Information & Ethics Committee on Oct. 19th, 2010

Your question concerns a number of issues. I do not know whether the Blackberry belonging to your colleague was provided by the government, so if it met government standards. In principle, it should be encrypted. From what I have understood, government Blackberrys are encrypted—the ones at my office are. Perhaps it would be a good idea to protect them with a very good password.

This brings me to one of the audits that we conducted, which suggests that the PIN to PIN function is not used. When the PIN to PIN function is used, it seems, according to my experts, that the department or Parliament server is not being used. So, the signal can be intercepted by quite basic equipment.

Finding one's personal information on a Blackberry is not necessarily bad, to the extent that no one had access to it because it is protected by a password.

Thank you for your question. The agencies in question noted their inability to erase the information at the workshop, since the workshop was not really set up to erase personal information. We will do a follow up in two years' time.

I think Canada is well respected for its balancing of these two rights. We have a very thorough process. It's not in all countries, for example, that things like the airport scanner, to take that particular one, are referred to the Office of the Privacy Commissioner for a privacy evaluation. I think that has attracted a certain amount of attention. I know that on the level of scholarship, there are a couple of international scholars who are interested in working with us on how to balance the principles of privacy protection with national security imperatives.

Well, yes, one wonders. The rules have been there for a long time. In fact, 10 years ago, the commissioner who preceded me, Bruce Phillips, did an investigation of this kind and found that there were an enormous number of computers that were not being wiped clean.

My take on this is that at the end of the 1990s we were all just starting to work with computers and maybe we didn't realize that everything is indelible unless it's specially wiped and so on. But we thought, for interest, that we would follow up 10 years later to find out what was happening.

In our sample, 40% of the computers had not been completely wiped. There was still personal information on them--in fact, national security information--in spite of the clear directive that has been around for more than 10 years, and in spite of, I would say, increasing popular personal individual knowledge of what happens on the computers we all work with, whether they're little BlackBerrys or much more powerful ones.

This was a bit of a surprise to us. It's not that the rules aren't there, but I guess busy people forget that, or the job's half done. That's another audit we'll be following up on in two years.

Yes. In fact, educating small and medium-sized businesses would be an objective for the next three years--if I continue on for three years--because we realize, partly because of the work of these two university professors, that big business, like the big insurance companies, the big banks, and so on, are following the rules pretty well. They're pretty sophisticated. We rarely have serious complaints against them now, and if we do, they're quite rapidly settled.

The issue with small and medium-sized businesses is that this is seen as an extra financial burden—and it probably is—for them, as just another thing they have to do. We're working on a program, particularly out of Toronto, where a lot of Canadian business is centred, to take some of the tools that have been developed by big business and, with them, try to adapt them. So these would be tools that small and medium-sized businesses could access free of charge through our office so that they don't have to go out and spend $200 or $300--sorry, $3,000--on a custom-made.... There should be something that is reasonably adapted, that can be scaled down from the bigger business experience.

Oh, oh!

Not that I'm aware of, no.

The recommendations are shown to them. They have a chance to comment on them, to make factual corrections to the report and so on. Whether we negotiate, as you say, or try to arrive at a consensus, depends on the type of issue we have.

Here we have an issue where it seems there were multiple illegitimate accesses to somebody's personal information, so it's not something that you can really negotiate on, going backwards. But forward, I didn't hear that there was any objection by the department or the officials to any of the recommendations that we made going forward, nor indeed to an audit.

For taking “immediate steps”, I would say in the days and weeks that follow. If this is a widespread issue, it's pretty critical.

Exactly.