Information & Ethics Committee on May 1st, 2008

No criminal penalties are provided for in the policies, whether it's ours or that of Service Canada.

That's not my field, the field of the policy—

You're talking about a theft, a crime. That's a justice matter. If someone steals an identity or does something illegal with personal information belonging to someone else, I would say that is more of a Criminal Code matter. The RCMP or the police would conduct an investigation, if there was a theft or some form of abuse. That's straying a little from my area of responsibility.

I believe Mr. Cochrane would like to add something regarding identity theft.

May I answer in English?

In the area you're talking about, if there were to be sanctions or whatever, PIPEDA needs to deal with that with respect to private industry. As Mr. Lemieux says, it's a criminal matter when information is stolen, so we're into the criminal side of this process.

Identity is an area we're also engaged in on behalf of the Government of Canada. It's a new area. Different institutions determine the information required to verify that you are who you say you are and I am who I say I am. We're working collectively on identity standards across the country, with all the jurisdictions. We're also speaking to the banks and others about identity standards. Is my social insurance number, my driver's licence, and my passport sufficient to identify me? It's an area we're very active in right now. I don't have a solid answer. I can't tell you three things we'll accept.

It's all part of registering and establishing the person. We're a little outside of our discussion here. But registering and establishing a person is the most important part of the process. As an institution, you need to determine that you're satisfied that this is Mr. Lemieux. Once you've done that, we have tools we will put in place as part of identity management.

I agree. It's a leading-edge area for all of us: the Americans, the British, the banks, and everyone else. It's an area we're very active in. The possibility exists that we will put some controls in place. From a policy perspective, what that means in terms of legislation--

You'd be happy if she didn't.

Like so many of these things, it cuts across a bunch of areas. If you're talking about federal public servants, you already have some human resources issues if someone is mishandling information. Employees have clearances so that they can handle information at a certain level. It breaks down into Protected A, Protected B, Protected C, Secret, Top Secret, and that kind of thing. As an employee, you're limited in what you have access to. If you don't have access to that information, or you shouldn't have access and you do, then perhaps there's a sanction from a human resources perspective.

There are also various disciplinary measures. If someone has access who has committed an offence, we're looking at the Criminal Code.

Absolutely. It cuts across security, privacy. If there's a breach, it's a Criminal Code offence. It could be a number of things.

There is policy around the use of electronic networks, which really allows people to have access to systems and so on, so there are very strict policies.

Mr. Chair, there are a couple of things I'd mention on that front.

First of all, there's the work we did at the Treasury Board Secretariat going back a couple of years now, maybe three years, on the U.S.A. Patriot Act. There had been a complaint in B.C. regarding some employees, and the federal government became engaged because we were talking about the transfer of personal information. We got involved, our division got involved—because of its policy role in terms of sharing personal information—in developing some tools, some guidelines for government institutions when it comes to contracting and sharing information. We worked very closely with the Privacy Commissioner, and we issued a report, I believe just over a year ago maybe—years seem to come and go pretty quickly here—called Privacy Matters, in which we gave pretty solid policy direction on what should be done.

We're also working on additional guidelines and advice on transborder data flow. We've actually shared a document with the Privacy Commissioner on issuing guidelines on that, and we're still going back and forth. It's obviously an area that's sensitive, and I think everyone's aware of that, so we're just trying to be as careful as we can.