| |||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||
 |
| ||||||||||||||||||||||||||||||||||||
 |
|||||||||||||||||||||||||||||||||||||
|
Vol. 135, No. 1 — January 3, 2001 Registration PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT Regulations Specifying Investigative Bodies P.C. 2000-1776 13 December, 2000 Her Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to paragraph 26(1)(a.01) of the Personal Information Protection and Electronic Documents Act (see footnote a) hereby makes the annexed Regulations Specifying Investigative Bodies. REGULATIONS SPECIFYING INVESTIGATIVE BODIES INVESTIGATIVE BODIES 1. The following investigative bodies are specified, by name or by class, for the purposes of paragraphs 7(3)(d) and (h.2) of the Personal Information Protection and Electronic Documents Act: (a) the Insurance Crime Prevention Bureau, a division of the Insurance Council of Canada; and (b) the Bank Crime Prevention and Investigation Office of the Canadian Bankers Association. COMING INTO FORCE 2. These Regulations come into force on January 1, 2001. REGULATORY IMPACT ANALYSIS STATEMENT (This statement is not part of the Regulations.) Description Part 1 of the Personal Information Protection and Electronic Documents Act establishes rules to govern the collection, use and disclosure of personal information by organizations in the course of commercial activity. The legislation requires an organization, which is disclosing personal information, to obtain the individual's consent in most circumstances. An exception to this rule is found in paragraphs 7(3)(d) and (h.2) of Part 1 of the Act which permit the disclosure of personal information to and by a private investigative body, without the knowledge or consent of the individual, if the investigative body is specified by the Regulations. The purpose of this Regulation is to name the investigative bodies for the purposes of paragraph 7(3)(d) or (h.2) of Part 1 of the Act. Increasingly, many fraud investigations are initially launched by private sector organizations (e.g., a bank or insurance company) by way of an independent, non-governmental investigative body. Should the investigative body's preliminary investigation reveal grounds for suspecting that a fraud has been committed or a law contravened, the organization will then turn the findings over to a police or other enforcement agency for further action. Paragraph 7(3)(d) allows an organization to disclose personal information, without the consent of the individual, to the appropriate private sector investigative body in order to conduct the preliminary investigation. The disclosure is circumscribed as it must be a reasonable disclosure related to investigations of breaches of agreements or contraventions of the law. Paragraph 7(3)(h.2) allows an investigative body to disclose personal information back to the client organization on whose behalf it is conducting the investigation. Paragraph 7(3)(h.2) completes the exception provided in paragraph 7(1)(b) for collection without consent for the purposes of the prevention of fraud by extending it to disclosure. Collection alone would be of limited use to those combatting fraud, unless the information could be disclosed to the parties that need the information. However, without paragraph 7(3)(h.2), the flow of information could only go in one direction — from the organization to the investigative body. The investigative body would be unable to disclose the results of its investigation back to the client organization without consent. The ability to exchange personal information between private organizations without consent for investigative purposes is the only exception granted to these organizations by the Regulation. Organizations and investigative bodies which exchange personal information will remain responsible for compliance with all other requirements of the Act for this information, and will be subject to oversight by the Privacy Commissioner of Canada and the ability of individuals to seek redress in the Federal Court of Canada. During the preparation of these Regulations, Industry Canada developed a set of criteria that would be used in the assessment of candidates for investigative bodies. These criteria were intended to cover privacy concerns associated with allowing organizations to disclose personal information without consent for investigative purposes. All of the criteria would not necessarily be applicable to each investigative body. The criteria were based on the following considerations:
Part 1 of the Act will be implemented in two stages. On January 1, 2001, it will apply to the personal information of the customers and employees of the federally regulated private sector, including telephone and transportation companies, broadcasters, and banks. It will also apply to organizations that sell personal information across provincial borders, e.g., companies selling or renting mailing lists. On January 1, 2004, the Act will apply to all personal information collected, used or disclosed in the course of commercial activity. Due to the phased introduction of the legislation and the fact that it is new to the private sector, it is expected that additions to the list of investigative bodies in the Regulation may be necessary. For this reason, the Department will continue to consider applications on a case by case basis in the future. Of the organizations which submitted information to Industry Canada describing their internal structure and investigative process, those listed satisfied the criteria on the basis of the documentation submitted. Copies of their submissions may be obtained by contacting Industry Canada or by visiting the Electronic Commerce Web site: http://e-com.ic.gc.ca/english/privacy/632d1.html. Alternatives The legislative framework in Part 1 of the Act requires that an investigative body, for the purposes of paragraph 7(3)(d) or (h.2) of the Act, be specified by the Regulations. There are no alternatives to deal with the collection, use and disclosure of this information without consent. Benefits and Costs Benefits Insurance fraud is estimated to cost the property and casualty insurance industry $1.3 billion dollars annually. Credit and debit card fraud, robbery, and counterfeit payments are estimated to cost the banking industry $250 million annually (additional losses related to cyber crime and other fraud would add to this figure). If the legislation did not allow information sharing between organizations and their private investigative bodies, the detection and prevention of fraud would be more difficult. This would add to the cost of insurance borne by law abiding policyholders and bank customers through increased premiums, service charges and fees. Costs The Regulation should not impose significant additional costs on the organizations to which it applies as it merely permits the continuation of existing information sharing relationships between organizations and their investigative bodies. The Regulation will have no impact on Department resources. Consultation Bill C-54 (the precursor to Bill C-6) was introduced on October 1, 1998 and received extensive hearings before the Standing Committee on Industry and the Standing Senate Committee on Social Affairs, Science and Technology. Representatives of the insurance and banking industries, among others, appeared before the Standing Committee on Industry and raised the issue of the viability of private sector investigative activities under the proposed legislation. As a result, the bill was amended to provide for disclosure without consent to and by investigative bodies that were specified by the Regulations. Subsequent to the Bill's receiving Royal Assent on April 13, 2000, Industry Canada had discussions with interested parties, including representatives of the insurance, credit reporting, telephone, banking, information technology, direct marketing, real estate, cable television, retail sale, as well as private investigators, internet service providers, the Canadian Chamber of Commerce and other business associations. Consumer and privacy organizations, the provincial and territorial privacy commissioners, and the members of the Federal-Provincial-Territorial discussion group on privacy legislation were included in these discussions. Consultations were also undertaken with the federal Privacy Commissioner. Following the publication of the Regulation in the Canada Gazette, Part I, the following comments were received. One commentator opposed listing the ICPB in the Regulation because it currently solicits information based on suspicion and does not permit the verification of incorrect information by allowing an individual to have access to their file. To the extent that these objections are true, they will be addressed through a combination of the Act and the regulation. Under the Act, the ICPB will be required to ensure accuracy, provide individual access, limit retention of information, etc., and will be subject to oversight by the Commissioner. Three organizations opposed listing the BCPCIO because, according to its own submission, it investigates "dishonest" activity (not breaches of an agreement) and because it collects victim information, rather than only information about suspects, as part of their investigation. On the first point, the Regulation only gives an investigative body the ability to disclose personal information when it has reasonable grounds to believe the information relates to a breach of an agreement. On the second point, it is difficult to conduct investigations without collecting at least some victim information. The above organizations also expressed concern that the investigative bodies may be regarded as not-for-profit entities for the purposes of the Act, and, as such, not engaged in commercial activity. If so, they would not be subject to the Act. The investigative bodies will be subject to the Act since all the disclosures of personal information mentioned in the Regulation take place in the course of commercial activity. One of these organizations also questioned whether the investigative bodies regulation required redrafting to clarify that the listed bodies are the only ones that qualify. Redrafting on this point is unnecessary. One commentator suggested that the "considerations" for investigative bodies should be identified as strict criteria, that applicants should be required to demonstrate that they could not function without the exception and that a public interest test be added. The "considerations" listed in the RIAS are the "criteria" employed. The listed organizations made the case that they could not function without being specified in the Regulation and also that it was in the public interest that they be allowed to function as investigative bodies to combat fraud. One organization stated that it did not want the investigative body regulation to derogate from their right to disclose without consent as may be authorized by other federal legislation. Whatever prior arrangements an organization may have had with law enforcement agencies, it will have to conduct its affairs in accordance with the Act when it comes into force since the Act generally takes precedence (subsection 4(3)) over existing legislation. Organizations may disclose to law enforcement agencies in accordance with subparagraphs 7(3)(c.1)(i), (ii) and paragraph (d) of the Act. One organization suggested that disclosures to professional, regulatory, disciplinary bodies (e.g., College of Dental Surgeons, Insurance Councils) for investigative activities be included in the next round of regulations. The question of the applicability of the Act to the investigative functions of these organizations will be studied and, if necessary, they could be added to the Regulation as investigative bodies. Finally, an organization suggested that licensed private investigators be listed as investigative bodies, at least on an interim basis, and that the Act be amended to permit other types of investigations to proceed without having to obtain the consent of the individual (e.g., background checks). Industry Canada is currently working with a number of organizations and associations who are assessing whether they need to apply for status as an investigative body, including the private investigators. As regards amendments to permit other types of investigations to be recognized, they can be considered in the future. Compliance and Enforcement Individuals may make complaints about the practices of an organization to the Privacy Commissioner of Canada who will investigate the matter and deliver a report to the parties. The Commissioner may make recommendations to an organization concerning its practices and whether they are considered to comply with Part 1 of the Act but the Commissioner does not have the power to issue binding orders on the organization. The individual or the Privacy Commissioner, or both acting together, may take unresolved complaints to the Federal Court of Canada which has the power to order an organization to change a practice and to pay damages to the individual. Contact Mr. Richard Simpson S.C. 2000, c. 5 |
||||||||||||||||||||||||
|
|||||||||||||||||||||||||
