Evidence of meeting #27 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Chantal Bernier  Counsel, Privacy and Cybersecurity, Dentons Canada
Monique McCulloch  Director, Access to Information and Privacy, Shared Services Canada
Maxime Guénette  Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
Marie-Claude Juneau  Director, Access to Information and Privacy, Canada Revenue Agency

11:55 a.m.

Liberal

The Vice-Chair Liberal Joël Lightbound

It is now Mr. Bratina's turn.

October 6th, 2016 / 11:55 a.m.

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

Thank you.

I was distracted earlier on from some of the testimony, because an old acquaintance, an architect who works on projects around the world, replied to my request to his email, “It's phishing. Get rid of it.” I had to change my password.

In light of that, Ms. Bernier, the technology is constantly evolving. You're part of a really huge organization. It's governmental in size, I would say.

11:55 a.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

It's the biggest law firm in the world.

11:55 a.m.

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

Are you able to compare the kind of security that your firm has to provide with what you know of the Canadian government?

11:55 a.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

I would say that we have to be even more careful, and we are even more careful, first of all because our information is solicitor-client privileged. It is therefore protected not only as personal information but also by the duty of confidentiality towards our clients.

Secondly, because we are worldwide, we have to make sure that we have worldwide protection. At the same time, the advantage of being worldwide is that we have the same footprint as our clients. Our clients love the fact that they can come to just me, yet I can connect to the whole world to respond to their issues as they occur in the whole world. We therefore need interoperability and that interoperability must be secure.

Obviously we pride ourselves on having that extremely secure environment that is governed by a very sophisticated governance architecture, as you will imagine, that allows us to be truly well coordinated and yet completely secure.

Noon

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

Why shouldn't we be able to provide the same level of confidence to the people who deal with the government?

Noon

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

Having investigated government organizations for six years, I do have quite a bit of sympathy. In fact it's interesting, because the audit that Mr. Guénette was referring to is an audit that I actually supervised. While we made recommendations for improvements, we were very much aware of their challenges.

There are 400,000 employees, do I have that right?

Noon

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Maxime Guénette

No, it's 40,000.

Noon

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

You see? In my empathy I made the number bigger.

Noon

Voices

Oh, oh!

Noon

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

There are 40,000 employees of various levels who need to reply to people who call from everywhere, as Monsieur Dusseault was saying. They need to reply, so they need to have access to the files, yet it has to be controlled. It can't go out. It's sensitive information. That's the first complexity, that it's operational, with so many people at so many levels.

The second complexity is that the government does want to have access to some of the information. For example, we know that “follow the money” is key to uncovering illegal activities. That means there has to be some authorized access in spite of all the protections. That's another complexity.

Then, with 400,000 people in the public service—this number is correct—that's a lot of people to monitor. That's a lot of people who could have a grudge, who could have some malicious intent. I've seen lots of them. I haven't seen them only in government. I've seen them in the private sector as well. If you look at the internal threats to data security and the external threats to data security, you realize that the risk is very high.

One advantage we have in our law firm, since you made the comparison, is that we're all lawyers. We are all lawyers who have a vested interest in this business flourishing, and therefore we have a culture that favours, that helps, data security. In the government, however, you can have a disgruntled employee. You don't have an employee who at the same time has a personal investment of money in the business. You have different contingencies to contend with.

I can tell you about one agency for which I have a lot of sympathy. It was also very operational. Their main challenge was their disengaged staff. Because the staff was disengaged, the staff did not exercise the proper discipline that they should have.

Noon

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

Is there more time?

Noon

Liberal

The Vice-Chair Liberal Joël Lightbound

No. We'll have some more time at the end, most likely.

We're now going back to Mr. Kelly.

Noon

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Thank you, Mr. Chair.

We had quite a discussion in our previous meeting around the mandatory reporting of privacy breaches. I'll give each of you a minute to comment on what you think about thresholds and what would constitute the type of material breach that would necessitate the mandatory reporting to the commissioner and how to mitigate against additional harm to an individual that may result from the act of reportage.

Noon

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

This is a case where PIPEDA is a good model to follow. I think the government got it right in PIPEDA for mandatory breach notification. That means, first, it is only notification where there is a real risk of significant harm. You don't want to alarm people for nothing.

Noon

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Indeed.

Noon

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

The harm could be either moral or financial. It could be to reputations or to relationships, but you need to take into account significant harm.

The obligation to notify is not specified in a specific timeline. It is as soon as possible, which I believe speaks to due diligence yet does not constrain the organization in what are technologically more defined delays than what could be specified in law. Also, the notification must go to both the affected individuals and to the Privacy Commissioner.

To go to your last point, how it helps is that when you notify individuals then you empower them to take measures to protect their personal information.

12:05 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Ms. McCulloch.

12:05 p.m.

Director, Access to Information and Privacy, Shared Services Canada

Monique McCulloch

Sometimes, for institutions, defining a material privacy breach tends to be a challenge. One institution will deem something a material breach and another will not. I know additional standardization is an ongoing effort across the government.

Because the level of sensitivity is discretionary, you could have something that is extremely sensitive but implicates only one individual, whereas you could have something of very low sensitivity that implicates hundreds, sometimes thousands. It's left to the discretion of each institution to determine whether something is deemed to be a material privacy breach, and to therefore notify the Privacy Commissioner's office, as well as the Treasury Board.

12:05 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Is there a need for more clarity?

12:05 p.m.

Director, Access to Information and Privacy, Shared Services Canada

Monique McCulloch

At times, for standardization across the government, in my view, yes. There could be some value added with more benchmarking and more criteria.

12:05 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Thank you.

12:05 p.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Maxime Guénette

Obviously, the Canada Revenue Agency takes into account the sensitivity of the information that's disclosed in assessing the severity of the breach. We have medical information, financial information, and personal identifiers like social insurance numbers. Those kinds of things would very obviously trigger the reporting of a breach, anything that could lead to the risk of identity theft or fraud.

However, to your point, and to speak a bit to what Madame McCulloch was alluding to, there are different types of breaches. One type of breach we see a lot at the CRA has to do with misdirected mail. The volume can appear to be high from an absolute number perspective, although I would flag that from a percentage point of view, given the 110 million pieces of mail that we move in a year, it is less than 0.001%. However, a piece of correspondence that went to the wrong address, wasn't opened, and was sent back to us is something we log as a security breach internally. This isn't something that would warrant flagging to the Privacy Commissioner.

A security breach that has to do with an employee willfully accessing taxpayer information outside his normal duties is treated very differently. If I'm not mistaken, the 20 or 21 cases that were flagged with the Privacy Commissioner all had to do with wrongful access to taxpayer information by employees. There's quite a range, and different departments' business would very obviously be quite different. There is a certain amount of flexibility, which is built into the current framework, that's useful.

12:05 p.m.

Liberal

The Vice-Chair Liberal Joël Lightbound

Thank you.

Ms. Dzerowicz, you have the floor for five minutes.

12:05 p.m.

Liberal

Julie Dzerowicz Liberal Davenport, ON

Thank you, Mr. Chair.

Thank you very much for the informative presentations.

I wasn't going to ask this, but Mr. Long asked some excellent questions that triggered it. In my riding, when I go door to door and talk to people, it seems there is this belief that the government collects data around web activity and cellphones. At first I thought they were just worried about Bill C-51 and the type of data that was being collected and then moved between the RCMP and security, but I think there's a general belief out there. I can't tell you that hundreds of people have said it to me, but there is this belief.

I know that you've mentioned that government cannot use personally collected information unless it meets the necessity test, but does it actually collect that information? I just want to get a sense of whether I need to say to people, “No, you're just reading too much conspiracy-theory type stuff.” Could someone answer that? I'd like to be able to honestly respond back to people.