Human Resources Committee on Feb. 14th, 2013

Thank you, Chair.

Members of the committee, I'm Ian Shugart, the deputy minister of HRSDC. With me are the associate deputy minister, Ron Parker, the ADM of the learning branch; Al Sutherland, the head of our legal services, here to discuss issues of the statutes that govern our work; and the chief information officer of the department, Charles Nixon.

I just want to say that given the seriousness of these events and the issue before the committee this morning and before the department over the last several weeks, I had asked Mr. Parker, as the associate deputy minister, to take personal charge of the response, the follow-up, and the oversight of all of these matters. For many days over the last couple of months this has been virtually a full-time preoccupation for our associate deputy minister.

Chair and members of the committee, as the chair has said, we're here before you in regard to two security incidents in the department involving missing electronic storage devices containing personal information.

As my minister has said, and I repeat for the management of the department, the incidents are unacceptable. Sensitive personal information was stored on unencrypted portable storage devices and not properly secured. This should not have occurred.

The minister has also announced the measures we are taking to prevent these types of incidents from reoccurring.

On behalf of Human Resources and Skills Development Canada, I say to the committee that I apologize for the incidents.

I wish today to take this opportunity to offer to the committee a detailed account of what happened in the two cases, describe the actions we took in reaction to them, and the measures we have since put in place to mitigate impacts and prevent such incidents from happening again.

Let me begin with a chronology regarding each event. In both cases the activities were related to confirming the incidents, investigating the incidents, strengthening practices, and informing Canadians.

First, let me address the missing hard drive. On November 5, 2012, an HRSDC employee at national headquarters in Gatineau discovered that an external hard drive was missing and reported it to their manager, who was the only other person who knew the exact location of the device. The manager confirmed that they had not removed the hard drive. Other employees on the floor were then asked if they had seen or borrowed a hard drive. They had not.

The external hard drive was in a secure-access building, in a secure-access area, and was stored in a cabinet with a lock.

The team undertook multiple efforts over many days to search for the missing hard drive, including speaking to all members of the team and a number of searches of the employee's office, the employee's floor, and other floors in the building.

The missing hard drive was brought to the attention of the director on November 22, who then asked all managers and employees within the division to undertake additional searches for the hard drive. Again, efforts were focused on the recovery of this missing asset.

Former employees, and one former manager, from the same group as the employees were also questioned. Commissionaires and the local area network technician were also contacted and asked if a hard drive had been turned in, or picked up by someone. No device had turned up.

On November 26, the Director General was advised that the missing hard drive was the one used to create a backup of files from a network drive as part of a process to migrate files from one area of the server to another. Some personal information on clients and employees was stored on the network drive, and as a result, senior program management was advised immediately of the missing drive.

Search efforts by branch employees continued, and the departmental security officer was advised of the missing drive on November 28. As well, corporate security then began a number of activities to locate the missing drive, including detailed sweeps of the physical premises and interviews with current and former employees in the area from which the hard drive had gone missing. There was no evidence of malfeasance, and it was considered most likely that the hard drive was somewhere on the premises of the building.

At this time senior management requested that an analysis be undertaken of all the files located on the hard drive in order to determine what information had been lost. As a result of the analysis, completed on December 6, it was discovered that the external hard drive contained personal information on approximately 583,000 Canada student loans borrowers, including student names, dates of birth, social insurance numbers, telephone numbers, addresses, and Canada Student Loans balances. It also contained the personal contact information of 250 departmental employees. It was not password-protected or encrypted.

Extensive search efforts at the building where the hard drive was stored continued from December 8 to December 14, including additional comprehensive sweeps of the building's ground floor by the regional security office and the analysis of all of the Learning Branch's existing hard drives' contents. These efforts failed to recover the hard drive, and the department first informed the Office of the Privacy Commissioner on December 14 that an external hard drive containing personal information was missing.

From mid-December to the end of December there were further management interviews with employees and building management, and other similar hard drives were collected for analysis.

In the first week of January, a formal internal investigation was launched. Simultaneously, corrective measures were developed and Canadians were informed of the loss of the hard drive on January 11.

At this time, there is still no evidence of malfeasance or an indication that the personal information has been accessed or used for any fraudulent purpose.

In a separate and unrelated incident, a USB key with personal information also went missing.

On November 14, 2012, personal information was put on the USB key and given to an employee working on a secure floor in HRSDC.

The USB key was used on November 15, but on November 16 the employee could not locate the USB key and informed management. The same day departmental security officials were notified that the USB key could not be located. Extensive searches of the employee's office and the affected floor were undertaken by departmental security officers and by commissionaires from November 16 . The employee searched their home, and the taxi driver with whom the employee travelled home on November 15 was contacted and the taxi was checked. A team of employees also searched all files, filing cabinets, washrooms, furniture, and offices on the affected floor. Cleaners working on the floor were interviewed.

The USB key contained information on 5,045 individuals and was not password-protected or encrypted. The device contained the following type of information for each individual: social insurance number; surname; generic medical conditions by way of codes from the International Classification of Diseases; birth date; other payers, such as Workers Compensation; level of education; occupation; and Service Canada processing centre.

The department first informed the Office of the Privacy Commissioner on November 22 that a USB key containing personal information could not be located and that search efforts were under way.

Searches have continued since the incident, and another major effort was made on December 7 when an official, along with a team of employees, conducted yet another extensive search of the employee's office.

Notification letters were mailed to 5,000 affected individuals or their guardians on December 19.

I now want to highlight all of the actions we are taking as a result of these two incidents, and the measures we put in place to prevent similar incidents from happening again.

The department has strengthened its policies for the security and storage of personal information. Our actions focus in the areas of information hardware, information software, and our culture regarding the handling of personal information.

In regard to hardware, we have newer, stricter protocols. Portable hard drives are no longer permitted. Unapproved USB keys are not to be connected to the network.

In addition, there have been risk assessments of all portable security devices used in the department's work environment to ensure that appropriate safeguards are in place. These assessments will continue on a regular, ongoing basis.

With respect to software, we will be implementing new data loss prevention technology, which can be configured to control or prevent the transfer of sensitive information, and in regard to our culture of handling information, we are reinforcing the critical importance of the proper handling of sensitive personal information through annual mandatory training to be provided to all employees.

We are increasing awareness, and communication events and disciplinary measures will be implemented for staff, up to and including termination, should the strict codes of privacy and security not be followed. We have also taken actions to mitigate the impact on the Canadians affected.

We have alerted affected clients so that they can take the necessary steps to protect their personal information. This has been done through public announcements, by providing special information on dedicated web pages, by sending out letters to affected individuals and by the establishment of dedicated 1-800 toll-free information lines to respond to questions regarding both the missing USB key incident and the missing hard drive incident.

The affected social insurance number records have been annotated in the social insurance register to indicate that the social insurance number was involved in an incident and to ensure that any requests for changes or modifications undergo an enhanced authentication process. The department will also notify individuals for whom we have current contact information if the department notes any suspicious activity with respect to the client's social insurance number record. As a further caution, the department has purchased a customized package from Equifax Canada, which is a unique solution tailored specifically to this incident and is available to anyone who may have been affected. This credit protection is a reliable and appropriate strategy that will assist in preventing misuse of personal and credit information.

Through its agreement with Equifax, the department is able to offer, free of charge, its customized package to affected individuals who provide their consent to receive this service.

The notation will stay on credit files for a period of six years unless affected individuals choose to have it removed. The notation will alert credit grantors that data may have been compromised, and lenders will then take additional steps to verify the person's identity before granting credit or opening or using accounts.

Mr. Chair, the protection and security of personal information is a cornerstone of the department's mission. We are confident that we have taken the right steps in this situation, and we are making sure that they are followed to safeguard the personal information entrusted to us.

Thank you.

Yes, we confirm that.

I believe—subject to your confirmation, Ron—it's 19, which is down a small, but to us important, two from the previous year.

We regard that as something to be brought to zero and maintained at zero if at all possible.

We do have effectively a threshold that takes into account the nature and the seriousness of a breach, as well as the ability to contain a breach of any kind very quickly. There are, from time to time, incidents of that nature, and if we become aware of an incident, we move very quickly to contain it, but the threshold for informing the Privacy Commissioner is not a high threshold. We are frequently in touch with the Privacy Commissioner.

With respect to our practices, we take advice from the Privacy Commissioner. In this situation, we have, throughout the circumstance, been in touch with the Office of the Privacy Commissioner and taking advice, whether formally given under their terms of reference or counsel or practical direction. If an incident occurs and it is of a small scale and readily containable, we may not in that case inform the Privacy Commissioner.

Thank you, Chair. I'll go as far as I can, given that the advice I give the government is necessarily between my minister and me.

I can't speak for other departments, but I can point to the fact that the Treasury Board itself has directives and policies in place that do apply to all departments, including HRSDC. It is the responsibility of departments to apply those in a manner that is relevant to their mission. For our part, we seek to do that.

I can tell you that there are mechanisms at the officials' level within the bureaucracy to review and stay on top of these issues, and to learn from any incidents that occur in order to adopt best practices and to continue to make the business culture of all departments as sensitive as possible to privacy and IT security. The Treasury Board does have a responsibility to update their policies and directives from time to time. That's, generally speaking, the regime that we live under.

Maybe I could start by asserting, as we may a number of times during this hearing, that culture is at the very individual level, so for all of this to work in a very large organization, all managers, all employees, have to be aware of the policies and directives, and they have to live it.

We do that through training, and we have, as I mentioned, committed to upgrade our focus on training in this particular area. However, between training events the employees have to build it into their DNA.

In these cases, it clearly was not sufficiently in the DNA of the employees. That is what a business culture is, and our obligation is to facilitate the protection of information through the software and the hardware and the policies and to put in place the training.

I'm going to invite Mr. Parker to add to that.

In response to your question, there were two particular policies that are relevant here: first, employees have a responsibility to report incidents; second, data that's sensitive should be encrypted before it's put on any particular portable storage device.

As the deputy said, it seems the employees did not encrypt the data as would have been required.

Perhaps, Chair, I could respond to the honourable member's third question, and then Ron and Al can give the details on the other two.

I believe that staff are now very well aware. I think in an organization as large as ours one could expect—and I think it's the reality—that some staff are more aware throughout, and others are less aware or seized of the importance. Part of the focus on training being mandatory and being for all employees is to try to do our best to make sure there are no gaps, so that there is no employee in the department who can say he or she didn't realize that was the standard. If there have been such gaps in employee awareness, we want to close those gaps.

Generally speaking, I can tell you that in the organization we have taken some encouragement from the fact that employees have cooperated fully, including in the assessment of devices in the organization. We wanted our staff to be so concerned about this that they would drop whatever was necessary to drop in order to comply with the direction that we were going, but not so terrified that they would go underground. We believe that given the response of employees—their response in meetings and information sessions and so on—they have responded in that fashion.

I'll stop there and turn to my colleagues for the details.

In terms of the immediate actions, initially the incident, as the deputy explained, was treated as a case of a missing asset—something to be found—with the belief that it was on the premises, still in the building.

As that set of searches became less likely, it pointed to a lower likelihood of the drive being found. Corporate security and the regional security officers were advised, which is the standard protocol. They began, then, a series of professional searches for the drive, and interviews were continued through the month of December into early January, when the likelihood of recovery of the asset seemed to be very low. At that point we launched a formal investigation that entailed professional investigators and we took the steps to begin to inform Canadians in early January.

Mr. Parker referred to the protocols that we have, and I referred earlier to our standard, our approach, to the Privacy Commissioner's office.

As soon as we were aware of the likelihood of this information having gone and being not likely to be recovered, we knew, without any question, that the Office of the Privacy Commissioner needed to be engaged, and that's when we took that action.

It was in the minister's office that involving the RCMP and referring the matter to the RCMP was taken.

In the department, I might just say that we have absolutely no issue with that. That decision was taken on the basis of the seriousness of the situation we are in. It will be, of course, up to the RCMP to determine how they wish to deal with that request.

We will work in the appropriate fashion with the Privacy Commissioner's office for the investigation that they are undertaking and on anything that the RCMP decides to undertake, and on our own internal investigations to ensure transparency and openness and compliance with those investigations, and also to ensure appropriateness of information so that the integrity of any investigations that occur is not compromised.

Ministers are responsible to Parliament, Chair, for ultimately all matters within their jurisdiction, including the policies of the government and the appropriate conduct of officials in their departments. By convention and in many cases by formal instrument of delegation, those authorities are delegated to departmental officials. That is often spelled out in the regulations to statutes and sometimes in the statutes themselves.

By convention, ministers are responsible for policy and officials advise ministers on policy. Officials are responsible for the administration of their departments.

I would say, Chair, that any incident involving the compromise of personal information is not acceptable. I cannot imagine, being informed of the situation of even one Canadian's personal information having not been properly handled or having been compromised, that I would say it is acceptable.

I don't believe, Chair, that I used the words "only now". I explained what we have done in response to this incident. Based on what we have learned from this incident, we have strengthened those policies, procedures, and practices.

I would not agree, respectfully, with any characterization that there were not policies in place in advance. Clearly there were; there are directives and were directives in place before. What we have done is to strengthen the protocols and strengthen the hardware and software rules and provisions in the system to further protect Canadians' personal information.

The questions, Chair, that we put to employees were intended to canvass all possibilities about what may have happened. We included among those possibilities inappropriate handling of the hard drive.

That was in no way intended to suggest that we would find that behaviour acceptable. Indeed, the questions were not intended to assume anything about what had happened. We were simply being exhaustive in our questioning of employees to elicit any information we could about what had happened.

Our priority in that situation was to recover the asset and the information that it contained. That was the purpose of questioning. In no way does it imply that we would regard any such behaviour as acceptable.

We certainly don't depend on miracles. We were being diligent about the search, and when we came to the conclusion or the strong supposition that the material was not likely to be found, you'll recall that I said we continued even after that to search exhaustively. We informed the Privacy Commissioner at that point.

I informed the minister quite early on that we were engaged in this search, and we kept the minister informed about the involvement of the Privacy Commissioner and about every critical step of our investigation and about what we were learning as we went.

Could I ask my colleague whether there's anything that he would want to add to those facts?

On the Privacy Commissioner side, we informed the Privacy Commissioner's office on December 14, followed up with a written contact on the next Monday, and have consulted the Office of the Privacy Commissioner throughout the piece to work to find the appropriate ways to manage the incident and to inform Canadians.

We did not make any assumptions, and even now we have not made assumptions, about precisely what happened. That is why investigations have been undertaken, including our own internal investigation.

We can say—and the committee will appreciate that it's not possible to prove a negative—that we encountered no evidence of malfeasance, and none of the monitoring that has been done since has given us any reason to believe that malicious activity has been undertaken, but that in itself does not deal with the seriousness of the incident. Given the numbers involved, the decision was made—I think not unreasonably—that the RCMP should have that information and be asked to consider their response.

Indeed there is. The obligations of employees, Chair, in regard to the handling of personal information are set out in the code of ethics. There's a standard code of ethics for the public service overall, which is in the domain of the Treasury Board, and then each department takes that foundational code and applies it to its own mission, its own circumstances, and makes it precise.

In our case, as I've indicated, protection of personal information is so critical to our mission that it is in our code. Employees are required to abide by the code in all aspects of information and so on. Breaches of the code of ethics are considered on a case-by-case basis, and disciplinary action for breaches can include termination. Should there ever be an incident that involves criminal elements, then obviously penalties outside the department's responsibility for public service discipline would come into play through due process of law, etc.

The principal way of dealing with this is through the contract that we have established with Equifax.

About 50,000 affected former students have enrolled in that service. We have no evidence thus far that there has been any fraud or other inappropriate activity. There is a special 1-800 number that is set up for affected clients to phone. We have not had any calls indicating fraud has been observed.

In addition, we have established notations in the social insurance registry so that each social insurance number has a special notation that the client was potentially affected by the incident. In the event that the national identity service's centre receives a request to change the social insurance information or request a card, a special flag will come up and the client will be requested to provide the appropriate identity documents and photo identification.

We have looked back to what has been happening with the social insurance registry prior to and after the loss of the information and there has been no change in the pattern of requests or the nature of requests that have come in.

Thank you, Mr. Chair.

Overall in the major programs that HRSDC administers, there are about 28 million clients per year who are in our databases. We deal with roughly 84 million transactions per year across those major groupings, including Canada Student Loans, the Canada education savings program, the Canada Pension Plan, old age security, and employment insurance. We have a lot of transactions and we have a lot of Canadians as clients. In terms of their—

We'll skip that.

Okay. We'll come back to it.

We've examined the data carefully. There are some former students outside of the 2000-2006 period, about 2,800 students overall. They fall mainly in 2007. There are about 2,600 students in 2007, and after—

No, there is no information on the parental side.

We have answered 200,000 calls overall, and of that amount in total, about 65% are affected clients. Prior to the notification letters going out, it was running about 50-50 in terms of affected students versus non-affected students, and since that time, since the letters were received, the contacts have been—

We feel that the response is appropriate and that it is a strong response. It's a two-fold response through the contract with Equifax. The specialized, customized contract that we have will flag any attempt to increase credit or change credit information, and coupled with the monitoring of the social insurance registry—

Mr. Chair, we are exploring the possibility of arrangements with other credit bureaus and financial institutions.

I'd be happy to, because there has been a lot of confusion on this issue.

Some people have been confusing the lost wallet service with the customized credit alert package that has been prepared by Equifax for the department. There are some important differences. For one thing, the lost wallet service is not available across the country, but more importantly, it provides a lesser standard of service. For instance, the lost wallet service is only available for three months. The service we've purchased from Equifax is the industry standard of six years.

The second thing is that the lost wallet service doesn't provide prevention or fraud mitigation for clients the way the credit alert system does. What the credit alert service does is notify the credit grantor that the person's ID has potentially been involved—

The contract with Equifax and its value are commercially confidential. The reason the cost is commercially confidential is that the competition would be able to break it down to a per-unit cost. Thus, we've agreed to keep it commercially confidential.

According to policy, the data should have been encrypted before it was copied to any portable device, and clearly it was not. The policy is there. The investigation will look at why it was not encrypted and the steps to look further into what the issues were.

The changes we've embarked upon are critical and key. It will be night and day in terms of the level of protection.

First, with respect to the information hardware, all of the USB keys that we—

I think, Mr. Chair, we understood the question to be an elaboration of the measures that we have taken in response to these incidents which, as I understood it, was included in the order.

Only approved USB keys will be allowed, and the department is acquiring a large number of encrypted USB keys. As a result, portable hard drives are no longer allowed to be plugged into the network, nor are personal devices that use a USB connection. We are monitoring the network and accessing the network on a regular basis and moving to ensure that none of these devices are connected, which is a big step in preventing the movement of data off of the network, which is encrypted.

The other significant measure is the implementation of the data loss protection software. This will tell us exactly what sensitive information is on the network, where it is, and how it's stored, and it will allow us to take appropriate measures to make sure it's secure.

I repeat, the network is encrypted. It will also allow us to deal with the movement of the data. We can control or prevent the movement of data once this software is in place. These are very important measures that we're taking in response to the incident.

We have not looked at that particular issue at this time.

Mr. Chair, I don't think we can ever offer guarantees. What we can offer is the assurance that, as Mr. Parker has said, we are monitoring things extremely closely, both through the Equifax arrangement and through the annotations in the social insurance register, to spot any suspicious activity that could give rise to suspicion. That suspicion alone would be the basis for the individual and for HRSDC to take appropriate action.

Again, quite obviously we are very pleased that we have absolutely no indication at this point of malfeasance or of misuse by any third party of any of this information.

I'm afraid the answer will be very similar. We're exploring the possibility of engaging with other credit bureaus and financial institutions to gain incremental services. At this moment, that's all that we can say about where we are.

At the moment, yes, the contract is with Equifax.

We contacted approximately 320,000 people.

That is why we put out announcements, posted documents on our website and made efforts to have this out in the media in order to be able to contact the students whose current information we didn't have.

There have been 200,000 calls so far. As Al said, we sent 326,000 letters. Some of those people may still contact us.

The students have to call the call centre to have access to the program. They have to opt in for the protection of their private information. That is the only way to do so safely.

In terms of services, we have a customized package for our clients. There is a notation on the Equifax file that tells financial institutions that people's privacy may have been compromised. In those cases, the financial institution will ask clients to provide additional proof of identity if they want to increase their credit limit, to get a new credit card, or for any other transactions like that.

In addition, as mentioned, there is a call centre specifically for our Equifax clients. Those services will be provided for six years. After six years, we will have to review the situation closely.

Also, we have added notations to the social insurance numbers that might have been affected. For any changes to social insurance numbers, additional proof of identity will be requested.

Not exactly. The two are actually independent from each other.

The people in question are clients of financial institutions. When they make a request to obtain additional credit or a mortgage, or to increase their credit limit, the institution will see the notation on their Equifax file indicating that they might have been involved in an incident. According to their protocol, financial institutions will then be able to ask for additional proof of identity.

My colleagues can elaborate, but subject to anything we may learn in the investigation, it seems to us that given the requirement for encryption and the fact that the information transferred was not encrypted, it's pretty clear that the policy was not followed.

The policy was in place and the requirement was in place, but the indications we have are that the policy was not followed.

The devices are to be stored in a secure locked cabinet. The investigation will look at what the circumstances were when that the device, the hard drive in particular, was not in that locked cabinet.

At one point we knew that it was, right? The evidence points to it being in the cabinet. What we know is that it's unaccounted for at this time, and we are looking to understand how that came to pass.

Chair, first I need to say that we don't have the results of the investigation with respect either to certainty about the individuals involved or the circumstances. Therefore, to go further than that would be conjecture. Mr. McColeman will understand that I won't do that.

I can say, however, that a number of things would be taken into account in such situations with respect to what discipline is appropriate, including the genuine awareness of the individual employee. Responsibility by a manager, for example, would be expected to be greater than that of an employee, and an employee who deals constantly with this kind of information would have a greater expectation of compliance than one who was unaccustomed to it. These are all illustrations of that factor, that criterion of awareness.

Motivation—the intent of the individual—is clearly a factor in any decision about discipline. Again, I won't theorize in this situation, but intent is clearly a factor. The gravity of the situation is a factor, as is the degree of remorse of an individual and the willingness to comply. We would take all of that into account in deciding each individual case, based on what we know.

Of course, one has to have clear knowledge before acting on the basis of discipline. We would take all of that into account in deciding where on that continuum an appropriate action would be taken.

Again, I don't want to stray too far, Chair, into the realm of conjecture, but I think I can say that as a consequence of deepening our culture and our training and our awareness of these issues, one ought to be able to expect a higher standard in the future.

As I indicated before, the code of ethics includes both the range of disciplinary action that can be taken and the obligation for personal information protection. To the extent that we deepen the cultural awareness and the rigour and the extent of the training and so forth, in this issue particularly we will be able to raise the awareness and commitment of employees. I have to say that of course we have many areas where public servants have mandatory obligatory training, and that is appropriate. As our CIO knows only too well, and we all do as managers, the area of information technology security and information management is itself becoming more and more complex and broad and intertwined, and in order to achieve that desirable state of culture that I've referred to here, we do need to raise our game in terms of awareness and commitment of employees.

Against that backdrop, I think that employees should expect that we will be going about this in a strict fashion.

I think the reason is that from the early days—from the November 5 period to the end of November, roughly—we were looking for an asset. What was on that asset was not well understood. The extent of the information that was on it became clear on December 6. At that time we began to react swiftly, in terms of the actions taken. The searches intensified, and, as I mentioned, the privacy commissioner was notified as of December 14.

The search for the hard drive and the security incident protocols call for corporate security to become involved. That took place on November 28, once the management of the department was notified. At that time the protocols kick in and the notification up the line takes place and we became aware of the incident.

Until that time the employees were looking for a hard drive. As of December 6, in terms of moving quickly, once it became clear that we were dealing with 583,000 lost records of students and the information for 250 employees, we had a short time between that and the notification of the Privacy Commissioner. We intensified the search, and once that was done and we came to the view that the likelihood of finding it was low, we notified the Privacy Commissioner.

No, I wouldn't, and I don't want to be misunderstood as in any way saying that what occurred was acceptable. It wasn't, but with the information we had at the time that we had it, we believe we acted appropriately with respect to our protocols for the Privacy Commissioner.

We were continuously searching for the assets. At the same time that we became aware of the content, we immediately began the process of informing people and putting in place throughout that period the additional measures—hardware, software, and so on—for prevention of such things in the future. On all three of those paths we were proceeding, we believe, appropriately, given the gravity of the situation, which we do not in any way question.

Chair, as to the first, I will undertake to provide the committee with whatever information the committee asks for.

With respect to the second, I will provide any information that we can that is not precluded by the statutes of Canada.

I'm sorry, Chair; I'm having a little trouble understanding the back and forth here.

I will provide the committee with anything the committee asks for.

On the second request, which specifically was the investigation report, I'm anticipating that there may be some elements of that report dealing with individuals that I may not be able to share with the committee because of legal limits, but I will be as forthcoming as I can.

No.

Yes.

Do you have the date?

We do not preclude, Chair, that the period could be extended. We will be monitoring and evaluating at that time what has occurred over this period. On the basis of a risk assessment, we do not preclude that it would not be extended.

The minister's office notified the RCMP on January 7.

Was that in both cases?

No, it was only in the one case.

Yes, it is indeed.

I would also indicate that we are open to the advice of the Office of the Privacy Commissioner for any additional advice that may be forthcoming or actions that we should take. Similarly, we have consulted with third party experts in the industry. We are open to advice and best practices from any quarter that can help us achieve the standard we are after, but yes, that is the direction.

Let me indicate two particular areas. The data loss protection software that will be put in place, as I understand it—and my colleague the chief information officer can correct me if I wander into the swamp—will be deployed throughout our system, allowing us to monitor when there has been any inappropriate transfer of data. That's built right into the software. The system can be designed such that the folks who monitor such things will know when, in effect, a flashing light goes on and says that data has been transferred in an inappropriate way, against the protocol or the standard. We would then be in a position to go in and ask, in a very precise area, why that data was transferred in a way that's not appropriate.

That's a technological response, but what we're after is avoiding any inappropriate handling or transfer of data in the first place. The very merit of our institution is founded on human dignity—that's why we protect individuals' information—and concern for human beings, and that's why we have the programs we do.

The other side of that coin is that human beings run the system, and there can never be any absolutely fail-safe system. However, in terms of that human culture, we want to be an organization that is excellent in everything we do, one in which individuals know their part in the larger scheme of things and will handle Canadians' information carefully and sensitively and according to the rules.

That's what we're after, and that's the direction in which we're going.

Let me pick up on one of the first points you made with respect to examining current practices.

With their employees, each assistant deputy minister in the department is examining their practices around the movement and storage of data. Employees, I believe, are taking these incidents as seriously as we are, and we are pursuing in nitty-gritty detail exactly how information is stored and how it is moved branch by branch within the department, right down into the trenches.

This is a very intensive process. We're meeting with each unit throughout the department and looking at what they're doing in the verification of their data or inventories and how they're storing that information.

Mr. Chair, Mr. Butt will know that I won't enter into the hypothetical, but the range of potential, at the one end of the spectrum, is of course termination, and that is explicit to staff in the policy and in the code of ethics. That obviously is a very severe measure and has to be justified concomitantly by severe behaviour.

Beyond that spectrum, if there is any malfeasance involved on the part of the employee—and sadly, we know that in the public service's history there have been occasions when criminal behaviour has been undertaken—the full force of the law is available and waiting to deal with any such situation.

I would say that throughout that spectrum, for individuals who are part of the “pay at risk” system, that element would be brought into play. Behaviour in this area could play into decisions about promotion and advancement, and there are measures such as suspension that can be a part of that arsenal of discipline.

It is the same. We've been in touch with the employees formally by letter and have offered exactly the same services.

I was just going to say, Chair, that I don't want to be evasive, but I think I have to regard that as hypothetical. I wouldn't be comfortable in venturing into that area at this stage.

You indicated “should” something happen, and “if”. Let me just say that our action plan involves very careful monitoring at our end and via the service provided by Equifax, and we will be following this very carefully.

I'm not in a position to speak hypothetically about what the government would or wouldn't do in a situation—

Well, the circumstances itself are hypothetical, and I'm not in a position to comment on that area. I just don't want to venture into that hypothetical realm at this stage.

My information is also from Equifax. Maybe it's something you need to work through with Equifax. The discussions we've had have been very direct and have been senior as well. The lost wallet service is a service that is not available nationally. It's not available—

My understanding and what they've told me is that it extends for three months.

The other difference is the lost wallet alert is of a different standard than the credit flag. The credit flag requires the credit grantor to ask additional questions requiring enhanced authentication, which is different from the lost wallet service, which doesn't have the same requirement and compulsion to it.

My understanding from Equifax is that the requirement is higher. In addition, too, there are the customized services we're getting with the client services, whereby they will take time to explain the service and the options that folks may have, including taking off the service and what they may do to improve. It's a package of services that we've purchased.

We've asked Equifax a number of times, because we have heard the comment out there that you've heard as well, and they have assured us that the package of services that we've provided is significant. It is something that has a cost attached to it, and it is not the same as the lost wallet service.