Information & Ethics Committee on Oct. 6th, 2016

Nobody does it ideally. The remedies you referred to are very fragmented. For example, the passenger protect program does have a remedy whereby if you are stopped because of the no-board list—we've all heard about the seven-year-old boy who was denied boarding because he happened to have the same name as someone who's on the list—there is a remedy process. It takes a very long time, but Minister Goodale has already announced that they're looking at addressing that. In fact, it is part of the green paper “Our Security, Our Rights” that is being put to consultation.

My answer to you is that, sadly, I cannot answer because the level of transparency that would be needed to know the answer to your question is simply not there. Every country must step up.

Since this was something that happened at a very high level, I'm going to ask Ms. Juneau to explain the details of the relevant procedure.

There is indeed a procedure within the Agency. We work with the Agency's security officer, who is our first point of contact. Incidents must be reported to that person, and that person must prepare a report.

A bit earlier, we spoke about the criteria we use to assess how serious the breach is. Ms. Juneau is consulted to determine whether there has been a breach of privacy, and if there has been, the measures to be taken are discussed. If the risk evaluation matrix provides for it, we contact the taxpayer. That's part of the steps to be taken.

Ms. Juneau, would you like to add something on the subject?

Yes, certainly.

As Mr. Guénette just mentioned, the Agency follows a well-established process for reporting all types of incidents. Following an incident, the Security and Internal Affairs Directorate conducts an investigation and sends us its findings. The question to be determined is whether there's been a security breach. If there has been we report the breach to the Privacy Commissioner. We also have a disciplinary framework at the Agency. Based on that framework, we verify how the breach was reported, and whether a disciplinary measure is applicable in such a case.

As for what we do to mitigate the impact of security breaches, I will come back to the example you gave concerning the CBC. When the incident occurred, what we did in terms of access to information and privacy measures was to verify the processes implemented by the Agency, and determine where surveillance or review could be enhanced with a view to preventing such a situation from recurring.

Another process was developed too. A private firm verified whether our processes were indeed adequate, and whether there were still shortcomings. Following that audit, the firm made a few recommendations. The measures it recommended were mainly about systems, system audits, and quality assurance. We have implemented those procedures, to prevent such situations from recurring.

Thank you very much for the question.

Mr. Chair, two types of actions were taken in that regard. One is more technical, and the other is about employee education.

From the technical standpoint, we're continuing to implement measures. In fact, I alluded to them in my preliminary remarks. They have been and are continuing to be put in place, in order to better document and control employee access to Agency databases and applications. As I was mentioning, reviews are done twice a year, to ensure that if there are changes to the duties of certain employees, and access needs to be reviewed, it's done.

Improvements were also made so that an "audit trail" can be created in the National Audit Trail System. This makes it possible to detect accesses not tied to certain duties, and to notify managers of those accesses. So measures were put in place so that managers can receive automatic notifications of this kind. For example, I might need to speak to Ms. Juneau because I received an indication that she accessed some information that doesn't seem to fit with her duties. Several applications are subject to this type of audit.

Yes, they're in operation, but they continue to be improved. We anticipate the work will be finished in 2017—that is, by the end of next year. Those are the more technical elements.

However, since that 2009 audit, a lot of emphasis has been placed on employee education. We have certain data that enables us to identify the cases where privacy breaches are reported the most. This is because, as you were saying, what needs to be reported is now clear to employees, compared to the situation five years ago. There's the Integrity Code, to which I've referred. There's also the Integrity Framework. Added to that are the communication initiatives we've implemented, and mandatory training. There are several indicators on our performance management dashboard. As Chief of Privacy, I must check on the extent to which employees are doing training, and the extent to which they're consulting the available information. For example, we recently made a video available. Based on the most recent numbers we have, it was viewed more than 12,000 times by employees. The video explains the kinds of privacy breaches that can occur inadvertently.

All this to say that a major communications effort has been made in this regard, and certainly must continue. We see—and I think the data support this—that there is now a better understanding of the importance of protecting personal information, of what can constitute a privacy breach, and of the procedure to follow so these breaches can be identified when they arise.

Obviously, it's my successor who is now keeping track of the subject, and he is the one who can answer this question. I can only speak to the situation up until June 2014. At that time, I was very convinced that the Agency was taking our recommendations very seriously. The recommendations identified shortcomings, but these were taken seriously. I can't discuss the current situation, but when I was present, I was seeing a real effort on the Agency's part.

The Personal Information Protection and Electronic Documents Act would have to be amended to create a separate part, because the statute applies to the private sector, and is based on the consent paradigm, as part of business activity. In other words, I give my personal information in exchange for a good or service. That is not at all what is happening when information is given to a political party.

PIPEDA should be expanded to include all non-governmental relationships. It should contain a part applicable to business activities, which is the case at present. This covers situations where personal information is imparted in a transactional context. There should be a part applicable specifically to political parties.

Thank you for this very good question, but unfortunately, I don't have the answer. I will do some research and ensure the answer is sent to the committee in the coming days. I apologize.