Evidence of meeting #67 for Human Resources, Skills and Social Development and the Status of Persons with Disabilities in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Ian Shugart  Deputy Minister, Department of Human Resources and Skills Development
Ron Parker  Associate Deputy Minister, Department of Human Resources and Skills Development
Allen Sutherland  Assistant Deputy Minister, Learning Branch, Department of Human Resources and Skills Development

12:40 p.m.

NDP

Ryan Cleary NDP St. John's South—Mount Pearl, NL

I have one quick question.

12:40 p.m.

Conservative

The Chair Conservative Ed Komarnicki

Okay, but before we get to that question, we should probably resolve what you're asking for.

With respect to the first of the two requests, you're saying it's up to the committee to decide if that's provided. On the second request, you will provide the information. Did I get that right?

12:40 p.m.

Deputy Minister, Department of Human Resources and Skills Development

Ian Shugart

I'm sorry, Chair; I'm having a little trouble understanding the back and forth here.

12:40 p.m.

Conservative

The Chair Conservative Ed Komarnicki

Okay. Mr. Cleary, you requested two things....

12:40 p.m.

NDP

Ryan Cleary NDP St. John's South—Mount Pearl, NL

Yes, I requested two things: a copy of the new policies and procedures on the handling of personal data be presented to the committee—

12:40 p.m.

Conservative

The Chair Conservative Ed Komarnicki

Mr. Shugart, your response was....?

12:40 p.m.

Deputy Minister, Department of Human Resources and Skills Development

Ian Shugart

I will provide the committee with anything the committee asks for.

On the second request, which specifically was the investigation report, I'm anticipating that there may be some elements of that report dealing with individuals that I may not be able to share with the committee because of legal limits, but I will be as forthcoming as I can.

12:40 p.m.

Conservative

The Chair Conservative Ed Komarnicki

Here's what we'll do. If you want to put forward those two specific items for production in terms of a motion, we will deal with that as a committee after you've left and make a decision on that, but we won't interrupt the flow of evidence.

Did you wish to put that in the form of a motion?

12:40 p.m.

NDP

Ryan Cleary NDP St. John's South—Mount Pearl, NL

Sure.

12:40 p.m.

Conservative

The Chair Conservative Ed Komarnicki

Okay. Then we'll deal with that after you have left, but we'll continue with your questions.

We did stop your clock, so go ahead.

12:40 p.m.

NDP

Ryan Cleary NDP St. John's South—Mount Pearl, NL

Thank you, Mr. Chair.

Just so I understand this correctly, in terms of the missing hard drive and in terms of the missing USB port, did they both go missing from the same building in Gatineau?

12:40 p.m.

Deputy Minister, Department of Human Resources and Skills Development

12:40 p.m.

NDP

Ryan Cleary NDP St. John's South—Mount Pearl, NL

It was different buildings.

12:40 p.m.

Deputy Minister, Department of Human Resources and Skills Development

12:40 p.m.

NDP

Ryan Cleary NDP St. John's South—Mount Pearl, NL

At what point was the RCMP called in to investigate?

12:40 p.m.

Associate Deputy Minister, Department of Human Resources and Skills Development

Ron Parker

Do you have the date?

12:40 p.m.

NDP

Ryan Cleary NDP St. John's South—Mount Pearl, NL

I am going to move to another question and you can answer that in a minute.

One thing that was pointed out, Mr. Shugart, in your opening remarks was how there's protection here for a potential privacy breach for six years. Then in another question, I think Mr. Daniel asked you about whether there could ever be guarantees that personal information won't be used nefariously, and the answer was that there can never be guarantees. My question is this: what happens after this six-year timeframe that you've outlined? What happens after that?

The way I understand it, these 583,000 Canadians in the first case and the 5,000 in the second case are potentially going to be looking over their shoulders for the rest of their lives, so what happens after six years?

12:40 p.m.

Deputy Minister, Department of Human Resources and Skills Development

Ian Shugart

We do not preclude, Chair, that the period could be extended. We will be monitoring and evaluating at that time what has occurred over this period. On the basis of a risk assessment, we do not preclude that it would not be extended.

12:40 p.m.

Conservative

The Chair Conservative Ed Komarnicki

Your time is up, Mr. Cleary. Thank you very much. We didn't interrupt for a discussion on the motions in respect to your time.

We will now move to Mr. Butt, but before we do that, if you have an answer to his previous question, go ahead.

12:45 p.m.

Associate Deputy Minister, Department of Human Resources and Skills Development

Ron Parker

The minister's office notified the RCMP on January 7.

12:45 p.m.

An hon. member

Was that in both cases?

12:45 p.m.

Associate Deputy Minister, Department of Human Resources and Skills Development

Ron Parker

No, it was only in the one case.

12:45 p.m.

Conservative

The Chair Conservative Ed Komarnicki

All right. Is that clarified?

We will then move to Mr. Butt.

Go ahead.

12:45 p.m.

Conservative

Brad Butt Conservative Mississauga—Streetsville, ON

Thank you very much, Mr. Chair.

Gentlemen, thank you all for being here today. I have very much appreciated your straightforwardness in this matter, your candour in responding to the questions, and the wholesome way that you've approached this issue, which we all agree is completely unacceptable. There's not a single person in this room who doesn't believe that these two incidents were completely unacceptable.

I appreciate the approach the department has been taking in dealing with this situation. I'm one of those who believe that you also have to look beyond an incident or incidents like this to ask what we are going to do to make sure it doesn't happen again.

What are we going to do to improve our safeguards and our processes and procedures? That is the line of questioning that I'm going to go with: where do we go from here—how to get to zero, as we say it is our goal to do?

I want to get you to comment quickly, to reiterate the direction that the minister has given to you, which as I understand it is to review the ways that employees handle Canadians' data, fix any gaps that allowed this to happen, update network security practices to prohibit external hard drives, and provide more mandatory training for all employees in the proper handling of sensitive and personal information and on the new security policies.

Is that the direction, Mr. Shugart, that you are taking from the minister in what you are doing on a go-forward basis now?

12:45 p.m.

Deputy Minister, Department of Human Resources and Skills Development

Ian Shugart

Yes, it is indeed.

I would also indicate that we are open to the advice of the Office of the Privacy Commissioner for any additional advice that may be forthcoming or actions that we should take. Similarly, we have consulted with third party experts in the industry. We are open to advice and best practices from any quarter that can help us achieve the standard we are after, but yes, that is the direction.

Let me indicate two particular areas. The data loss protection software that will be put in place, as I understand it—and my colleague the chief information officer can correct me if I wander into the swamp—will be deployed throughout our system, allowing us to monitor when there has been any inappropriate transfer of data. That's built right into the software. The system can be designed such that the folks who monitor such things will know when, in effect, a flashing light goes on and says that data has been transferred in an inappropriate way, against the protocol or the standard. We would then be in a position to go in and ask, in a very precise area, why that data was transferred in a way that's not appropriate.

That's a technological response, but what we're after is avoiding any inappropriate handling or transfer of data in the first place. The very merit of our institution is founded on human dignity—that's why we protect individuals' information—and concern for human beings, and that's why we have the programs we do.

The other side of that coin is that human beings run the system, and there can never be any absolutely fail-safe system. However, in terms of that human culture, we want to be an organization that is excellent in everything we do, one in which individuals know their part in the larger scheme of things and will handle Canadians' information carefully and sensitively and according to the rules.

That's what we're after, and that's the direction in which we're going.