Information & Ethics Committee on Feb. 21st, 2019

Good afternoon, bonjour, and thank you for your invitation to speak today. My name is Meg Davis. I am the chief development officer at Waterfront Toronto. With me is Kristina Verner, Waterfront Toronto's vice-president of innovation, sustainability and prosperity. She has worked in the field of intelligent and smart communities for over 20 years. We are pleased to have the opportunity to share with this committee background on Waterfront Toronto and our Quayside project, and the roles and responsibilities of Waterfront Toronto and our innovation funding partner, Sidewalk Labs.

Of particular interest to this committee, we also want to address the policy considerations presented by the Quayside project and Waterfront Toronto's perspective on those matters. Let me assure the committee that Waterfront Toronto is approaching the Quayside project with the full force of the fundamental right to privacy, beyond the strict letter of the law.

For those of you not familiar with Waterfront Toronto, we were created in 2001 by the Government of Canada, the Government of Ontario and the City of Toronto. We were given a mandate to transform 800 hectares of former industrial lands on the shores of Lake Ontario into thriving neighbourhoods that grow our economy and improve the quality of life. I'm proud to say that the revitalization of Toronto's waterfront is the largest urban redevelopment project currently under way in North America, and it is one of the most significant waterfront revitalization efforts ever undertaken in the world.

This unique tri-government model is clearly working. Since Waterfront Toronto's inception, we have helped generate over $10 billion in new private sector investment and create 26 hectares of new public spaces, including award-winning iconic parks such as Canada's Sugar Beach and Corktown Common. This investment helped create over 14,000 full-time years of employment, 5,000 new residential units, about 600 affordable housing units and 1.5 million square feet of commercial office space to date.

As members of this committee are aware, in March 2017, Waterfront Toronto launched an international request for proposals seeking an innovation and funding partner to transform part of the waterfront called Quayside. This innovation and funding partner would help create a plan for the future neighbourhood and address key priorities, including fighting climate change by radically reducing energy consumption and household waste; offering affordable housing to families and single people alike; reducing traffic congestion and improving road safety for drivers, pedestrians and cyclists; and creating jobs and prosperity by serving as a testbed for Canada's clean tech, building materials, and broader innovation-driven sectors.

The goals we set for Quayside are about using innovation and new ideas to deliver a better, more affordable quality of life. Protecting data and privacy are integral to the realization of these goals.

Like you, Waterfront Toronto is committed to ensuring the use of technology to facilitate better services for people, while at the same time absolutely protecting personal privacy.

After a rigorous competitive selection process, Sidewalk Labs was selected as our innovation and funding partner. Their sole job at this point in time is to prepare for our consideration a master innovation and development plan, or MIDP, for Quayside. They are spending up to $50 million of their own money to prepare this plan. As Kristina will elaborate, the plan will be subject to approval, which is contingent upon the protection of privacy as a condition.

Waterfront Toronto has developed a rigorous process to evaluate the MIDP. This evaluation will use subject matter experts and a due diligence panel, and it will seek public input on the MIDP through consultations. The plan will be reviewed by all levels of government and Waterfront Toronto's board of directors. If approved, any MIDP proposals will be subject to all usual federal and provincial regulations, and municipal planning approvals.

To be clear, if the MIDP proposed by Sidewalk Labs does not deliver on these priorities in a manner that is in the public interest, then the proposed plan will not be approved by Waterfront Toronto and will not be implemented.

I'd like now to turn the microphone over to Kristina Verner to discuss our approach to the protection of privacy.

Thank you, Meg.

I know that the protection of privacy is top of mind for every member of this committee as it is for Waterfront Toronto and the public we serve, and I appreciate this opportunity.

As Meg just stated, any individual component selected for implementation at Quayside will be subject to all applicable laws from all levels of government. This of course includes Canada's privacy laws.

While Canada's privacy laws, relative to the rest of the world, have proven remarkably effective, we recognize that technology is changing all the time, and this requires Canadian privacy law to evolve. As a result, I want the committee to know that Waterfront Toronto is approaching the Quayside project with an expectation of the protection of the fundamental right of privacy well beyond the strict letter of the law. We know that if this project is going to proceed, it must reflect Canadian values on privacy.

We are guided in this effort by expert committees and advisers, all three levels of government and continuous, ongoing public consultation.

To this end, Waterfront Toronto has established the digital strategy advisory panel to guide us on how to best incorporate data privacy, digital systems and the safe and ethical use of new technologies while ensuring digital inclusion in the next phase of waterfront revitalization, starting with the Quayside project.

The panel is led by Dr. Michael Geist, the Canada research chair in Internet and e-commerce law at the University of Ottawa and a senior fellow at the Centre for International Governance Innovation. I understand that Dr. Geist appeared recently before this committee.

We are also working closely with Chantal Bernier, who spent nearly six years leading the Office of the Privacy Commissioner of Canada, as interim privacy commissioner and as assistant commissioner. She now serves as the national practice lead of privacy and cybersecurity at Dentons. Chantal is here with us today. We also regularly seek insight from former three-term Ontario privacy commissioner Ann Cavoukian.

I would like to specifically outline some of the key commitments that Waterfront Toronto has made to protect privacy in this project.

First, in addition to all existing legislative and regulatory requirements, we are committed to the principles of privacy by design. A plan for Quayside would only be approved if it adheres to these principles.

Second, with respect to the protection of personal information ,there will be no preferential treatment to any Alphabet company, including Google, regarding linking to, sharing or the use of personal data.

Third, data cannot be used for advertising purposes without express positive consent.

Fourth, any personal information will be de-identified at source, unless express consent is knowingly and explicitly given for a specific purpose.

Fifth is minimization of data collection so that only the data needed and identified for a limited and specified purpose would be collected.

Sixth, our commitment is that data collected for the Quayside project will be stored in Canada.

Sidewalk Labs has already committed to abiding by all of these key requirements. We agree with what Ann Cavoukian has often said. We are looking to create a smart city of privacy on Toronto's waterfront and we are firmly committed to working with our government stakeholders to ensure that this is precisely what is delivered.

At this point I'll turn it back to Meg.

Thanks, Kristina.

Over the past year we have conducted broad public engagement to help inform and shape the MIDP to be proposed by Sidewalk for our consideration. Thousands of people have participated in our consultation process to date, and we intend to hear from thousands more before we finish. We expect to receive the first draft of the MIDP soon. It will be made available for public input. Only after that public consultation will Waterfront Toronto begin the evaluation process.

Waterfront Toronto will continue to work with federal, provincial and municipal policy-makers to ensure that the public is well served. Technology and its impact on cities raises questions that are being debated around the world. Quayside is an excellent opportunity for Canada to get these answers.

Thank you for your invitation to present today. We look forward to your questions.

Thank you.

Mr. Chair, honourable members of the committee, it's our privilege to be here today to discuss the security and privacy of data and information when delivering digital government services.

The Information Technology Association of Canada, also known as ITAC, represents some 340 member companies, from the very largest multinationals to the smallest SMEs. We are the leading voice of Canada's ICT industry, an industry that includes some 37,000 companies, most of which are small and medium-sized enterprises. The industry generates over 1.5 million jobs, contributes more than $77 billion annually to the GDP, and invests over $4 billion in annual R and D, which is the largest private sector industry contribution to the nation's R and D.

ITAC is appearing before you today in support of its efforts for the development of a robust, competitive, sustainable digital economy and digital government in Canada. In recent years, ITAC has partnered with the federal government in various fora to help modernize the government's IT procurement processes and enhance the government's ability to successfully leverage IT and ICT to improve the delivery of public services.

The committee's study comes at an opportune time. The Government of Canada, as was pointed out by some of your witnesses earlier this week, has an ambitious vision for transforming and providing digital services to Canadians. Addressing security and privacy risks is a prerequisite of this transformation. Canadians expect and deserve digital government services that provide effective security and privacy.

The key question for the committee is how the Government of Canada can both achieve its vision for digital service delivery while also protecting security and privacy. It is ITAC's view that by adopting a balanced approach and by adjusting elements of its current data classification system and security framework, these two objectives are both compatible and interdependent.

I'll now ask Michael Fekete, chair of ITAC's legal committee, and counsel for Microsoft at Osler, to speak.

Thank you, André.

It's clear that the Government of Canada has recognized the need for a balanced approach. This is reflected in the Government of Canada digital standards, which call for a balanced approach to managing risk and implementing appropriate privacy and security measures. Similarly, the Government of Canada's cloud adoption strategy requires departments and agencies to adopt a structured risk management approach that takes into account the integration of cloud services in their government IT services.

The Government of Canada has adopted a cloud-first strategy. It did that last year. Notably, it was the last of the countries that make up the Five Eyes to do so. The rationale for a cloud-first strategy has been clearly articulated in the government's own white paper on data sovereignty and the public cloud.

The paper indicates that cloud computing represents a significant opportunity to address a number of inherent risks that the government is currently facing. These include: aging IT infrastructure, through which the government's mission critical IT infrastructure is aging and at risk of breaking down; cyber hygiene gaps, whereby the government's inability to quickly identify assets and perform timely patching and remediation of known vulnerabilities leaves it exposed to cyber-threats; the availability of non-cloud solutions—increasingly, industry is providing only public cloud solutions or focusing their development efforts on cloud services, and the on-premises software we've been accustomed to in the past is no longer available in the same way—and of course the government's plan to digitally transform the delivery of government services.

Cyber hygiene in particular is something I want to draw attention to, as there is an increasing recognition that cloud providers often implement and manage better IT security controls than internal IT teams. Cloud providers are investing billions of dollars to address security of data, going well beyond what any customer can do on its own. By enabling state-of-the-art machine learning and AI solutions, cloud providers are protecting customers at machine speed from the latest known and even unknown threats.

Despite the many benefits of cloud services and a cloud-first procurement strategy, it's clear that the Government of Canada is lagging behind other governments in terms of cloud adoption. It's important to recognize that cloud is different, and doing government digitally is different. To be effective, federal digital services need to be redesigned. This requires in many cases a redesigning of existing policies and processes.

New technologies will need to be explored, including artificial intelligence and the Internet of things, to power digital services. These new technologies are available through the cloud. Generally, they aren't available without accessing the cloud.

The other thing to note is that there are international best practices from which important insights can be drawn. By way of example, the United Kingdom's G-Cloud is considered a model for digital government and cloud adoption. Cumulative sales under the G-Cloud framework up to July of last year were over £3.5 billion, with 46% of total sales by value and 69% by volume having been awarded to small and medium-sized enterprises.

The success of the U.K. approach followed deliberate policy changes that supported implementation of the U.K. government's cloud-first policy. These changes included a simplified data classification regime, non-prescriptive security requirements, accountability for decisions to procure bespoke solutions, and a willingness to accept a supplier's contract with a wrapper of government terms.

While each of these changes is important, the first two warrant additional discussion in the context of the committee's deliberations.

The U.K. streamlined its data classifications so that information assets are classified into only three types: official, secret and top secret. Each data type attracts a baseline set of security controls providing appropriate protection against typical threats.

Significantly, U.K. government guidance indicates:

ALL routine public sector business operations and services should be treated as OFFICIAL.... This includes: Personal information that is required to be protected under Data Protection legislation or other legislation (e.g. health records)

It's noteworthy that virtually all routine information within the government is treated as official, which is the lowest standard. That includes even sensitive personal information such as health records.

Information classified as official in the United Kingdom constitutes 90% of all U.K. government data. This data is deemed to be suitable for processing in the public cloud and is not subject to geographic limitations on processing. Rather, a risk-managed approach has been adopted, with U.K. government departments and agencies being required to evaluate a cloud service against 14 cloud security principles. These principles serve as a checklist for effective security safeguards without prescribing how a cloud provider needs to demonstrate compliance.

When contrasting the U.K. approach with Canada's, it's clear that the Government of Canada's framework for protecting security and privacy is underpinned by a materially different data classification system and security framework. Canada has nine different data classifications, with personal information—which is typically treated in the U.K. at the lowest level— generally being classified as Protected B.

Once data is classified as protected or higher, specific security and privacy protections set out in Government of Canada policies and directives apply.

For example, data that is classified as Protected B is subject to stringent requirements governing data residency, security clearances and departmental security controls. These requirements are often incompatible with the supply of public cloud solutions.

A cloud service is, by definition, a non-customized shared service that relies upon economies of scale achieved through standardization. To the extent that a government procurement mandates that a service provider satisfy security or privacy requirements that have not already been operationalized, the procurement is on its face incompatible with the supply of a cloud-delivered solution. Because data classifications in Canada are matched with security requirements that are incompatible with cloud services, it is not surprising that cloud adoption within the Government of Canada is lagging behind adoption in the United Kingdom.

The U.K. experience does not display a reckless approach—

Sure.

Just let me end by saying that the U.K. is not reckless in its approach. It has made policy choices to ensure that it can access cloud services to enable digital government. There are opportunities for Canada to learn from the U.K. approach and, I would say, modernize some of its existing policies to better enable access to the cloud and to the digital services that the government wants to deliver.