Evidence of meeting #142 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session.

Also speaking

Marina Mandal  Vice-President, Banking Transformation and Strategy, Canadian Bankers Association
Della Shea  Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.
Angelina Mason  General Counsel and Vice-President, Canadian Bankers Association

4:20 p.m.

The Chair Conservative Bob Zimmer

Thank you, Mr. Gourde.

Next up, for five minutes, is Mr. Erskine-Smith.

4:20 p.m.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thanks very much.

I have some questions about digital ID, but my first question is more privacy focused.

On October 24, I made a purchase at the Ontario Cannabis Store, and it took weeks for the purchase to be delivered because the Ontario provincial Conservative government can't even sell weed right. Eventually it arrived, and it was recorded on my credit card statement. That's fine. I'm a Canadian citizen. It's legal to purchase cannabis online, as it ought to be. It's not legal in the United States though, so we hear stories about Canadians crossing the border and being asked if they have consumed cannabis in their lifetime, because it remains a crime in most places in the United States.

What assurance do I have as a Canadian that the credit card statement that acknowledges my transaction of a licit purchase in Canada but an illicit activity in the United States is protected and secure, and that my privacy is safe?

4:20 p.m.

General Counsel and Vice-President, Canadian Bankers Association

Angelina Mason

On that point, if you're talking about where that transactional data information is housed—let's say for example it is housed in the U.S.—the only way that data could be accessed for the purpose of seeing whether or not you are meeting this question would be through a formalized warrant process under the Patriot Act.

I don't anticipate that as being something that would be a real problem. I don't think it would be applied that way. That legislation's really intended to address cases of national importance, not an individual's particular use of a substance. I don't see that being something that would be of concern.

4:20 p.m.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Have banks turned their minds to the question, when Canadians are engaged in legal activities here that are illegal where we would commonly travel, like the United States, of ensuring that the records of those activities are not liable to be accessed by American authorities in any way?

4:20 p.m.

General Counsel and Vice-President, Canadian Bankers Association

Angelina Mason

Just to clarify that, we would have contractual protections to ensure they're not shared, although there would be the possibility that you could have a proper warrant served in that country. However, I can't anticipate that a warrant would be served in that context, because if it were something so significant as to come under the Patriot Act, I would imagine it to be something in the nature of a national crime, not an individual, one-on-one use.

4:20 p.m.

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

I'm less worrisome, in all probability.

With respect to digital ID, in your opening comments I noted you are ready and willing to help the Government of Canada. We had Alex Benay in front of us and he spoke about federated digital ID as well, and some steps they've taken toward that. From the perspective of the Canadian Bankers Association, what are the next steps that have to be taken to get us closer to this federated digital ID?

4:25 p.m.

Vice-President, Banking Transformation and Strategy, Canadian Bankers Association

Marina Mandal

What's extremely important is the work being done by DIACC on the pan-Canadian trust framework, PCTF. For a lot of the questions that have been asked so far by this committee and the things we have spoken to—privacy, data security, standards that operate across borders, transparency of governance, open standards—the intent is to have them be worked out and put in place through the pan-Canadian trust framework.

In terms of timeline, the anticipated completion of the trust framework is next year. There are discussion drafts that are being produced right now for public comment, so targeted for 2020.

That's a crucial first step. The standards include privacy by design, so there are 10 principles underlying a digital ID ecosystem.

The other great thing about the DIACC pan-Canadian trust framework process is that you have different levels of government at the table, different private sector players at the table, and technology companies that could help build a solution from a tech perspective. That creates the interoperability.

On principle, the federal government is in the process of developing, or is intending to develop, with, I think it's Sign-in Canada, its own digital ID solution, but you have SecureKey's digital ID solution, which also is intended to meet what the PCTF will look like. That allows the federal government, for instance, or a provincial government, to say that you can use either. If you go to New Brunswick right now, where they're running pilot projects on digital ID, you can log in to the New Brunswick pilot project by entering either your New Brunswick government-issued digital ID or your SecureKey Concierge digital ID.

To me, that is the immediate next step. Another broader part of it, where the Canadian Bankers Association has been playing a role, is just socializing the concept, ensuring, as one of the MPs just said, that Canadians feel safe. They need to understand the product, because Canadians hear about cyber breaches all the time. That's also the educational and promotional part of digital ID.

4:25 p.m.

The Chair Conservative Bob Zimmer

Thank you, Mr. Erskine-Smith.

Next up for five minutes is Mr. Kent.

4:25 p.m.

Peter Kent Conservative Thornhill, ON

I'd like to continue on that point. One of the challenges in Canada, unlike Estonia, is public skepticism about the protection of on one hand their health records and on the other hand their financial records. That's with regard to the CRA, not necessarily with banks, although as Mr. Angus said, certainly fraud is an increasing problem and there are any number of ways. Although the banks have countered it quite effectively, I too have had credit card breaches where the bank has notified me within minutes of an attempted use of a card and its number.

Would the private sector recommend pilot projects on a fairly limited, even a semi-regional basis, given the fact that generationally we have Canadians who do not use digital devices to any great extent at all, even with regard to still insisting that there be a human teller at their bank and that their transactions be conducted on paper? Would you recommend a scaled-down, fairly narrow pilot project, unlike New Brunswick, but perhaps urban centres first, in a certain reduced way?

We've seen in Ontario, for example, in Toronto, an inability to implement the digital exchange of medical information between GPs, specialists, hospitals, clinics and so forth. They've been talking about that for 20 years now, and it's still an incomplete, imperfect project. Would you suggest pilot projects in one particular area? It could be health care or CRA-related, but again, on a very limited scale, could developing a success model give confidence to more resistant demographics to embrace and to engage?

4:30 p.m.

Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

Della Shea

I believe doing a pilot makes practical sense for a number of reasons. Just the sheer scale of trying to onboard folks and communicate and educate individuals about what this means would be untenable.

In terms of conducting a pilot, however, I would urge that it be on an opt-in basis, for the purpose of developing something with the intention of iterating, so ensuring that you're not trying to bite off everything and be perfect, but just beginning that engagement.

It would also be a really practical way to start introducing the concept, especially if it's set out so it's an optional activity where the folks in charge of developing the solutions would take that information. Having that public engagement would be an interesting model, but certainly knowing and understanding going in that it would be an iterative process would be important.

I believe that's really what privacy by design principles are really about. It's about understanding what the requirements are up front, then all along the way it's going back and checking whether we met those initial requirements and met that intent. Then it's taking that feedback and iterating again and again.

4:30 p.m.

Vice-President, Banking Transformation and Strategy, Canadian Bankers Association

Marina Mandal

Thank you.

I want to underscore that on the public skepticism point, I agree one hundred per cent. We talk a lot about innovation these days, definitely in the banking industry, and obviously this committee has been looking at digital transformation in the government context. Crucial to consumer trust is knowing that primarily, the privacy data security will be protected.

That's our starting point. Part of building that, as I referenced earlier, is this public education role that I think the public sector and the private sector have. It is explaining to people that digital ID isn't a company you just heard of, SecureKey, handing over all your data. They are not actually seeing it, right? Going through that explanation process using as plain language as possible is very helpful.

Then, we need to ask whether the people in the ecosystem are abiding by the standards and principles. Can everyone agree on them, and are they at a high enough level?

There's a difference between having a bank, or a telecommunications company or a provincial or federal government authenticate you online versus Facebook or any other social media company, solely because those are self-created identities. There's no fundamental, government-issued identity underlying that.

When you talk about digital ID and parsing out public appetite, it's just going to be public appetite as well, based on who you're bringing to the ecosystem, what kind of products they are offering, and the optionality and convenience for the consumer.

4:30 p.m.

Peter Kent Conservative Thornhill, ON

In the case of the New Brunswick parallel projects, the two approaches, is there any early evidence that would give a taste of the user satisfaction?

4:30 p.m.

Vice-President, Banking Transformation and Strategy, Canadian Bankers Association

Marina Mandal

I couldn't find much information on it. It seems to be a fairly closed pilot project that's just beta testing the technology on both sides: the New Brunswick government's technology as well as the SecureKey Concierge, which has been in place for a while.

I'm sorry. I didn't quite respond to the pilot project point.

It's interesting. You have heard from both me and Ms. Shea today about the importance of pilot projects in use cases, but if you take something like SecureKey Concierge, about seven million to eight million users are now signed up to the system. It started in 2012, so in seven years that's a significant part of the Canadian population. You never know with a pilot project how it might take off and really demonstrate a broader social desire for something that, frankly, makes Canadians' lives easier.

4:30 p.m.

Peter Kent Conservative Thornhill, ON

Again, though, it's selling the cost-benefit concept.

4:30 p.m.

Vice-President, Banking Transformation and Strategy, Canadian Bankers Association

4:30 p.m.

The Chair Conservative Bob Zimmer

Thank you, Mr. Kent.

Next up is Ms. Vandenbeld, for five minutes.

4:30 p.m.

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

Thank you very much for sharing your expertise with us today.

I think it was you, Ms. Shea, who talked about the fact that there will be cyber-attacks, and that one of the best ways to get around that is by sharing intelligence.

Who did you mean in terms of sharing intelligence?

4:30 p.m.

Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

Della Shea

I believe the concept of sharing intelligence is going to be increasingly important, and sharing intelligence across sectors is going to be something that will be very important to consider.

Within various industry sectors there are limitations in terms of information being shared. At Symcor we have a limited use case around providing the capability for our clients to do limited information sharing for the purpose of detecting fraud, not cyber-attacks—that's something we'd like to get to—but fraud. The intention is really to have a locked-down, controlled process that is very focused on the intent of that use case, which is to get ahead of those bad actors before the event, or the effect of that event, actually happens.

Certainly public-private partnerships are an area of discussion south of the border. Having a framework to be able to share that intelligence with that purpose will be increasingly important.

Overlaying that, however, is having strong privacy governance and oversight, because often there is this tension between security.... We need as much information as possible for the purpose of getting ahead of the bad actors quickly, but I think there is definitely a point in the middle that can be met. It's about enabling increased data sharing, but under a privacy governance umbrella.

4:35 p.m.

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

Moving from the private sector to government, how would that work? As you've indicated, sharing anything, even between departments, let alone between government and the private sector, could raise a lot of privacy concerns. How do you ensure that you're sharing information for the purposes of keeping out or learning what the bad actors are doing, so that you can secure your systems, without creating those access points to share information?

4:35 p.m.

Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

Della Shea

It definitely requires a layered approach from the infrastructure to be able to do this. Having security privacy embedded into that design is really critical. Certainly in the Estonian model there is discussion around the use of blockchain as being a potential opportunity to enable that. Dr. Cavoukian has discussed the importance of having privacy by design embedded into that, and not assuming that would take place.

The other layer is also around the legislative framework and being able to enable that sharing, but again, it's very use case specific. I must stress that trust will underpin everything, and having a legitimate, purposeful, reasonable reason to do this data sharing is going to be absolutely critical. The implementation is really going to be about the standard people, process and technology in ensuring that you have that ongoing process to keep it working.

4:35 p.m.

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

Do you want to respond to that at all?

4:35 p.m.

General Counsel and Vice-President, Canadian Bankers Association

Angelina Mason

There can be sharing that doesn't involve personal information. The banking industry has had a number of public-private partnerships over the years whereby we shared threat intelligence, so you can actually share the types of cyber-threats we're seeing.

With the introduction of the Canadian Centre for Cyber Security, we see that as the hub that will then build on these types of initial partnerships and make them much broader, so sharing between the private sector and the government. Then, also, there is the added benefit of sharing internationally.

We are very much looking forward to participating in that hub.

4:35 p.m.

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

How would emerging technologies impact this? I'm thinking in particular of artificial intelligence. Is this an area where artificial intelligence could be applied in order to be able to detect those types of threats?

4:35 p.m.

General Counsel and Vice-President, Canadian Bankers Association

Angelina Mason

Absolutely. This is all about connecting the dots, so the more you can harness artificial intelligence to do the analytics to make those connections, the better.

4:35 p.m.

Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

Della Shea

I totally agree with Ms. Mason. Artificial intelligence and machine learning are technologies that can actually enhance privacy, because they take out that human element.

I also would like to reiterate the importance of having that use case and staying very true to the use case. There isn't going to be a one-size-fits-all opportunity, so you need to ensure that you have a framework, and that for each and every use case you want to undertake, you have a way to guide it from beginning to end.