Good afternoon and thank you for inviting me here today. Central 1
Transcription
Good afternoon and thank you for inviting me here today. Central 1
Good afternoon and thank you for inviting me here today. Central 1 is the central financial facility and trade association for all credit unions in British Columbia and our member credit unions in Ontario. My submission reflects the consolidated feedback of our 43 B.C.-based financial institutions. We are co-operative financial institutions that are dedicated to driving the economic prosperity of the province by paying dividends, financing commercial projects and residential mortgages, and staying committed to the financial success of the one-in-three British Columbians who are our members. From Masset to Surrey, credit unions take privacy very seriously. Our suggestions to improve the Personal Information Protection Act are intended to ensure that we can continue to protect our members and employees to the greatest extent possible. I will divide my remarks into three main sections: areas of the legislation where greater clarification would be beneficial, areas of the legislation that we feel should be changed and areas of the legislation that should be made consistent with federal statutes and guidelines. Clarification In general, credit unions feel that compliance with the Act would be better supported with enhanced guidelines and standards. For example, clarification would be particularly beneficial in terms of fees. Section 32 permits organizations to charge a “minimal” fee, which is vague and does not acknowledge that it can be costly to carry out access requests, and that sometimes one request requires numerous detailed searches. We recommend instead that a fee schedule be established in regulation and the term “minimal” be replaced with “reasonable” in the Act. Additionally, privacy legislation is generally becoming more consumer-centric, viewed as “opt-in” as opposed to “opt-out”. PIPA provides that consent can be deemed or implicit in certain circumstances, subject to “reasonability”, which is somewhat of a moving target and difficult for credit unions to assess. We recommend that “reasonability” be defined in the Act or Regulation and circumstances in which an “opt-out” consent be relied upon, be defined. Changes Credit unions often build long-standing personal relationships with their members and acting in the best interests of those members throughout their lives is extremely important to our principled approach to financial management. Unfortunately, circumstances in which members, particularly the elderly, become subject to financial abuse are becoming increasingly common. While Section 18 does permit the disclosure of personal information without consent “if the disclosure is clearly in the interests of the individual and consent cannot be obtained in a timely way,” it is unclear in which precise situations this may be done, how, and to whom. Furthermore, these circumstances may not necessarily constitute clear fraud and credit unions must balance the risk of disclosure against a member’s “financial health and safety” – terms not contemplated in the Act. |2 We recommend that financial institutions be given authority and guidance on reporting suspected financial abuse to an individual’s next of kin or authorized representative. This would also be consistent with the federal privacy act. Similarly, only a personal representative or “nearest relative” can currently act for a deceased individual, for example, when requesting information about the deceased’s estate. This is problematic in the not-infrequent circumstances in which there is no nearest relative or personal representative immediately identified. Consistent with the 2008 report of this committee, we recommend that PIPA be amended to allow for the release of the deceased’s information to a specified individual, such as their legal counsel. The final change we recommend is to amend PIPA to allow for the use and disclosure of an employee’s personal information, without consent, in limited situations where it is of benefit to a relationship with a previous employer. The existing requirement to only use personal information if there is a current employment relationship can lead to difficulty in the administration of pensions and benefits by a former employer. Consistency with federal legislation Under Canada’s new Anti-Spam Law (“CASL”), the Electronic Commerce Protection Regulations make an exception to the consent requirement for commercial electronic messages sent following a referral, if certain conditions are met. Yet under PIPA, collection of personal information is not permitted in this circumstance. Credit unions believe that CASL strikes a reasonable compromise between commercial and individual interests and ask that PIPA be brought up to date to be consistent with CASL. Additionally, the Act’s definition of “source of information available to the public” is too narrow given the proliferation of the Internet and social media. Consistent with CASL, we recommend that references in the Act reflect technological advances. Finally, while we have already adopted the best practice of notifying individuals in the rare event that the security of their personal information has been compromised, credit unions support amending PIPA to explicitly require privacy breach notification, consistent with federal legislation. Credit unions also have adopted the best practice of retaining responsibility for personal information transmitted to 1 third parties via contractual or other means, as required in the federal privacy act and ask that B.C.’s law be brought up to date to avoid confusion. Honourable members, thank you for your attention. The credit unions of B.C. are committed to the long-term financial security of their members, and through them, the economic prosperity of our province. PIPA is an important tool in helping us to achieve those goals reasonably, and we look forward to your amendments that will bring this legislation up-to-date. I’d be happy to take any questions you may have. 1 PIPEDA, Schedule 1, 4.1.3