Speeches
Notes for a presentation
CONFERENCE BOARD OF CANADA
by Jennifer Stoddart, President
Commission d'accès à l'information
February 11, 2002
Introduction
One of Peter Gzowski's
enduring contributions over the last thirty years
was to whet the curiosity of Canadians outside Quebec to
the unique and often-remarkable developments that were
taking place there. His interest was genuine and his editing
of the events and the actors he covered in his work as
a journalist was generous and sympathetic. I would
like to think that tonight's invitation to talk about the
paradox which constitutes the regulation of privacy is
an example of one of the potentially intriguing sub-themes
of governance in Quebec which he so enjoyed.
I very much appreciate your interest
and your invitation to talk about our experience of over
seven years in interacting with the private sector. As Chief
Privacy Officers your job is to advise on the evolution of
the environment in which your corporation attempts to meet
public, client and government expectations about privacy
within your particular segment of the marketplace. I hope
that the snapshot I am about to provide of the Quebec experience
over the last few years will be helpful for you as you comply
with the new federal legislation which is now affecting a
broad range of business activities.
For those of you who have offices or
do business in Quebec or with Quebec firms, you will be aware
of the historically high profile of the provincial government
in everyday life. This means that citizens will often turn
to Quebec government agencies as a first stop on the line
for help with a problem. Listening to Quebeckers' privacy
concerns over the years has given us a good idea of what
their concerns with the private sector are likely to be.
Our private sector legislation has been
in place since 1994 and is a direct result of Quebec's cosmopolitan
outlook on the relationship between the private sector and
the state. Situated in a cultural context which draws as
much on continental Europe as it does on North America,
Quebec followed the developments for legislative protection
surrounding the exchange of personal information over the
last twenty years with keen interest. As you know, the trend
towards regulation began with the OECD guidelines in 1980,
which culminated in the European Union's 1995 Directive on
the collection, use and dissemination of personal information.
Meanwhile, the United States developed
a sectorial approach especially through the regulatory action
of the Federal Trade Commission and the recognition, during
the Clinton administration, of patients' rights to some control
over their own health information. This approach relied heavily
on self-regulation as a compliance mechanism, a philosophy
which has had its effect on Quebec as well, as I will explain
later.
In order to immediately meet the standard
for treating personal information set out by the European
Union, Quebec adopted North America's first private sector
legislation in 1994. The same year, in the modernized Civil
Code, six new articles dealt with personal privacy rights,
adding to the protection of privacy as a fundamental right,
which had been in the Quebec Charter of Rights and Freedoms
since 1975. The implications of these new personal rights
were felt in the Supreme Court Vice-Versa decision of 1998(1),
where it was decided that the commercial dissemination of
an unauthorized photograph without the subject's permission
contravened her right to her own image. I mention this because
I feel that it illustrates the different cultural background
for the use of personal information, which exists in Quebec.
Another example of the different approaches within and without
Quebec is the case of the holidaying UIC recipients. In December
of last year, the Supreme Court ruled that they did not benefit
from an expectation of privacy such as to prevent two government
agencies from exchanging and cross-tabulating information
concerning them. In Quebec, such cross-tabulation can only
take place if it is clearly spelled out in the sectorial
legislation. In addition, the CAI is often consulted on such
projects. And as far as sensitive information such as fiscal
data is concerned, the most recent legislative approach has
been to require yearly notification to the individual of
the uses to which it has been put by government.
Quebec's cultural proximity to the European
data protection experience can be seen in the new graphics
for our Web site. They may seem surprising and do indeed
stand out in the Canadian context where most of my colleagues
have opted for elegant and discreet abstract backgrounds.
We have purposely chosen illustrations that are people-centered
and that include an assortment of almost cartoon-like characters
to portray a cross-section of our citizenry affected by
data transmission in the information age. Check out the French
privacy agency's, the CNIL's site, after ours and you'll
see what I mean.
If you know the characters in the hard-cover
comic books which adults read, you will recognize the cultural
tradition behind such figures as Tintin, Spirou, Bécassine,
Gaston Lagaffe, Lucky Luke and the world-weary intellectuals
of cartoonist Claire Bretécher.
1. The application of Quebec's private sector legislation
In spite of the new federal legislation
of which the last phase, dealing with interprovincial data
transfer, still has to come into force next year, Quebec's
private sector law will continue to apply to provincially
regulated sectors and data transfers within the province.
What should you know about our law? From the perspective
of a Chief Privacy Officer, you should know that there are
some differences in the substantive content of our law as
compared to the new federal legislation. These, however,
lead us into a highly specialized legal debate, which can
best be taken up by your legal departments, if it should
prove necessary. I think that what is most important for
you to know is how we have enforced our law over the last
few years. To help you get a sense of this, I'll give you
some highlights of our enforcement experience.
First of all, privacy legislation in
Quebec, as everywhere else, relies on voluntary compliance
and good corporate citizenship. This is buttressed by a complaint
mechanism, which we hope to make quicker and more efficient
for the citizen, especially with the aid of impending legislative
changes.
2. Requests for the examination of differences
The Commission is responsible for settling
differences arising from a private organization's decision
to deny an individual access to his personal information
or the correction of such information. The Commission first
tries to resolve the dispute through mediation, and it is
successful in a majority of cases. The Commission is a tribunal
and its decisions on matters of fact are final. On matters
of law or jurisdiction, they can be appealed to the Quebec
Court, with leave from a judge of this court.
The importance of the issues referred
to the Commission and the expertise developed by its members
over the years has been largely recognized. From interpretive
issues (the liability of a professional order)(2) or of
a constitutional order (the liability of an airline)(3) to
labour relations issues(4),
the definition of professional privilege(5) or
the nature of personal information contained in a file(6) to
mention only these, the Commission has dealt with more than
500 disputes since the Act came into effect in the private
sector.
I'll briefly refer to one of these decisions
involving the access of an individual to his or her own file,
the Stebenne decision. The Quebec Court of Appeal dismissed
the appeal in November 2001. Here the Commission decided
that administrative notes or internal memos placed by an
insurance company in one of its client's files were accessible
to the client as personal information because they related
to the individual and identified him, even though they had
been created by the company.
3. Complaints referred to the Commission from the private sector
An individual may lodge a complaint before
the Commission if he or she feels an organization has failed
to abide by the law with regard to his personal information.
These complaints may be about the collection, use, disclosure
and transmission of personal information.
The number of complaints about personal
information is much higher in the private sector than in
the public sector.
Which organizations are the subjects
of complaints? Most complaints concern the services industry.
Within this broad category, complaints against landlords,
video rental shops and telecommunication companies top the
list. Next come banking and financial services, insurance
companies, and collection agencies. Although more marginal,
there are also a number of complaints against non-profit
organizations.
What does the public complain about in
the use of personal information? For the year 2001, in close
to 20% of cases, they complain about the collection of identifiers
that are not relevant to the purpose of the file; for instance,
the MIN or the SIN to join a video club, the bank account
number and the annual income figure to rent an apartment,
the SIN to subscribe to cable TV.
Nearly half the complaints have to do
with the transmission of personal information to third parties
without the consent of the individual concerned; for example,
the transmission of information by an employer, a lawyer
or a doctor, or the disclosure of credit records by a financial
institution or a collection agency.
Other complaints concern the collection
of information from third parties without consent, the validity
of the consent form, the use of nominal lists for commercial
or fund-raising purposes and, finally, the leaking of personal
information because of lax security.
I observe a new phenomenon in the statistics
collected over the past few years. There are fewer complaints
about the collection of non-essential identifiers, and more
complaints about the unauthorized disclosure of personal
information. We might conclude from this that private organizations
in Quebec are more mindful of limitations on the collection
of personal information. We might also conclude that the
public is more aware and more particular about the collection
and use of their identifiers without consent.
What is the outcome of these complaints?
A review of cases closed in the year 2001 indicates that
more than a third were closed because complainants failed
to follow up the steps taken by the Commission. In some cases,
it seems, the plaintiffs are reluctant to submit their complaint
in writing to the organization, as the Commission requires
or, more often, we don't hear from them after we relay to
them the organization's version of the facts.
More than a quarter of the complaints
were settled amicably after agreement between the parties
or correction of the situation that gave rise to the complaint.
Sometimes, apologies are accepted.
In 2002, the Commissioners examined about
thirty complaints. You can look up our recent decisions on
our Web site. Most, but not all, are in French but we have
plans to provide résumés in English of our most significant
positions to facilitate the exchange of ideas in the Canadian
and global context.
Many of our decisions involve the unauthorized
use of SIN numbers. In December, we came to the conclusion
yet again in the case of Look Communications that the requirement
for a SIN number before renting a mobile phone was illegal
and we handed down an order to desist from the practice.
This decision follows the Commission's traditional position
on this question which is adhered to when the issue is brought
forward by a concerned citizen. Our Annual Report for the
year 2001 describes our agreement with Videotron by which
it refrains from requiring personal identifiers before installing
cable services. Hydro-Quebec is one exception to this position
on requiring personal information because, by law, it cannot
withdraw its services during the cold winter months.
In January of this year, in the case
of Desjardins v. Groupe Lyras et Godard(7),
the Commission came to the conclusion that there had been
an illegitimate use of personal information by an insurance
broker who transmitted it without the client's consent. Fortunately,
the practice of transferring client files and pre-authorized
bank account debits had already been modified at the time
of the hearing. The Commission nevertheless ordered the broker
to send it its current policy of access to client files.
The Quebec law has penal provisions,
although we have not yet encountered a situation which we
felt required them. I mention this only because my British
counterpart, Mrs. Elizabeth France, leaving her job in December
after seven years, protested the UK's culture of secrecy
in a recently published report. She specifically mentioned
the absence of such teeth in the legislation she administered
as one of the indicators of too permissive an attitude to
the misuse of personal information.
4. Personal health information
Quebec's different and often more demanding
approach to the use of personal information can be observed
in the parallel treatment of the collection of health data
by the federal Privacy Commissioner and the Quebec Commission.
In a complaint brought to the federal Commissioner, the practice
of collecting prescriptions from pharmacists without the
prescribing doctor's consent in order to analyze them for
commercial purposes was examined. Rejecting the complaint
as not contrary to the Privacy Act, the federal Commissioner
stated that information on professional activities, which
was linked to an individual in his or her professional capacities,
was not personal information within the meaning of the federal
privacy legislation. Work related activities did not constitute
meaningful personal information, in this case about a prescribing
physician.
The Quebec National Assembly recently
clarified the provisions of our private sector Act as it
applies to the use of health information. Most interestingly,
before authorizing a person to receive communication of personal
information on professionals regarding their professional
activities, without the consent of the professionals concerned,
the Commission must ascertain the views of the prescribing
professions involved. Authorization for collecting personal
information from professionals regarding their personal activities
without their consent may be given if the Commission has
reasonable grounds to believe that the communication protects
professional secrecy, especially in that it does not allow
the identification of the person to whom the professional
service is rendered, and does not otherwise invade the privacy
of the professionals concerned. There is also an obligation
on the part of the data collector to notify each professional
involved periodically and to give him or her an opportunity
to opt out of the data collection and utilization. Of course,
the Commission must also check that there are adequate security
measures.
5. Biometrics
Another way in which Quebec is innovative
in privacy practices is in new powers concerning the use
of biometrics given to the Commission as part of an initiative
to validate electronic signatures in the context of Quebec
legislative authority. We expect to come down with these
guidelines this spring and it can be foreseen that they will
follow on general principles as to the correct use of personal
information with which you are familiar. The guidelines will
also indicate appropriate use of biometrics generally, not
just in on-line situations.
The Commission is very concerned with
the speed at which our society is moving towards more extensive
surveillance of individuals' movements on the basis of previously
selected identifiers, which will also be available in vast
data pools. Airport security schemes, which have been discussed
publicly in recent weeks, involve a huge loss of privacy
not only for frequent fliers but also for all citizens whose
life will be increasingly distilled into government data
banks. With this backdrop of increasing encroachment on privacy,
it is to be expected that the Commission will be very insistent
about the strictly limited uses which biometrics should be
put to in situations which do not involve national security.
This new legislation on on-line identification
provides that a person may not be required to submit for
identification purposes to a process or device that affects
the person's physical integrity. Unless otherwise expressly
provided by law for health protection or public security
reasons, a person may not be required to be connected to
a device that allows the person's whereabouts to be known.
Similarly, it also specifies that
a person's identity may not be verified or confirmed by means
of a process that allows biometric characteristics or measurements
to be recorded except with the express consent of the person
concerned. Only the minimum number of characteristics or
measurements needed to link the person to an act and only
such characteristics or measurements as may not be recorded
without the person's knowledge may be recorded for identification
purposes.
This new Act also guarantees citizens
that no other information revealed by the characteristics
or measurements recorded may be used as a basis for decision
concerning them or for any other purpose whatsoever. Such
information may only be disclosed to the person concerned
at the person's request.
The record of the characteristics or
measurements and any notation relating thereto must be destroyed
as soon as the purpose of verification or confirmation of
identity has been met or the reason for the verification or
confirmation no longer exists.
The creation of a database of biometric
characteristics and measurements must be disclosed beforehand
to the Commission d'accès à l'information.
As well, the existence of such a database, whether or not
it is in service, must be disclosed.
The Commission may make orders determining
how such databases are to be set up, used, consulted, released
and retained and how measurements or characteristics recorded
for personal identification purposes are to be archived or
destroyed.
How will these principles apply to those
doing business in Quebec? For example, if you thought that
a biometric check of employee identity in your Quebec office
was necessary before accessing confidential company information,
your practices could be the subject of a complaint by an
employee or a union. The Commission would examine the complaint
and could, if it felt the situation warranted redress, make
an order to modify or cease the practice. Another example.
Surveillance cameras at a company installation or service
point, which are linked to biometric data banks will, in
the case of a complaint or an audit, come under close scrutiny
as to the necessity of collection and retention of personal
information. Requiring the use of global positioning systems
on intra-provincial transport vehicles might also raise privacy
concerns, which could be brought to the Commission.
6. Video surveillance
A final example of a different cultural
approach to privacy is the increasing use of video surveillance
cameras in some Canadian cities. In Quebec, we took a strong
position on this in 1992 and in a formal opinion stated that
the practice, as it was to be carried out on the main street
of downtown Sherbrooke for the purpose of reducing delinquent
behaviour, was contrary to Quebec's public sector privacy
legislation. Since then, we have not been made aware of any
new initiatives in street surveillance although we do express
the opinion that video surveillance in school buses, daycare
centers and hospitals should only be used in cases where ordinary
supervision by a person is not feasible.
7. Financial services
Yet another way in which your company
may come into contact with the Commission is through the
inspection powers of the new Bureau des services financiers
which supervises the insurance industry, financial planners,
mutual fund brokers and other actors in the financial services
sector. The Bureau must report back to the Commission on
the protection of personal information within the industry.
Conclusion
As you have seen, the role of Chief Privacy
Officer in Quebec is a challenging one, in a society where
there has been early recognition of the right to privacy
for its citizens and consumers. Our public sector legislation
has given a key role to the person designated as responsible
for access to information who responds to the public and
interfaces with the Commission in case of conflict. A parallel,
but non-legislated, perspective would suggest that the Chief
Privacy Officer of a corporation is central to privacy enforcement
in Quebec and will be an important partner for the CAI. We
hope the recognition of the importance of Chief Privacy Officer
will help us to continue to work with you to solve privacy
problems on an amicable and pro-active basis.
Notes
1. Vice-Versa v Aubry, [1998] 1 S.C.R. 591.
2. Grenier v Collège des médecins du Québec, [1996] C.A.I. 199; [1997] C.A.I. 459.
3. Laperrière v Air Canada, [1997] C.A.I. 167; [1997] C.A.I. 480.
4. Jabre v Middle East Airline - Air Liban, [1998] C.A.I. 404.
5. Chaîné v Paul Revere, Compagnie d'assurance vie, [1998] C.A.I. 139; [2000] R.J.Q. 1937.
6. Stébenne v Assurance-vie Desjardins inc., [1995] C.A.I. 14; C.A. no 500-09-006257-984, November 8, 2001, jj. Mailhot, Fish, Otis, p. 3.
7. C.A.I. PV 99 17 45, January 10, 2002.