Evidence of meeting #142 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.
A video is available from Parliament.
Conservative
The Chair Conservative Bob Zimmer
Thank you, Mr. Angus.
Next up, for seven minutes, is Monsieur Picard.
Liberal
Michel Picard Liberal Montarville, QC
Thank you.
I have a three-part question. What is your understanding of open banking systems? What is your take on this from a security standpoint? Would that be a model, if it's good, that could be followed in the case of government?
Vice-President, Banking Transformation and Strategy, Canadian Bankers Association
As I'm sure you know, the government issued its first formal consultation paper on open banking in January. We put in a submission, along with other stakeholders, in February. I'll get into that in a second.
Since the deadline in February, we've been in conversations. I would say it's very early days on open banking. The way we approached our comments was really to think through the risks that we think are posed. Those were aligned with what the government identified in its consultation paper: concerns around consumer protection, privacy, financial crime and financial stability. We focused primarily on the first three, and we talked about potential risk mitigation strategies, both from a regulator perspective and from a more industry-led solutions perspective.
That's how we have framed our thinking on open banking. It's really early days, and we're continuing to have discussions with the government when it asks us to provide some views. However, yes, it's early days and there's still a lot to come.
Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.
Sorry, do you mind if I add to that?
Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.
Symcor provided a submission to that call for papers as well.
Our recommendations really came down to what I had outlined earlier this afternoon in terms of recommendations primarily around privacy by design and security by design. As well, we had a framework to assess all actors in that ecosystem, with the concern potentially being vulnerabilities, essentially the weakest link vulnerabilities, so having an appropriate assessment process to ensure everyone in that ecosystem was maintaining at least a minimum level of privacy and security.
Essentially, what we recommended was ensuring that privacy and security was really cherished above all—so we were thinking about the utility, the convenience of open banking—and also that protecting Canadians was really paramount.
I think that, again, as Marina mentioned, it's early days. It is an important mandate for the government to be considering and looking at, especially with developments internationally. I also believe that it's an opportunity to look at international standards. Again, it's a little bit of go slow to go fast, potentially.
Liberal
Michel Picard Liberal Montarville, QC
Actually the system managed, duplicated data everywhere, and the open banking system concept proposes that we have just one place where the data is, and the exchange of information where the different data needs to be combined and used.... If you have a unique system where you have unique data—at least unique sources—the apparent beauty of it is that you don't look everywhere. It's just in one place. You need a very sophisticated security system to avoid a breach, because if you are breached, you lose everything. Is it a calculated risk?
Vice-President, Banking Transformation and Strategy, Canadian Bankers Association
I think you've hit on, absolutely, what our key concerns were as the Canadian Bankers Association around cybersecurity and financial crime more broadly in the context of open banking, where, as you know, the customer consents to have their personal and financial information transferred to another provider, whether it's a bank or perhaps a fintech that's not as stringently regulated as banks.
Once that happens, and if that information then goes further down the line, the third party provider provides it to another party, we worry about both the increased connectivity and the proliferation of entities having access to the data. That definitely makes it harder in the case of a cyber-attack to determine your points of vulnerability, number one and number two. Again, not all third party providers will be regulated the same way.
We were pleased to see in the budget this year the announcement of the cybersecurity legislation forthcoming, but we worry about entities that might not be subject to comprehensive regulatory oversight on both privacy and on cyber.
Liberal
Michel Picard Liberal Montarville, QC
Ms. Shea, in your opening remarks you mentioned the word “trusted” many times. What are the criteria for someone to be a trusted supplier? In business, there's no such thing as trust—
Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.
So—
Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.
The term “trusted provider” to me is really that you have a commitment to what your values and standards are right from the get-go, and that you have support from the top of the organization all the way to every layer.
Essentially, that's necessary to actually do what you promise to do. It's not enough to just have a statement or a policy saying you're going to protect privacy. You really need to have the infrastructure, the communication, the buy-in across everybody who is involved in delivering a service. They need to understand, number one, what their goals and obligations are, and number two, that they have the tools to be able to execute on those things. That really requires a commitment. It requires understanding across the entire organization, and understanding really comes down to making things simple and easy for anyone to be able to understand what they have to do to achieve that trust or to achieve that commitment. In this case, we're talking about privacy, so what does that mean? It means making everyone understand.
At Symcor, we did this by implementing a set of data values. We have a set of data values that stand for privacy, accountability, compliance and trust, and we leverage these values to be able to communicate to everyone. It's not just a bunch of things that are buried in a policy. These are the things that you commit to doing every day. That communication is enforced through a lot of interesting and fun activities. We host an annual data privacy day, where we have quizzes and games. We have training. Our data values are actually represented by a little mascot, which is actually an owl. He's quite popular across the organization. People look forward to his little notes and messages.
It's about doing what you say you're going to do, and then standing behind it with the commitment, whether it be a financial commitment, because it does require that level of commitment as well—
Conservative
The Chair Conservative Bob Zimmer
Thank you, Monsieur Picard.
Next up, for five minutes, is Monsieur Gourde.
Conservative
Jacques Gourde Conservative Lévis—Lotbinière, QC
Thank you, Mr. Chair.
I'd like to thank the witnesses for being here today.
In this digital ID universe, I think Canadians not only deserve, but also have the right, to know that their personal information will be kept confidential. I'm concerned about digital data being stored outside Canada, where the data would be subject to foreign laws, not Canada's.
Do you think Canadians' digital data should be stored in Canada so we can more easily address problems that arise in the future, or can we assume foreign laws are comparable to Canada's and thus we have nothing to worry about?
General Counsel and Vice-President, Canadian Bankers Association
I'll have Ms. Mandal speak to the actual data component of digital data, but in regard to the requirement that information be kept secure, as I said earlier, our privacy framework enables us to have data in Canada and outside Canada provided we have appropriate contractual and other measures to ensure the same level of safety.
Vice-President, Banking Transformation and Strategy, Canadian Bankers Association
On the data point as it ties into digital ID, I want to make sure we understand. I know you've heard from SecureKey, and I'm using SecureKey as an example because they are a live, private-public sector partnership that is in market.
The triple-blind authentication they talked about means no one has actually seen data. Let's say I go to the bank, or I use my bank credentials to log in to the CRA. The bank doesn't know that; the CRA doesn't know who my bank is, and SecureKey doesn't see any of that. The way the technology works is that no one is seeing anything. It's all done in such a way that, obviously, I am opting in, I am consenting, or I am proactively using the product. Digital ID isn't that flow of data back and forth; it's not the open banking situation. It's really just the authentication and attribute validation components of it.
Conservative
Jacques Gourde Conservative Lévis—Lotbinière, QC
Earlier, you recommended that these new technologies be implemented within an appropriate time frame to make sure they are useful and work well. By time frame, do you mean one to three years, three to five years or 10 years?
Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.
I just want to make sure I understand the question. It's about the horizon to implement technologies in a safe way.
I believe it's an ongoing process, so I don't necessarily believe there's a specific time element tied to this. Technologies are not all on an equal playing field right now. Some are much more mature than others. If you look at large players that have invested significant amounts of time, energy and funding into those technologies where there is history, those are things that could be more readily adopted.
I would caution, however, as new technologies come to market, that we need to have an effective way to do proper assessment to ensure that those technologies are achieving the actual goal. That goes beyond just privacy and security to ensuring that the utility and functionality are doing what was originally intended. I believe it's not one size fits all. There could be a tiered approach to doing an assessment of technologies in terms of established technology in the marketplace versus ones that are emerging.
Conservative
Jacques Gourde Conservative Lévis—Lotbinière, QC
In terms of conducting effective assessments, should these new technologies be deployed gradually, starting with a single sector, city, region or province, say, as opposed to the entire country, so as to avoid the kinds of problems that arose with other services?
Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.
That's an excellent recommendation. Essentially, if you assess once, you can apply it multiple times, and that's an important efficiency play. As I mentioned earlier, Canada Health Infoway has a structure whereby they certify a technology. This essentially enables others to leverage that technology within the health care industry without having to do the same assessment over and over again.
Vice-President, Banking Transformation and Strategy, Canadian Bankers Association
I can add to that. I completely agree that is a great idea. It's a way to iteratively test without putting customer information at risk. To flag a couple of places where it's happening, in New Brunswick the government has rolled out digital IDs—I'm specifically talking about the technology around digital ID—only on a pilot project basis. In British Columbia, I believe that's the intent as well.
Illinois is using digital ID specifically for tracking who's licensed to be a doctor, so there's that kind of use case as well. Maybe the need is very high there for whatever reason. There are use cases based on the technology used, as well as those based on the type of identification authentication problem you're trying to solve for.
