Evidence of meeting #18 for Access to Information, Privacy and Ethics in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Philippe Dufresne  Director General and Senior General Counsel, Human Rights Protection Branch, Canadian Human Rights Commission
Susan Gardner-Barclay  Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
Helen Brown  Director General, Security and Internal Affairs Directorate, Finance and Administration Branch, Canada Revenue Agency
Maciej Karpinski  Senior Research Analyst, Human Rights Protection Branch, Canadian Human Rights Commission

11 a.m.

The Chair NDP Pat Martin

Good morning, ladies and gentlemen. We'll convene our meeting.

Welcome to the 18th meeting of the Standing Committee on Access to Information, Privacy and Ethics.

Today we continue our study on the growing problem of identity theft and its economic impact.

We're pleased to welcome, as witnesses and presenters today, representatives from the Canadian Human Rights Commission, Mr. Philippe Dufresne, director general and senior general counsel; and from the Canada Revenue Agency, Ms. Susan Gardner-Barclay, the assistant commissioner and chief privacy officer, who is accompanied by Helen Brown, director general for security and internal affairs directorate.

We will begin with opening remarks from both of the parties. We'll begin with Mr. Dufresne, from the Canadian Human Rights Commission.

Usually, we invite you to make a presentation of approximately 10 minutes and then we open it to questioning from the floor.

Welcome, Mr. Dufresne. You have the floor.

11 a.m.

Philippe Dufresne Director General and Senior General Counsel, Human Rights Protection Branch, Canadian Human Rights Commission

Mr. Chair, thank you to the committee for inviting the Canadian Human Rights Commission to contribute to your study on the growing problem of identity theft and its economic impact.

I would like to introduce my colleague, Maciej Karpinski, senior research analyst with the commission's protection branch.

Today, I would like to touch upon three main points. First, I will briefly talk about the Canadian Human Rights Commission and how we promote and protect human rights, and ensure equal opportunity for Canadians. Second, I will discuss the commission's 2010 report on identity certification and the importance of ensuring that measures used to certify a person's identity comply with human rights principles. Finally, I will share with you our recommendations on how to avoid being discriminatory in this area.

I will begin with a short description of the commission and its mandate.

We are mandated by Parliament to administer the Canadian Human Rights Act and monitor compliance of federal organizations with the Employment Equity Act.

We receive discrimination complaints regarding employment and services provided by organizations under federal jurisdiction. This includes the federal public sector, as well as private sector companies involved in industries such as transportation, telecommunications and banking.

We also participate in major human rights cases before tribunals and courts, including the Supreme Court of Canada.

The commission works to prevent discrimination and promote the development of sustainable human rights cultures. We do this by providing organizations with research, policies and tools to promote understanding of and compliance with the Canadian Human Rights Act.

One of these tools is the Human Rights Impact Assessment for Security Measures, which I will touch upon later in my remarks.

The report you have asked us to speak about today was published in 2010. It was part of a research initiative related to national security and human rights. Our objective then was to help national security organizations strengthen their identity certification practices in a way that respects human rights principles.

While our report focused on national security organizations, its conclusions, we believe, are relevant for any public or private organization that offers services for which identity information is required. We therefore hope that the information contained in this report will be of assistance to the work of this committee.

Our report demonstrates that the most common forms of identity certification tools used are at risk of being discriminatory based on the prohibited grounds of discrimination set out in the Canadian Human Rights Act. And that is for two reasons.

First, the method may be inaccessible to an individual or a group of individuals. Second, discretionary decisions rendered by officers in validating identities may lead to discrimination.

Our report has shown that there are two main types of metric systems used for identity purposes. The first is uni-modal, which is using just one metric of identity information, and the second is multi-modal, which is using a combination of two or more metrics.

For example, a uni-modal system might rely exclusively on fingerprints. This may be inaccessible to people who do not have fingers or whose fingerprints have been affected by their working conditions and/or their age. By contrast our study found that multi-modal biometric systems offer a degree of inclusiveness that can often address the limitations of uni-modal systems. Multi-modal systems not only have the capacity to help protect human rights, but also have the ability to build a stronger and more trustworthy security system.

At the time of the review, the personal identity certifier card in the United States was identified as an effective multi-modal system. This card stores both fingerprints and facial-scanned biometrics for each enrolled federal employee or contractor. Though it primarily uses fingerprint biometrics, digital facial imaging is used when it is not possible for a federal employee or contractor to provide fingerprints, or if there is an anomaly.

In dealing with these important issues, human rights law provides guidance for determining whether an otherwise discriminatory measure can be justified. This includes looking at: first, the extent to which the measure is necessary; second, whether there are less discriminatory ways of achieving the same objective; and third, the extent to which the infringement on human rights outweighs the benefits gained by the measure.

Situations may also arise where users may require an exemption. Policies and practices to reasonably accommodate these individuals should therefore be included as part of the development of any measure. Should there be no reasonable alternative for a given biometric, it is up to the organization employing the biometric to demonstrate that sufficient measures have been taken to explore other less discriminatory ways of achieving similar results.

Based on these principles, we developed the human rights impact assessment for security measures. This tool outlines the steps to take during a security measure's life cycle to ensure that security standards, policies, and practices are both effective and respectful of human rights.

We believe that by applying a human rights impact assessment before a security measure is finalized, we can not only improve a security measure's effectiveness and efficiency, but also save time and money while bolstering public support for new and existing security initiatives.

That is what we mean when we call on organizations to apply a human rights lens to a proposed policy or procedure.

Thank you for your attention. We'd be happy to take your questions.

11:05 a.m.

The Chair NDP Pat Martin

Thank you, Mr. Dufresne.

We'll go now to Susan Gardner-Barclay, from the Canada Revenue Agency.

You have approximately 10 minutes, please, Ms. Gardner-Barclay.

11:05 a.m.

Susan Gardner-Barclay Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Good morning, Mr. Chair, and thank you very much.

Good morning to members of the committee.

My name is Susan Gardner-Barclay, and I am assistant commissioner of the public affairs branch and chief privacy officer of the Canada Revenue Agency, or CRA.

I am joined this morning by Helen Brown, our director general of the security and internal affairs directorate at the CRA's finance and administration branch.

We are very pleased to appear before you today to support you in your study on the growing problem of identity theft, by speaking about the measures the CRA has in place to protect taxpayer information.

As one of the Government of Canada's largest institutions, the CRA has more interactions with Canadians than any other department. In 2012-13 alone, over 27 million Canadians and businesses filed tax or benefit returns. The CRA collects approximately $400 billion annually in taxes and duties, and distributes $22 billion in credits and benefits to Canadians. Our call centres receive 20 million calls a year, and we process over 150 million pieces of mail. As a result, we have one of the largest personal information data holdings in the Government of Canada.

The trust that Canadians place in the CRA to protect their information is the cornerstone of Canada's system of voluntary self-assessment. Further, section 241 of the Income Tax Act and section 295 of the Excise Tax Act prohibit the disclosure of taxpayer information by any employee of the CRA unless specifically authorized under these acts. Breach of these provisions is a criminal offence subject to strong penalties up to and including imprisonment.

That's why the CRA has an extensive number of safeguards in place to protect Canadians' personal information and, in turn, reduce the risk of identity theft.

First and foremost, the agency has worked diligently to promote a strong culture of integrity among its employees.

Our code of ethics ensures that staff are aware that the protection of the privacy rights of taxpayers is central to their responsibilities and that this responsibility continues even after they leave the CRA.

In 2012, the CRA launched its integrity framework, all of its policies, programs and systems that work together to protect the integrity of the agency. The framework ensures that the high standards established to protect taxpayer privacy are communicated to all employees and managers, and that the CRA's performance against those standards is carefully monitored and reported.

The CRA also works closely with the Privacy Commissioner of Canada to ensure that protections are strong and any areas of improvement are addressed.

In 2009 and 2013, the Privacy Commissioner conducted audits of the CRA's privacy management regime. In these audits, the commissioner recognized the immense scope and complexity of the CRA's operating environment, as well as the agency's established culture of security and confidentiality. Of course, she also noted areas for improvement that focused on the consistent and timely completion of privacy impact assessments; the completion of risk assessments for all IT systems that process taxpayer information; strengthened monitoring of employee access to CRA computer systems; and improved processes for sharing information internally about privacy breaches. The CRA agreed with all recommendations, and significant progress has been made in responding to them, with many activities already completed.

This includes the creation of the role of chief privacy officer in April 2013. I assumed that role when I was appointed as Assistant Deputy Commissioner of the Public Affairs Branch and Chief Privacy Officer in October of last year.

As chief privacy officer, I am responsible for overseeing all decisions related to privacy at the CRA and to champion and report on personal privacy rights within our organization.

The CRA is also actively pursuing many other program, policy, and technology changes to strengthen our privacy management. These include building on our front-end controls that ensure employees have only the access to CRA computer systems that they require in order to perform their duties, and strengthening our back-end controls to build on our automated systems so that the CRA can better monitor and analyze the full range of actions performed by employees on their computers.

New information-sharing protocols have also been established within the agency to ensure accurate reporting and monitoring of privacy issues, and we have put in place an integrity advisory committee, chaired by the commissioner of the CRA, with an external integrity adviser as part of its membership. We are also conducting an organization-wide exercise to verify that privacy impact assessments are up to date for all agency programs or initiatives requiring one.

The CRA is keenly aware that, due to the nature of the information holdings we have, a breach of personal information may hold the potential for that information to be used in identity theft or other criminal activities.

The nature of information breaches that occur at the CRA is extremely varied, and can range from an employee mistakenly accessing the wrong taxpayer file in the course of his or her work, to misdirected mail, which, in fact, constitutes 95% of the CRA's information, data and privacy breaches, and to rare instances where the personal information accessed could potentially be used for fraud or financial gain.

It's important to note that many of the breaches identified by the CRA do not constitute privacy breaches, as no personal information was disclosed. However, when the CRA discovers a privacy breach has occurred, the breach is assessed in accordance with Treasury Board policies and procedures to document and evaluate all potential risks to the affected individual.

In instances where there is reasonable potential that an individual may have been harmed by the privacy breach, that individual is informed. The Privacy Commissioner is also informed according to Treasury Board guidelines.

Before I conclude, I'd like to take a few moments to address what the CRA does to warn Canadians about third party phishing schemes that attempt to masquerade as the CRA in order to gain sensitive personal information from the victim. This year's tax season has seen a significant growth in these types of schemes and the CRA continues to take a variety of measures to warn Canadians about them. Our website provides easy to find information on what these scams look like and what to do to reduce the risks of identity theft. We also use tax alerts and news releases to the media, and frequently highlight this information to Canadians through our corporate Twitter account.

To reach communities such as seniors or other vulnerable groups who may not have access to the Internet, we have a proactive media strategy that offers interviews to specialized media, and in a variety of languages depending on the region, including Punjabi, Hindi, Cantonese, Greek, and Italian. We also have a strong network of intermediaries, seniors and youth organizations, multicultural groups, police associations, tax preparers, among many, who distribute our information to their clients and communities. We partner with other government organizations to spread the word through such events as fraud prevention month. When identity theft does happen, the CRA can and will flag taxpayer files to guard against suspicious activity.

In short, Mr. Chair, the CRA is working to ensure controls are in place, and that we continue to assess and improve those controls.

Our responsibility to protect Canadians' information is fundamental to who we are and what we do, and we continue to dedicate significant effort to meeting the expectations of Canadians in this regard.

We'd be very happy to take your questions.

11:15 a.m.

The Chair NDP Pat Martin

Thank you, Ms. Gardner-Barclay.

We'll go to rounds of questions.

For the official opposition and the first seven-minute round, Charmaine Borg.

April 8th, 2014 / 11:15 a.m.

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you, Mr. Chair.

First, I'd like to thank our witnesses for joining us today. Even though you are all undoubtedly very busy, you took the time to come and speak to us about a very important issue. We really appreciate it.

Now, I'd like to ask the Canada Revenue Agency officials a question.

In your presentation, you indicated that a number of data breaches had occurred. In response to a written question from a colleague of mine, within your department, you identified 2,983 occurrences of data breach or loss affecting 2,249 individuals. That represents more than half of data breaches or losses if you consider all federal agencies in question. That's extremely high for a single year.

With so many data breaches or losses, how do you intend to do a better job of managing Canadians' personal information and reduce the risk of identity theft that data breaches can lead to?

11:15 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Susan Gardner-Barclay

Let me begin by giving you a bit of context around the numbers that appeared in written question 255, which I think is the question you're referring to.

That response indicated that the CRA had experienced around 2,900 information, privacy, and data breaches in the time period requested. Some 2,800 of those were actually misdirected mail. That constitutes about 0.001% of the 150 million pieces of mail that the CRA handles in any given year.

Having said that, we certainly understand that we need to take strong measures in any instance where a taxpayer's information ends up where it shouldn't be. We do have measures that are aimed at addressing misdirected mail specifically, and my colleague Helen Brown can speak to that.

I'll also mention the number of initiatives that we have put in place as a result of the two Office of the Privacy Commissioner audits we had in 2009 and 2013, which I referred to in my opening remarks.

We essentially now have a tiered response to managing information security and privacy breaches.

Our first line of defence, of course, is our employees. We have a very strong code of conduct that makes it absolutely clear to our employees what their responsibilities are with regard to security management.

We have ongoing staff training and awareness. We have a mandatory course for security for all of our employees at the CRA. We now have extensive information-sharing protocols within the CRA that help us to identify and address breaches when they do occur, particularly between our security and advisory directorate and our ATIP directorate, which has responsibility for monitoring these things.

We now have active controls at the front end of our technological systems which ensure that only the computer systems that employees need to access to do their jobs are those that they can access. We now have very strong back-end controls and are working to actually strengthen those through some technological changes that we'll have in place over the next two years. We will put in place systems that will allow us to very carefully monitor employee activity on all of our computer systems, right down to what files they're accessing, how they're accessing them, and what information they're looking at on those files.

We have a very strong regime of policies and practices that go along with that, including a very strong discipline policy that situates unauthorized access as a significantly serious offence within the disciplinary regime. We have a very strong oversight process, which includes my office. It includes the integrity advisory committee that I referred to, and of course, the OPC, which takes great interest in our privacy regime.

11:15 a.m.

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you kindly.

Ms. Brown, you may have a chance to answer my next question.

Ms. Gardner-Barclay said that 2,800 pieces of mail were sent to the wrong person. A constituent of mine came to see me with a letter telling him he was now eligible for old age security. With his letter was another one addressed to someone else. Clearly, both letters contained very confidential information. And I, myself, alerted the CRA about the situation.

If it happened in my riding, I assume it has happened to many people. You said 2,800 were affected. What do you do when that happens? Why were 2,800 pieces of mail sent to the wrong person?

You said it represented a low percentage of all CRA mail, but it still seems like a lot of people to me. We are talking about 2,800 people whose identities could potentially be stolen as a result. And to me, that's very serious.

11:20 a.m.

Helen Brown Director General, Security and Internal Affairs Directorate, Finance and Administration Branch, Canada Revenue Agency

Thank you for your question.

It's a very important issue. Our goal would be to have no misdirected mail, if that were possible, and we've put many steps in place.... I don't know when your situation occurred personally, but what we've put in place in the last year is a protocol whereby as soon as someone advises us that there has been misdirected mail, our security people get back to them within a day and we find a way to retrieve the misdirected mail.

Our norm is that we're getting it back within four days. Of the mail that's misdirected, we manage to retrieve 95%. We look to see what the cause of the problem was so that we can try to reduce the risk of its happening again, and we advise the taxpayer, if we feel that there's been the potential for harm.

11:20 a.m.

Charmaine Borg NDP Terrebonne—Blainville, QC

How do you keep it from happening?

Let's say I receive a letter from the old age security people as well as someone else's letter. If I were a person who was up to no good, I could use the confidential information in the letter to steal the person's identity.

How can you assure the beneficiary that the person who received their letter erroneously isn't going to use the information in the letter for criminal purposes?

11:20 a.m.

Director General, Security and Internal Affairs Directorate, Finance and Administration Branch, Canada Revenue Agency

Helen Brown

My first response to that question is that as our first line we would try to retrieve it as quickly as possible. The second thing, if we find out about the misdirected mail, is that we advise the taxpayer, if we think there's a risk of harm, and encourage them to contact the CRA. We can either provide them with some support with Equifax, the credit services, and/or we can put a flag on their file so that we are aware that there's a concern there might be identity theft.

11:20 a.m.

The Chair NDP Pat Martin

Thank you, Ms. Brown.

I'm sorry, Ms. Borg, that concludes your time.

Next, for the Conservatives, is Mr. Laurie Hawn.

11:20 a.m.

Laurie Hawn Conservative Edmonton Centre, AB

Thank you to all the witnesses for being here.

I'd like to talk a little bit more about the impact of these things, rare as they are—and that's a good thing. Just to refresh the numbers—this is for CRA—did you say that 150 million pieces of mail go out?

11:20 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Susan Gardner-Barclay

There are 150 million pieces of mail that we manage; around 120 million of that correspondence is correspondence coming from the CRA, and the remainder is correspondence coming back in to the CRA. It is 150 million in total.

11:20 a.m.

Laurie Hawn Conservative Edmonton Centre, AB

I think you said that 0.001% of the things that you send out wind up being misdirected.

11:20 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Susan Gardner-Barclay

That's correct.

11:20 a.m.

Laurie Hawn Conservative Edmonton Centre, AB

What's the raw number? Was that the 5% of the 2,800?

11:20 a.m.

Director General, Security and Internal Affairs Directorate, Finance and Administration Branch, Canada Revenue Agency

Helen Brown

That's a good question.

11:20 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Susan Gardner-Barclay

It's about 1,600.

11:20 a.m.

Laurie Hawn Conservative Edmonton Centre, AB

Okay.

Are there any cases of any of those misdirected pieces of mail falling into the wrong hands? The number of bad people out there who would take advantage of this is pretty small, and the chances of that piece of mail going to one of those people is really very small. Has there ever been a case of misdirected mail having an actual negative impact on a taxpayer?

11:20 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Susan Gardner-Barclay

We have no evidence that this has ever occurred. A significant majority of the misdirected mail that is sent out doesn't actually contain any personal information, as well.

11:20 a.m.

Laurie Hawn Conservative Edmonton Centre, AB

To Ms. Borg's question, which is a legitimate hypothetical question, the odds of that happening are pretty tiny, I would suggest.

With respect to the kind of experience you had with human rights, I'm not sure how you would characterize the impact. I see three things: somebody might use information for extortion purposes of some kind, or simply for identification theft, or for fraud against a vulnerable senior or something like that.

Do you have any data on the frequency of any of those kinds of things?

11:20 a.m.

Director General and Senior General Counsel, Human Rights Protection Branch, Canadian Human Rights Commission

Philippe Dufresne

We have not looked into the frequency of theft or the frequency of use of information that might have been stolen. What our report focused on was what types of information we're using and what types of metrics we're using to certify the identity of Canadians, whether to gain access to services or access to Canada, etc., and whether those measures are having a negative human rights impact, and what we can do to prevent negative human rights impacts.

We found that ensuring that measures are consistent with human rights principles is not done at the expense of security; it strengthens security. They work together.

11:25 a.m.

Laurie Hawn Conservative Edmonton Centre, AB

Okay.

I have a question for both agencies. A lot of work, obviously, has gone into keeping information secure, and every agency does its own thing. How much information sharing on best practices goes on between agencies such as the Human Rights Commission, Public Safety, CRA, and so on?

Either of you may respond.

11:25 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Susan Gardner-Barclay

We participate quite actively on two levels. The first is around the access to information community. We participate in interdepartmental standing meetings of ATIP personnel. Information is exchanged on best practices. As a matter of fact, we recently gave a presentation to other departments on the creation of the chief privacy officer and its mandate in other departments. Also, Ms. Brown participates in a similar community of departments that look at departmental security measures.