Evidence of meeting #34 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was audit.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Jennifer Stoddart  Privacy Commissioner, Office of the Privacy Commissioner of Canada
Chantal Bernier  Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada

12:35 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

I don't know details about how they do it, but that's what we found.

12:35 p.m.

Conservative

Blaine Calkins Conservative Wetaskiwin, AB

That's interesting. I can see where the information could be useful to a law enforcement agency, for example, if it is keeping surveillance on a person who has large sums of cash. Who is to say that the individual may have just sold a property or some large-value asset and is just taking the cash? There can be legitimate and illegitimate reasons for carrying large sums of cash. If the question is never asked, how would they even know, other than going through...? It just seems to me to be quite....

I thank you for bringing that up. I will be sure not to have more than a twenty on me when I go through security.

I'm going to refer to my personal life before I was a member of Parliament. You talked about the educational component of making people aware. I taught computer systems technology at Red Deer College. I am a graduate of computer systems technology. I am a little bit dated now because I have been here for a number of years and technology is advancing at a rapid pace. I'm just wondering, when we went through the accreditation process of having our diploma, we went through ASET, the Association of Science and Engineering Technology Professionals of Alberta. They would give us accreditation for our diploma so that graduates leaving that college would be recognized. It was a recognizable accreditation process.

Does your office ever get involved in making sure that anybody who has these accreditations actually has the wherewithal and knowledge they need? Do you make sure that somebody who graduates with a piece of paper has the knowledge? There is no official society out there for computer professionals. It's all voluntary. Is there anything that your office is doing to make sure those folks who are graduating, supposedly with the knowledge to maintain information systems and databases that would have all of this information, are actually trained to the level or standard that would satisfy most Canadians enough to know that whether they work in the public service or private sector, they are fully functional in the legislative requirements for the duties they would be doing? It seems to me that would be a logical place for an intervention.

12:35 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

No, we don't, is the short answer, largely because education and training are the province of the provincial commissioners. They may be doing something.

Where it came up indirectly—and again, I'm not trained in this area, as you are—was in our Staples audit. We were amazed. This was the third intervention with Staples. This was the third time we heard there was a problem with Staples not being able to wipe the devices clean. I had understood from my IT people that, yes, devices can be wiped clean without destroying the hard drive or whatever are the essential parts that make it function. In the course of the audit, Staples—and this is what I understand from the people who did the audit—continued to say that it was not possible to do this.

This makes one wonder about the issue you are bringing up regarding the qualifications or ability of people who are in charge of processes like that. It comes up indirectly, because if businesses and the government are getting bad advice, we wonder how well the people are trained.

12:35 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Mr. Calkins, unfortunately you are out of time. You had seven minutes and forty seconds.

We will now start our five-minute round.

Mr. Angus, you have the floor.

12:35 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Since my colleague Mr. Calkins was surprised that his seven minutes were up, I will follow up on one of his questions, which he might have wanted to follow up on in my five minutes. It concerns the issue of large amounts of cash.

I find this very interesting. Someone may carry a large amount of cash on a plane once. Perhaps the person just sold a house. Normally when you sell a house it is done through a bank. If someone carries large amounts of cash on two or three flights, that would seem to me to be a very large red flag, not that people pay attention to all of these flags, because they are drowning in data. As the Privacy Commissioner, when you are doing the audit, how do you decide what is an appropriate red flag to pass on and what is an inappropriate red flag?

12:40 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

At this point, I have told you most of what I understand about the audit. Chantal Bernier, who supervised this audit, could perhaps complete my answers for you.

12:40 p.m.

Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada

Chantal Bernier

The main point is that this information was collected outside the legislative authority of CATSA. There is absolutely no legal requirement to take it. It is not illegal to carry this amount of cash domestically. We were told that the reason they did that was almost for convenience. Because they needed to keep an eye on international flights in relation to carrying large amounts of cash, they did it for all flights. Hence, they gathered more information than they were allowed to. They easily conceded that they would stop that practice to be in compliance with the Privacy Act.

12:40 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Part of it is that it's so easy to gather information, so easy to share information, and there are certainly concerns that you raise about integrating privacy into public safety initiatives. You have a pretty powerful statement that a new generation of mobile devices, remote sensors, high-resolution cameras, and analytic software have revolutionized surveillance practices and greatly facilitated the global collection, processing, and sharing of data. This unchecked accumulation could have negative effects on citizens and could have consequences by constraining people's fundamental right to go about their business in anonymity and freedom from state monitoring.

It's so easy to gather all this data under so many different strands. We have international police agreements and services, and they share data, and they have a reason to share data. Again, we deal with people crossing the border. Do they get stopped? There's a red flag that shouldn't be there. There's no legitimate reason for an authority to have that red flag, but they get stopped, and they can be greatly harassed.

How can you audit this kind of information, this kind of sharing, since it is so easy to do?

12:40 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

That was, honourable member, in fact the very subject of an audit about what we did in maybe 2004-05, the sharing of information on border situations. We went to a large number of localities in Canada and just observed and looked at how the information was being recorded, and so on, and we made a lot of recommendations. We were shocked that sometimes things were kind of phoned across the bridge—“X is coming over, take a good look”, or something like that. I believe this has improved, because we followed up on that audit and the implementation.

More than that, your question, honourable member, speaks to the importance of updating Canada's privacy legislation, which is the authority that the government has to deal with personal information and the authority that I have to look into its information handling practices. In previous sessions of Parliament I brought the issue of reforming the Privacy Act, which hasn't been looked at for 30 years, or hasn't been changed in 30 years, to this committee. The committee made a number of recommendations. I believe there were some 12 recommendations. Not only do we have to look at PIPEDA, but I think we should also look at the Privacy Act.

12:40 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

You're talking about the specific information that is shared. It's shared with the police services, the Insurance Bureau of Canada, and also with Interpol and American law enforcement. There were 200 million times when it was accessed through 40,000 access points in 2009. You say that a third do not have standards for ensuring protection. Are we talking about over 13,000 access points in Canada or is that internationally?

12:40 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

A third of all those who have access privileges to the CPIC system have not defined within that organization or institution who it is exactly that designated the individuals, so it becomes impossible to track who in an organization has accessed something without justification. As you know from reading media reports, every so often somebody in a police force accesses a database where he or she has no business.

12:45 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Unfortunately, I have to stop you there.

Ms. Davidson now has five minutes.

12:45 p.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

Thank you, Mr. Chair, and thanks very much for being here, Commissioner and Ms. Bernier. It's great to have you back again. Certainly, I don't think the issue gets any easier, that's for sure. I think it becomes much more difficult as we venture further into the electronic age every year.

I was interested in the public education portion you were talking about, and I just want to ask a couple of questions about it. I think you had indicated that from grades 7 to 12 you were already involved with education, and that this year you were moving it to grades 4 to 6. Also, this year you were introducing more information for small business.

Can you tell me how you disseminate that information? You talked about curriculum, but is that something that is written into the provincial curriculums in all of the provinces? I realize that it's up to the provinces to decide what goes into the curriculum, at least in Ontario, and I'm assuming it is in the other provinces. I know, not from this issue but from other issues, that it's very difficult to get something added to the curriculum.

Is it in all provinces, or do you know that?

12:45 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

I don't know that. As you say, honourable member, this is a provincial matter. We're always very careful to stay within our own jurisdiction, unless we are invited to do something. What we have concentrated on doing is making the tools and information available on either our website or through things we can distribute when they are requested.

There is an agency, the Media Awareness Network, I believe, that works with school boards across Canada. If they request information, we can give it to them through this Media Awareness Network. It is just an additional resource for teachers, without formally going through the channels.

We also have, in our contributions program, $500,000 a year we can distribute to non-profit organizations. Just yesterday I attended the launch of materials for grades 6 to 9 in Quebec, where an organization had developed a very interesting teacher's guide and guide for students that it is going to distribute. It's talking with contacts in the rest of Canada, and it could possibly be translated and used for classrooms.

We do things in a more informal way.

12:45 p.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

What about small business? How do you reach that group?

12:45 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

For small business we have an online tool already on our website. We go through the organizations that are involved with small business—

12:45 p.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

Do you mean the chambers of commerce and those types of things?

12:45 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

Yes, they are specific organizations that reflect small business. We're particularly talking with the chambers of commerce now to organize activities for the coming fiscal year.

12:45 p.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

One of you indicated that you were looking at a mobile privacy app being developed.

12:45 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

12:45 p.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

Can you comment any more on that? What is the timeframe, or what might the parameters be, or are you that far on yet?

12:50 p.m.

Privacy Commissioner, Office of the Privacy Commissioner of Canada

Jennifer Stoddart

No, I can't. I have someone here who could probably talk to you more about the mobile app. I don't know more about the details, but we're bringing it out.

I can tell you, though, related to that and related to the younger segment of the population, that we're developing a graphic novel on privacy, because young people like to read graphic novels, it seems. This is supposed to be launched sometime in June. I don't know what it's going to look like or what it's about. The theme is “protect your privacy”. It's trying to reach this audience in a way that speaks to them.

12:50 p.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

That sounds interesting and timely in the age we are in today.

Do I still have some time?

12:50 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

You have 30 seconds.

12:50 p.m.

Conservative

Patricia Davidson Conservative Sarnia—Lambton, ON

Quickly, going back to what Mr. Mayes had asked about, if somebody trying to cross the border is incorrectly profiled, is there an option for the individual to report that through your office? How does that work? I think you indicated, too, that audits could be based on concerns being expressed. What is the individual's option in an instance like that?