Evidence of meeting #133 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Lara Ives  Executive Director, Policy, Research and Parliamentary Affairs Directorate, Office of the Privacy Commissioner of Canada

3:50 p.m.

Conservative

The Chair Conservative Bob Zimmer

You're out of time.

3:50 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Thank you.

3:50 p.m.

Conservative

The Chair Conservative Bob Zimmer

We'll go to Mr. Kent for the next seven minutes.

3:50 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Thank you, Chair.

It's good to see you again, Commissioner, and your partners today at the table.

Given the significant differences between the Estonian model and Canada today.... The digital identity in Estonia covers literally a person's entire lifetime, not just their health and tax information but their education.... It covers just about every aspect of their daily life.

From reading your remarks, you seem to see the first stage of digital government, should it come to Canada, as beginning at the federal government level alone. Is there any practicality in trying to get into those areas where there is a sharp divide and no overlap with provincial and municipal jurisdictions?

3:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

A very significant difference, of course, between Estonia and Canada is that we're a federal state whereas they're a unitary state. That creates certain difficulties in Canada in setting up a system, difficulties of various orders. These could be technological, but there are also different administrations and different legislation. I don't think it's inconceivable that there could be a system that would share information between the federal and provincial governments, but given the complexity of the Canadian federal state, it's probably more practical to start at one level.

3:50 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Did you observe or have you read the transcript of Dr. Cavoukian's and Dr. Geist's appearance before committee this week?

3:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

3:50 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Could you offer some of your general observations? Dr. Cavoukian had some very significant concerns.

3:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I'll put it in my terms.

I think the Estonian model is interesting in that the risk of digitized government services based on a common digital identifier, in the worst-case scenario, would be that the government, whether only the federal government or governments generally, would have a single profile of that individual. That is, of course, very difficult to reconcile with privacy.

One of the apparent virtues of the Estonian model is that the data is not centralized. It continues to reside in a large number of institutions, and there's a technological pathway with appropriate legal authority authorizing the information to be reused from one department to another. The decentralized aspect of the Estonian model, I think, at first blush, seems a positive feature that reduces what would otherwise be a risk.

You mentioned concerns that were expressed.

3:50 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Yes.

3:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Can you be more specific?

3:50 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

I don't have the transcript in front of me, but basically, as I read many of the remarks that Dr. Cavoukian returned to, the cybersecurity of that digital information as it moves from the several repositories to whoever is requesting or accessing that information is vulnerable. The guarantees of absolute security do not yet exist.

3:55 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

There is no question that technological systems are vulnerable to breaches. I'm not sure there will ever be a system that is free of that risk. I think, legally speaking, if digital services occur, it's important that there be a legal obligation for government to apply strong technological safeguards. Technologically, in Estonia, as you know, there are blockchains and encryption. These are state-of-the-art systems. Do they guarantee that there will not be breaches? No.

3:55 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

In your opening remarks you mentioned trust and consent. Again, a significant difference between Estonia and Canada is a very compliant population after the breakup of the Soviet Union, and a very forceful new democracy determined to create digital government from scratch.

Given Canadians' natural skepticism and generational cynicism about the digital world, and given Cambridge Analytica, Facebook, AggregateIQ, all of the scandals and now controversy over Sidewalk Labs and people's concern about exposure, privacy, personal content, who owns what and how it's accessed, do you think that on that level alone it will be an uphill battle to get the consent of Canadians for this kind of digital government in any reasonable period of time? I'm talking about perhaps a decade, in our lifetimes.

3:55 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I think Estonian officials mentioned that even in Estonia, the systems are not implemented overnight. There are a number of steps.

I think technological safeguards are crucial. Legal safeguards are crucial. I will say that probably incremental implementation, where government has a chance to demonstrate that the system deserves trust, may lead us towards trust in the population. There's no question that currently, Canadians are concerned that their privacy is not being respected.

3:55 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Thank you.

3:55 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Kent.

Next up for seven minutes is Mr. Angus.

3:55 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Thank you, Mr. Chair.

Mr. Therrien, it's always a pleasure to have you at our committee.

I want to follow up on your final statement about the question of trust and whether or not Canadians should be expected to trust a system such as this.

On my beat in this file over the years, I've seen that every year we have data breaches. Some are extremely significant data breaches, such as the loan information of a quarter million or more students, and recently, 80,000 individuals compromised through CRA.

In your work, is the number of breaches changing because technology is changing? Is it a standard...? Year in and year out, are we seeing some pretty significant, plus smaller, breaches? In terms of government departments, are you seeing much of a change?

3:55 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I would not say that we're seeing significant improvement in these matters. It's a huge challenge to build that trust; there's no question.

I'll use an example, because I think it's telling on many levels. As you know, the government implemented a pay system called Phoenix that was criticized on a number of levels. We, the OPC, investigated the security and privacy safeguards that were in place, or not, with respect to the Phoenix system. One of the very concerning things we found during that investigation was that there was a deliberate decision by government officials not to put in place strong monitoring of who had access to personal information in the system, because it would be costly, would delay the system, and so on and so forth.

Directly to your question, I don't see many improvements. I would say it is absolutely essential that before these systems are implemented more broadly—to go back to attitudes—that government officials have an attitude of ensuring that safeguards are in place before the systems are implemented.

4 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

I thank you very much for that response. It leads me into where I was concerned.

I've been here 15 years. I see my colleagues on the other side and they're flush with the hope of new believers that we have finally come to the kingdom of salvation and government will work; whereas, over the years I've become a skeptic, an agnostic.

4 p.m.

Some hon. members

Oh, oh!

4 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

I'm like the St. Thomas of government operations. I've sat on committee after committee where we were sure that bigger was better, that government always.... Whenever they were looking for who was going to get the contracts, they wanted to go as big as possible. Bigger was not better. Bigger was much more expensive. Bigger was always tied with deals, and the deputy ministers and who got the deals and who didn't.

Then we had Phoenix. I guess I would turn around to citizens in my riding and say, “Look at Phoenix. Do you trust?” In terms of the safeguards that need to be in place, would you not think it would be an extremely complex set of safeguards, that we would be able to assure Canadians that they can trust all their financial information, all their personal information, their life history with a department or a government that has, year in and year out, serious breaches in many and almost all of the serious, major departments?

4 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

It's complex, but I would say it's within human capacity. It probably speaks to the need to implement this incrementally because systems cannot be changed overnight, so you start incrementally, I think. Of course, I would start with...there is no choice but to make government services digital for all kinds of reasons, including to improve services to the population. It's not a question of not doing it because it's too complex and daunting, but in implementing this policy there should not be short shrift given to policy safeguards, legal and technological safeguards.

4 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Thank you for that.

Certainly, I know the people I deal with would prefer to have people actually answering phones if they had questions as opposed to getting their digital data quicker. We will always see them go with digital solutions as opposed to having people answer the phones.

I'm concerned about whether this is a one-way path or a two-way path. If I want to find my CRA information and I have a digital card, I can find that. It was suggested by one of my Liberal colleagues that it would be a great way for government to contact citizens.

To me, that's very concerning. If I am obligated to do everything online, if I have to give all this information online, there's the necessity, I think, of saying that this is so I can obtain services I want, but not necessarily for government to be able to contact me about what they want.

Do you see that if we have a two-way communication, it changes the nature of this, and the privacy rights of citizens become much more at risk from potential abuse?

4 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

The situation you describe is exactly why I say it is essential to look very closely at the legal framework within which either data will be shared from one department to another, or a second department will be able to reuse data that the first department has à la Estonia.

It starts with the right legal framework, which limits the circumstances where a department calls on a citizen because another department has offered a service. That's extremely important. We have rules already in sections 4 to 8 of the Privacy Act. Yes, they can be reviewed, but it's not a bad place to start either. That's an important part of the foundation. Then I think the technology follows the principles that have been adopted with safeguards ensuring that, technologically speaking, data banks cannot talk to each other unless there's a legal authority to do that.

It starts with a well-defined and well-thought-out framework. Call it sharing. Call it reuse of information.