Information & Ethics Committee on Oct. 19th, 2010

Yes, and we miss her.

We have investigations under the act, and they can be broadened into systemic investigations. This tends to be inquiries into a particular set of facts around a particular individual or a series of individuals, looking maybe at patterns and practices, but always related to a specific event.

An audit is I think what we usually understand by its name. It's a general sampling, according to the best scientific principles of representivity, into the practices and the observances of personal information protection in an organization.

We do both investigations, mostly because people complain to us about something. Sometimes we initiate our own investigations, like the Google Wi-Fi one.

What I've announced is that I thought the best tool for Veterans Affairs, given what we were learning, was to do an audit. So that would be a department-wide audit, but only on personal information protection measures.

It would be a major, major, major operation; I would need quite a few mandates, I think, to accompany that. Our audits usually take a year, although I hope this one could be done faster, and that's in a relatively small department. It's a very big operation.

Now, in Veterans Affairs, yes, I believe we do.

No. Nobody that I heard of in the international data protection or IT community was talking about what happened. What was happening was unbeknownst to all of us until this spring. One of the länders'--they're like the German provinces--data protection supervisors, who have jurisdiction over a lot of the private sector in Germany, started a discussion with Google that quickly became public because they suspected that Google was scooping up personal information.

As I remember the newspaper reports, Google initially denied it, in retrospect because they did not know themselves that they were scooping up personal information. That's how they store...and that's just in April-May of this year.

I'm not a huge personal specialist in this, but I understood that the initial operation was to do a street mapping. Then they were interested in picking up Wi-Fi transmission points for the development of other services, geo-location services. But they didn't understand--because of internal, I'd say, organizational problems--that in doing that they also got the personal information that was unencrypted and not password-protected.

I know that at the office.... In fact, Assistant Commissioner Elizabeth Denham, who was responsible for this area, said they had a plan to go on and use geo-location data, which is another field to be exploited by those who are in that business, but nobody had an idea that it involved collecting unprotected information as well.

Okay. I'll say that overall they were cooperative, but that maybe there were a few sticky points.

We're doing what's called “scoping the audit”, which involves basically setting up a work plan. This may take a couple of months--Veterans Affairs has offices not only in Prince Edward Island, but also here in Ottawa and across the country--for deciding how we are going to do the work, whether we'll have to contract it out, whether it will be in-house staff that will do it, just how big the sample size will be, and so on. I'd say there's a good few months of planning.

We'll be acting to see how this situation that was uncovered in our investigation--and that we and other people read about in media reports of other veterans who dealt with the department--actually came to be. Were there any policies or were they just not followed? How widespread were the problems and what is being done to fix them? What further steps should the department take to make sure that this can't happen again?

I don't have an idea on that, because we simply look at the very particular circumstances around one person. We didn't go back and sample to see if this was an old practice or a relatively new one. I think perhaps our audit will give us a better idea of that.