Good afternoon. I would like to thank you, Mr. Chair, and also the members of the committee, for the opportunity to speak with you today on such an important topic and to share perspectives as the government endeavours to understand how to improve services for Canadians while also protecting their privacy and their security.
My name is Della Shea. I am the Chief Privacy and Data Governance Officer at Symcor and I offer my comments this afternoon based on approximately 20 years of experience leading internationally recognized data privacy and security programs at Symcor.
For those of you who may not be familiar with Symcor, we are one of Canada's leading providers of business process outsourcing services to the financial services sector. We offer a diverse portfolio of traditional and also digital services, including payment processing, statement production, document management and also fraud analytics. We also provide services to other organizations in retail, utilities and telecommunication sectors and more recently also to some governments. We have close to 2,000 employees, who work across Canada.
You've asked how government can improve services for Canadians while also protecting their privacy and their security. In addressing this question I'd like to share some of my insights as well as experiences gleaned from actually embedding privacy and security into our services at Symcor.
In this regard, my comments will focus on establishing and maintaining trust, and specifically on three core tenets that underpin trust: first, privacy by design and data stewardship; second, the role of trusted service providers in a digital ecosystem; and third, a consistent legislative framework. I will address these in turn.
First, as many of you and members of the privacy community are aware, the concept of privacy by design calls for privacy to be taken into account throughout the planning and service delivery process. In short, privacy must be an organization's default mode of operation. Governmental bodies will have to take a similar approach. My recommendation is to establish controls on the way governments design their systems. The privacy by design framework should be used in order to embed privacy into operations.
A second concept closely related to privacy by design is data stewardship. Data stewardship and being an effective data steward is about actually operationalizing the accountability model that has been set forth under Canadian privacy legislation. As Canada's privacy commissioners have highlighted, it is about the clear acceptance of responsibility for the protection of personal information under their control.
As the government considers its approach to rendering services to Canadians, I would urge the adoption of a data stewardship model. At a very practical level, this means maintaining accountability for protecting Canadians' privacy and security.
Next, I would like to briefly touch on the critical role of a trusted service provider in the digital ecosystem. The shift to platforms and ecosystems has already happened. This represents the future for all organizations, including governments. The new digital ecosystem has brought the opportunity to create new and innovative operating models and new partners, intermediaries and also collaborators.
Under the Canadian private sector privacy legislative framework there is an elegant rule that organizations are responsible for the personal information in their custody and control, including when this information is also transferred to third parties.
It is critical for government to establish a working model that consists of trusted service providers and intermediaries in this digital ecosystem. This will consist of a model whereby organizations are held to a consistent standard to minimize the likelihood of systemic vulnerabilities, but more generally to provide confidence in the digital ecosystem and digital service delivery.
In a similar vein, as a matter of gaining and maintaining public trust, there must be consistent and robust privacy rules for the private sector and the broader public sector for data processing activities, to avoid any gaps in privacy coverage.
In short, all players in the digital landscape, both private sector and public sector, need to be following consistent and robust privacy legislation. The role of government will be fundamental in establishing consistent, robust privacy rules applicable to the digital ecosystem.
This brings me to my conclusion. The data strategy road map for the federal public service published last fall outlines a comprehensive vision to overcome silos and leverage data as a valuable asset. I applaud the government for embarking on this study to consider privacy and security as it undertakes this journey.
I would encourage the government to design a maturity model that will scale to the future, one that not only considers privacy and security at the foundational level of digitizing government services but also contemplates a fully digitized society where everyone and everything is connected to a fluid and ever-expanding ecosystem.
Thank you. I look forward to your questions.