Evidence of meeting #67 for Human Resources, Skills and Social Development and the Status of Persons with Disabilities in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Ian Shugart  Deputy Minister, Department of Human Resources and Skills Development
Ron Parker  Associate Deputy Minister, Department of Human Resources and Skills Development
Allen Sutherland  Assistant Deputy Minister, Learning Branch, Department of Human Resources and Skills Development

12:25 p.m.

NDP

Marjolaine Boutin-Sweet NDP Hochelaga, QC

Based on what you are saying, a notation is made on credit files, but there is no oversight. In other words, no one will check to see if the social insurance number has not been used by someone else somewhere to get a loan or to apply for credit cards. In fact, neither the government nor Equifax will provide any surveillance.

12:25 p.m.

Associate Deputy Minister, Department of Human Resources and Skills Development

Ron Parker

Not exactly. The two are actually independent from each other.

The people in question are clients of financial institutions. When they make a request to obtain additional credit or a mortgage, or to increase their credit limit, the institution will see the notation on their Equifax file indicating that they might have been involved in an incident. According to their protocol, financial institutions will then be able to ask for additional proof of identity.

12:25 p.m.

NDP

Marjolaine Boutin-Sweet NDP Hochelaga, QC

I have not received an answer to my question about costs—

12:25 p.m.

Conservative

The Chair Conservative Ed Komarnicki

Thank you, Madame Boutin-Sweet—

12:25 p.m.

NDP

Marjolaine Boutin-Sweet NDP Hochelaga, QC

I already asked this question.

12:25 p.m.

Conservative

The Chair Conservative Ed Komarnicki

—your time is well up. Sometimes you don't always get the answer you want or like the way it comes out, but your time is up. If Mr. Parker wishes to elaborate somewhere along the way, he can, but we'll move now to Mr. McColeman.

12:25 p.m.

Conservative

Phil McColeman Conservative Brant, ON

Thank you for coming today to deal with a most difficult—and the word's been perhaps overused, but I'll state it again—a most unacceptable event.

It reminds me of risk. One comment Mr. Shugart made was that you can never give absolute guarantees. There will always be risk. There was a level of risk before this happened, and now perhaps another level of risk afterwards because of the new protocols that are put in place as a result of this situation. It reminds me of 9/11 and what happened in terms of our feeling secure after 9/11. The world changed. We had to put a lot more security in place.

Having said that, I'm interested to know the protocols that were in place at the time that these devices went missing with this important information about Canadians. Were the protocols for the handling and storage of that information followed?

12:25 p.m.

Deputy Minister, Department of Human Resources and Skills Development

Ian Shugart

My colleagues can elaborate, but subject to anything we may learn in the investigation, it seems to us that given the requirement for encryption and the fact that the information transferred was not encrypted, it's pretty clear that the policy was not followed.

The policy was in place and the requirement was in place, but the indications we have are that the policy was not followed.

12:25 p.m.

Conservative

Phil McColeman Conservative Brant, ON

Would that include your policy regarding storage and the place where they were stored? We're told it was in a locked cabinet. Was that the proper protocol for where backed-up hard drives should be placed?

12:25 p.m.

Associate Deputy Minister, Department of Human Resources and Skills Development

Ron Parker

The devices are to be stored in a secure locked cabinet. The investigation will look at what the circumstances were when the device, the hard drive in particular, was not in that locked cabinet.

At one point we knew that it was, right? The evidence points to it being in the cabinet. What we know is that it's unaccounted for at this time, and we are looking to understand how that came to pass.

12:30 p.m.

Conservative

Phil McColeman Conservative Brant, ON

You mentioned in your opening remarks, and it's been mentioned here in our questioning, that the level of consequences for not following protocols goes right up to and includes termination.

What actions are being taken?

12:30 p.m.

Deputy Minister, Department of Human Resources and Skills Development

Ian Shugart

Chair, first I need to say that we don't have the results of the investigation with respect either to certainty about the individuals involved or the circumstances. Therefore, to go further than that would be conjecture. Mr. McColeman will understand that I won't do that.

I can say, however, that a number of things would be taken into account in such situations with respect to what discipline is appropriate, including the genuine awareness of the individual employee. Responsibility by a manager, for example, would be expected to be greater than that of an employee, and an employee who deals constantly with this kind of information would have a greater expectation of compliance than one who was unaccustomed to it. These are all illustrations of that factor, that criterion of awareness.

Motivation—the intent of the individual—is clearly a factor in any decision about discipline. Again, I won't theorize in this situation, but intent is clearly a factor. The gravity of the situation is a factor, as is the degree of remorse of an individual and the willingness to comply. We would take all of that into account in deciding each individual case, based on what we know.

Of course, one has to have clear knowledge before acting on the basis of discipline. We would take all of that into account in deciding where on that continuum an appropriate action would be taken.

12:30 p.m.

Conservative

Phil McColeman Conservative Brant, ON

I appreciate your articulating it in those terms of taking the broad range of circumstances and, I suppose, cultural influences, into consideration.

I think that on both sides of the political spectrum, we all recognize the gravity here. There has been some mention, I think by the minister, that because of the gravity and the seriousness of this situation, in the go-forward situation and the establishment of new protocols and procedures, there will be an increased toughening, shall I say, of the consequences, should this happen again.

12:30 p.m.

Deputy Minister, Department of Human Resources and Skills Development

Ian Shugart

Again, I don't want to stray too far, Chair, into the realm of conjecture, but I think I can say that as a consequence of deepening our culture and our training and our awareness of these issues, one ought to be able to expect a higher standard in the future.

As I indicated before, the code of ethics includes both the range of disciplinary action that can be taken and the obligation for personal information protection. To the extent that we deepen the cultural awareness and the rigour and the extent of the training and so forth, in this issue particularly we will be able to raise the awareness and commitment of employees. I have to say that of course we have many areas where public servants have mandatory obligatory training, and that is appropriate. As our CIO knows only too well, and we all do as managers, the area of information technology security and information management is itself becoming more and more complex and broad and intertwined, and in order to achieve that desirable state of culture that I've referred to here, we do need to raise our game in terms of awareness and commitment of employees.

Against that backdrop, I think that employees should expect that we will be going about this in a strict fashion.

12:35 p.m.

Conservative

The Chair Conservative Ed Komarnicki

Thank you, Mr. Shugart.

We'll now move to Mr. Cleary for seven minutes.

February 14th, 2013 / 12:35 p.m.

NDP

Ryan Cleary NDP St. John's South—Mount Pearl, NL

Thank you, Mr. Chair.

Mr. Shugart, I reviewed your speaking notes and the timeline for both incidents, and my first question is in regard to the timeline.

In the first incident, which was November 5, we have a missing hard drive with the information on 583,000 Canadians, the student loan information. It was reported to the privacy commissioner on December 14. That was more than five weeks after this device went missing. In the second case, the USB went missing on November 16 and the privacy commissioner was notified six days later.

Why did it take more than five weeks in the first case—what I would describe as the more serious case and the one that affected more Canadians—and six days in the second case? Why?

12:35 p.m.

Associate Deputy Minister, Department of Human Resources and Skills Development

Ron Parker

I think the reason is that from the early days—from the November 5 period to the end of November, roughly—we were looking for an asset. What was on that asset was not well understood. The extent of the information that was on it became clear on December 6. At that time we began to react swiftly, in terms of the actions taken. The searches intensified, and, as I mentioned, the privacy commissioner was notified as of December 14.

12:35 p.m.

NDP

Ryan Cleary NDP St. John's South—Mount Pearl, NL

Mr. Parker, I'll stop you there. I've got to ask this question.

You describe the actions as “swift”. You say you acted swiftly, but on November 5 this first hard drive went missing, and there wasn't an informal investigation launched until the first week of January. How can you describe that as “swift”?

12:35 p.m.

Associate Deputy Minister, Department of Human Resources and Skills Development

Ron Parker

The search for the hard drive and the security incident protocols call for corporate security to become involved. That took place on November 28, once the management of the department was notified. At that time the protocols kick in and the notification up the line takes place and we became aware of the incident.

Until that time the employees were looking for a hard drive. As of December 6, in terms of moving quickly, once it became clear that we were dealing with 583,000 lost records of students and the information for 250 employees, we had a short time between that and the notification of the Privacy Commissioner. We intensified the search, and once that was done and we came to the view that the likelihood of finding it was low, we notified the Privacy Commissioner.

12:35 p.m.

NDP

Ryan Cleary NDP St. John's South—Mount Pearl, NL

Mr. Parker, I'm sorry to interrupt, but I want to get a few more questions in quickly.

I know that the minister and the officials here today have described the potential security breach as unacceptable, but on the department's response to the loss of a hard drive and USB port, would you also describe that and the timeline here as unacceptable?

12:35 p.m.

Deputy Minister, Department of Human Resources and Skills Development

Ian Shugart

No, I wouldn't, and I don't want to be misunderstood as in any way saying that what occurred was acceptable. It wasn't, but with the information we had at the time that we had it, we believe we acted appropriately with respect to our protocols for the Privacy Commissioner.

We were continuously searching for the assets. At the same time that we became aware of the content, we immediately began the process of informing people and putting in place throughout that period the additional measures—hardware, software, and so on—for prevention of such things in the future. On all three of those paths we were proceeding, we believe, appropriately, given the gravity of the situation, which we do not in any way question.

12:40 p.m.

NDP

Ryan Cleary NDP St. John's South—Mount Pearl, NL

I have two requests as well. In terms of a hard copy—you probably wouldn't want to give this on a USB port or whatever—of the new policies and procedures on the handling of personal data, can this committee be presented with a copy of your new policies?

Also, are you prepared to give this committee a copy of the report into your investigation into both of these incidents?

12:40 p.m.

Deputy Minister, Department of Human Resources and Skills Development

Ian Shugart

Chair, as to the first, I will undertake to provide the committee with whatever information the committee asks for.

With respect to the second, I will provide any information that we can that is not precluded by the statutes of Canada.

12:40 p.m.

NDP

Ryan Cleary NDP St. John's South—Mount Pearl, NL

At what point—

12:40 p.m.

Conservative

The Chair Conservative Ed Komarnicki

Mr. Shugart—