Information & Ethics Committee on April 8th, 2014

We have a twin mandate at the commission of protecting human rights and promoting them. While we are a regulator and receive complaints and participate in cases, we also have a very strong mandate to work with stakeholders to promote, to research, and to share information. In so doing, we share information with departments such as the Department of Justice and with agencies.

In the context of this research, we consulted a number of national security agencies, including Foreign Affairs, Passport Canada, CIC, and we have shared our best practices with them.

In this case it was a question of trying to have options among methods for identifying Canadians and trying to gather information to see and ensure that discretionary decisions are not taken in a way that adversely impacts upon a given group.

We have a discipline grid at CRA that tries to ensure that there is consistency in application, because we're such a large organization with approximately 40,000 employees. The grid will say what kind of misconduct has occurred and then what kind of discipline should be given.

For unauthorized access, it ranges from suspension up to dismissal. I can say that in the past year, there have been 14 employees dismissed and 18 suspended for that reason.

No.

I think the numbers reflect that we take the problem quite seriously and follow through when incidents occur and that there is some consistency across all of our branches in ensuring that the issue is recognized and treated in a consistent fashion.

I'm not in a position to comment on that. I think the evidence speaks for itself, in that it shows that it has happened.

I have a point of order.

We've shared a tool with a number of the organizations we work with. It's a guide on the impact of security measures on human rights and is intended to address issues just like that. It examines whether persons with disabilities and members of other groups protected under the act have access to the measure in place. That analysis has to happen at the very beginning when the measure is first implemented. Then, the measure has to be tested to determine whether it is effective security-wise and whether it has a negative impact.

The situation you described would involve an impact. The test could reveal that the measure seemed like a good idea initially but had a negative impact on either safety, health or individuals.

And the assessment process should continue even after the measure is implemented. Assessment and improvement have to be ongoing.

Every situation, we say, ought to be looked at for its human rights impact.

If you have a situation where you find that a certain protected group, say, persons with disabilities, is more likely to have their identity stolen with a given measure, then that impact ought to be identified. It then raises the question, how can we minimize and at best eliminate that negative impact? That's what the human rights impact assessment is. We look at groups. We're not only looking at a direct impact on the group but indirect as well. Let's make sure, and again, this shouldn't impact security, as security is fundamental, but let's make sure that the human rights lens is there from the very design of the measure throughout its implementation and beyond.

The one that I gave was the personal identity card in the United States. This was one where you're using fingerprints. If that doesn't work, you're going to use facial recognition.

I'll ask my colleague, Mr. Karpinski, if this came out in the research.

There are a few examples in Canada.

If you look at the report, we surveyed a bunch of secondary identity documents produced by the Government of Canada. Among them is the NEXUS card which uses two particular biometrics, that being fingerprinting and iris scans. There's an example that, should the fingerprint not be readable or the person not have the appropriate fingers in order for the machine to scan, they could potentially rely on an iris scan. That in itself might not necessarily be as inclusive because not everybody might have scannable fingers and scannable irises. It's to ensure....

What the report demonstrates is that when you develop those kinds of systems, you always have some kind of additional thinking behind it to say that if this is what is required, what other measures can you put in place that might compensate for those exceptions where needed?

There are other simpler examples. If you go to a grocery store, for example, you might find hand scanners that allow you to clock in an employee. There again you might want to find out if the hand scanner can scan one hand or both hands. You want a system that can scan presumably both because there have been demonstrated examples of people objecting to having one particular hand scanned over another. When you have systems like that, our argument is to not rely exclusively on that one system, but have others there to complement it.