Evidence of meeting #27 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Chantal Bernier  Counsel, Privacy and Cybersecurity, Dentons Canada
Monique McCulloch  Director, Access to Information and Privacy, Shared Services Canada
Maxime Guénette  Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
Marie-Claude Juneau  Director, Access to Information and Privacy, Canada Revenue Agency

11:40 a.m.

NDP

Pierre-Luc Dusseault NDP Sherbrooke, QC

In short, if the information of millions of taxpayers who use the service were in the hands of an unauthorized, malicious person because the My Account program is not secure, there is no measure for compensating citizens whose data has been stolen?

11:40 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Maxime Guénette

That's my understanding.

11:40 a.m.

Marie-Claude Juneau Director, Access to Information and Privacy, Canada Revenue Agency

Indeed, there are no measures of that kind at this time. There is nothing to that effect in the Privacy Act.

If we lost information, or if information were compromised, we would act in accordance with the current statute. If the recommendations on the subject suggest something different, we would have to see how the Agency would react in such a situation.

11:40 a.m.

NDP

Pierre-Luc Dusseault NDP Sherbrooke, QC

Thank you.

I'm going to broach another subject.

The Privacy Commissioner also recommended that the coverage of the Privacy Act be extended to other federal government institutions—ideally, to all of them. It is proposed that the PMO and ministers' offices be included within the ambit of the Act as well.

At our last meeting, we heard representatives from British Columbia, Nova Scotia, and Newfoundland and Labrador. I asked them whether their ministers' offices and their premier's office are subject to the Act, and to my great surprise, all three of them answered yes. I wonder whether this is ideal and feasible. Ms. Bernier will be able to answer this question.

Upon visiting several government Web sites, including the PMO Web site, citizens are asked to provide their email address so they can receive government updates. It's nothing partisan, but data collection is involved. Would it be appropriate to make this subject to the Privacy Act?

11:40 a.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

Definitely, and for several reasons.

First, there is currently a legal vacuum with respect to this type of personal information held by politicians' offices and political parties.

I've read this committee's previous studies. You discussed the question of whether political parties should be subject to the Privacy Act. I won't get into that, because it's not the subject of your question.

To answer your question, I would say that it would fill in a legal gap if ministers' offices were made subject to the Act. When a party is in power, it becomes the manager of the state, and exercises state powers. It should therefore be accountable for compliance with fundamental rights and for the constitutionality of state action.

If the Privacy Act were extended to ministers' offices and the Prime Minister's office, it would, indeed, be a positive development.

11:40 a.m.

Liberal

The Vice-Chair Liberal Joël Lightbound

Unfortunately, Mr. Dusseault, your time is up, but we will come back to you later.

Mr. Saini, the floor is yours.

11:45 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Good morning.

The question I have is for Ms. McCulloch, and Monsieur Guénette and Madame Juneau, because you represent two institutions, and because of the amount and volume of information that you contain.

Madame McCulloch, you mentioned that Shared Services covers 43 departments. Do you have any kind of written agreement in terms of the departments and in terms of the agencies? Because now that we have moved from paper records to digital records, there is always this tendency sometimes to over-collect data. How do you prevent that sharing?

11:45 a.m.

Director, Access to Information and Privacy, Shared Services Canada

Monique McCulloch

The Shared Services Canada Act was made very explicit when it relates to the Access to Information Act and the Privacy Act. Shared Services Canada is responsible for managing the IT infrastructure, so managing the shell, but the content—all of the data residing in our data centres, even the content of emails within our networks—belongs to and is still under the control of the partner organization. Shared Services Canada, for the purposes of the Access to Information Act and the Privacy Act, has no control over the data that is residing on the IT infrastructure.

However, we are fully responsible and accountable, and work very closely with the partner institution in ensuring that the necessary privacy and security controls are in place in the management of that IT infrastructure, and when managing privacy breaches. While the data might be under the control of partner organizations—in other words, they would respond to access requests, because it's their data—if there's a breach that results from some sort of unfortunate IT infrastructure incident, Shared Services Canada would work side by side with the partner organizations to ensure that the breach is contained and managed, and the necessary corrective measures are in place. It's a shared responsibility.

11:45 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

You've mentioned there are 23,000 servers across Shared Services Canada. If one person worked in a department or agency, would they have access? Would they have complete access to that information, irrespective of whether it was relevant to their department or agency?

11:45 a.m.

Director, Access to Information and Privacy, Shared Services Canada

Monique McCulloch

No. The partner organizations only have access to the data that is part of their mandated program activities, which is the personal information, as well as all government information holdings that are specific to their departmental program activities.

Canada Revenue Agency, for example, would not have access to the personal data of the Canada student loans program, which is managed by another federal government institution. It's siloed from that perspective.

11:45 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Okay.

11:45 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Maxime Guénette

Mr. Chair, if I may add, in response to the question, specifically for the Canada Revenue Agency, the controls go even further than that. Twice a year, we do have a mechanism whereby we assess our employees' access to relevant applications and portions of the service. Even for Shared Services employees, they're covered by that and have been since the creation of SSC in 2011. They've complied with this ever since.

We do, twice a year, assess whether the job functions have changed, and whether some SSC employees no longer require access to specific servers or databases. That's adjusted on a real-time basis.

11:45 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

You're such an important organization here in Canada, and you must get foreign requests for information. Once that information leaves Canada, how do we prevent that information from being disseminated or divulged in another jurisdiction where we don't necessarily have control? Do you have written sharing agreements with other countries, and how enforceable or how relevant are they?

11:45 a.m.

Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency

Maxime Guénette

There are two parts to that question. We do have about 350 information sharing agreements. About 160 of these are with 46 federal organizations, and those are information agreements to share information across departments, and 186 are with provincial or territorial departments. There are some clearly established provisions in these information sharing agreements that outline the purposes for which the information is being shared and the acceptable use.

As to the extent to which these agreements are enforceable legally, my understanding is that these agreements have more of an MOU-type of reach, if you will. I would hesitate to go further on that, unless Madam Bernier has views on the enforceability of these types of information sharing agreements.

11:50 a.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

Yes, I can certainly complete that in the sense that there are laws about how information can go from one country to another. The tax laws, as you know, are fundamentally international because there are agreements between countries to ensure that tax is recovered. Those are usually reflected in law, with FATCA being the most recent and most publicized example.

It's definitely enforceable. It's definitely accompanied by restrictions, and those restrictions stem from privacy law. In other words, would the federal government send tax information, through a request from, let's say, the French government? It is all subject to the privacy laws here and the privacy laws in France.

11:50 a.m.

Liberal

The Vice-Chair Liberal Joël Lightbound

Okay.

11:50 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

I'll use the 30 seconds. I have one question for you, Madam Bernier.

In PIPEDA, or when you have the difference between the private and public model, you have informed consent where you opt in and opt out. Do you think that is something we should investigate on the public side, also? In 30 seconds or less....

11:50 a.m.

Counsel, Privacy and Cybersecurity, Dentons Canada

Chantal Bernier

No. It goes back to my answer to Ms. Rempel. The pivotal notion of legitimacy in the public sector is necessity. The pivotal notion of legitimacy in the private sector is consent.

11:50 a.m.

Liberal

The Vice-Chair Liberal Joël Lightbound

Thank you very much.

It's time for the second round of questions. This time, the maximum duration will be five minutes.

Mr. Kelly, you have the floor.

October 6th, 2016 / 11:50 a.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Thank you, Mr. Chair.

With Shared Services, I was a little surprised at the low number of requests that the department received, 123 under the Privacy Act, of which 120 were completed before the end of the reporting period. It's not clear to me exactly how long that really is, but it sounds like it's at least within the length of time in which you're expected to complete them.

During our study of access to information, we heard from both your department and other departments—perhaps we didn't hear from yours—that received access requests. We heard repeatedly that compliance was a problem with the resources available, and that backlogs, when they happened, were the result of insufficient resources and other system problems, which we've tried to address through improvements.

Why do you think you have so few requests under the Privacy Act? The first and most obvious thing that occurred to me was whether anybody knows and understands your department and the enormous volume of information handled there. I don't think I had ever heard of Shared Services until I became a member of Parliament. Are there people out there who don't know they ought to be making requests to your department?

11:50 a.m.

Director, Access to Information and Privacy, Shared Services Canada

Monique McCulloch

It connects nicely with my response to the previous question.

It was made very explicit in the Shared Services Canada Act that, for the purpose of exercising rights of access under both the Access to Information Act and the Privacy Act, the data that resides within SSC's IT infrastructure, whether it's the data centres, the email solutions, the networks, is not under the control of Shared Services Canada, but in fact under the control of partner organizations. The access requests, under both acts, must be filed by the government institution that has the mandated program activity, and therefore, overall responsibility for managing that information and making it available.

Shared Services Canada does not have a high volume of requests under the Privacy Act, contrary, for example, to the Revenue Agency or Immigration Canada or ESDC, and other government departments. Their primary bread and butter is the handling of personal information in the delivery of programs and services, such as taxpayer administration and employment insurance, but Shared Services Canada does not deliver program activities of that volume where we handle personal information.

We'll have some personal information in terms of email authentication, IP addresses, that type of administration, but we don't administer federal program activities that hold known—

11:55 a.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Understood, but you are the conduit through which 43 departments, 50 networks, 485 data centres, and 23,000 servers operate.

Many Canadians have concerns about privacy. There are many different ways with which Canadians may be concerned about their privacy, from the careless use by an individual in a department, to cyber-attacks and threats, or errors or negligence, or any of the things that could happen among all of these different networks and servers.

Of the requests that were made to you, are there issues of people being concerned about unreported data loss or that kind of thing?

11:55 a.m.

Director, Access to Information and Privacy, Shared Services Canada

Monique McCulloch

The majority of the Privacy Act requests we receive pertain to human resources matters. It's employees or former employees of Shared Services Canada who are looking for their information.

I think the government, through various means, has made it known that Shared Services Canada manages the IT infrastructure, but that the control of the data for the purpose of individuals to exercise rights of access.... The online tool, for example, makes it very clear that individuals have to direct their requests under both the Access to Information Act and the Privacy Act to the government organization that is responsible for administering that program.

We do receive a certain number of what we call misdirects, but our numbers are not that high on the Privacy Act side. You're absolutely correct.

11:55 a.m.

Liberal

The Vice-Chair Liberal Joël Lightbound

Thank you very much.

11:55 a.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

That's it? Okay.