to serve.

And laws that leave the most important powers up for grabs by regulation are among the worst laws of all, because they defy the requirement for transparency and accountability.

But what is even more troubling is that, with regard to privacy, it is particularly difficult to assume that this government would, in fact, do the right things. This government's record on privacy to date is far from reassuring.

It wants to subject welfare recipients to the privacy invasion of mandatory drug testing.

It has twice announced the names of Young Offenders in the legislature.

It gave the names, addresses and bank balances of 50,000 of its citizens to a polling company.

It tried to use personal information to discredit an individual, when a staff member offered confidential information about a doctor's income to a reporter.

It has sold personal information for profit, in the form of names and addresses from drivers' licenses.

And it appears enthusiastic about introducing smart cards, with the possibility of province-wide finger-printing or retina-scanning.

I would like to believe that these are the results of a lack of understanding of privacy issues, or of a lack of sufficient attention to them, rather than of a deliberate willingness to attack the privacy rights of Canadians in Ontario. I very much hope that is the case.

If so, then these hearings on Bill 159-and the public interest I am sure they will generate-can perhaps be the occasion for a new focus by the government on the importance of privacy rights, and for a rededication to ensuring that they are truly and fully respected in law and in practice.

As for Bill 159, I don't believe that a law that is so fundamentally flawed in virtually every provision can readily be fixed. The government would have to rework nearly every section, reverse nearly every policy thrust and rethink nearly every assumption, which would be a massive task with so complex a piece of legislation.

My suggestion would be to scrap it, and start fresh in a new spirit. I believe that the people of Ontario deserve nothing less.

Privacy is not a partisan issue, nor a political one. It is not an issue of left or right, of federal versus provincial, or of business versus government.

It is an issue that goes to the core of our shared values as Canadians, and of our fundamental rights as individuals.

Privacy is an issue that should unite us, not divide us. And the privacy of health information, that most fundamental of fundamental privacy rights, is not only an issue but an opportunity-it is an opportunity for Ontario to be a model for the rest of the country, and for this government to show that it is coming to understand the importance of privacy as the defining issue of this new decade.

And so, in keeping with my responsibilities as the Parliament-appointed guardian of the privacy rights of all Canadians, it is my privilege and my duty to recommend that this flawed legislation be withdrawn and that a fresh start be made.

Thank you.