Evidence of meeting #136 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was services.
A video is available from Parliament.
Conservative
The Chair Conservative Bob Zimmer
I just have one last question.
Mr. Benay, you talked about using Google Docs as part of the interaction, I guess, with our citizens. It's ease of interaction, too, is key to it all. But one thing our committee's been concerned about is the state of collection and the huge data companies that they are, whether Amazon, Google, Facebook, etc. We see this marriage happening: It might be that we eventually go to vote on Facebook. Maybe there's an app that we use. Maybe that's a subjective thing to think about, but a concern to a lot of us in this room.
As you're part of our bureaucracy that's making this system for government, what recommendations, regulatory-wise, would you make on some of these big-data platforms? You've established the fence around our data, as Canadian citizens.
Maybe this is more for Mr. O'Brien. What regulations would you, in your personal opinion, apply to these big-data companies?
Director, Security and Engineering Reliability, Canadian Digital Service, Treasury Board Secretariat
I think that in terms of regulation, I would completely pass that over to Alex.
I'm going to go back to my earlier point that—
Conservative
The Chair Conservative Bob Zimmer
Let me ask it as a citizen, though. You're ones who use these. You use Google, I'm sure, and all the rest of them.
Director, Security and Engineering Reliability, Canadian Digital Service, Treasury Board Secretariat
I think transparency is the key in that. I'm not going to speak ill of any companies, but there are some companies that are very good about being transparent in how they do security of their cloud services, for example. Google, Microsoft, Amazon all publish very good security white papers about what they do to protect the information in their systems. They also tend to try to be as transparent as they can on the data they're collecting. In a lot of cases, I think sometimes people just don't understand the things they're agreeing to. I think those are some of the things that have been done in the U.K. and in the EU with GDPR in getting more informed consent. I would leave it at that, but I think Alex probably has certain things to say.
Chief Information Officer of the Government of Canada, Treasury Board Secretariat
Yes, it's maybe a three-part answer. I think we need to get better at understanding that there are certain pieces of data that are okay to be on some of these platforms, and there are other pieces of data that are not. Personal information, I would say, is too unclear at this point, but it doesn't mean that we can't look at the discussions with these vendors and suppliers around the values that we want to bring in how we manage personal information, the requirements around security.
Some of the work we do on policy, for example, should be completely transparent and open when we're talking about algorithmic impact assessments, because these things will impact a citizen directly. Putting that on Google Docs and, frankly, 10 other platforms, is not necessarily an issue. That's the first part.
On the other part, I would like to just bring standards into the conversation versus regulation. I think there is an opportunity to start with better standard-setting across the country. During my time in the private sector, and when I was at OpenText, I would often run into other countries that had set standards for themselves that, frankly, possibly would put their own organizations or enterprises into advantageous positions. I think we need to look at standards as both offensive and defensive mechanisms, and find ways to actually start looking at these standards as a first step.
With regulations, the problem is that they could stifle innovation—you'll hear that a lot from the private sector and some of my former colleagues—but they're possibly a step. There are probably some other steps you could look at before diving directly into regulations, because they are a double-edged sword.
Chief Executive Officer, Canadian Digital Service, Treasury Board Secretariat
Obviously the policies and whether those vendors are encrypting at rest, whether they're encrypting in transit, whether they're taking various steps to protect data are part of the equation. The other part of the equation is, how are we protecting our own account management? Making sure that we are using password managers, making sure that we are using that second-factor authentication that is available on many of these systems at this point—and increasingly will probably start to become required—are steps that government can also encourage and help explain. So there's a role there as well.
Conservative
Executive Director, Information and Privacy Policy Division, Chief Information Officer Branch, Treasury Board Secretariat
No, I don't have a response on that issue.
Conservative
NDP
Charlie Angus NDP Timmins—James Bay, ON
Before we rise, I just want to bring to the committee's attention my view that we should have a discussion on the minister's announcement that she's going to have the procedure and House affairs committee look at the potential threat of Facebook to the electoral system. We've done this work. I find it surprising. All the work that we've done has been recognized internationally. A few months out from the election, our committee is being completely sidelined. Our report has been sidelined. We've heard nothing back. I think we should raise a concern with the minister. If she wants to know about the threat posed by Facebook, and undermining the platform, we have done all of this work.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
I understood that Minister Gould was on our list.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
Right. I would say it is fair game to ask her all sorts of questions, including about this. It would make no sense for PROC to undertake a study that we've already pursued and completed.
Conservative
The Chair Conservative Bob Zimmer
I can write them a letter to explain what we've actually done, and send the report along with it, if that would help.
NDP
Charlie Angus NDP Timmins—James Bay, ON
Yes, that's what I would suggest, Chair, that we send it to her, and the committee as well, to say that this work has been done. We spent a year on it, and we did travel internationally.
Conservative
Charlie Angus NDP Timmins—James Bay, ON
I would like to move a motion that you write a letter. Certainly, I think the minister should appear, but we should also write a formal letter to the chair of PROC and to the minister saying that we've done this work. It seems absolutely crazy to start from scratch.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
I did not see the appearance, but my expectation was that she was asked questions and that this was an off-the-cuff remark. I have no idea, though. Obviously, she's aware that we conducted a study. I wouldn't spend your time writing letters. When is she scheduled to appear?
Conservative
The Chair Conservative Bob Zimmer
I'm not sure. Our current clerk is under the weather today. We'll find out when he comes back.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
Oh, I see. Okay.
I think this is a fair conversation to have, to impress upon her the work that we've done and to ask her why she thinks PROC is the appropriate place instead of our committee, and whether she has additional questions that she thinks the committee should perhaps pursue. The committee that is already well briefed and versed should be pursuing it. We've already got her. If you want to write letters, feel free, but I think she's coming.
NDP
Charlie Angus NDP Timmins—James Bay, ON
My only concern is that if that committee has been given instructions to start, our conversation with her will be irrelevant. I think they should be made aware as well that we've done this work. We'd be more than willing to advise them.
Liberal
