Information & Ethics Committee on April 1st, 2014

Evidence of meeting #16 for Access to Information, Privacy and Ethics in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was documents.

A video is available from Parliament.

On the agenda

Growing Problem of Identity Theft and its Economic Impact
Committee Business

MPs speaking

Pat Martin
Mathieu Ravignat
Paul Calandra
Laurie Hawn
Lawrence MacAulay
Patricia Davidson
Scott Andrews
Alain Giguère
Jacques Gourde
Bob Zimmer
Tilly O'Neill-Gordon

Also speaking

Louis Beauséjour  Assistant Deputy Minister, Integrity Services Branch, Service Canada, Department of Employment and Social Development
Robert Frelich  Director, Enterprise Identity Services Divison, Service Canada, Department of Employment and Social Development
Lu Fernandes  Director General, Passport Program Integrity Branch, Department of Citizenship and Immigration
Michael Jenkin  Director General, Office of Consumer Affairs, Department of Industry
Peter Bulatovic  Director, Investigation Division, Passport Program Integrity Branch, Department of Citizenship and Immigration

11 a.m.

NDP

The Chair NDP Pat Martin

Good morning, ladies and gentlemen.

We will convene the meeting. We're here today to study the growing problem of identity theft and its economic impact. We're pleased to begin our study with witnesses from the Department of Employment and Social Development, Mr. Louis Beauséjour and Mr. Robert Frelich. That will be from 11 to 12, and then a separate panel will begin.

Mr. Beauséjour and Mr. Frelich, you have about 10 minutes for opening remarks, and then we'll open it up to questions from the floor.

You have the floor, sir.

11 a.m.

Louis Beauséjour Assistant Deputy Minister, Integrity Services Branch, Service Canada, Department of Employment and Social Development

Mr. Chair, members of the committee, good morning.

My colleague Robert Frelich and I are pleased to appear before the Standing Committee on Access to Information, Privacy and Ethics.

We are pleased to provide you with information that will assist you in your study on the growing problem of identity theft and its economic impact upon citizens and businesses, and the steps that businesses and law enforcement agencies are taking to protect Canadians from identity theft.

One of my duties as Assistant Deputy Minister of Integrity Services at Service Canada is to implement processes and administrative measures linked to the issuance of social insurance numbers.

As you may know, Service Canada is the service delivery arm within Employment and Social Development Canada. The department delivers over $100 billion in programs and services every year related to different programs, such as employment insurance, Canada student loans, Canada pension plan, and old age security. And the social insurance number is used by all of these programs.

But the use of the social insurance number is not limited to Employment and Social Development Canada. Many other federal departments and agencies, such as Canada Revenue Agency, RCMP, Canada Border Services Agency, and Department of Justice, use the SIN and the social insurance register, or the SIR, on a daily basis.

As the SIN is an important element to ensure that the right benefit is provided to the right person at the right time, it plays a central role in identity management.

Today I will explain how our practices in the issuance of the social insurance numbers and the administration of the social insurance register improved over the years to increase the integrity of the social insurance number program and to reduce the impact and the incidence of identity fraud.

The evolution of the SIN program can be broken down into four periods with respect to integrity measures put in place to protect the SIN.

The first period is what I call the early years, from 1964 to 1976. The SIN program began in 1964 as a register for two federal government programs: unemployment insurance, now employment insurance, and the Canada Pension Plan.

Shortly afterwards, its use was extended to the Canada Revenue Agency for tax reporting purposes. Since then, the SIN program has grown to become a unique identifier for more than 50 federal programs or services and is a staple in the lives of Canadians.

At that time, there was little integrity in the issuance of social insurance numbers. For example, employers were allowed to ask for SINs to be issued to employees, clients were not required to present identification, and if someone had lost their SIN, another number was issued and assigned to them.

The second period is from 1976 to 1996. I will qualify that period as a time of increased integrity of the paper-based processing of SIN issuance.

Starting in July 1976, the SIN program began requiring clients to provide identification documents to prove their identity, and applications for a SIN had to be made by the client. Employers could no longer request a SIN to be issued for their employees.

At the beginning, a large number of identity documents were accepted for SIN issuance, including secondary identity documents, such as a driver's licence. However, at the end of this period, almost all secondary documents were no longer accepted for SIN issuance, and SIN agents were using primary documents such as birth certificates and documents issued by Citizenship and Immigration Canada.

In the period spanning from 1996 to 2006, we began transitioning from a largely manual and paper-based approach to integrity towards system changes that would begin to automate integrity measures.

In November 1996, the first of such changes was implemented. An electronic link with Citizenship and Immigration's database was established, allowing for the verification of identity and status of permanent and temporary residents who arrived in Canada after 1972.

In 1998, the Office of the Auditor General began looking closely at the SIN program. I would like to take a few moments to share with you the various conclusions the office reached, because that period was a seminal moment in the administration of the SIN and the SIR.

In its 1998 and 2002 reports, the Auditor General's main findings were that the proof of identity procedure needed to be improved, that existing information sources had to be used more effectively, that the information in the SIN database was not always complete and accurate, and that there were more SINs in circulation than there were Canadians over the age of 20.

To address these issues, important initiatives were implemented with regard to the administration of the SIN and the SIR which had positive consequences on government efforts against identity theft and fraud. We implemented the dormant flag, introduced an expiry date for social insurance numbers issued to temporary foreign workers, and developed a proof-of-identity internal intranet reference website.

The dormant flag identifies SINs that have not been active for a period of five consecutive years or more—meaning that there was no income-related activity, such as filing taxes, or interaction with government programs during this period. Since then, someone with a dormant flag on their SIN file must provide original proof of identity to have their SIN reactivated, an original birth certificate if born in Canada, or Citizenship and Immigration Canada documents if born outside of the country.

This reactivation is done either in person at a Service Canada centre if they reside in Canada, or by mail if they reside outside of Canada. In addition, to better assist agents in detecting potential identity fraud and theft, the SIN proof-of-identity internal Intranet reference website was developed in 2003. Through this website, agents responsible for the issuance of SINs have access to detailed information on what to look for in identity documents to ensure their authenticity.

Building on the recommendations to make better use of different sources of information, the department signed agreements with all 10 provinces, beginning with Ontario in 2005, to develop electronic links between provincial vital statistics agencies and the Social Insurance Register. Under these agreements, we are able to validate the information found on provincial birth certificates, as well as to receive death data from provinces which is matched against the SIR. This allows us to identify records of deceased individuals, preventing further payments from federal programs from being issued.

Moreover, these agreements integrate the ability for parents to apply for a SIN for their child at the same time as they register the birth with provincial authorities.

Finally, in the most recent period, since 2006, the department put in place two important features to assist the administration of the SIN: the certified training of agents and the SIN code of practice. Through our certification program, agents are specifically trained in the issuance and administration of social insurance numbers, and since 2006, only certified agents can issue SINs to clients. The SIN code of practice, which is a public document available on our Internet site, provides standards and guidance to users of the SIN—individual Canadians, employers, or other stakeholders—in understanding their responsibilities with respect to the SIN.

For instance, the code advises employers on how to handle employee information, especially social insurance numbers. It emphasizes employers' key role in detecting and preventing SIN related fraud, as illegal employment and income tax evasion are two of the main motives for this type of fraud. In the code, employers are prompted to immediately report suspected misuse of a social insurance number to Service Canada.

We began receiving birth and death data electronically from Ontario in 2006.

The first province to have validation of birth certificate information was British Columbia in 2008. Currently, there are electronic links with eight provinces, with the remaining two planned to be in place by 2016.

We are pleased to report that our work and efforts were recognized by the Office of the Auditor General in 2009 and 2011. The Auditor General recognized the measures taken by the department to address concerns of past audits, indicating that the department achieved significant improvements on the issues that have been raised.

Now, l'd like to talk about the two most recent initiatives made to the SIN program aimed at increasing its integrity: the redesign of the SIN mail channel and the termination of the SIN card. Given that SIN applications by mail represented only 4% of the 1.5 million SIN requests processed in a year, that approximately 55% of these requests were rejected due to errors in the application forms, and that the mail channel's identity management measures were not as robust as those of the in-person channel, SIN requests can no longer be made by mail, except for individuals in remote areas, or by those who have extenuating limitations, or by those who are from outside the country.

The department was also aware of integrity issues related to improper use of the SIN card. The SIN card was never intended to be an identity card as it does not contain any security features or identifying attributes. However, the convenient wallet-sized format of the SIN card led many recipients to carry it in their wallet, despite the department advising not to do so. As of yesterday, individuals no longer receive a SIN card, but instead receive their SIN in a letter. This initiative will contribute to the prevention of identity theft and fraud related to the potential loss or theft of SIN cards.

The social insurance number is central to the administration of many programs. Since 1964, we have made much progress in developing a robust social insurance number program that assists departments and governments in the administration of their benefits, while protecting clients from identity theft and fraud.

We are continually working with key stakeholders, such as other government departments, the provinces and territories, and the private sector, to identify what more can be done to reduce risks of identity fraud and theft. We are also regularly assessing our processes and policies to make them more secure and more robust, while providing a high level of services to Canadians.

We would be pleased to answer any questions you may have.

11:15 a.m.

NDP

The Chair NDP Pat Martin

Thank you very much, Mr. Beauséjour.

We will begin immediately, then, with the official opposition and Mr. Mathieu Ravignat.

11:15 a.m.

NDP

Mathieu Ravignat NDP Pontiac, QC

Thank you, Mr. Chair.

Thank you to the witnesses for being here.

It wouldn't be an understatement to say that Canadians are worried about their private information and that the possibility for breaches of their private information have increased since the advent of various social media. The legislation we have in place is definitely not robust enough or even modernized enough to ensure the protection of Canadians and their private information. I think the apparatus of government is suffering a little bit from that as well.

I have a more specific question for you. In the privacy commissioner's report tabled recently, we can find the following paragraph on page 21:

Notwithstanding the above, we would like to highlight that there may have been more personal information compromised as a result of the loss of the hard drive than was reported by ESDC to affected individuals.

Would you care to elaborate on why compromised personal information was not disclosed to individuals specifically? Why didn't the ministry choose to report this?

11:15 a.m.

Assistant Deputy Minister, Integrity Services Branch, Service Canada, Department of Employment and Social Development

Louis Beauséjour

I'm not well placed to talk about all the details of that specific breach, because I'm not directly in charge of the program where it occurred. My understanding is that we were moving really fast to try to inform clients and that we didn't inform them of the key elements of information that we understood could have been on the hard drive at the time.

11:15 a.m.

NDP

Mathieu Ravignat NDP Pontiac, QC

So why do you think the commissioner has said more personal information compromised may have not have been reported to affected individuals?

11:15 a.m.

Assistant Deputy Minister, Integrity Services Branch, Service Canada, Department of Employment and Social Development

Louis Beauséjour

Do you mean which information that could have been? I don't have that detail with me.

11:15 a.m.

NDP

Mathieu Ravignat NDP Pontiac, QC

Okay. It would be interesting if you could forward that information to the committee because it's pretty fundamental that Canadians know and the affected individuals know all the types of information that were lost in their cases, and that be....

11:15 a.m.

NDP

The Chair NDP Pat Martin

I was just going to interrupt, Mr. Ravignat, as well, but go.

We'll let you have the point of order.

11:15 a.m.

Conservative

Paul Calandra Conservative Oak Ridges—Markham, ON

The witnesses are here to talk about identity theft. They are not here specifically to talk about the report so they wouldn't be prepared in any way to talk about the report or the breaches.

Now I would imagine we can certainly talk about issues around protecting identity, but I'm just not sure whether we're giving the witnesses.... We're putting them in a very bad position to try and talk about a report when we didn't actually invite them here for that purpose.

11:15 a.m.

NDP

The Chair NDP Pat Martin

Let me just deal with it as a point of order. You're challenging relevance, I think, would be the only legitimate point of order you might be raising, and I would rule you don't have a point of order. Questions of that nature are certainly relevant to the subject matter we're talking about.

But I wanted to be clear. Mr. Ravignat, are you making reference to the loss or theft of the student loan records within the—

11:15 a.m.

NDP

Mathieu Ravignat NDP Pontiac, QC

That's correct. Yes.

11:15 a.m.

NDP

The Chair NDP Pat Martin

—580,000 student loans or student loan information?

11:15 a.m.

NDP

Mathieu Ravignat NDP Pontiac, QC

That's correct, Mr. Chair.

11:15 a.m.

NDP

The Chair NDP Pat Martin

I'm going to allow the line of questioning. I don't see it as a legitimate point of order.

Answer to the best of your ability, Mr. Beauséjour.

11:15 a.m.

NDP

Mathieu Ravignat NDP Pontiac, QC

So you would be willing to forward that information to the committee?

11:15 a.m.

Assistant Deputy Minister, Integrity Services Branch, Service Canada, Department of Employment and Social Development

Louis Beauséjour

The department will be forwarding that information.

11:15 a.m.

NDP

Mathieu Ravignat NDP Pontiac, QC

Thank you for that.

Although the Minister of Employment and Social Development said that he accepted the Privacy Commissioner's recommendations, as noted in the report, the half-million Canadians who were the victims of the loss of these records expect their government to take action.

What real measures are you going to take over the next few months to respond to the commissioner's recommendations?

11:20 a.m.

Assistant Deputy Minister, Integrity Services Branch, Service Canada, Department of Employment and Social Development

Louis Beauséjour

As we indicated in the report, we have already taken a certain number of very real measures to respond to these recommendations.

In light of the incident we immediately reviewed and reinforced our procedure and protocol involving IT security specifically pertaining to the handling of personal information on portable storage devices such as USB keys and external hard drives.

As well we took action to strengthen training for employees regarding the proper handling of sensitive data such as personal information.

To be a bit more specific we have new stricter protocols that have been implemented. Unencrypted external hard drives are no longer permitted in the department.

11:20 a.m.

NDP

Mathieu Ravignat NDP Pontiac, QC

Were these measures in place in 2013?

11:20 a.m.

Assistant Deputy Minister, Integrity Services Branch, Service Canada, Department of Employment and Social Development

Louis Beauséjour

In response to the events in 2013, we implemented them immediately. We did not wait for the Privacy Commissioner's recommendations to improve measures that were already in place at the time, in order to reinforce the protection of private information.

11:20 a.m.

NDP

Mathieu Ravignat NDP Pontiac, QC

Very well. Thank you.

In a digital world, it's important the loss of information be dealt with in a very rapid way because of the consequences, but it took two months for some of these cases to be revealed.

Can you explain to me why it took that long?

11:20 a.m.

Assistant Deputy Minister, Integrity Services Branch, Service Canada, Department of Employment and Social Development

Louis Beauséjour

There are a number of things the department had to do. It took a bit of time before we realized the hard drive was missing. After that we did a number of searches in the building to find the hard drive. After that it also took some time to determine what was specifically on the hard drive. Those are all the different things that were between the time we found the hard drive and the time we were in a position to report.

11:20 a.m.

NDP

The Chair NDP Pat Martin

Thank you, Mr. Beauséjour. We'll have to leave it at that. Thank you very much.

Your time is up, Mr. Ravignat.

Next, for the Conservatives, is Mr. Laurie Hawn.

April 1st, 2014 / 11:20 a.m.

Conservative

Laurie Hawn Conservative Edmonton Centre, AB

Thank you, Mr. Chair.

Thank you to our witnesses for joining us.

I'd like to talk about not so much the misplaced records, because it's hard to tell, if x number of records are misplaced for whatever reason, what the net result is.

Can you speak about the frequency of actual breaches, of cases in which somebody has actually used someone else's SIN card or SIN inappropriately?