Vol. 142, No. 7 — February 16, 2008

Regulations Amending the Regulations Specifying Investigative Bodies

Statutory authority

Personal Information Protection and Electronic Documents Act

Sponsoring department

Department of Industry

(This statement is not part of the Regulations.)

Description

Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) establishes rules to govern the collection, use and disclosure of personal information by organizations in the course of commercial activity. The legislation requires an organization which is disclosing personal information to obtain the individual’s consent in most circumstances. An exception to this rule is found in paragraphs 7(3)(d) and (h.2) of the Act, which permit the disclosure of personal information to and by a private investigative body, without the knowledge or consent of the individual, if the investigative body is specified by the investigative bodies regulation. The purpose of this amendment to the investigative bodies regulation is to name additional investigative bodies for the purposes of paragraph 7(3)(d) or (h.2) of the Act.

Many investigations into frauds and breaches of agreement are conducted by private sector organizations, either acting as or making use of independent, non-governmental investigative bodies. Should the investigation reveal grounds for suspecting that a fraud has been committed or a law contravened, the organization may then turn the findings over to a police or other law enforcement agency for further action or, for a professional regulatory body such as the Association of Professional Geoscientists of Ontario, may take appropriate disciplinary action pursuant to its own statutory authority. Paragraph 7(3)(d) of the Act allows an organization to disclose personal information, without the consent of the individual, to a private investigative body in order to instigate or facilitate an investigation. Paragraph 7(3)(h.2) of the Act allows an investigative body to disclose personal information to another private organization, including the client organization on whose behalf it is conducting the investigation. The disclosures are circumscribed, as they must be related to investigations of a breach of an agreement or a contravention of the law and be reasonable.

Paragraph 7(3)(h.2) of the Act completes the exception provided in paragraph 7(1)(b) of the Act for collection without consent for the purposes of the prevention of fraud by extending it to disclosure. Collection alone would be of limited use to those combatting fraud and other breaches of agreement, unless the information could be disclosed to the parties that need the information. However, without paragraph 7(3)(h.2) of the Act, the flow of information could only go in one direction—from the organization to the investigative body. The investigative body would be unable to disclose the results of its investigation back to its client or other interested parties without consent.

The ability to exchange personal information without consent for investigative purposes between or among private organizations is the only exception granted to these organizations by the Regulations. Organizations and investigative bodies which exchange personal information will remain responsible for compliance with all other requirements of the Act for this information, and will be subject to oversight by the Privacy Commissioner of Canada. Individuals may also seek redress in the Federal Court of Canada. The general requirement that the Act imposes on all organizations to obtain consent before disclosing personal information is not altered by virtue of granting an organization status as an investigative body. Organizations with investigative body status would be able to disclose personal information in their investigations without the consent of the individual only in those exceptional circumstances in which obtaining consent is impossible, impractical or undesirable because it would frustrate the conduct of the investigation.

During the initial preparation of the Regulations, Industry Canada developed a set of background factors and considerations that would be used in the assessment of candidates for investigative bodies. These factors were intended to highlight possible privacy concerns associated with allowing organizations to disclose personal information without consent for investigative purposes. All of the factors would not necessarily be applicable to each investigative body. The factors include

• the specific contraventions of law or breaches of agreements against which the investigative activities are directed;
• the extent to which all alternative methods of complying with the Act, such as contract or consent, have been exhausted;
• the privacy protection policies and procedures, such as a privacy code, followed by the body and the extent to which the policies and procedures comply with Part 1 of the Act;
• the specific personal data elements which are disclosed by other organizations to the body; the specific personal data elements which flow back to the organizations from the body; the uses and disclosures made of the information by the body; whether audit trails are maintained; the length of time the information is kept; the security standards and practices in place for retention and disposal of the information;
• whether the operational structure of the body or process is fully documented and formalized and the authority, responsibility and accountability centres are identified;
• whether there are specific legal regime, licensing requirement, regulation or oversight mechanisms to which it is it subject and whether sanctions or penalties for non-compliance exist;
• the extent to which the investigative body is independent from the association of members or client organizations that it serves; and
• the amount of information provided to individuals about the existence and operation of the body and about how to make a complaint or seek redress.

Industry Canada will continue to exercise care in the naming of additional investigative bodies because these bodies are allowed to collect, use and disclose personal information without consent in certain circumstances, contrary to the general regime of the Act. Generally, only an organization which actually conducts investigations will be considered for investigative body status—those that do not will not be considered. Applications that seek investigative body status for an organization when only some of the organization’s work is investigative will raise concerns about the potential for the misuse of the authority. Applications that seek to grant investigative body status to a large number of small organizations will raise concerns about effective oversight.

Criteria

Industry Canada employs a set of criteria to be used in the assessment of candidates for investigative body status. The criteria are intended to address any specific privacy concerns that may be associated with allowing an organization to disclose personal information without consent for investigative purposes. As regards the assessment process itself, Industry Canada wishes to emphasize that the criteria for investigative body status are made within the context of the overall compliance regime of the Act.

The first criterion the Department will consider is whether the organization has exhausted all of the alternative methods of complying with the Act (such as consent or contract), with respect to carrying out its investigative activities. The second criterion the Department will examine is whether the proposed investigative body would be fully compliant with all of the requirements of PIPEDA, e.g., whether it would have a privacy code (preferably based on the Canadian Standards Association’s Model Code for the Protection of Personal Information, CAN/CSA-Q830-96) in place. The third criterion to be examined is whether the investigative body would be carrying out its investigative activities with the minimum privacy impairment necessary for its investigative function. Finally, the Department will consider whether the public interest in the organization’s investigative activity would outweigh the harm caused to any associated privacy interests.

Part 1 of the Act was implemented in two stages. On January 1, 2001, it applied to the personal information of the customers and employees of the federally regulated private sector, including telephone and transportation companies, broadcasters, and banks. It also applied to organizations that sell personal information across provincial borders, e.g., companies selling or renting mailing lists. On January 1, 2004, the Act applied to all personal information collected, used or disclosed in the course of commercial activity.

Due to the phased introduction of the legislation and the fact that it was new to the private sector, it was expected that additions to the list of investigative bodies in the Regulations would be necessary. For this reason, the Department has indicated that it would continue to consider applications on a case-by-case basis in the future. The Department would also like to underline the fact that the behavior of organizations receiving investigative body status will continue to be monitored by Industry Canada once the designation has been given. Should concerns be raised regarding the compliance of an investigative body with all of the requirements of PIPEDA, e.g., through findings issued by the Privacy Commissioner of Canada, then the investigative body designation will be withdrawn by an amendment to the Regulations.

Industry Canada has now completed its review of new applications. These include the organizations which regulate the physicians and surgeons of Alberta and Nova Scotia, the psychologists of Alberta, the geoscientists and insurance brokers of Ontario, and the geologists of Quebec. In addition, there are two organizations which regulate the mutual fund and investment dealers of Canada respectively. Finally, the regulation will be amended to reflect the change of name of an existing investigative body, the Insurance Crime Prevention Bureau, a division of the Insurance Council of Canada, to the Investigative Services Division of the Insurance Bureau of Canada.

On the basis of the documentation submitted, describing their operation and investigative activities, Industry Canada has concluded that the Regulations should be amended by adding the organizations listed. Copies of their submissions may be obtained by contacting Industry Canada.

Alternatives

The legislative framework in Part 1 of the Act provides that an investigative body, for the purposes of paragraph 7(3)(d) or (h.2) of the Act, must be specified by regulation. There are no alternatives to deal with the collection, use and disclosure of this information without consent.

Benefits and costs

The professional disciplinary bodies investigate the conduct of their members to prevent incompetent, unethical and unauthorized practices, which is to the general benefit of all persons who make use of their professional services. The Regulations will also benefit the public by assisting organizations in combatting frauds, the costs of which are paid for by the public.

Costs

The Regulations should not impose significant additional costs on the organizations to which it applies, as it merely permits the continuation of previous information sharing relationships. For some of the organizations which are not themselves subject to PIPEDA, such as the professional regulatory bodies, there could be some administrative costs associated with, e.g., developing a Canadian Standards Association compliant privacy code.

The Regulations will have no impact on Department resources.

Consultation

Following the publication of the new investigative bodies in the Canada Gazette, Part II, in 2001, 2004, 2005 and 2006, Industry Canada has not received any complaints or expressions of concern regarding the operation of these organizations or of the Regulations themselves. Industry Canada has engaged in extensive discussions with the applicants concerning their investigative activities and the need for an amendment to the Regulations to add them to the list of investigative bodies. Consultations with the Office of the Privacy Commissioner have also taken place.

Compliance and enforcement

Individuals may make complaints about the practices of an organization to the Privacy Commissioner of Canada who will investigate the matter and deliver a report to the parties. The Commissioner may make recommendations to an organization concerning its practices and whether they are considered to comply with Part 1 of the Act, but the Commissioner does not have the power to issue binding orders on the organization. The individual or the Privacy Commissioner, or both acting together, may take unresolved complaints to the Federal Court of Canada which has the power to order an organization to change a practice and to pay damages to the individual.

Mr. Richard Simpson
Director General
Electronic Commerce Branch
Industry Canada
300 Slater Street, Room D2090
Ottawa, Ontario
K1A 0P8
Telephone: 613-990-4292
Fax: 613-941-1164
Email: simpson.richard@ic.gc.ca