Good afternoon and thank you for inviting me here today.
Central 1 is the central financial facility and trade association for all credit unions in British Columbia and our
member credit unions in Ontario. My submission reflects the consolidated feedback of our 43 B.C.-based financial
institutions.
We are co-operative financial institutions that are dedicated to driving the economic prosperity of the province by
paying dividends, financing commercial projects and residential mortgages, and staying committed to the financial
success of the one-in-three British Columbians who are our members.
From Masset to Surrey, credit unions take privacy very seriously. Our suggestions to improve the Personal
Information Protection Act are intended to ensure that we can continue to protect our members and employees to
the greatest extent possible.
I will divide my remarks into three main sections: areas of the legislation where greater clarification would be
beneficial, areas of the legislation that we feel should be changed and areas of the legislation that should be
made consistent with federal statutes and guidelines.
Clarification
In general, credit unions feel that compliance with the Act would be better supported with enhanced guidelines
and standards.
For example, clarification would be particularly beneficial in terms of fees. Section 32 permits organizations to
charge a “minimal” fee, which is vague and does not acknowledge that it can be costly to carry out access
requests, and that sometimes one request requires numerous detailed searches.
We recommend instead that a fee schedule be established in regulation and the term “minimal” be replaced with
“reasonable” in the Act.
Additionally, privacy legislation is generally becoming more consumer-centric, viewed as “opt-in” as opposed to
“opt-out”. PIPA provides that consent can be deemed or implicit in certain circumstances, subject to
“reasonability”, which is somewhat of a moving target and difficult for credit unions to assess.
We recommend that “reasonability” be defined in the Act or Regulation and that the circumstances in which an
“opt-out” consent may be relied upon be defined.
Changes
Credit unions often build long-standing personal relationships with their members and acting in the best interests
of those members throughout their lives is extremely important to our principled approach to financial
management. Unfortunately, circumstances in which members, particularly the elderly, become subject to
financial abuse are becoming increasingly common.
While Section 18 does permit the disclosure of personal information without consent “if the disclosure is clearly in
the interests of the individual and consent cannot be obtained in a timely way,” it is unclear in which precise
situations this may be done, how, and to whom. Furthermore, these circumstances may not necessarily constitute
clear fraud and credit unions must balance the risk of disclosure against a member’s “financial health and safety”
– terms not contemplated in the Act.
We recommend that financial institutions be given authority and guidance on reporting suspected financial abuse
to an individual’s next of kin or authorized representative. This would also be consistent with the federal privacy
act.
Similarly, only a personal representative or “nearest relative” can currently act for a deceased individual, for
example, when requesting information about the deceased’s estate. This is problematic in the not-infrequent
circumstances in which there is no nearest relative or personal representative immediately identified.
Consistent with the 2008 report of this committee, we recommend that PIPA be amended to allow for the release
of the deceased’s information to a specified individual, such as their legal counsel.
The final change we recommend is to amend PIPA to allow for the use and disclosure of an employee’s personal
information, without consent, in limited situations where it is of benefit to a relationship with a previous employer.
The existing requirement to only use personal information if there is a current employment relationship can lead to
difficulty in the administration of pensions and benefits by a former employer.
Consistency with federal legislation
Under Canada’s new Anti-Spam Law (“CASL”), the Electronic Commerce Protection Regulations make an
exception to the consent requirement for commercial electronic messages sent following a referral, if certain
conditions are met. Yet under PIPA, collection of personal information is not permitted in this circumstance.
Credit unions believe that CASL strikes a reasonable compromise between commercial and individual interests
and ask that PIPA be brought up to date to be consistent with CASL.
Additionally, the Act’s definition of “source of information available to the public” is too narrow given the
proliferation of the Internet and social media. Consistent with CASL, we recommend that references in the Act
reflect technological advances.
Finally, while we have already adopted the best practice of notifying individuals in the rare event that the security
of their personal information has been compromised, credit unions support amending PIPA to explicitly require
privacy breach notification, consistent with federal legislation.
Credit unions also have adopted the best practice of retaining responsibility for personal information transmitted to
third parties via contractual or other means, as required in the federal privacy act [1] and ask that B.C.’s law be
brought up to date to avoid confusion.
Honourable members, thank you for your attention. The credit unions of B.C. are committed to the long-term
financial security of their members, and through them, the economic prosperity of our province. PIPA is an
important tool in helping us to achieve those goals reasonably, and we look forward to your amendments that will
bring this legislation up to date.
I’d be happy to take any questions you may have.
[1] PIPEDA, Schedule 1, 4.1.3