Evidence of meeting #109 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Dominic Rochon  Deputy Minister and Chief Information Officer of Canada, Treasury Board Secretariat
Mario Dion  Former Conflict of Interest and Ethics Commissioner, As an Individual
Konrad von Finckenstein  Commissioner, Office of the Conflict of Interest and Ethics Commissioner
Michael Aquilino  Legal Counsel, Office of the Conflict of Interest and Ethics Commissioner

11:15 a.m.

Liberal

Anita Anand Liberal Oakville, ON

As minister, I must ensure compliance with and the enforcement of the Privacy Act and all other legislation. Of course, when I heard the news, I discussed it with my team. I know that my team will take the necessary steps to contact the departments. At first, we didn't know all the facts. However, we now have a methodology that will help us get on track.

11:20 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Thank you, Minister.

Mr. Rochon, were you surprised?

11:20 a.m.

Deputy Minister and Chief Information Officer of Canada, Treasury Board Secretariat

Dominic Rochon

I wasn't in this position at the time. However, I gather that it came as a surprise that not all the requirements were clear to the departments. Departmental programs and activities had to undergo a privacy impact assessment. The measures were in place for this to happen in most departments. However, the current version of the directive on privacy impact assessment gives departments some leeway in deciding whether to update the assessments if these new technological tools are used. This leaves room for interpretation.

That's why the minister explained that the directive would be updated. We'll be introducing components that specifically explain that the use of new technological tools requires updated assessments.

11:20 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

A department or agency, whose name escapes me, told the committee that its most recent privacy impact assessment dated back to around 2006. That was before the invention of Twitter. This seems negligent to me. We can't turn a blind eye to the fact that a technological revolution—such as the one currently under way—affects privacy.

I agree that there are still some grey areas, which you'll shed light on. In a number of cases, people said that the assessments seemed incidental, so not essential. I know that they aren't mandatory. However, according to Ms. Anand, they're required. If they aren't mandatory, there won't be any compliance.

11:20 a.m.

Deputy Minister and Chief Information Officer of Canada, Treasury Board Secretariat

Dominic Rochon

A privacy impact analysis is mandatory.

11:20 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Yes.

11:20 a.m.

Deputy Minister and Chief Information Officer of Canada, Treasury Board Secretariat

Dominic Rochon

If you already conducted a privacy impact assessment for your program and you already know that someone will be investigated, whether it's under the Canada Border Services Agency Act or in relation to taxation, for example, I think that it goes without saying that a privacy impact assessment should have been carried out to explain the impact on the information.

If you do this through interviews, if you look at a person's belongings, or if you use a slightly more accurate tool to look for specific information, it doesn't necessarily mean that there will be any additional impact on the...

11:20 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Let me give you an example that doesn't come from this period of committee business. Last year, an RCMP official spoke to us about the use of investigative tools. In the past, microphones were placed in lamps. However, a microphone in a lamp and an iPhone in our bed aren't the same thing. The information is more specific, but the potential violation is much more extensive.

11:20 a.m.

Deputy Minister and Chief Information Officer of Canada, Treasury Board Secretariat

Dominic Rochon

Absolutely. I completely agree with you. That's exactly why I'm saying that an assessment is needed.

11:20 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Yes.

11:20 a.m.

Deputy Minister and Chief Information Officer of Canada, Treasury Board Secretariat

Dominic Rochon

In your example, I would say that the assessment should conclude that an updated privacy impact assessment is needed.

11:20 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Ms. Anand, it's required, but not legally required. For the 13 organizations in question, there weren't any consequences. They were updated and informed. However, there weren't any consequences in line with the offence or violation committed.

11:20 a.m.

Liberal

Anita Anand Liberal Oakville, ON

There weren't any, because the Privacy Commissioner didn't find any violation of the act. We'll clarify...

11:20 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

I just want to get back to my 30 seconds, because it isn't much time.

If the commissioner didn't receive a complaint, he obviously didn't find a violation. You said many times that the commissioner didn't receive any complaints. However, the lack of a complaint is no guarantee of compliance.

11:25 a.m.

Deputy Minister and Chief Information Officer of Canada, Treasury Board Secretariat

Dominic Rochon

I can try to answer the question.

The Canada Revenue Agency officials said that a privacy impact assessment was carried out. They said that the agency used these tools.

I don't think that the use of these tools will come as a surprise. We aren't surprised. We want to make sure that, when people start using these types of tools, they update their privacy impact assessments. In this case, we followed up. Within a week, we followed up with our questions to find out whether a privacy impact assessment was carried out and whether it was asked...

11:25 a.m.

Conservative

The Chair Conservative John Brassard

Please wrap up quickly.

11:25 a.m.

Deputy Minister and Chief Information Officer of Canada, Treasury Board Secretariat

Dominic Rochon

I could provide a bit more information in writing, if you want.

11:25 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Thank you, Mr. Rochon.

11:25 a.m.

Conservative

The Chair Conservative John Brassard

Thank you, Mr. Villemure.

We'll go to Mr. Green for six minutes. Go ahead, please.

11:25 a.m.

NDP

Matthew Green NDP Hamilton Centre, ON

Thank you very much, Mr. Chair.

Welcome to the committee, Ms. Anand. I've certainly had the pleasure of working with you in other committees.

I want to give you the opportunity to summarize, at least for my understanding, a couple of key questions related to the testimony of previous witnesses before the committee. It seems that there are some significant gaps between what the directives are and the mandate coming from the Treasury Board, and how this is actually being implemented across the various departments and agencies.

I believe you mentioned in your remarks some upcoming changes related to the Treasury Board. As I understand it, you're embarking on modernizing your own department's adherence to PIAs. Is that correct?

11:25 a.m.

Liberal

Anita Anand Liberal Oakville, ON

We are offering, and are continuing to work on, this revised directive on PIAs. We're going to update it. I will be publishing it in the summer.

What we need to clarify is maybe at the heart of your question. We want to specify that if you change your software, for example, you're going to need a PIA going forward. You can't rely on previous PIAs once new software or new tools are being used. Those are the types of clarifications we want to make.

Again, in response to the previous question and this one, it is within the purview of deputy heads to make sure they are enforcing every Treasury Board directive, policy and guideline, not only this one. Deputy heads actually have the ability to suspend, demote and terminate if they find a violation of the law and Treasury Board policy. This will continue to be the case, including with the updated PIA directive.

11:25 a.m.

NDP

Matthew Green NDP Hamilton Centre, ON

I want to note that this is a directive from the Treasury Board to ministries. Am I correct?

11:25 a.m.

Liberal

Anita Anand Liberal Oakville, ON

That's right.

11:25 a.m.

NDP

Matthew Green NDP Hamilton Centre, ON

Yet the general culture was that....

I'm going to say that the way I viewed the testimony of many who came before us earlier was that they treated it as almost being optional.

Suffice it to say that you've already delegated the authority to the ministries, but how do you, as the President of the Treasury Board, intend on ensuring that your directives are adhered to across the whole range of departments and agencies?

11:25 a.m.

Liberal

Anita Anand Liberal Oakville, ON

I want to specify that PIAs are not mandatory. They are basically a checklist that deputy heads can go through to make sure that personal information is being protected.

My role relates to the Privacy Act as a whole and being the person responsible for the administration of the Privacy Act. That's going to include issuing policy requirements to which departments must adhere and, as I said—