Information & Ethics Committee on Feb. 19th, 2019

Great. I will be doing my address in both languages, if you want to connect your headphones right away, and I apologize in advance to the translators: I get quite excited because this topic is very important to me. I will try to make sure I speak slowly.

Thank you, Mr. Chair, for the invitation to appear here before the committee today.

As you mentioned, with me today is Ruth Naylor, executive director of the information and privacy policy division.

I will start with some brief remarks, after which, I will be happy to answer the committee's questions.

Mr. Chair, in the age of smart phones, social media and apps that do everything, Canadians have a growing expectation that their government will provide them with services as easily as Expedia, Amazon or Netflix do, which is why the Government of Canada is embracing digital tools to provide Canadians with the reliable, accessible and secure services they expect, while at the same time protecting their privacy.

We believe that better service and privacy are not at odds with each other, thanks to technological improvements that allow these protections to be built in from the concept and development stages.

As chief information officer of the Government of Canada, I am responsible for providing strategic direction and leadership in information management, information technology, security, privacy and access to information across the Government of Canada.

Therefore, my office has taken steps to promote digital services and better protect Canadians' personal information.

For example, the Government of Canada recently adopted a set of digital standards that help departments and agencies design better services for Canadians. They ensure that government makes investment decisions that increase security and privacy, builds in accessibility from the start, and allows for more collaboration while working in the open. These standards are being put into action with the next-generation HR and pay initiative, which is to identify options for an alternative HR and pay solution.

Working through our agile process, these digital standards are being used to assess whether vendors can meet government business outcomes, including delivering a solution that is secure and respects the privacy of users. The digital standards allow us to define how the future of government services will be delivered in a digital age, while enabling us to be more agile, open and user-focused at all stages of design.

The initiative to develop the next-generation human resources and pay solution is an example of what can be achieved when the standards are applied successfully.

The process will take a few more years yet, and much work lies ahead, but the results to date are promising.

In addition to digital standards, we are developing rules and guidelines based on best practices to help departments and agencies with the digital transition. For instance, in the spring of 2018, the government approved targeted changes to the Policy on Management of Information Technology and the Policy on Information Management.

The targeted changes are meant to address a number of issues. These include improving governance and oversight of information technology, or IT, overall, and strengthening the role of the chief information officer of the Government of Canada and that of departmental chief information officers.

As recently as December 2018, we updated the Directive on Management of Information Technology.

More specifically, as part of our digital exchange strategy, we adopted modern procedures related to application programming interfaces, known as APIs.

I apologize for the technical term.

Our changes have made Government of Canada services and data accessible via APIs, promoting the re-use and sharing of data across departments and with Canadians.

The API standards also enable the private sector to streamline services in co-operation with government and ensure Canadians' security and privacy.

In December 2018, we also updated our rules on enterprise architecture, which is the coordination of information, applications, technology, security and personal data.

The changes we've made support open standards and open source programs, “cloud first” principles, as well as ethical data collection and data security principles.

Ultimately, with these changes, staff will be able to work more efficiently government-wide thanks to a better convergence of technology and policies and opportunities for dialogue from the beginning of the procurement process.

These measures are key in order for the Government of Canada to develop a comprehensive digital strategy for the long term.

A key focus of the proposed policy is to integrate security and privacy at the investment and design stage of government services, programs and operations. The proposed digital policy will continue to be developed over the course of this year.

Along with our partners at the Canada School of Public Service, we've also created a public sector digital academy, the first ever in Canada. The academy will be giving our employees the leading edge skills they need to deliver the digital government services Canadians expect. An important part of this curriculum is privacy.

As we move forward on digital service delivery, we're also collaborating with provincial and territorial governments, as well as the private sector, to create rules to commonly accept and trust digital identities.

Canadians don't need to know how government is organized or the intricacies of federal, provincial and territorial jurisdictions when they try to access services.

To improve service delivery, we'll focus on the needs of the user rather than the organization of government, and enable Canadians to conveniently and securely access online services across jurisdictions. For example, we are building a digital identity ecosystem to support the use of trusted digital identities by Canadians to access services across jurisdictions. These jurisdictions include all orders of government, private sector and even international partners.

Specifically, development has begun on an initiative called “Sign In Canada”. Through this common access point, Canadians across the country will be able to access their government services online using their federated trusted digital identity. Sign in Canada will also support the digital service strategy and our efforts to federate identity across the government of Canada.

In addition, we are establishing a digital exchange platform to help enable departments to share their data with each other and the outside world in a modern, secure and unified way. This would be similar to Estonia's X-Road, which you've heard about. Just as Canadians don't need to know how government is organized to access services, citizens expect government not to ask repeatedly for the same information.

Furthermore, we've adopted mandatory procedures in relation to enterprise architecture and begun a preliminary conceptual analysis review to ensure alignment. We've also established an enterprise architecture review board, made up business and technology representatives from across government. In managing the information Canadians share with us, we want to ensure their privacy is respected while enhancing interoperability government-wide. This work is still in the early stages.

We are committed to improving service delivery by investigating a “tell us once” user experience. This means that Canadians could possibly provide key information once and not be repeatedly asked for the same information when dealing with different departments and agencies. My staff is currently examining government business processes, policies and legislation to identify any barriers to implementing this service vision. With this in mind, we need to look at the rules around information-sharing and how we could, with the right checks and balances in place, allow more efficient information-sharing across departments and agencies that provide services to Canadians.

My staff is also working closely with the Office of the Privacy Commissioner to benefit from advice on our plans and initiatives to advance digital government. We've heard from the Privacy Commissioner that privacy should not be characterized as a barrier to innovation. We look forward to continuing to work closely with the Privacy Commissioner to rethink how we can best protect the personal information of Canadians.

To meet our privacy obligations, we have to do the hard work of developing digital services that are citizen-centred and protect the personal information of Canadians. To that end, we're collaborating on a number of fronts in order to share best practices and learn from the work of others. To harness the power of technological advances, TBS and PSPC have been working to develop innovative and agile procurement tools to meet the current demands of the public service.

We recently worked together to build the first list of AI suppliers. They had to demonstrate that they had the necessary resources and skills and had adopted ethical AI practices. To safeguard privacy, this initiative is aligned with, and builds on, the government's direction and our current policy development work.

This initiative promotes the use of new tools, while providing concrete direction and oversight to limit unintended consequences for Canadians. To develop a meaningful strategy, we worked transparently with international experts, industry leaders and government officials who will oversee its implementation.

This is part of our concerted effort to open up government that was recognized in September when the World Wide Web Foundation's Open Data Barometer ranked Canada first in the world alongside the United Kingdom for its open data leadership. Each of these areas, such as Al, data, cyber and privacy do not exist in silos. They are intertwined with each other and with other sectors to such an extent that it is impossible to know it all.

Technology continues to dissolve traditional boundaries, which is why it's essential that we continue to work as one government, recognizing that all aspects of our businesses are being touched more and more by technological advances.

Success in digital government means providing the seamless, integrated services people have come to expect—services that meet people's needs and expectations of government, and that ensure government stays relevant in people's lives. This obviously includes protecting the privacy of Canadians.

Charting this course for modern digital services, including privacy protections, will keep Canada on the cutting edge of citizen support and engagement.

In closing, I want you to know that I look forward to the committee's report and recommendations on this important issue. Thank you.

Thank you, Mr. Chair; and thank you to the committee and Alex.

With me is my colleague John O'Brien, director of security and reliability engineering at the Canadian Digital Service. Before CDS, John was with the Communications Security Establishment as a technical lead for malware analysis and automation, or put more simply, John knows how the bad guys operate.

For those of you who are less familiar with CDS, we're a digital consultancy in government, for government. We're part of the Treasury Board Secretariat and we work side by side with Mr. Benay's organization. CDS was established only 18 months ago, with a mandate to help this government improve how it designs and delivers digital services by providing direct, hands-on help to federal departments to make digital services faster, simpler, more accessible and secure. In the process, we help build capacity in those departments to do modern service design and delivery.

For example, we've been working with Veterans Affairs Canada to improve how veterans and their families find and access benefits; with Immigration, Refugees and Citizenship Canada to help newcomers to Canada reschedule their citizenship tests online; with the Royal Canadian Mounted Police to help victims report cybercrime and online fraud; with our colleagues in Mr. Benay's office to make connections to government websites more secure; and with the Canada Revenue Agency to help Canadians with low income file their taxes and access related benefits.

I'm American.

Before I arrived in Canada last spring, I had the privilege of leading a similar initiative in the U.S. to bring new tools, practices and approaches into government to better serve the public. In 2013, I was a presidential innovation fellow. We were told on our first day as fellows that it was a bait-and-switch program, and sure enough, many of us who signed up for six-month fellowships stayed for four years.

My colleagues and I went on to create the service delivery unit called 18F in the aftermath of the failed initial launch of healthcare.gov. I served as 18F's first director of delivery and then as executive director. I'm also a former lawyer.

As Mr. Benay pointed out, digital isn't just about bringing services online. As our U.K. colleague Tom Loosemore once put it, digital is about “Applying the culture, practices, processes and technologies of the Internet era to respond to people's raised expectations.”

Technology is not without its challenges, but it's not usually the hard part. We only half joke at CDS that we're a change management office disguised as a digital service office half the time.

How do we go about designing and developing government digital services that are both easy to use and secure? There are lots of answers to that question, but I want to touch on five important practices that CDS tries to demonstrate in every project we take on, and that historically have been more the exception than the rule in government, but that is changing rapidly.

Those practices are, first, to apply research and design practices that put people first, not rules and processes; second, to deliver and improve continuously; third, to assume there will be failures and to be good at reacting to them; fourth, to work in the open; and finally, to have strong feedback loops between delivery and policy.

In regard to the first, CDS relentlessly focuses on the people who use government services. In practice, this means working with users continuously to find out what they need, not just what government needs from them. We know that among those needs, security and privacy are critical and non-negotiable. To meet those needs, we factor them into how we build and deliver services from the outset, and continuously throughout deployment and development. This allows us to test our assumptions with the people who will use the service. If you've never witnessed user research, it can be eye-opening and profoundly humbling. It lets us develop a mutual understanding about what data is actually necessary to complete a service transaction and provide a first-rate experience.

By engaging with users early on and throughout the design of a service, we're able to develop an ever-improving understanding of their specific needs, concerns and preferences, including what and how much personal data we need to deliver a great service, how long we need to retain that data, and how we can provide assurances about how we will handle it, and when appropriate, delete it.

Talking directly and often to the people we serve is critical to building in privacy and security from the start, which brings me to the second point about how we work.

We develop digital services iteratively, employing practices and tools that enable continuous, incremental improvement. How does this promote more secure systems? The Canadian Centre for Cyber Security publishes a list of the top 10 IT security actions organizations can take to minimize the likelihood and impact of a cyber intrusion, and one of their key messages is to keep your systems patched and up to date, such as the regular updates you make to your phones from Apple, Google or BlackBerry.

This seems simple, but it's an issue for organizations everywhere. To do this well and in a timely way, services need to be built in such a way that frequent improvements are the norm, not the exception. The harder it is to make changes to your system, the longer it will take to create and disseminate fixes when a vulnerability is discovered.

Some government systems in operation today deploy changes only a few times a year, other than urgent patches, and even a simple change request can take more than a year to work its way through the long queue, get coded, and survive a lengthy, manually driven gauntlet of review, compliance tracking, testing, staging, and perhaps a little silent prayer before it goes live.

By contrast, most of the websites that you interact with every day, built by companies like Amazon, Google and Shopify, release dozens or hundreds of changes every day, safely, quickly and painlessly, into the public. This process is commonly referred to as continuous delivery, and it's how we build things at CDS, too. Updating systems to improve reliability, to fix problems, and to adapt to users' changing needs and expectations is easier, faster and more reliable this way. Making this model of continuous delivery and improvement the norm in government is both a problem of technical debt and a problem of delivery practice. Modernizing our systems and how we manage changes to those systems is the single-most effective thing we can do to improve the security posture of those systems.

This brings me to my third point. Continuous delivery enables you to act quickly when something goes wrong—not if, but when. In a perfect world, every system would be 100% secure. Of course, we don't live in that world. Cybersecurity best practice is to make the rational assumption that failures and breaches will happen, and to plan accordingly. Leading organizations make the most of the lessons learned after every such incident, large or small, to improve their resilience. We conduct blameless post-mortems after incidents, creating an environment where staff feel psychologically safe and confident in being fully open and honest about errors and mistakes. We learn more and improve more by acknowledging failures than by hiding them. It's healthier for organizations to encourage discovering and surfacing the root causes of failures than for people to fear being blamed for circumstances outside their control.

Fourth, we've all witnessed the blowback against organizations that stay silent about security incidents or other kinds of project failures for far too long. This is one reason why we work in the open—that is, in full view of the team, and whenever possible, the public. Building our services in the open by default reduces risk. This might seem counterintuitive. It is a stubborn myth that secrecy is good for security. In practice, developing software in the open allows others to contribute to, stress-test and critique our work. It provides more incentives for everyone to get the code right instead of taking shortcuts that might not be exposed in a tightly held environment. It gives us the opportunity to discuss openly the decisions we're making and the potential trade-offs. It allows us to create a culture of learning from mistakes, and it shares our work with others—a perk of which we've been the beneficiary many times already.

The U.K. government encapsulates this in a simple design principle, “Make things open: it makes things better”. The same principle appears in our government's digital standards.

This brings me to my final point about how we go about delivering secure, easy-to-use services to the public. Mike Bracken, who led the U.K.'s government digital service through its first four years, once wrote that “in an analog world policy dictates to delivery, but in a digital world delivery informs policy. This is what agile means for Government and its services”.

Working with and listening to our users, putting working prototypes in front of them as quickly as possible, and continuously improving those services is the best way to not only learn what works for our users, but also learn which policies are working, how others are not, and how we should update them to keep pace with modern expectations. This is somewhat of a shift from traditional policy development, which is often divorced, organizationally, from implementation. Everything is figured out months, maybe even years, before it lands at the people who will be impacted by it, at which point, unsurprisingly, it may sometimes miss the mark.

We believe that the practices CDS employs and promotes every day, practices encouraged by the digital standards, are the best way to meet public expectations for better, more integrated services that are also more secure and more responsive to the privacy needs of Canadians.

Having done this in two countries, I feel certain of this: change is hard, and it doesn't happen overnight. However, we're making headway in meeting the public's expectations for user-friendly, efficient, secure service delivery, and we look forward to making more and greater progress.

Thank you. I'd be happy to answer your questions.

The talent cloud is an experiment by a select few public servants who thought that we could look at a different model for bringing employees into the Government of Canada. We tend to take a decent amount of time to bring employees in, and the goal is to bring staff and employees into the Government of Canada within about 30 days. It's still the goal. It has not been achieved yet, but we're working towards it.

By using some of the techniques that my colleague Mr. Snow mentioned, they were able in the last year to launch a beta, open-source, very low-cost prototype where we're now hiring people within roughly 40 to 50 days. We're addressing the need to bring people in quickly in government.

The system also looks at the concept of the gig economy that's out there, where people in the technology field are increasingly choosing short-term assignments as opposed to a 35-year career with the public sector, which makes their coming in and out very difficult.

What we're trying to do with the talent cloud, which is still experimental, is to facilitate that trend and give otherwise contract employees the rights to have access to pensions and benefits. They may choose to come to work for six to 12 months at a time with our talent cloud solution, then leave for a few years and come back in. In the technology space, that's extremely useful, because it means that people stay relevant, people work in different sectors, and they're bringing in different perspectives. We're making that concept of a porous public sector increasingly a reality thanks to the work of the talent cloud team.

The core principles that you need to stick to to maintain and gain the public's confidence are transparency and acknowledgement.

When we talk about iterative service development, we talk more about user research and understanding these users at a more micro than macro level, which might be more conducive to the use of AI. For any number of veins, when we're talking about using large amounts of data and algorithms that may or may not be perceptible by most of the public, it is core to be as transparent as possible and have an open conversation with private, not-for-profit and public sectors about what constitutes appropriate oversight of AI. That's more in Mr. Benay's wood house than mine.

It's a very good question.

Estonia is one example. You've raised some important points of difference. We also have provincial and some pretty significant municipalities across the country. We are not Estonia. It's important both culturally and legally speaking to recognize that. However, there are a lot of things we've learned from the Estonians. We've learned how to share data in a secure way. We've learned that they can deliver digital services and increase privacy at the same time. They've shown the world that this can be done. For us it's a question of scale, and it is a question of technical debt and legacy, to your point.

We've put in place some governance measures over the last year wherein we are asking departments to come and have conversations about their solutions earlier through a mandated enterprise architecture review board where every functional group is represented at the table, from security to privacy to applications to service delivery, to make sure that we're having the right conversations and not doubling down on legacy systems because that's the easier thing to do, and that we're having the conversations on moving to cloud, on protecting citizens' data, on artificial intelligence and on new governance challenges that some of these technologies pose.

We've systematically been bringing the conversation closer to investment decisions, because that's where some of the decisions are made, and we often live with the repercussions.

We took a first step towards that. The short answer is “not yet”.

It is a group that is fairly new, but we did take a first step towards that when Canada led a joint declaration on responsible artificial intelligence usage across all of the countries. That now means we can go back into our respective countries and work with our industry to make sure that we start respecting some of these rules. The next step will be to bring corporations into the D9 conversations and start working together.

The answer is that it's a beginning. It's not necessarily as mature as you would have described.

Not on the D9, but Canada is in a treaty with nations in Europe that requires us and all those nations to provide a single source of—

No.

We're required to provide a single source of procurement opportunities across federal, provincial and local governments, academic and health institutions by, I believe, 2022. This is way outside my wheelhouse. We've been discussing and working on that with PSPC. They would be the right folks to talk to about that.

I'll answer from a technological perspective, and by that I mean there's a lot we can learn from what the Estonians have done with their X-Road, their data-sharing platform. We brought some of the founders into Canada twice over the last year to start re-creating our own similar platform, but from the Canadian perspective. We have provinces and large municipalities; we are not Estonia. From that perspective, we've learned a lot.

We've also learned a lot around the need to continuously update laws, for example, in the context of a digital age. We've learned the fact that they do data governance very well. They decree that an organization is the holder of that piece of data, and that becomes very rigidly implemented.

There are a lot of things, regardless of scale of countries, values and background, that we should look to and we actually are looking to. We've learned a lot from them.

We've also learned a lot from our other D9 partners. For example, Portugal has a very good digital identification system that might actually be closer to Canadian systems than those in Estonia.

We do look to Estonia on technological leadership, but in some cases, we're seen as leading in values and ethics around ethical AI and responsible AI usage, so they're learning from us. It has been a very good relationship that way.

Certainly. I'll comment on both aspects.

The reason that we're trying to design—and this gets back to Mr. Snow's point—this in a way that we don't impose the structures of government on service delivery to citizens is that we just want them to see us as the Government of Canada and to make it as seamless as possible for them to access services. We do have structures, we do have laws, we do have processes within the Government of Canada, but with technology we may actually be able to represent our existence and our delivery of those services in a very different and much more intuitive way to citizens. That's what we mean by those comments: how do we streamline things for citizens? It's not what we think they want, but from talking to them, which goes some of Aaron's points, knowing what they want.

In light of that, what we've been able to do with, for example, the next generation system of Phoenix is to take a good hard look at the lessons learned that were produced by the OAG, by the Goss Gilroy report, by committee reports, and apply those lessons so that we could say they were lessons learned in the replacement of Phoenix.

For example, in the procurement exercise we're currently running, we've had user expos conducted across the entire country where we're putting the actual competing technologies that are going through this process in the hands of users for them to test and give us their comments, putting accessibility experts in a room and testing things. By putting the user at the centre of it, we've been able to change the decision mechanism from a process as Aaron was outlining it, to what the HR administrator or pay administrator, the everyday public servant, will need. We've actually embedded them in the procurement process in a way that's not been done before.

So we are able to show that we can actually move some of these issues on procurement in a very [Inaudible-Editor], where we have included everybody in the process from the beginning, including the Parliamentary Budget Officer, who sits in on our meetings once in a while, to unions and heads of bargaining agreement agents. It's been a very inclusive tent; it's been a very large tent. We have “privacy by design” principles being applied to the procurement process as well. And all of our documents, for the most part, as long they don't interfere with the procurement process, are publicly available on a portal so that people can see our transition as we're going through this and feed into the process. We're showing that we can do the thing differently. It's our first step into this space and we'll see how this goes.