Evidence of meeting #139 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was identity.

A recording is available from Parliament.

Also speaking

Ira Goldstein  Senior Vice-President, Corporate Development, Herjavec Group
Matthew Anthony  Vice-President, Security Remediation Services, Herjavec Group
Rene McIver  Chief Security Officer, SecureKey Technologies Inc.
Andre Boysen  Chief Information Officer, SecureKey Technologies Inc.

4:05 p.m.

Senior Vice-President, Corporate Development, Herjavec Group

Ira Goldstein

When I say “pilot”, I mean more that the capability should be piloted, but it should be available to all Canadians. I don't think it should be necessarily a pilot group, or one province or group. The capability should be piloted to a specific-use case. With the CRA example, you could just continue to expand it.

I'm not worried about the government having information about me as a citizen that they already have. Look back to the StatsCan example. The reason there was public outrage was that people said, “Hmm, the government doesn't have this information today. Now they want it. This is outrageous.” Had we said—

4:05 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

It was also the lack of consent.

4:05 p.m.

Senior Vice-President, Corporate Development, Herjavec Group

Ira Goldstein

But if the information is anonymized, where is that consent?

If we had said we're embracing open data and we want certain aggregated, anonymized information to make the provision of services cheaper, better and more focused, a lot of people would have been really excited about it. Canadians are progressive with that mindset of moving to digital. It's almost more about how you do it than about what you do.

To Matt's point about treading lightly, you need to go slowly with it in that way, plan your communications carefully, but I think we all firmly believe that Canadians are ready for this. It's just a question of execution.

4:05 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Okay.

I have a chicken and egg question. The EU has brought in the general data protection regulation, or GDPR. There have been suggestions that Canada is far behind with regard to the protection of privacy, which has now been enabled—perhaps over-enabled or overprotected in some aspects—in Europe. Before digital government is implemented in Canada, would you suggest the writing of regulations similar to the privacy protections and guarantees of the GDPR?

4:05 p.m.

Senior Vice-President, Corporate Development, Herjavec Group

Ira Goldstein

That's a big question.

I think Canadian privacy legislation is not something we should just say is insufficient. There are some good privacy frameworks here. It's a question of what are those definitions? What is “real risk of significant harm”? What does that mean to a company like the companies we help, who are trying to determine what they should tell the government when there is a security or privacy breach?

We need to make it more practical for companies and individuals to abide by these frameworks. I'm not saying that we should go all the way to GDPR. I'm sure we all have varying opinions on GDPR. Matt is shaking, now.

The reason people are abiding by GDPR is that there are financial fines behind it, and that's why there are a lot of—

February 28th, 2019 / 4:05 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Absolutely.

4:05 p.m.

Senior Vice-President, Corporate Development, Herjavec Group

Ira Goldstein

—consultants making a lot of money on it, and all of that.

We shouldn't go all the way in that direction, but we need to make it easier for Canadian business to consume that type of regulation in Canada. We need to keep that strong privacy framework, but make it easier for businesses to consume.

4:05 p.m.

Vice-President, Security Remediation Services, Herjavec Group

Matthew Anthony

Could I just elaborate for a second on Ira's comment and respond to your question on whether we should go all the way to a GDPR-type answer?

The answer is yes. I think the global push towards having governments protect citizens, balanced with citizens maybe becoming less interested in privacy on an individual point level, raises the interest of government to protect citizenship collectively.

But what Ira said is really important and I tried to address it tangentially as well, which is making the expectations really clear about how to handle and manage data so that people understand what they are expected to do and how they're expected to do it before you start pushing stuff to the online realm. That is really very useful.

I can't tell you whether or not we need to make a change to our regulations, policies and practices, but at the very least making those transparent and easier, so that—

4:05 p.m.

NDP

The Vice-Chair NDP Charlie Angus

Thank you very much.

I'll now speak for seven minutes. Just to be fair, I will put the gavel beside the clerk and if I go over the time, he will hit me with it.

I find this fascinating, and Mr. Anthony seemed to tread lightly. I find that very surprising.

I used to be a digital believer, and in the digital believing world things were going to be better, we were going to move faster. The longer I am in this job, the more wary I get. I think “tread lightly” is a very interesting example.

I just want to talk a bit about my sense of how Canadians see privacy and digital innovation. I was talking with tech people in the U.S. and they were marvelling about and saying that we really take this stuff seriously.

We had a serious digital copyright battle that involved citizens and letter writing campaigns. The net-throttling issue was a big issue. It was Canada that did the first investigation of Facebook, but at the same time, as Mr. Boysen has pointed out, people here hate identity cards. I think of my voters and they would be up in arms over this.

We look at Statistics Canada as a good example of how not to do this. Statistics Canada has a worldwide reputation and the trust of Canadians. They thought they were doing something in the public interest, but it struck Canadians the wrong way.

What would your advice be to a government that may think that gathering more information is in the best interest? You talked about the danger of the opportunities they say will emerge from increased efficiencies from mining, aggregating and sharing data, but you're saying that we need to require evidence to show that. What are the parameters we need to be looking at on this?

4:10 p.m.

Vice-President, Security Remediation Services, Herjavec Group

Matthew Anthony

There is a lot bundled into that question—

4:10 p.m.

NDP

The Vice-Chair NDP Charlie Angus

Yes.

4:10 p.m.

Vice-President, Security Remediation Services, Herjavec Group

Matthew Anthony

—and I'll try to set it out.

Firstly, I'll say that when you collect data, it's an addictive process. It's easy to do. You collect large amounts of data and you can't lose what you don't have. When I say “go slowly”, I want to reiterate that I see people on their worst days very often dealing with breach management. I see the outcome and aspects of the failure to do the things that I am advising to do.

How to balance out the issues of what data to collect, why you're collecting it, making sure that there is consent for its use are the real keys to answering your question, I think.

When we have historical data, consent to use might be very difficult to derive. I can't tell you what consent I gave to the data I gave to the federal government five years ago. I don't remember and can't tell you. I don't remember signing anything away. It was probably in the fine print. You can make a studied case that I did somehow give you, the government, my consent to do that, but if I didn't have clarity about that, if it weren't communicated correctly to me, then I am going to be very unhappy with you when you use the data exactly the way you said you might.

I think that communication and clear consent is probably at the centre of the Statistics Canada case in particular. But I would say, don't collect data you don't need, and be very clear about how you're going to use it and get clear consent for how you're going to use it if it's personal information.

4:10 p.m.

NDP

The Vice-Chair NDP Charlie Angus

Thank you.

Mr. Boysen, I was interested in what you were talking about with the example of the banks. If I don't like the banks.... Actually, I go to my credit union, the Caisse populaire—

4:10 p.m.

Chief Information Officer, SecureKey Technologies Inc.

Andre Boysen

It's part of the service.

4:10 p.m.

Some hon. members

Oh, oh!

4:10 p.m.

NDP

The Vice-Chair NDP Charlie Angus

—and I have good service, and if I have a problem, they call me right away and we deal with that.

Our committee has spent a lot of time looking at how we access online. We don't have choice. This is what we found with Facebook, and this is what we're finding with Google. We've begun to talk about the issue of antitrust, which is not generally in the realm of our committee, but for the rights of citizens and protecting data.... I mean, if you have a problem with Facebook, what are you going to do? You can't do anything. You can't go to WhatsApp, because it's controlled by them. They control all the other avenues.

In terms of overall public policy, do you feel that the issue of having not enough choice in how we engage online and in how our private information is collected and used by the data-opolies has a negative effect overall on where we're moving?

4:10 p.m.

Chief Information Officer, SecureKey Technologies Inc.

Andre Boysen

Yes. The short answer is, yes, it's a problem.

I think we have to think about this in a very different way.

The challenge we have today with the architecture of the Internet is that every web service delivery organization is on its own when it comes to registering customers online. We can see what that's produced for all of us in the room. Some of us have ten passwords, some of us have 25, some of us have 100. Some of us have 100 but it's really just one, because it's all the same password.

So what we see in this model is that when everybody is by themselves, the only way we can have confidence that someone is really who they say they are is by having a very thorough enrolment process. This is particularly acute in government because your duty of care is so high. The consequence is that oftentimes the customer can't get through this process, and when they do, the problem is that you have all of the data. So when you get breached, you have to remediate all of the data.

We only have this problem online. In person, it's not as much of a problem. In person, we already collaborate and co-operate when it comes to identity. When I want to get a bank account, I bring in a government-issued ID and something from somewhere else and I can get a bank account. When I want to prove I've lived in Ontario for six months, I bring my bank statements to show I've been living at that address for that long. We already co-operate in the real world in doing these identity services. It's only online where we have this challenge.

So one of the things I would put to you is that one of the things you should be thinking about is not merely solving this from the government point of view but thinking from an economy point of view. The challenge, and one of the reasons the banks are here and they want to be in on the scheme, is that from a banking point of view, this is not that interesting from a revenue point of view. They want to be able to open bank accounts online and they want to take the risk problem down. The challenge they have is that they can't verify that the driver's licence is real. What the crooks do is to take a real driver's licence like mine, scratch my photo out, stick their photo in it and go get a line of credit; and they're defenceless against that type of attack.

What the banks want the government to do is to get its house in order and to make all government-issued documents ready to participate in the digital economy.

Back in 2008, Minister Flaherty put together a task force here in Canada to talk about how we were going to make digital payments work. That task force ran for about two years. I participated in it and the report that was produced by Pat Meredith—who did a very good job of running the task force—said that you can't have a digital economy and can't do digital payments without having digital identity.

With digital identity, the point is that it has to work across the economy. It's not about solving health care. It's not about solving the CRA's problem. It's about solving it for the consumer across the economy, because when you look at your own life, the counter is that you have to show up with your driver's licence to get the thing you want, and that takes a long time.

4:15 p.m.

NDP

The Vice-Chair NDP Charlie Angus

I have to stop you there so that I can end five seconds short of my time, just to put that on the record.

4:15 p.m.

Some hon. members

Oh, oh!

4:15 p.m.

NDP

The Vice-Chair NDP Charlie Angus

Mr. Saini.

4:15 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Thank you very much for your presentation.

I want to get some clarity, because you mentioned that there's an issue whenever we have a national identity card. But I would say to you that we already have subnational identity cards. We have a driver's licence; we have a passport; we have a social insurance number.

4:15 p.m.

Chief Information Officer, SecureKey Technologies Inc.

4:15 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

In Ontario I have an OHIP card. We might not have one number that's ubiquitous across the whole system, but we have cards underneath.

4:15 p.m.

Chief Information Officer, SecureKey Technologies Inc.

4:15 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

With regard to the Estonian model, I agree with you. I think the reason we use that or the reason we started with that is that Estonia is one of the countries that are more advanced than are maybe some others.