Information & Ethics Committee on Feb. 19th, 2019

CDS works with a limited number of partner departments at a time. We don't have that sort of horizontal data. We aren't privy to the kinds of threats that various departments are seeing in the back-end systems that we don't touch.

That's probably not a question for me.

I don't have the data readily available for state actor versus individual actors. At this point, we're trying to operate with the idea that an attack could come from someone in a basement, all the way to a state actor and everything in-between. We have people who are knocking on the front door of government systems hundreds of thousands of times a day.

We've been able to centralize some of our infrastructure with Shared Services Canada in order to build a moat around this. We've created a new national cybersecurity centre that was launched this year. It's trying to bring the private and public sectors together as well, because an attack on one sector can often bleed into another. Critical infrastructure is an example.

When we're designing our services, we have to bake in security from the beginning. You heard me speak about the architecture review board that we created. The security lens is applied for every major digital project moving forward in the government and over the last 12 months.

I'll start, and you may want to jump in.

Just to be very clear, we're not advocating putting our government information in one big system, one big data lake or one big pool of information.

For example, the Canada Revenue Agency is responsible for the business number in our policies. It doesn't mean that the information is not located in other places as well. We're not advocating for a central system.

I think that—

Yes. For privacy breaches, luckily Ruth's team is responsible for overseeing and being involved in these discussions. On the cyber front, we have another executive director who works closely with Shared Services Canada and with CSEC on major incidents. They do make their way into the office of the CIO on a daily basis.

Ruth, I don't know if you want to comment on privacy breaches and the process.

Yes, I can speak to that a little bit.

Institutions have a responsibility or an obligation under our Treasury Board policies to report privacy breaches that are material in nature, both to the Office of the Privacy Commissioner and to TBS. We work quite closely with the Office of the Privacy Commissioner to compare notes on those reports.

At TBS, we make a range of tools available to institutions to support them to identify, manage and do the reporting aspect of this. We work with the OPC and follow up with institutions where that's warranted.

Yes, from a cultural perspective you heard my colleague Aaron mention the fact that we have to get to a place where escalating issues are not necessarily seen as a negative, but a positive. There have been some good steps taken toward that throughout the public service. We've had a lot of support from senior government officials on the transparency required to raise some of these issues, and we're seeing deputy ministers, ADMs, and DGs asking for an update on the red status of either projects or breaches.

Culturally speaking it's going to continue to be a work in progress. There's some good momentum on that side in the public service from a transparency perspective, but Ruth probably has some details on the two-year action plan we're developing in partnership with the departments and the Privacy Commissioner's office.

We had the benefit of some recommendations from the Privacy Commissioner in his last annual report on exactly this issue and that office's concerns about the varying numbers of breaches reported. Often, the institutions up that decision about what to do and what not to do. I think institutions are working in good faith on that, but we want to be doing some work over the next two years.

We're developing a two-year action plan. We've shared it with the Office of the Privacy Commissioner, because we want their input before it's finalized, and we'll be working in partnership with them to deploy it.

It will be focusing on increasing awareness about the nature of personal information, what a breach is and how to report a breach. Also, at the recommendation of the Office of the Privacy Commissioner, we're focusing a lot of those efforts on the IT and security community, because they are the people on the front lines when there could be a compromise or information could be lost. Therefore, we want to make sure they have the instinct to say that personal information was involved in this.

We have a small team working on this in partnership with government institutions. We're hoping we'll be able to make a difference on that front over the course of the next two years.

Thank you.

Yes. Sign In Canada itself is in its infancy. In the last few years we have been focused on the rules framework underneath it instead of the technology.

We have been working on the pan-Canadian trust framework with the provinces, NGOs, non-profits and the corporate sector as well. It's essentially a set of rules that we all agree to abide by to respect each other's identities.

If a province abides by the pan-Canadian trust framework, it should be good enough for the federal government and for a bank. It's more of a federated model. It matches the governance framework of the country more.

I fall victim to them myself as well, and I have a vested interest in ensuring that these things don't happen.

Sign In Canada will essentially permit you to choose the “no wrong door” approach to services, accessing federal services from a province or a territory, or vice versa, and possibly from your bank as well. We do have the security regime to put this in place, but we didn't have the rules framework in place.

Sign In Canada means that you could have access to ESDC services from CRA. Also, we are in active discussions on possible pilots and projects with the provinces, where we would give federal services through the provincial ID system as well.

It's very different from the Estonian model, which is a singular approach to it. We are taking more of a “no wrong door” approach to services, as long as a rules-based approach is followed.

Yes. As part of the new governance that we put in place roughly 18 months ago when we changed the Financial Administration Act to create standards, we changed the governance process around the architecture review board. It means that any one of these kinds of major projects has to go through this review board, where privacy is looked at.

Another part of this may possibly be legislative impediments as far as data-sharing is concerned, which is another tombstone piece of work that we have to do. We have been in conversations with the Privacy Commissioner's office on those, for example, as well.

I suspect that the dialogue will continue to increase as we do more and more digital services between my office and the Office of the Privacy Commissioner.

We can certainly make any of that documentation available. We've also started a legislative review process, so we can look into—