Everyone agrees on the need for business to respect the privacy of the individual. But there is less agreement on the extent to which privacy should be protected or on how this is to be done. In a recent appearance before the Senate Standing Committee, the Privacy Commissioner argued strongly for government regulation as opposed to the self-regulation. The following is an extract from his testimony along with comments and questions from some of the Senators present.
Three years ago I recommended that all financial institutions under federal jurisdiction be required To adhere to a code of fair information practices, with an independent oversight and dispute resolution mechanism. At the time a good deal of interest was evinced in a so-called sectoral approach That is to say, a code of practice being developed specifically for the banks and that being embodied as regulations in the Bank Act.
I thought that was not a bad approach then. I still think it is not a bad approach. But my own thinking on this subject has evolved a good deal partly because of the multitude of changes that have taken place in the whole field of information management brought about by the marriage of computer technology and high speed transmission systems, and other developments as well.
Some of those include the following:
* the emergence in the province of Quebec of a new privacy regime which covers both the private and public sector and the consequent development of uneven standards across the country if other provinces follow suit;
* the imminent application of the European draft directive on privacy practice, which will empower member states of the European Union to decline to make data transfers to countries which they consider do not have adequate protection as defined by their own draft directive. At this moment we do not enjoy that standard.
* the government's own rapid move toward the implementation of new information highway techniques in the management of its own information holdings which comprehends, among other things, the marriage of private and public sector data management systems.
At the moment we have a federal Privacy Act which lays down conditions under which the Government of Canada may collect, use, dispose and disclose personal information. Once those arrangements are complete and we have a marriage of both government and private sector systems, what then becomes of the various forms of protection that are now offered in the Privacy Act unless amendments are made to cover that contingency?
Those are some of the major developments that have taken place, not to mention overall the very rapid conversion of almost all of the information management practices both in public and private sectors over to databases that are now almost completely computerized and now offer improvements in terms of the manipulation, marriage of databases and the compilation of dossiers in a degree and at a speed which was never contemplated as recently as five years ago.
This has led me to the conclusion that we need now a much more comprehensive look at the whole issue of privacy protection in the information highway age. When I first broached this subject generally in 1992, it was a fairly lonely position. I did not have a whole lot of company. But I feel a lot less lonely now. The government's Advisory Council on the Information Highway recently concluded its study of this particular aspect of information highway problems. Although its final report has not been published, I have seen its recommendations dealing with this issue. The advisory council will be advising the government that legislation is needed in this field and that oversight mechanisms are required.
My provincial counterparts in Quebec, Ontario, and British Columbia now all subscribe to the proposition that it is no longer possible to get by on pure voluntaryism.…