Evidence of meeting #102 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was pia.
A recording is available from Parliament.
12:25 p.m.
Liberal
Anthony Housefather Liberal Mount Royal, QC
I'm going to ask the Canada Revenue Agency's representatives the same question. How do you ensure compliance with directives?
12:25 p.m.
Acting Director General and Deputy Chief Privacy Officer, Access to Information and Privacy Directorate, Public Affairs Branch, Canada Revenue Agency
We have a privacy management framework in the agency. We have a chief privacy officer as part of that privacy management framework. The pillar is privacy by design.
We monitor the completion of things like privacy assessments. In fact, we have key performance indicators that measure that. Quarterly updates are provided to senior management on the completion of privacy assessments.
12:25 p.m.
Liberal
Anthony Housefather Liberal Mount Royal, QC
Let's say, not only isolated to this issue but on other issues where you deal with the Treasury Board, there's an ongoing dialogue, as I understand it, between Revenue Canada and the Treasury Board. Is that correct?
12:25 p.m.
Acting Director General and Deputy Chief Privacy Officer, Access to Information and Privacy Directorate, Public Affairs Branch, Canada Revenue Agency
Yes, and it's also with the Office of the Privacy Commissioner.
Our privacy management framework takes all dimensions of privacy into account and monitors all portions of that from a policy perspective as well as a practice perspective.
12:25 p.m.
Liberal
Anthony Housefather Liberal Mount Royal, QC
The vast majority of these interactions would occur at the departmental level. Is that right? They wouldn't be with politicians. It wouldn't be Minister Anand entering your premises to start directing you as to how to apply Treasury Board rules. You deal with bureaucrats at the department.
12:25 p.m.
Acting Director General and Deputy Chief Privacy Officer, Access to Information and Privacy Directorate, Public Affairs Branch, Canada Revenue Agency
Yes. Privacy is an obligation of all parts of the agency. Senior management is regularly engaged in those obligations and understands those roles and responsibilities.
12:25 p.m.
Liberal
12:25 p.m.
Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission
It's the same thing. The CRTC is in compliance with all federal government requirements.
Even more to your point about a minister, we are a quasi-judicial independent tribunal. We're even one step further removed.
12:30 p.m.
Liberal
Anthony Housefather Liberal Mount Royal, QC
Thank you so much.
I think my time has probably lapsed.
Thank you, Mr. Chair.
12:30 p.m.
Conservative
The Chair Conservative John Brassard
Yes, it has.
Thank you, Mr. Housefather.
Mr. Villemure, you have the floor for six minutes.
12:30 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Thank you Mr. Chair.
Thanks to everyone for being here.
As you know, this parliamentary committee's work often involves reassuring the population about matters of concern to them, as is the case here.
I'm going to begin with the Canada Revenue Agency's representatives.
People are a bit scared of the Canada Revenue Agency. They don't talk about it much. They prefer to have it behind them rather than in front of them. That's why trust is so important. Trust is how we feel about someone without any need for evidence. It's spontaneous.
The story published by the CBC mentioned that the Canada Revenue Agency had not done a PIA. But your evidence this morning says otherwise. Could you please explain the difference between the two versions.
12:30 p.m.
Director General, Criminal Investigations Directorate, Compliance Programs Branch, Canada Revenue Agency
I can try.
We have indeed had the PIA process in place since 2016. The assessment is for the program as a whole, and not the tools. When we were asked about it, we may not have been as accurate as we might have been with our answer. That may have caused some confusion.
So we have, since 2016, had a PIA in place for the program under which the tools in question are used.
12:30 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Do you believe there should be a PIA for the tool in question?
12:30 p.m.
Director General, Criminal Investigations Directorate, Compliance Programs Branch, Canada Revenue Agency
My understanding is that the PIA is for the program. That's why we did what we did. In our assessment, we say that our experts use some tools when electronic devices are seized in order to extract information.
So there really is a PIA and it's been there since 2016.
12:30 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
It might be useful to tell communications people that they should be very specific. In fact, several witnesses told us that what had been reported did not altogether reflect what they had said, or that they were no longer confident about what they had answered. That's when mistrust begins, when the intent is anything but. And that's not desirable, particularly given that things move quickly when the Canada Revenue Agency is involved.
So my understanding is that the PIA that has been in place since 2016 is for the overall program, not the tool, and that the latter is used under the circumstances that you mentioned.
12:30 p.m.
Director General, Criminal Investigations Directorate, Compliance Programs Branch, Canada Revenue Agency
That's right.
12:30 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Okay. Thank you.
Mr. Harroun, I'll ask you the same question.
People are not knowledgeable about the CRTC. They think that all it does is regulate the airwaves, but it does much more than that.
As it turns out, your organization, in response to a journalist's question, said that it had not done a PIA, and you are now saying that this type of assessment has been in place since 2014.
How can the two versions be reconciled?
12:30 p.m.
Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission
Thank you very much for the question.
I think we're in the same position as our colleagues.
A big question the reporter asked, I believe, was very specific. It was, “Do you have a PIA for this specific tool?” The response was “no.”
As I indicated, we do have a PIA for the program, which is typically how PIAs work. It's for the entire program where those digital forensics tools are identified. It's not by name. For example, if it became a different name, if it became “Cellebrex” or “Cellebrite 2.0”, then that PIA would no longer be valid. It's for the tools overall.
12:30 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Would you say that a PIA should be done for the use of a specific tool, or rather that the program covers everything?
12:30 p.m.
Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission
I would suggest that the program PIA covers it all, because it is very specific about the use of digital forensic tools and evidence gathering, etc.
12:30 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Do you believe there are less invasive ways of obtaining the same results?
12:30 p.m.
Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission
It would be extremely challenging. For example, we use the digital forensic tools to gather information. For example, we all carry computers in our pockets. At the end of the day, these are now minicomputers. It's not like a laptop computer, where you can remove the hard drive, analyze that hard drive and put it back in. The only way into this phone and to know what's in this phone is to, literally, through this port—which is how Cellebrite works—connect to the phone. It makes a digital copy, a forensic evidentiary valid copy of that phone, and then Cellebrite allows us to analyze it and to preserve it for investigation purposes, for Federal Court purposes, etc.
12:30 p.m.
Bloc
René Villemure Bloc Trois-Rivières, QC
Thank you very much for your answer.
We are here to legislate. In that capacity, what might we do to allay people's concerns about the use of these sorts of tools, which will certainly increase given the speed with which technology is developing? Concerns like this don't do anyone any good.
What more can you do to reduce their anxiety?
12:35 p.m.
Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission
As the regulator, we implement any legislation put forth by parliamentarians. If there were suggestions, be it through the Privacy Commissioner or others, that there should be changes to specific aspects, the CRTC would undertake to meet all those obligations.
12:35 p.m.
Bloc