Evidence of meeting #135 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was going.
A video is available from Parliament.
4:10 p.m.
Conservative
4:10 p.m.
Conservative
Peter Kent Conservative Thornhill, ON
Thank you very much, Chair.
Thank you all for attending and informing us today.
Professor Clarke, you touched on the necessary balance between the public and private sector in developing effective digital government, whether only at the federal level or subsequent levels of government in Canada. We have two examples. One is the failed—or failing—Phoenix pay system, where the procuring agency cut some of the complexities that the digital developer recommended to have an effective system in catching up with contracts, distributing pay and so forth. Then the button was pushed too early on that incomplete system, and we have the disaster we see today.
On the other hand, we have Toronto's Sidewalk Labs, where the city has pretty much given over all control to the Google sibling Sidewalk Labs and allowed it to develop...in great secrecy—more secrecy than many Torontonians and digital authorities would like, to the point that Jim Balsillie, formerly of BlackBerry, said, “[it] is not a smart city. It is a colonizing experiment in surveillance capitalism”.
How do we find that balance? Does government have to better educate itself to be an informed buyer and an informed overseer of the way a digital government service would be developed and operated?
4:10 p.m.
Assistant Professor and Public Affairs Research Excellence Chair, School of Public Policy and Administration, Carleton University, As an Individual
That's a great question.
I didn't have time to bring it up in my remarks. I think that, if you're focusing on the question of digital service, design and delivery, procurement is a huge part of that conversation.
I think there are two interesting things happening in the procurement space right now. One, as I mentioned in my remarks, is that, early on, a lot of digital government enthusiasts, particularly with the dawn of open data, thought that governments wouldn't have to produce a lot of their digital services. That model didn't pan out, for a number of reasons. One of the big ones was that there are a lot of core services that governments are going to have to continue to develop, both citizen-facing but also internal corporate systems such as pay systems or email systems. In response to that, one of the things we've seen is an interesting return to the state on the procurement front, where we're seeing leading digital governments investing quite a lot in their internal capacity to be smart shoppers in this space.
I would say that both Sidewalk Toronto and the example of the Phoenix pay system originated in part from the same problem. In the case of Toronto, the waterfront board—and in the case of the Government of Canada, I guess it would have been Public Works—didn't have sufficient expertise to make smart choices about what systems they needed. This is part of what something like the Canadian digital service is attempting to remedy by bringing people in-house in government who can design contracts sensibly to procure what they need.
The other interesting thing that I think is happening in this space is how we originally ask what we need from the system. This is moving away from designing, in particular, citizen-facing services around government structures and internal government needs. Instead, it is borrowing from a field of work called design thinking to begin early on with deep research into users and how they're going to use the service. You would then structure any procurement you might need to do and any service design around that.
Something like Phoenix could have been prevented in many ways by doing that kind of work early on and realizing the complexities of the system and what you would have needed. That user testing allows you, in particular, to experiment on a small scale before you sign onto a long-term contract—what we call legacy contract—which often anticipates what you're going to need from a digital service before you've even tried it. If you look historically and globally at the big IT failures, you see that it's these legacy contracts that didn't begin with small-scale user testing that lead to the big failures we see. HealthCare.gov was mentioned, for example.
4:15 p.m.
Conservative
Peter Kent Conservative Thornhill, ON
Professor, thank you very much. That was very helpful.
Professor Roy.
4:15 p.m.
Professor, School of Public Administration, Dalhousie University, As an Individual
The Sidewalk Labs example is interesting. I'm a little more hopeful on that front that, perhaps, with more transparency and open negotiation, a framework will emerge that balances the public and private interests. I think these sorts of examples are going to be very important to learn from going forward.
The one additional point I would make, beyond Amanda Clarke's comments, is that there needs to be a mechanism in place to facilitate the public dialogue that we're talking about. I know that right now the Government of Australia is appointing and creating the position of a new chief data commissioner. I can't speak to it in too much detail, so I won't pretend to be an expert there. The U.K. government, of course, has a chief data officer.
As important as the Privacy Commissioner is—and I'm not suggesting a diminishment of his role in any way—there does need to be a way of thinking about data as an open asset as well, and engaging with the public and stakeholders about what the appropriate trade-offs are in moving forward. The idea of having a position, whether in the executive branch or a new potentially independent position, that could reach out to the citizens more could be one way of facilitating the public dialogue that we're all in agreement is required going forward.
4:15 p.m.
Lecturer in Public Policy, Digital HKS, Harvard Kennedy School, As an Individual
I will just make two comments.
First, I would say that one thing that makes this topic particularly challenging and that I want to make sure we understand in this room is that we're talking about moving from systems that we call vertically integrated, in which you're dealing with a system such as passports, to a system in which we're thinking about something that combines levels of horizontal systems that enable you to then quickly deliver new services on the top, so that the passport delivery reaches in and grabs information from various horizontally layered services.
The reason I appreciate your question, Mr. Kent, is that I am much more concerned about the governance when you have these horizontal layers, because if you get the governance wrong on something that's vertically integrated, it's very costly—to speak to Professor Clarke's point—but it can be remedied over some medium- or long-term piece, and it doesn't impact all the other things that are going on in government. If we get the governance wrong for one of these horizontal layers, however, it's actually quite serious, because then everybody who builds on top of it is impacted by it.
It's absolutely imperative, then, that this committee think very deeply about the privacy implications, the security implications, the design implications of this approach, because it has knock-on effects for what happens to everybody else.
I think it's very likely that some of these horizontal layers will be held and owned by the private sector. It is unlikely, for example, in the long term, that the Canadian government will build and maintain its own cloud. It will probably have a private sector actor doing that.
One thing that then becomes potentially challenging is that the private player is determining what investments to make, how to expand that infrastructure and what future capabilities it's gong to have. Those choices will constrain what the Government of Canada can do and may even be made in a way that constrains us from choosing competitors when building things further downfield.
We'd better be really sophisticated and nuanced, therefore, in understanding how these players are acting, because they may choose to constrain us in ways that are not immediately apparent to us.
4:20 p.m.
Conservative
4:20 p.m.
NDP
Charlie Angus NDP Timmins—James Bay, ON
Thank you, Mr. Chair.
Well, I have my government phone here and I get messages all the time telling me that I have to do such-and-such function right away, and I try to do the function and then it says that I'm not allowed to do it, because it won't recognize my phone.
That's all interesting, but it's not what our committee is here to discuss. We are the privacy, ethics and accountability committee; we're not the government operations committee. There are many cool things and many neat things we could do. We could try saying that we're doing better government services, and if we believe that we can turn it all around, I think that's great. But our committee's job is to protect citizen rights, end of story.
I am a little concerned, Mr. Eaves. Maybe I heard wrong. Were you quoting Nora Young when you talked about citizens having to be data activists and governments having to challenge privacy rights? What was that quotation?
4:20 p.m.
Lecturer in Public Policy, Digital HKS, Harvard Kennedy School, As an Individual
I don't think that was me, sir.
4:20 p.m.
Professor, School of Public Administration, Dalhousie University, As an Individual
That was me.
The quote itself was limited to the “data activists” part. It wasn't suggesting that citizens need to challenge governments, just to be clear on that.
4:20 p.m.
NDP
4:20 p.m.
Professor, School of Public Administration, Dalhousie University, As an Individual
I was pointing out that sometimes governments need to restrict privacy rights for a variety of reasons or think about limits to privacy rights, whether for service improvements or service integration in terms of information sharing, or for a whole host of security reasons when information is shared for a variety of reasons in terms of focusing on public safety and things of that sort.
I wasn't suggesting that governments don't respect privacy rights. I'm just suggesting that privacy is one consideration that governments need to balance with other considerations. Nora Young's point was more that citizens need to have a certain sense of responsibility for their own data ownership and to be thinking about what transpires with their data and doing their best to try to understand it.
4:20 p.m.
NDP
Charlie Angus NDP Timmins—James Bay, ON
Okay, thank you.
Mr. Eaves, I was very interested in your saying that you were more concerned about what your own government will do with your information. We are told all the time that people get information only for good reasons. Police go to get information from telcoms only because it's important, but they do it time and time again without a warrant, which undermines basic principles of the judiciary.
In Canada, time and time again, we have issues of private information that has been gathered. How do we secure the rights of citizens, maybe from the security state, or maybe from people who think that someone may be a terrorist or that someone is just problematic? They have the capacity to access all that data without any protections.
Are you concerned about limits and how we protect citizen rights?
4:20 p.m.
Lecturer in Public Policy, Digital HKS, Harvard Kennedy School, As an Individual
My second grand point was about our breaking the social contract. I think some people don't trust the state, so they don't want to share information at all. Others think the state is simply not capable, so they're happy to hand over data because they don't think the state is actually capable of weaving that data together to do anything interesting with it. Other people are quite comfortable and don't mind; they trust the government.
I think the model that we're talking about with the Estonians is just so radically different from what we have today that we need to have a very intentional dialogue about what the new social contract might look like. In Estonia, one thing they do that I think is an important piece of that social contract is logging who's accessing information about, say, Mr. Angus. You can log in at any point and see who took a look at your data, and then you can complain. You can ask why this police officer or this doctor is looking there. I was talking to the chief information officer of Estonia, and he said that in the early days they prosecuted some people very aggressively who were looking at data they shouldn't have, in order to reset the culture inside government about what was appropriate behaviour.
My sense is that this type of activity is probably going to have to happen with us, but it will need to be balanced with the police forces, who are going to want access with a legitimate warrant.
4:20 p.m.
NDP
Charlie Angus NDP Timmins—James Bay, ON
For sure, if anything, it would be with a warrant. With government, we've had CRA people who have spied on people's financial information. If there is a protection mechanism so we can actually see that something has been looked at.... Maybe sometimes it legally is—and if it's legal to look at it, then it's useful—but we need to know that.
I'm concerned, though, about what you said about the building of the infrastructure. Is it going to be public? Is it going to be private? We have the issue with Sidewalk Labs and Google. Google was kicked off Apple's apps because they couldn't be trusted and they were spying on people, and yet we're going to let them do the infrastructure of a major urban city. How do we say that, if we're going to have public spaces, they're going to be...? How do we trust Google? I don't trust them.
Amanda Clarke asked if she could answer that.
4:25 p.m.
Assistant Professor and Public Affairs Research Excellence Chair, School of Public Policy and Administration, Carleton University, As an Individual
I think you're right to bring up the Sidewalk Toronto example as something we wouldn't want to emulate, but perhaps that's just where that begins and ends. I think the one thing we can learn from that disaster is exactly how this committee and other policy-makers shouldn't structure the involvement of private actors in digital service delivery or in digital projects.
I agree with Mr. Eaves that there will invariably be private actors involved in the infrastructure, which our governments are going to be relying upon to protect privacy, but also to design and deliver services and manage data.
I think the real question becomes, how can we structure those contracts in a way that allows us to prevent some of the problems that I think Mr. Eaves has rightfully put on the table? But also—
4:25 p.m.
NDP
Charlie Angus NDP Timmins—James Bay, ON
I just have a minute left, so I'm going to have to interrupt you there.
4:25 p.m.
Assistant Professor and Public Affairs Research Excellence Chair, School of Public Policy and Administration, Carleton University, As an Individual
Yes, of course. Go ahead.
4:25 p.m.
NDP
Charlie Angus NDP Timmins—James Bay, ON
On indigenous data, I worked for a first nation government. They always said, “Just give us your data. We love you people. We want to work with you. Give us your traplines. Give us your sacred sites and we'll help map them.” The only power the community had was their data, because Indian Affairs controls everything else. The communities are not going to turn over their data.
How do you think we can have a conversation about the rights of indigenous sovereignty, given the 250 years of bad faith in Canada? How can we have a conversation about what data means to an indigenous community and how to protect it? I think it's very important that you raised that.
4:25 p.m.
Assistant Professor and Public Affairs Research Excellence Chair, School of Public Policy and Administration, Carleton University, As an Individual
Yes, I think those are all key questions. As I said, this isn't my area of expertise. There is some really interesting work that OpenNorth has led, working with first nation communities in B.C. There's also some really progressive work in this space from New Zealand. I really think that bringing some indigenous voices to the table here would be important, because, as you note exactly, data is power. Data is power that these communities have, and traditionally, Canada has not used data in ways that lifted up indigenous communities, to put it softly. Quite frankly, I think we can find very good examples of data being used to marginalize and oppress. It's part of a violent colonial history. So, it's a really important piece of this discussion that needs to take place here.
