Information & Ethics Committee on May 1st, 2008

Evidence of meeting #31 for Access to Information, Privacy and Ethics in the 39th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was institutions.

A recording is available from Parliament.

On the agenda

Privacy Act Reform

MPs speaking

Paul Szabo
Charles Hubbard
Carole Lavallée
Mike Wallace
Glen Pearson
Mike Allen
Paul Crête
Luc Harvey

Also speaking

Ken Cochrane  Chief Information Officer, Treasury Board Secretariat
Donald Lemieux  Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat
Nancy Holmes  Committee Researcher
Clerk of the Committee  Mr. Richard Rumas

4:10 p.m.

Chief Information Officer, Treasury Board Secretariat

Ken Cochrane

This is where privacy starts to drift into security. We also have the security policy for the Government of Canada. When we look at security, I'd say there are three main areas. One is the physical security of our buildings and facilities. The second is personnel security and screening, because those are all factors in the loss of information. The third is IT security. That whole policy area really deals with that.

When you look at IT security, specifically, first of all, you want to make sure your facility is sound. The security policy with respect to facilities very much deals with how you need to secure a facility so that people can't go in and take things.

In the case of laptop computers and mobile computing, the information technology security part deals with the way you need to store information if you are going to be mobile. There are very specific rules in place as to what should be on mobile equipment. If it's there, you need to encrypt it and protect it.

If you're using mobile equipment to gain access to government, there are very specific rules on how you need to access government services through secure channels and secure networks. There's a lot of regulation within government to control all those elements.

4:10 p.m.

Conservative

Mike Allen Conservative Tobique—Mactaquac, NB

Maybe you can clear something up for me, because I've obviously misunderstood. You say “The second management policy instrument that we are responsible for is the Privacy Impact Assessment Policy, which was implemented in 2002.” You go on to talk about it, and the next paragraph says “We are currently reviewing this policy and we are working in close collaboration with the Office of the Privacy Commissioner on this matter.”

This is six years later, and this was actually implemented. But you say “We expect that our review will be completed within this fiscal year.” What does that mean? I've obviously misunderstood that. Why would you be reviewing that six years after it was implemented? What is that review? What is the context of it?

4:10 p.m.

Chief Information Officer, Treasury Board Secretariat

Ken Cochrane

This falls within the broader space of policy suite renewal. Before we began the exercise on policy suite renewal, the Government of Canada had a whole series of management policies that departments needed to follow. I believe that the number of management policies when we began the review was about 180. Our sense was that this was a very large number of rules for departments to try to follow. As we've gone in, we've tried to collapse and combine things, as much as possible, into logical chunks. We've reduced the 180 policies to about 44.

In this particular case, we had two separate policies. One was on PIAs, privacy impact assessments, and one was on privacy. We've put them together, because they logically fit together. This is not so much reassessing the privacy impact assessment itself as it is putting it in the family. As we put it under the umbrella so it's easier for departments to use, we'll work with the Privacy Commissioner to make sure the process for privacy impact assessments is most logical.

4:15 p.m.

Liberal

Le président Liberal Paul Szabo

Mr. Crête, please.

May 1st, 2008 / 4:15 p.m.

Bloc

Paul Crête Bloc Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC

Good afternoon.

The Privacy Commissioner wants the authority to disclose information in the public interest on government institutions' management practices in the area of privacy. Ultimately, from what I understand, it wants to take snapshots of the efficiency of each of the organizations and make them public.

What do you think of that recommendation? Should we include it in the act?

4:15 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

I wasn't here when Ms. Stoddart made that comment. I don't know under what circumstances she made it.

In fact, under the act itself and the policy, there are restrictions on departments that want to disclose... There are rules, under the policy and the act itself, for departments wishing to disclose personal information.

If I correctly understood the example she gave, this is a photograph that—

4:15 p.m.

Bloc

Paul Crête Bloc Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC

I'm not talking about a photograph, but rather a snapshot of the situation, of the management by an organization. She would like us to be able to show the management practices of such and such a government institution or another in the privacy field, and for that to be included in the act so that the public can judge the efficiency of each of the organizations.

4:15 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

I think I understand now.

In fact, she would like there to be greater understanding of the statistics and an annual report to Parliament. One of the things I mentioned about the Accountability Act is that the Treasury Board President was specifically mandated to gather statistics, which we were doing in any case, as part of our role.

Obviously, we haven't restricted ourselves to our discussions with the Office of the Information Commissioner; we also have discussions with the Privacy Commissioner.

4:15 p.m.

Bloc

Paul Crête Bloc Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC

Do you think it would be desirable for that power to be included in the act? It isn't right now.

4:15 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

For the moment, as part of our role, we're exploring the possibility of adding it to the policy and of working with the Commissioner's office to try to reinforce certain areas.

4:15 p.m.

Bloc

Paul Crête Bloc Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC

In another connection, a directive on social insurance numbers covers government organizations. This week, we had quite an extravagant example: Chrysler lost a data base containing 250,000 names of individuals and their social insurance numbers. We're also surprised that the private sector has people's social insurance numbers.

Does your directive provide that every organization must protect the use of that informaion and that it may only transmit it to private sector individuals in exceptional cases or specific cases prescribed by regulation?

4:15 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

That field is shared with Service Canada. We are responsible for monitoring government institutions with regard to social insurance numbers.

I would like to emphasize that a social insurance number is also a piece of personal information. However, the Privacy Act makes no mention of social insurance numbers. In 1988, I believe, we issued a policy on that matter. Social insurance numbers are such important pieces of personal information that we established a policy in an attempt to control them.

4:15 p.m.

Bloc

Paul Crête Bloc Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC

Does your directive provide that the use and transmission of that information by the private sector is controlled for every organization?

4:15 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

The directive itself provides that institutions must restrict that use in accordance with their mandate. Our website provides a list of statutory reasons for which social insurance numbers can be used, as well as the programs that are authorized.

4:20 p.m.

Bloc

Paul Crête Bloc Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC

Does it mention instances in which they may be transmitted to the private sector?

4:20 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

If I may supplement that, I think that will answer your question. In some cases, there may be programs or acts as a result of which there may be a sharing with other sectors. That's provided for in the agreements between the departments and—

4:20 p.m.

Bloc

Paul Crête Bloc Montmagny—L'Islet—Kamouraska—Rivière-du-Loup, QC

Would it be appropriate to have a similar directive for the private sector on the use of SIN numbers as a result of the excesses that have occurred in the various departments?

4:20 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

In the private sector, SIN numbers are considered a piece of personal information. They should therefore be protected. Regardless of whether it's DNA or whatever, it's protected in the same way. Unfortunately, there may be cases in which personal information—SIN numbers or other items—may be disclosed. As Mr. Cochrane said, the aim is to protect them as far as possible.

4:20 p.m.

Liberal

The Chair Liberal Paul Szabo

Thank you.

Monsieur Harvey.

4:20 p.m.

Conservative

Luc Harvey Conservative Louis-Hébert, QC

I'll continue in the same vein as Mr. Crête. If I'm not mistaken, a social insurance number is required when a cheque is issued. Yes or no?

4:20 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

Yes.

4:20 p.m.

Conservative

Luc Harvey Conservative Louis-Hébert, QC

So a private business winds up with a social insurance number if it issues a pay cheque to its employee. It has no other choice but to obtain its employee's social insurance number.

It's not a problem for me if the business has the SIN number. But how does it manage to let it escape? Is its ability to make money from that list of social insurance numbers regulated or limited? Are there any safeguards against that?

4:20 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

I mentioned that there are agreements between the departments and the private sector. It's the same thing for the banks. At Revenue Canada, for certain provisions, the banks must have access to social insurance numbers. That's protected in the private sector by PIPEDA. Those institutions are governed by that act at the federal level. There are comparable acts in other provinces and territories, where that information is protected as personal information. On the one hand, it all makes sense.

For us, the SIN is a number that was created by the federal government. In the private sector, as a result of agreements with the departments, or programs or acts, businesses have that number. It's protected at the federal level by PIPEDA and by a provincial statute such as the Ontario—

4:20 p.m.

Conservative

Luc Harvey Conservative Louis-Hébert, QC

Are there coercive ways to ensure that private businesses are prudent in the way they protect social insurance numbers or personal information that they may hold on their employees?

4:20 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

Do you mean with regard to identity theft?