Information & Ethics Committee on Oct. 19th, 2010

From your testimony here today, it seems to me that your office is embarking on some relatively major initiatives--the DVA issue, the Google issue, and the Facebook issue, among others. In your opinion, do you presently have sufficient resources to carry out the mandate you've been given by Parliament?

In your opinion, Ms. Stoddart, in the fulfilling of your office's mandate, are you receiving cooperation from all departments and agencies within the Government of Canada?

As I have indicated, we've concluded the second round.

We're going to go to the third round now. You will have five minutes each.

We're going to start with Ms. Bennett.

Ms. Bennett, you have five minutes.

Somehow it makes it easier for a commissioner if the departments actually have a culture of divulging when there's been a mistake. We've learned from the airline industry that you don't lose your licence for making a mistake; you lose your licence for failing to report a mistake.

I think in the ongoing interest of the privacy of Canadians, departments need to feel comfortable reporting a possible or real breach in the data, such that it turns into a learning culture, where you could tighten this up because the department says, whoops, this happened.

Yet we all know that within departments there's a sort of risk-averse culture. If you've made a mistake or almost made a mistake, there's a sort of gotcha feeling or a reluctance to admit that there was a mistake.

Do you think we're getting there, that departments are feeling more comfortable reporting a possible breach or a real breach rather than waiting until it is caught or comes from a complaint-based system?

When asked about resources, you said that you thought you had sufficient resources to do the audit within Veterans Affairs. In terms of the privacy impact assessments, It looks like you've had a 60% jump in submissions. Do you think you have enough resources to do these in a timely fashion?

We congratulate you on getting rid of the backlog, which is the complaints-based system, but do you have the tools to do it proactively with audits and impact assessments? How do you decide which would be the most important ones to do, given the limited resources?

Mr. Chair, in terms of this committee, will we write a report that would allow the commissioner more flexibility in terms of the way she administers her budget? Is it possible for us to do that, Mr. Chair?

Definitely: we can write any report we want, and that report would go to government, Ms. Bennett. Perhaps we can ask the commissioner to elaborate on that. There are probably results of some of the problems that this office had before Ms. Stoddart became the commissioner. This particular office has had problems in the past, as we're all aware, and there may be some constraints as a result of previous issues.

Am I right in that, Ms. Stoddart?

In some of the legislation that died on the order paper, you had some concerns. Have you been consulted on what was the previous Bill C-46, Bill C-47...? Do you anticipate that your concerns will be dealt with if those bills are tabled again?

But do you routinely see bills beforehand for a privacy assessment?

So do they table things that could be a problem and then find out afterwards?

Thank you very much, Ms. Bennett.

Mr. Albrecht, five minutes.

Thank you, Mr. Chair.

Thank you, Commissioner, for being here today.

I'm a recent appointee to this committee, so I don't have the long institutional memory that many of my colleagues here have. I just want to follow up a bit on the training or the provisions for members of the community to know what their obligations are.

On page 11 of your report, relating to the mortgage brokers, you indicate:

The Mortgage Brokers, Lenders and Administrators Act, 2006 requires mortgage brokers and agents to undertake specific training concerning the provision of mortgages. While we found that brokers and agents had undertaken this mortgage training, no agents from the mortgage broker companies that we audited had been provided with formal and ongoing training under company-specific privacy practices, or their responsibilities under PIPEDA.

I think it's quite possible and probable that many of the employees or individual brokers or agents had actually acted in ignorance and may not have been aware that there actually had been a privacy breach.

Now, I'm sure that most departments have strict safeguards to ensure that personal information is secure and that their employees are well trained in their efforts to protect their documents. I understand you said a few minutes ago that in your next three years you're going to focus more on the training aspect, especially related to private agencies, but my question is, what kind of current training does your department do beyond what private companies like this, or even individual departments in government, would provide to their own employees?

The second part of that question is this: if you could guess, what percentage of the breaches that occur would you think are simply human error, or ignorance, as opposed to wilful ignoring of the guidelines?

Do I have any time left, Mr. Chairman?

Go ahead, Mr. Albrecht.

In relation to your international investment of time and energy, would you have a rough idea as to what percentage of your department's resources are invested in developing international policy to address the issues you've mentioned in your statement about the resolution to see privacy considerations becoming embedded in the design?

Would you have a rough idea as to what percentage would be committed to that international component? Because the computer world is a borderless world, as we know.

Thank you, Mr. Albrecht.

Ms. Freeman, you have five minutes.