Evidence of meeting #142 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.

A video is available from Parliament.

Also speaking

Marina Mandal  Vice-President, Banking Transformation and Strategy, Canadian Bankers Association
Della Shea  Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.
Angelina Mason  General Counsel and Vice-President, Canadian Bankers Association

3:30 p.m.

The Chair Conservative Bob Zimmer

I'll call the meeting to order. This is meeting 142 of the Standing Committee on Access to Information, Privacy and Ethics. Pursuant to Standing Order 108(3)(h)(vii), we are resuming our study of privacy of digital government services.

The witnesses we have with us are, from the Canadian Bankers Association, Angelina Mason, General Counsel and Vice-President; and Marina Mandal, Vice-President, Banking Transformation and Strategy. From Symcor, Inc., we have Della Shea, Vice-President, Privacy and Data Governance and Chief Privacy Officer.

We'll start off with Marina, for 10 minutes.

3:30 p.m.

Marina Mandal Vice-President, Banking Transformation and Strategy, Canadian Bankers Association

Thank you, Mr. Chair, and good afternoon. It's always a pleasure to appear before the committee.

My name is Marina Mandal, and I'm joined today by the CBA's general counsel and vice-president, Angelina Mason. Before I continue my opening remarks, I just want to apologize in advance if my voice drops during my comments. I'm fighting off a cold or flu or something.

The concept of digital government, when we're already living in a digital society, should be welcomed. This is especially true in the area of identification, where establishing who we are and what we're eligible to do is one of the foundational tasks of government. Despite remarkable advances in technology that accelerate with each year, we're still tethered to an analog model that relies on presenting physical documents to establish our identity in multiple daily transactions that we have with public services, businesses and each other. The good news is there's a modern solution to this challenge. The Canadian banking sector is ideally situated to underpin a digital ID system that will revolutionize the way we use personal data to interact with the world.

The current system is deficient in three major ways.

First, it's outdated, especially when it relies on physical documents like driver's licences and utility bills. These documents can be forged or stolen, and used fraudulently. Requiring face-to-face transactions also places the burden on those in remote communities and those with mobility challenges who could be forced to travel long distances to conduct basic business or access essential services.

Second, even today's technology-based approaches are clumsy. The two-factor identification sequence used online—where you enter a username and password—can be easily compromised. It's also a hassle for users who must remember dozens of log-in credentials.

Third, inefficient methods of establishing identity are a drag on economic growth. They slow down the speed of transactions, introduce uncertainty and are prone to costly errors. Countries around the world realize this situation is untenable and are crossing the electronic frontier to explore the benefits of implementing digital identity systems.

When ID goes digital, citizens can verify their identity electronically using a combination of existing systems and newer biometric tools, such as fingerprints or facial recognition. With the growing number of Canadians accessing services and businesses online and the increased use of mobile phones, Canada is in a position to move forward with its own robust digital identity system. Two recent developments have added momentum to this trend.

First, updates made in 2018 to the Bank Act expressly allow banks to provide identification, verification and authentication services beyond the needs of their own operations. This is a contemporary acknowledgement of what has always been true about banks: They know who their customers are, know about their financial status and can attest to both. Historically, banks would write physical letters of introduction for clients to help them in personal or business matters in distant locations. The endorsement of a bank created trust among strangers.

The second development is that the CBA produced a white paper last year that lays out a clear path for making digital ID a reality in Canada. We took into account our country's unique characteristics, advanced institutions and sophisticated infrastructure to develop a framework for what could work here.

We call for a federated model of digital ID because it would align with Canada's political structure. A federated model works by creating linkages between federal and provincial identity management systems. Right now, identity is spread across multiple isolated regimes. For instance, the federal government has social insurance and passport information, but the provinces manage health cards and driver's licences.

The first step in our model envisions maintaining these distinct systems, but connecting the disparate elements in such a way that someone's identity can be authenticated electronically using a combination of attributes. Instantly verifying someone who is using multiple digital reference points is more secure than relying on a plastic licence card that could be a forgery. Because this digital network is connected yet decentralized, the risk of compromising the system is reduced by eliminating honeypots of data that hackers tend to target.

The second step is to harness the power of the private sector. This would enable the creation of a digital ID system without the cost and risk of building complex infrastructure from scratch. Canada's banks already operate across the country and around the world. We have robust, interconnected electronic systems that citizens can access from branches, bank machines, home computers and mobile phones. These networks are up and running 24 hours a day, all year long. More importantly, banks are already held to a high standard when it comes to collecting and safeguarding the personal information of customers. For banks, the privacy of their clients' data and personal information is at the core of what they do. Banks are subject to rigorous oversight to ensure this data is held accurately and securely, from one end of the transaction to the other.

The third step in our federated model involves passing legislation that would allow business and government to accept digital ID. Banks must know their clients as part of Canada's fight against money laundering and terrorist financing. That involves thoroughly gathering and maintaining customer information and financial intelligence subject to strict regulations. It's true that some client ID requirements under anti-money laundering and anti-terrorist financing legislation have been modified to allow non-face-to-face verification; however, the rules continue to be rooted in physical ID.

Our industry is ready and willing to work with Treasury Board, the Department of Finance, ISED and other departments and agencies to explore ways to accommodate the technologies of the connected age.

The government is already starting to explore other ways to update financial transactions, and blockchain and artificial intelligence are pushing into new frontiers. With these developments, the demand for digital ID will only grow more urgent. Banks stand ready to contribute energy and resources to build a federated model for Canada.

Thank you for your time. I look forward to answering any questions you may have.

3:35 p.m.

The Chair Conservative Bob Zimmer

Thank you once again.

Next up, we have Ms. Shea, with Symcor Incorporated, for 10 minutes.

3:35 p.m.

Della Shea Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

Good afternoon. I would like to thank you, Mr. Chair, and also the members of the committee, for the opportunity to speak with you today on such an important topic and to share perspectives as the government endeavours to understand how to improve services for Canadians while also protecting their privacy and their security.

My name is Della Shea. I am the Chief Privacy and Data Governance Officer at Symcor and I offer my comments this afternoon based on approximately 20 years of experience leading internationally recognized data privacy and security programs at Symcor.

For those of you who may not be familiar with Symcor, we are one of Canada's leading providers of business process outsourcing services to the financial services sector. We offer a diverse portfolio of traditional and also digital services, including payment processing, statement production, document management and also fraud analytics. We also provide services to other organizations in retail, utilities and telecommunication sectors and more recently also to some governments. We have close to 2,000 employees, who work across Canada.

You've asked how government can improve services for Canadians while also protecting their privacy and their security. In addressing this question I'd like to share some of my insights as well as experiences gleaned from actually embedding privacy and security into our services at Symcor.

In this regard, my comments will focus on establishing and maintaining trust, and specifically on three core tenets that underpin trust: first, privacy by design and data stewardship; second, the role of trusted service providers in a digital ecosystem; and third, a consistent legislative framework. I will address these in turn.

First, as many of you and members of the privacy community are aware, the concept of privacy by design calls for privacy to be taken into account throughout the planning and service delivery process. In short, privacy must be an organization's default mode of operation. Governmental bodies will have to take a similar approach. My recommendation is to establish controls on the way governments design their systems. The privacy by design framework should be used in order to embed privacy into operations.

A second concept closely related to privacy by design is data stewardship. Data stewardship and being an effective data steward is about actually operationalizing the accountability model that has been set forth under Canadian privacy legislation. As Canada's privacy commissioners have highlighted, it is about the clear acceptance of responsibility for the protection of personal information under their control.

As the government considers its approach to rendering services to Canadians, I would urge the adoption of a data stewardship model. At a very practical level, this means maintaining accountability for protecting Canadians' privacy and security.

Next, I would like to briefly touch on the critical role of a trusted service provider in the digital ecosystem. The shift to platforms and ecosystems has already happened. This represents the future for all organizations, including governments. The new digital ecosystem has brought the opportunity to create new and innovative operating models and new partners, intermediaries and also collaborators.

Under the Canadian private sector privacy legislative framework there is an elegant rule that organizations are responsible for the personal information in their custody and control, including when this information is also transferred to third parties.

It is critical for government to establish a working model that consists of trusted service providers and intermediaries in this digital ecosystem. This will consist of a model whereby organizations are held to a consistent standard to minimize the likelihood of systemic vulnerabilities, but more generally to provide confidence in the digital ecosystem and digital service delivery.

In a similar vein, as a matter of gaining and maintaining public trust, there must be consistent and robust privacy rules for the private sector and the broader public sector for data processing activities, to avoid any gaps in privacy coverage.

In short, all players in the digital landscape, both private sector and public sector, need to be following consistent and robust privacy legislation. The role of government will be fundamental in establishing consistent, robust privacy rules applicable to the digital ecosystem.

This brings me to my conclusion. The data strategy road map for the federal public service published last fall outlines a comprehensive vision to overcome silos and leverage data as a valuable asset. I applaud the government for embarking on this study to consider privacy and security as it undertakes this journey.

I would encourage the government to design a maturity model that will scale to the future, one that not only considers privacy and security at the foundational level of digitizing government services but also contemplates a fully digitized society where everyone and everything is connected to a fluid and ever-expanding ecosystem.

Thank you. I look forward to your questions.

3:45 p.m.

The Chair Conservative Bob Zimmer

Thank you, Ms. Shea.

Next up we have questions, starting with Mr. Saini for seven minutes.

3:45 p.m.

Raj Saini Liberal Kitchener Centre, ON

Good afternoon. Thank you so much for coming.

Ms. Mandal, in your opening comments, you said something that I wanted to dig down a little deeper into, just so I have a better understanding. We know right now that if we're going to do anything in digital government we need private sector involvement. It has to go hand in hand to leverage not only the intelligence in the private sector but also these advanced technologies that they have. We also know right now that information, especially in Canada, is very decentralized, with different levels of government holding information, and even different departments holding different information.

In the white paper you wrote, you talked about the federated approach to the digital ID framework. You mentioned some of that in your opening comments. Can you give us a broader understanding of how that will work in contrast to the Estonian model with X-Road? You said one thing that I think is similar to X-Road, that there are no honeypots. But with X-Road they started from greenfields. We're not going to be able to start from a greenfield. We have more advances to mature, legacy systems. Different departments have different systems.

How could we compare the two? How would the federated approach work as compared to X-Road, which is a different approach in Estonia?

3:45 p.m.

Marina Mandal Vice-President, Banking Transformation and Strategy, Canadian Bankers Association

Thank you for the question.

I know that the CBA's white paper, for those of you who have had a chance to review it, does talk about two countries in particular, Estonia and India, which are quite different for a number of reasons from Canada. We thought, as I think this committee did as well, that Estonia is sort of a model example within the specific context and culture of that country. I would say the similarities between the lessons learned from Estonia for Canada is the paramount importance of privacy and data security. My understanding is the federal government's digital exchange project adopts similar technology to what underlies X-Road. Those are two things we can take from Estonia.

I would say that pretty much after that everything is quite different. The federated model works with Canada's governance. We have multiple levels of government. Foundational identity documents sit with different levels. Birth certificates sit with provincial governments. Citizen and immigration documents sit with the federal government. The federated model makes sense because of that decentralization. I think when we look at the private sector involvement.... I think in Estonia it was pretty much a government top-down position, as it was in India, whereas in Canada we already have movement. We have things that are in flight right now. I'll talk about a couple of things probably a few more times through my comments today.

The Digital ID & Authentication Council of Canada was created coming out of the task force on payments that was appointed by former finance minister Flaherty, because the task force on payments said that for digital payments to work, you absolutely need digital ID. DIACC has at the table provincial governments, the federal government, telcos, banks and credit unions. They have come together to create a pan-Canadian trust framework that would ideally underlie all players in the digital ecosystem in Canada.

3:45 p.m.

Raj Saini Liberal Kitchener Centre, ON

Thank you.

Ms. Shea, I want to come back to you. I know you have the private sector experience that's there.

We talk about a process called onboarding. Could you give me a rundown of how onboarding in Canada works? Onboarding in Canada would involve 37 million people. We have people living all across this country. Some people are able to access the Internet. Some people live in areas, unfortunately, where broadband is still not available. You have people who are digitally savvy, and you have some people who may not be that digitally savvy.

How are you going to get everybody on board? There obviously will have to be economies of scale that are involved, and if this system's going to work, everybody has to participate. The onboarding process for me seems like one of the great limiting steps, as we say in science. How would that work?

3:50 p.m.

Della Shea Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

I would like to suggest a few things.

In my comments, I had suggested having a maturity model and actually realizing that you can't do everything all at once, so have patience, in terms of how you are going to achieve a goal of having a digital service, having a digital government and ultimately, a digital society. That is the road ahead of us. It's being patient and having a maturity model to clearly articulate how you're going to accommodate individual citizens from all different walks of life.

Dr. Geist, in one of his earlier comments when he appeared before this committee, talked about the universal access issue. I think that's a very important issue to think about and address, especially when you are considering the geographical limitations and challenges of Canada. Being able to provide universal, affordable access is going to be a major challenge for Canada.

Underpinning this is also understanding that not everybody, even if they had access, would have the capability of being able to partake in government services. There's the educational component and it becomes a very important piece of the puzzle.

I would recommend that the government look at a parallel way of implementing the onboarding of individuals and also to be patient. It is going to be a journey. Not everyone is going to have an equal playing field in getting onto that new ecosystem.

3:50 p.m.

Raj Saini Liberal Kitchener Centre, ON

I have a follow-up question. I'm going to shift tack a little bit. I'm going to ask you this question, specifically because I believe that the organization you represent has a lot of experience with cybercrime and cyber-fraud.

We know that 80% of cybercrime and cyber-fraud is committed by organized criminal activity. We're living in an age now where there are state actors and non-state actors. Although there would be no honeypot, so there would not be one area where all the information resides, we're still going to be prone to that.

One of the things about privacy is that domestically, you have a robust system, but internationally, when we have potential attacks, potential cybercrime and maybe attacks on a certain part of the system which may contain more information than another, how do we protect ourselves from that? The reason I ask this is that you have a lot of non-state actors now that are extremely well resourced and well financed. How do we deal with that?

3:50 p.m.

Della Shea Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

I would like to suggest the importance of shared intelligence. I think that, going into a digital transformation for the government, you will have cyber-attacks. There will be threats. I think that's a given, so it's ensuring that you have designed security into the systems at the very beginning and not looking at it as one type of control, but rather a multi-layered set of controls.

At Symcor, as an example, our strategy is really about having a multi-layered approach to security, so right from the data layer to the application layer and in the infrastructure and network. It's really about having that layered approach.

I think we also have to think about the importance of shared intelligence and having a framework. From a legislative and policy perspective, this is going to require some thought to enable data sharing across entities for the purpose of getting ahead of those potential bad actors that are attacking the system.

3:50 p.m.

Raj Saini Liberal Kitchener Centre, ON

Thank you very much.

3:50 p.m.

The Chair Conservative Bob Zimmer

Thank you, Mr. Saini.

Next up, for seven minutes, we have Mr. Kent.

3:50 p.m.

Peter Kent Conservative Thornhill, ON

Thank you, Mr. Chair.

Thank you, all, for appearing today.

It's been interesting to follow, particularly with regard to the banking association, the interest expressed and the vision tested by your president, Mr. Parmenter, at a speech in January.

In your opening remarks, Ms. Mandal, you mentioned three challenges: the clumsiness, the outdatedness and the drag on economic growth. Which of these did the commercial banks address first or do you believe it is possible for the public service, as opposed to the private sector, to address all of these at the same time?

3:50 p.m.

Marina Mandal Vice-President, Banking Transformation and Strategy, Canadian Bankers Association

I think that fundamentally, it absolutely has to be a public-private partnership in Canada. As I indicated in my earlier response, government owns the foundational documents proving identity, so I don't see stand-alone solutions, at least none that are in flight in the market right now.

One solution that is a private sector solution done in partnership with the banks is SecureKey Concierge. I know that you heard from SecureKey a couple of weeks ago.

In terms of your question, SecureKey's product addresses all three of those things, I would say, but not so much the economic growth one, just because it's a limited use case right now. It allows access to more than 80 government services. It gets rid of the users who may only access the CRA once or twice a year but may access their bank online every week or two. It really takes away from the proliferation of user names and passwords. They only have to remember the one to log in to their account.

Then there's the question of outdatedness. Again, you're getting rid of the physical need to tie in to the CRA and other government services.

As to the economic growth one, digital ID is a pretty nascent market in Canada from both a public sector and a private sector perspective. As we see the market develop at both levels, public and private, I think we'll see more use cases that address the economic growth point.

3:55 p.m.

Peter Kent Conservative Thornhill, ON

In terms of the outdated aspect, we had testimony a couple of months ago that suggested using something like the NEXUS card, the use of biometrics across the board, as it's used for travel security at the moment.

Have the commercial banks looked at implementing biometrics in place of the old standard identification?

3:55 p.m.

Marina Mandal Vice-President, Banking Transformation and Strategy, Canadian Bankers Association

I think that biometrics would be somewhat challenged, from a legislative barrier perspective, on the email front. There are no commercial bank initiatives around digital ID and authentication that rely on biometrics, to my knowledge, not in Canada for sure, but even—I'm trying to think—globally.

The one example of biometrics being used in digital ID that I can think of is the project currently being developed in Ontario in support of the Ontario effort towards digital ID, which I believe is called eID-Me. It was done in partnership with a financial technology company and would have your identifier, for Ontario government purposes only, on your phone. It would be password linked and biometric—either thumbprint or facial recognition. Globally and in Canada, it would be, I'd say, the major one that attempts to go the biometrics route rather than the bank log-in credentials route.

3:55 p.m.

Peter Kent Conservative Thornhill, ON

Ms. Shea, do you have thoughts from the commercial sector on the use of something like the NEXUS card for secure digital ID?

3:55 p.m.

Della Shea Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

Again, the private sector is different because of the legislative requirements. I think the key for considering having a biometric type of device is, similar to the NEXUS model, that it's really a consent-based model. That would be pivotal, because requiring a biometric of all Canadians, I think, would be a very challenging path to go down.

3:55 p.m.

Peter Kent Conservative Thornhill, ON

In terms of travel security, it's not a problem, because the benefit outweighs whatever concerns might exist.

3:55 p.m.

Della Shea Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

Exactly.

3:55 p.m.

Peter Kent Conservative Thornhill, ON

Might there not be the same attraction in other realms?

3:55 p.m.

Della Shea Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

It's a really good point, making sure that you have that risk-benefit paradigm and giving people the option, making it transparent.

Certainly, if it is an option for citizens and they are adopting it as part of making their lives more convenient, I think it would be something worth exploring. Pivotal to it, though, is having really robust security and having governance around the security process—

3:55 p.m.

Peter Kent Conservative Thornhill, ON

—which would require change in the law.

3:55 p.m.

Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.