Vol. 139, No. 4 — February 23, 2005

Registration
SOR/2005-34 February 8, 2005

PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT

Regulations Amending the Regulations Specifying Investigative Bodies

P.C. 2005-140 February 8, 2005

Her Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to paragraph 26(1)(a.01) of the Personal Information Protection and Electronic Documents Act(see footnote a), hereby makes the annexed Regulations Amending the Regulations Specifying Investigative Bodies.

REGULATIONS AMENDING THE REGULATIONS SPECIFYING INVESTIGATIVE BODIES

AMENDMENT

1. Section 1 of the Regulations Specifying Investigative Bodies(see footnote 1) is amended by striking out the word "and" at the end of paragraph (z.21), by adding the word "and" at the end of paragraph (z.22) and by adding the following after paragraph (z.22):

(z.23) Teranet Services Inc.

COMING INTO FORCE

2. These Regulations come into force on the day on which they are registered.

REGULATORY IMPACT
ANALYSIS STATEMENT

(This statement is not part of the Regulations.)

Description

Part 1 of the Personal Information Protection and Electronic Documents Act establishes rules to govern the collection, use and disclosure of personal information by organizations in the course of commercial activity. The legislation requires an organization, which is disclosing personal information, to obtain the individual's consent in most circumstances. An exception to this rule is found in paragraphs 7(3)(d) and (h.2) of Part 1 of the Act which permit the disclosure of personal information to and by a private investigative body, without the knowledge or consent of the individual, if the investigative body is specified by the Regulations. The purpose of this amendment to the Regulation is to name additional investigative bodies for the purposes of paragraph 7(3)(d) or (h.2) of Part 1 of the Act.

Many investigations into frauds and breaches of agreement are conducted by private sector organizations, either acting as or making use of independent, non-governmental investigative bodies. Should the investigation reveal grounds for suspecting that a fraud has been committed or a law contravened, the organization may then turn the findings over to a law enforcement agency or other interested parties for further action. Paragraph 7(3)(d) allows an organization to disclose personal information, without the consent of the individual, to a private investigative body in order to instigate or facilitate an investigation. Paragraph 7(3)(h.2) allows an investigative body to disclose personal information to another private organization, including the client organization on whose behalf it is conducting the investigation. The disclosures are circumscribed as they must be related to investigations of a breach of an agreement or a contravention of the law and be reasonable.

Paragraph 7(3)(h.2) completes the exception provided in paragraph 7(1)(b) for collection without consent for the purposes of the prevention of fraud by extending it to disclosure. Collection alone would be of limited use to those combatting fraud and other breaches of agreement, unless the information could be disclosed to the parties that need the information. However, without paragraph 7(3)(h.2), the flow of information could only go in one direction — from the organization to the investigative body. The investigative body would be unable to disclose the results of its investigation back to its client or other interested parties without consent.

The ability to exchange personal information without consent for investigative purposes between or among private organizations is the only exception granted to these organizations by the Regulation. Organizations and investigative bodies which exchange personal information will remain responsible for compliance with all other requirements of the Act for this information, and will be subject to oversight by the Privacy Commissioner of Canada and the ability of individuals to seek redress in the Federal Court of Canada. More particularly, the general requirement that the Act imposes on all organizations to obtain consent before disclosing personal information is not altered by virtue of granting an organization status as an investigative body. Organizations with investigative body status would be able to disclose personal information in their investigations without the consent of the individual only in those exceptional circumstances in which obtaining consent is impossible, impractical or undesirable because it would frustrate the conduct of the investigation.

Based on our experience from the first two rounds of applications and public comments received during these exercises, Industry Canada would like prospective applicants to be aware that it will continue to exercise care in the naming of additional investigative bodies because these bodies are allowed to collect, use and disclose personal information without consent in certain circumstances, contrary to the general regime of the Act. In particular, the granting of investigative body status to an organization when only some of the organization's work is "investigative" will raise concerns about the potential for the misuse of the authority. More generally, only organizations which participate in the investigative process will be considered for investigative body status — those that do not actively conduct investigations will not. In addition, granting investigative body status to a large number of small organizations will raise concerns about effective oversight.

During the initial preparation of these Regulations, Industry Canada developed a set of criteria that would be used in the assessment of candidates for investigative bodies. These criteria were intended to cover privacy concerns associated with allowing organizations to disclose personal information without consent for investigative purposes. All of the criteria would not necessarily be applicable to each investigative body.

Industry Canada would also like to emphasize that the current criteria for investigative body status are meant to be read within the overall compliance regime of the Act. This means that an investigative body should be conducting its activities with the minimum privacy impairment that is necessary for the carrying out of its investigative function. It also means that the public interest in its investigative activity should outweigh the harm caused to any associated privacy interests. Finally, it should be understood that the specification by name or class of an organization as an investigative body applies only to the part of the organization that requires the designation, and only to the investigative activities in question. For example, when the specification is granted to a professional regulatory body such as a Law Society, only those entities or activities that constitute the investigation function of the Law Society have investigative body status.

The criteria include:

• The specific contraventions of law or breaches of agreements against which the investigative activities are directed.
• The specific personal data elements which are disclosed by other organizations to the body; the specific personal data elements which flow back to the organizations from the body; the uses and disclosures made of the information by the body; whether audit trails are maintained; the length of time the information is kept; the security standards and practices in place for retention and disposal of the information.
• Whether the operational structure of the body or process is fully documented and formalized and the authority, responsibility and accountability centres are identified.
• Whether there are specific legal regime, licensing requirement, regulation or oversight mechanisms to which it is it subject and whether sanctions or penalties for non-compliance exist.
• The privacy protection policies and procedures, such as a privacy code, followed by the body. The extent to which the policies and procedures comply with Part 1 of the Act.
• The extent to which the investigative body is independent from the association of members or client organizations that it serves.
• The extent to which all alternative methods of complying with the Act, such as contract or consent, have been exhausted.
• The amount of information provided to individuals about the existence and operation of the body and about how to make a complaint or seek redress.

Part 1 of the Act was implemented in two stages. On January 1, 2001, it applied to the personal information of the customers and employees of the federally regulated private sector, including telephone and transportation companies, broadcasters, and banks. It also applied to organizations that sell personal information across provincial borders, e.g., companies selling or renting mailing lists. On January 1, 2004, the Act applied to all personal information collected, used or disclosed in the course of commercial activity.

Due to the phased introduction of the legislation and the fact that it is new to the private sector, it was expected that additions to the list of investigative bodies in the Regulation would be necessary. For this reason, the Department has indicated that it would continue to consider applications on a case by case basis in the future. The Department would also like to underline the fact that the behavior of organizations receiving investigative body status will continue to be monitored by Industry Canada once the designation has been given. Should concerns be raised regarding the compliance of an investigative body with all of the requirements of PIPEDA, e.g., through findings issued by the Privacy Commissioner of Canada, then the investigative body designation will be withdrawn by an amendment to the Regulation.

On the basis of the documentation submitted, describing its operation and investigative activities, Industry Canada has concluded that the Regulation should be amended by adding the organization listed.

Alternatives

The legislative framework in Part 1 of the Act requires that an investigative body, for the purposes of paragraph 7(3)(d) or (h.2) of the Act, be specified by the Regulations. There are no alternatives to deal with the collection, use and disclosure of this information without consent.

Benefits and Costs

According to industry estimates, property related fraud cost the associated Canadian financial services industry upwards of $300 million in 2001. The costs of fraud are paid for by the public through increased premiums and the personal inconvenience caused by identity theft and the correction of credit rating errors. The Regulation will benefit the public by assisting organizations in combatting fraud as well as by providing a mandated standard of protection for the personal information that is obtained by the organizations engaged in private investigations.

Costs

The Regulation should not impose significant additional costs on the organizations to which it applies as it merely permits the continuation of existing information sharing relationships between organizations and the specified investigative bodies.

The Regulation will have no impact on Department resources.

Consultation

The proposal to specify Teranet Services Inc. as an investigative body was pre-published in the Canada Gazette, Part I, on November 8, 2003. Following publication the Office of the Privacy Commissioner (OPC) and the Canadian Internet Policy and Public Interest Clinic (CIPPIC) both commented on the Teranet application. The OPC indicated that Teranet Services Inc. had not demonstrated that designation was necessary while the CIPPIC raised a number of technical objections to the application. Industry Canada, taking into consideration the concerns raised, decided not to include Teranet Services Inc., among the organizations which were specified as investigative bodies in the Canada Gazette, Part II, on April 21, 2004.

In response to the concerns raised with its application, Teranet met with the OPC and with Industry Canada and also provided additional information concerning the structure, membership and operation of the Real Estate Data Exchange Non-Public Service. As a result, the OPC has indicated that this additional information has addressed its concerns about the application. Industry Canada has also reviewed the additional information provided by Teranet in response to the concerns of the CIPPIC and is satisfied that the operation of the Non-Public Service is in accordance with the requirements of the Personal Information and Electronic Documents Act. Accordingly, the Department is now prepared to proceed with Teranet's application for specification as an investigative body.

Compliance and Enforcement

Individuals may make complaints about the practices of an organization to the Privacy Commissioner of Canada who will investigate the matter and deliver a report to the parties. The Commissioner may make recommendations to an organization concerning its practices and whether they are considered to comply with Part 1 of the Act but the Commissioner does not have the power to issue binding orders on the organization. The individual or the Privacy Commissioner, or both acting together, may take unresolved complaints to the Federal Court of Canada which has the power to order an organization to change a practice and to pay damages to the individual.

Contact

Mr. Richard Simpson
Director General
Electronic Commerce Branch
Industry Canada
300 Slater Street, Room D2090
Ottawa, Ontario
K1A 0P8
Telephone: (613) 990-4292
FAX: (613) 941-1164
E-mail: simpson.richard@ic.gc.ca

Footnote a

S.C. 2000, c. 5

Footnote 1

SOR/2001-6

NOTICE:
The format of the electronic version of this issue of the Canada Gazette was modified in order to be compatible with extensible hypertext markup language (XHTML 1.0 Strict).