Evidence of meeting #31 for Access to Information, Privacy and Ethics in the 39th Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Ken Cochrane  Chief Information Officer, Treasury Board Secretariat
Donald Lemieux  Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat
Nancy Holmes  Committee Researcher
Clerk of the Committee  Mr. Richard Rumas

4 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

Because of the nature of the mandate of the policy suite renewal, it's limited to the policy realm. And again, we are working in lockstep with the commissioner on this.

4 p.m.

Conservative

Mike Wallace Conservative Burlington, ON

I appreciate that. Thank you very much.

Thank you, Mr. Chairman.

The Chair Liberal Paul Szabo

Mr. Pearson.

4 p.m.

Liberal

Glen Pearson Liberal London North Centre, ON

To Mr. Cochrane, when the Privacy Commissioner was here, she thought it would be a good idea to have a legislative requirement for government departments to demonstrate that they need to collect information. It was interesting when she said that. I would like to know what procedures are currently in place when you do that. Also, what is your system for notifying people that you need this information?

4 p.m.

Chief Information Officer, Treasury Board Secretariat

Ken Cochrane

We understood that requirement was suggested. It is in fact a requirement of the current policy. Mr. Lemieux is just pulling out that piece; perhaps you want to refer to it. I think it will answer the question. But it is well understood by departments that they must follow through on that step initially.

4 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

Just in general terms. It's in chapter 2-2. We provided the committee with a binder that has the guidelines. I appreciate that there's quite a bit.... It says something about the information that we give our ATIP community, I guess. So it's chapter 2-2, page 1. It says:

The legislation states that government institutions shall not collect personal information unless it relates directly to an operating program or activity. The policy requires that institutions have administrative controls....

It goes further. The policy requires that institutions have administrative controls in place to ensure they do not collect any more information than is required. And it goes on.

So there is already something in the policy in addition to the legislation, and again, as Mr. Cochrane mentioned, policy is binding on these government institutions to limit the collection of personal information when they're starting off on a new program.

4 p.m.

Liberal

Glen Pearson Liberal London North Centre, ON

Why, then, is she calling for a legislative requirement if you're saying it's already in there? I'm just trying to understand.

4 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

I haven't had a discussion, nor have any of our officials, on why they feel that it should be there. Perhaps she's looking at other jurisdictions, or she's had discussions. I really can't say.

Glen Pearson Liberal London North Centre, ON

The legislative requirements that you just read out to us from your binder, are they applied--

4:05 p.m.

Chief Information Officer, Treasury Board Secretariat

Ken Cochrane

I should just clarify. They're policy requirements.

Glen Pearson Liberal London North Centre, ON

I'm sorry. You're right, thank you.

Are they applied equally across all the departments of government on this issue?

4:05 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

It's binding on every institution, all 250 now, to do that.

Glen Pearson Liberal London North Centre, ON

To what degree are they monitored by the Treasury Board to make sure that's done?

4:05 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

I think the way the mechanism is done--the watchdog, the mechanism, the framework that was set up in the legislation.... There is what they call the four-to-eight. The Privacy Commissioner has audit powers, and she and her staff can come in and do an audit of whether or not they're managing four-to-eight. That's on the collection--which is what I referred to--and the use and disclosure of personal information. So the way the regime in the act was structured is that the commissioner, who has audit powers, can go in there. It can be done also based on a complaint from an individual that it's not being done properly.

So that is the mechanism. The act did not set up a situation where both Treasury Board and the Privacy Commissioner would have the same role of auditing. They specifically gave the Privacy Commissioner those audit roles, subject to, of course, complaints by individuals, which I mentioned.

Glen Pearson Liberal London North Centre, ON

Can you compare for me, then, the policy that you have with PIPEDA and the collection of information? Are they comparable?

4:05 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

Unfortunately, I'm not an expert on PIPEDA because it's Industry Canada legislation. It's not the legislation I work with. I want to be quite frank with you that I'm not the expert to be able to do that. But the regime that they set up in PIPEDA is different from what's in the Privacy Act. I can't really evaluate it. That would require a detailed study. I'd hesitate to do so without having done that.

Glen Pearson Liberal London North Centre, ON

That's fair enough.

The Privacy Commissioner was saying that she feels there's a need, when information is collected, for it to be done in as open and transparent a way as possible. I'm not saying she was implying that it wasn't being done that way, but can I ask what your policies are on that or how you pursue that?

4:05 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

Again, Mr. Chairman, I haven't had the benefit of the exact context in which she said that. She may have seen that.... I'm not even aware that she's reported on that in an annual report, although she may have.

I have no particular knowledge that there's a shortfall there or that there's something she has observed. Certainly, as I said, we have regular meetings. There's nothing specific that has been brought to my attention to say that is an issue--and I tend to have regular meetings.

Glen Pearson Liberal London North Centre, ON

Well, what specifically do you have that keeps a transparent accountability mechanism? I'm digging a bit here, I know, but I'm just trying to understand where she's coming from.

4:05 p.m.

Chief Information Officer, Treasury Board Secretariat

Ken Cochrane

Mr. Lemieux will correct me, I'm sure, but I'm thinking that when we look at this, part of it is that the privacy impact assessment to some degree marries in with this process. So although you're collecting information, part of it is impacting it, and that's a very transparent process. A report is produced, a serious assessment is done. It is published on their website. It is made available to the commissioner. That's a very public part of the process, and I believe that's done as they establish any new information holdings.

4:05 p.m.

Executive Director, Information, Privacy and Security Policy, Treasury Board Secretariat

Donald Lemieux

One thing that I might add that I probably should have mentioned earlier is the tie-in it has with the InfoSource. That's the publication I referred to. I always say it's one of the most important parts of the legislation, because you can have all the rights you want, but if you don't know what type of information the government holds on you, then it's a sort of hollow right. In InfoSource there are what they call “personal information banks”, and there is a lawful responsibility on behalf of the heads of the institutions to describe their personal information banks. So that's the transparency element that the public will be able to see.

The Chair Liberal Paul Szabo

We'll now move to Mr. Allen.

4:05 p.m.

Conservative

Mike Allen Conservative Tobique—Mactaquac, NB

Thank you, Mr. Chair.

Thank you, gentlemen, for being here today.

I've been a longstanding member of the committee, and there are a few things that intrigue me about your presentation, especially on current issues on privacy.

First, Mr. Cochrane, your role is CIO. What intrigues me, with respect to the policies, is identification assessment and the mitigation of privacy impacts and risks. Given all the government information systems we have, the majority of which are disjointed, what kind of risk assessment has been done on those systems? How does that fit within the new Privacy Act? How are you trying to deal with the number of information systems that are collecting information?

4:10 p.m.

Chief Information Officer, Treasury Board Secretariat

Ken Cochrane

That's a very good question.

It's one of the challenges of the role of CIO. There are a number of different groups within the CIO branch of Treasury Board Secretariat. Mr. Lemieux has the privacy and access to information people. We have a group that focuses on what we call enterprise architecture. We have another group that focuses on information management. You can see very quickly that there are overlapping and complementary elements.

The people who look at enterprise architecture draw a map of what the government looks like. They look at whether there is common information and try to create a map so that when we move forward and add new systems, processes, or programs, there's a good understanding of the ability to reuse and affect information that already exists. That's a very important discipline and one that we follow very closely. They work in close cooperation with Mr. Lemieux's area.

The information management people, on the other hand, develop basic models of what information should look like in government. If we hold human resources information in 60 different institutions, we should follow a standard. And if we're looking at geomatics information, it should follow a standard so we can look at it in a coherent fashion and understand it overall. I think that really supports the work Mr. Lemieux does as people change information or modify information. It allows us to look at things holistically.

One of our most important assignments in the chief information officer branch is to establish standards for government operations. When you're in unique business lines, that's fine. But when you're in business lines where information crosses over, we establish common standards so we can understand the information much more effectively.

4:10 p.m.

Conservative

Mike Allen Conservative Tobique—Mactaquac, NB

We continue to hear these horror stories. You believe that all this information is secure, then someone steals a laptop, and it's gone. Then you hear that people's personal information or social insurance numbers were on it.

What kinds of safeguards do you anticipate putting in place to make sure that the assets are protected as well? Are there provisions for that?