Information & Ethics Committee on April 8th, 2014

Mr. Chair, thank you to the committee for inviting the Canadian Human Rights Commission to contribute to your study on the growing problem of identity theft and its economic impact.

I would like to introduce my colleague, Maciej Karpinski, senior research analyst with the commission's protection branch.

Today, I would like to touch upon three main points. First, I will briefly talk about the Canadian Human Rights Commission and how we promote and protect human rights, and ensure equal opportunity for Canadians. Second, I will discuss the commission's 2010 report on identity certification and the importance of ensuring that measures used to certify a person's identity comply with human rights principles. Finally, I will share with you our recommendations on how to avoid being discriminatory in this area.

I will begin with a short description of the commission and its mandate.

We are mandated by Parliament to administer the Canadian Human Rights Act and monitor compliance of federal organizations with the Employment Equity Act.

We receive discrimination complaints regarding employment and services provided by organizations under federal jurisdiction. This includes the federal public sector, as well as private sector companies involved in industries such as transportation, telecommunications and banking.

We also participate in major human rights cases before tribunals and courts, including the Supreme Court of Canada.

The commission works to prevent discrimination and promote the development of sustainable human rights cultures. We do this by providing organizations with research, policies and tools to promote understanding of and compliance with the Canadian Human Rights Act.

One of these tools is the Human Rights Impact Assessment for Security Measures, which I will touch upon later in my remarks.

The report you have asked us to speak about today was published in 2010. It was part of a research initiative related to national security and human rights. Our objective then was to help national security organizations strengthen their identity certification practices in a way that respects human rights principles.

While our report focused on national security organizations, its conclusions, we believe, are relevant for any public or private organization that offers services for which identity information is required. We therefore hope that the information contained in this report will be of assistance to the work of this committee.

Our report demonstrates that the most common forms of identity certification tools used are at risk of being discriminatory based on the prohibited grounds of discrimination set out in the Canadian Human Rights Act. And that is for two reasons.

First, the method may be inaccessible to an individual or a group of individuals. Second, discretionary decisions rendered by officers in validating identities may lead to discrimination.

Our report has shown that there are two main types of metric systems used for identity purposes. The first is uni-modal, which is using just one metric of identity information, and the second is multi-modal, which is using a combination of two or more metrics.

For example, a uni-modal system might rely exclusively on fingerprints. This may be inaccessible to people who do not have fingers or whose fingerprints have been affected by their working conditions and/or their age. By contrast our study found that multi-modal biometric systems offer a degree of inclusiveness that can often address the limitations of uni-modal systems. Multi-modal systems not only have the capacity to help protect human rights, but also have the ability to build a stronger and more trustworthy security system.

At the time of the review, the personal identity certifier card in the United States was identified as an effective multi-modal system. This card stores both fingerprints and facial-scanned biometrics for each enrolled federal employee or contractor. Though it primarily uses fingerprint biometrics, digital facial imaging is used when it is not possible for a federal employee or contractor to provide fingerprints, or if there is an anomaly.

In dealing with these important issues, human rights law provides guidance for determining whether an otherwise discriminatory measure can be justified. This includes looking at: first, the extent to which the measure is necessary; second, whether there are less discriminatory ways of achieving the same objective; and third, the extent to which the infringement on human rights outweighs the benefits gained by the measure.

Situations may also arise where users may require an exemption. Policies and practices to reasonably accommodate these individuals should therefore be included as part of the development of any measure. Should there be no reasonable alternative for a given biometric, it is up to the organization employing the biometric to demonstrate that sufficient measures have been taken to explore other less discriminatory ways of achieving similar results.

Based on these principles, we developed the human rights impact assessment for security measures. This tool outlines the steps to take during a security measure's life cycle to ensure that security standards, policies, and practices are both effective and respectful of human rights.

We believe that by applying a human rights impact assessment before a security measure is finalized, we can not only improve a security measure's effectiveness and efficiency, but also save time and money while bolstering public support for new and existing security initiatives.

That is what we mean when we call on organizations to apply a human rights lens to a proposed policy or procedure.

Thank you for your attention. We'd be happy to take your questions.

Good morning, Mr. Chair, and thank you very much.

Good morning to members of the committee.

My name is Susan Gardner-Barclay, and I am assistant commissioner of the public affairs branch and chief privacy officer of the Canada Revenue Agency, or CRA.

I am joined this morning by Helen Brown, our director general of the security and internal affairs directorate at the CRA's finance and administration branch.

We are very pleased to appear before you today to support you in your study on the growing problem of identity theft, by speaking about the measures the CRA has in place to protect taxpayer information.

As one of the Government of Canada's largest institutions, the CRA has more interactions with Canadians than any other department. In 2012-13 alone, over 27 million Canadians and businesses filed tax or benefit returns. The CRA collects approximately $400 billion annually in taxes and duties, and distributes $22 billion in credits and benefits to Canadians. Our call centres receive 20 million calls a year, and we process over 150 million pieces of mail. As a result, we have one of the largest personal information data holdings in the Government of Canada.

The trust that Canadians place in the CRA to protect their information is the cornerstone of Canada's system of voluntary self-assessment. Further, section 241 of the Income Tax Act and section 295 of the Excise Tax Act prohibit the disclosure of taxpayer information by any employee of the CRA unless specifically authorized under these acts. Breach of these provisions is a criminal offence subject to strong penalties up to and including imprisonment.

That's why the CRA has an extensive number of safeguards in place to protect Canadians' personal information and, in turn, reduce the risk of identity theft.

First and foremost, the agency has worked diligently to promote a strong culture of integrity among its employees.

Our code of ethics ensures that staff are aware that the protection of the privacy rights of taxpayers is central to their responsibilities and that this responsibility continues even after they leave the CRA.

In 2012, the CRA launched its integrity framework, all of its policies, programs and systems that work together to protect the integrity of the agency. The framework ensures that the high standards established to protect taxpayer privacy are communicated to all employees and managers, and that the CRA's performance against those standards is carefully monitored and reported.

The CRA also works closely with the Privacy Commissioner of Canada to ensure that protections are strong and any areas of improvement are addressed.

In 2009 and 2013, the Privacy Commissioner conducted audits of the CRA's privacy management regime. In these audits, the commissioner recognized the immense scope and complexity of the CRA's operating environment, as well as the agency's established culture of security and confidentiality. Of course, she also noted areas for improvement that focused on the consistent and timely completion of privacy impact assessments; the completion of risk assessments for all IT systems that process taxpayer information; strengthened monitoring of employee access to CRA computer systems; and improved processes for sharing information internally about privacy breaches. The CRA agreed with all recommendations, and significant progress has been made in responding to them, with many activities already completed.

This includes the creation of the role of chief privacy officer in April 2013. I assumed that role when I was appointed as Assistant Deputy Commissioner of the Public Affairs Branch and Chief Privacy Officer in October of last year.

As chief privacy officer, I am responsible for overseeing all decisions related to privacy at the CRA and to champion and report on personal privacy rights within our organization.

The CRA is also actively pursuing many other program, policy, and technology changes to strengthen our privacy management. These include building on our front-end controls that ensure employees have only the access to CRA computer systems that they require in order to perform their duties, and strengthening our back-end controls to build on our automated systems so that the CRA can better monitor and analyze the full range of actions performed by employees on their computers.

New information-sharing protocols have also been established within the agency to ensure accurate reporting and monitoring of privacy issues, and we have put in place an integrity advisory committee, chaired by the commissioner of the CRA, with an external integrity adviser as part of its membership. We are also conducting an organization-wide exercise to verify that privacy impact assessments are up to date for all agency programs or initiatives requiring one.

The CRA is keenly aware that, due to the nature of the information holdings we have, a breach of personal information may hold the potential for that information to be used in identity theft or other criminal activities.

The nature of information breaches that occur at the CRA is extremely varied, and can range from an employee mistakenly accessing the wrong taxpayer file in the course of his or her work, to misdirected mail, which in fact, constitutes 95% of the CRA's information, data and privacy breaches, and to rare instances where the personal information accessed could potentially be used for fraud or financial gain.

It's important to note that many of the breaches identified by the CRA do not constitute privacy breaches, as no personal information was disclosed. However, when the CRA discovers a privacy breach has occurred, the breach is assessed in accordance with Treasury Board policies and procedures to document and evaluate all potential risks to the affected individual.

In instances where there is reasonable potential that an individual may have been harmed by the privacy breach, that individual is informed. The Privacy Commissioner is also informed according to Treasury Board guidelines.

Before I conclude, l'd like to take a few moments to address what the CRA does to warn Canadians about third party phishing schemes that attempt to masquerade as the CRA in order to gain sensitive personal information from the victim. This year's tax season has seen a significant growth in these types of schemes and the CRA continues to take a variety of measures to warn Canadians about them. Our website provides easy to find information on what these scams look like and what to do to reduce the risks of identity theft. We also use tax alerts and news releases to the media, and frequently highlight this information to Canadians through our corporate Twitter account.

To reach communities such as seniors or other vulnerable groups who may not have access to the Internet, we have a proactive media strategy that offers interviews to specialized media, and in a variety of languages depending on the region, including Punjabi, Hindi, Cantonese, Greek, and Italian. We also have a strong network of intermediaries, seniors and youth organizations, multicultural groups, police associations, tax preparers, among many, who distribute our information to their clients and communities. We partner with other government organizations to spread the word through such events as fraud prevention month. When identity theft does happen, the CRA can and will flag taxpayer files to guard against suspicious activity.

In short, Mr. Chair, the CRA is working to ensure controls are in place, and that we continue to assess and improve those controls.

Our responsibility to protect Canadians' information is fundamental to who we are and what we do, and we continue to dedicate significant effort to meeting the expectations of Canadians in this regard.

We'd be very happy to take your questions.

Let me begin by giving you a bit of context around the numbers that appeared in written question 255, which I think is the question you're referring to.

That response indicated that the CRA had experienced around 2,900 information, privacy, and data breaches in the time period requested. Some 2,800 of those were actually misdirected mail. That constitutes about 0.001% of the 150 million pieces of mail that the CRA handles in any given year.

Having said that, we certainly understand that we need to take strong measures in any instance where a taxpayer's information ends up where it shouldn't be. We do have measures that are aimed at addressing misdirected mail specifically, and my colleague Helen Brown can speak to that.

I'll also mention the number of initiatives that we have put in place as a result of the two Office of the Privacy Commissioner audits we had in 2009 and 2013, which I referred to in my opening remarks.

We essentially now have a tiered response to managing information security and privacy breaches.

Our first line of defence, of course, is our employees. We have a very strong code of conduct that makes it absolutely clear to our employees what their responsibilities are with regard to security management.

We have ongoing staff training and awareness. We have a mandatory course for security for all of our employees at the CRA. We now have extensive information-sharing protocols within the CRA that help us to identify and address breaches when they do occur, particularly between our security and advisory directorate and our ATIP directorate, which has responsibility for monitoring these things.

We now have active controls at the front end of our technological systems which ensure that only the computer systems that employees need to access to do their jobs are those that they can access. We now have very strong back-end controls and are working to actually strengthen those through some technological changes that we'll have in place over the next two years We will put in place systems that will allow us to very carefully monitor employee activity on all of our computer systems, right down to what files they're accessing, how they're accessing them, and what information they're looking at on those files.

We have a very strong regime of policies and practices that go along with that, including a very strong discipline policy that situates unauthorized access as a significantly serious offence within the disciplinary regime. We have a very strong oversight process, which includes my office. It includes the integrity advisory committee that I referred to, and of course, the OPC, which takes great interest in our privacy regime.

Thank you for your question.

It's a very important issue. Our goal would be to have no misdirected mail, if that were possible, and we've put many steps in place.... I don't know when your situation occurred personally, but what we've put in place in the last year is a protocol whereby as soon someone advises us that there has been misdirected mail, our security people get back to them within a day and we find a way to retrieve the misdirected mail.

Our norm is that we're getting it back within four days. Of the mail that's misdirected, we manage to retrieve 95%. We look to see what the cause of the problem was so that we can try to reduce the risk of its happening again, and we advise the taxpayer, if we feel that there's been the potential for harm.

My first response to that question is that as our first line we would try to retrieve it as quickly as possible. The second thing, if we find out about the misdirected mail, is that we advise the taxpayer, if we think there's a risk of harm, and encourage them to contact the CRA. We can either provide them with some support with Equifax, the credit services, and/or we can put a flag on their file so that we are aware that there's a concern there might be identity theft.

There are 150 million pieces of mail that we manage; around 120 million of that correspondence is correspondence coming from the CRA, and the remainder is correspondence coming back in to the CRA. It is 150 million in total.

That's correct.

That's a good question.

It's about 1,600.

We have no evidence that that this has ever occurred. A significant majority of the misdirected mail that is sent out doesn't actually contain any personal information, as well.

We have not looked into the frequency of theft or the frequency of use of information that might have been stolen. What our report focused on was what types of information we're using and what types of metrics we're using to certify the identity of Canadians, whether to gain access to services or access to Canada, etc., and whether those measures are having a negative human rights impact, and what we can do to prevent negative human rights impacts.

We found that ensuring that measures are consistent with human rights principles is not done at the expense of security; it strengthens security. They work together.

We participate quite actively on two levels. The first is around the access to information community. We participate in interdepartmental standing meetings of ATIP personnel. Information is exchanged on best practices. As a matter of fact, we recently gave a presentation to other departments on the creation of the chief privacy officer and its mandate in other departments. Also, Ms. Brown participates in a similar community of departments that look at departmental security measures.