Evidence of meeting #30 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was rcmp.
A recording is available from Parliament.
12:25 p.m.
Assistant Deputy Minister, Corporate Services, Department of Citizenship and Immigration
It's the same. Of the thousands that we processed last year, we had 55 material privacy breaches. They were all reported to the OPC and to Treasury Board Secretariat, but also the individuals were notified by letter.
If the mandatory reporting meant that we had to provide all of the same private information to the commissioner, then it would, in effect, constitute another privacy breach. We wouldn't be keen on that, but what we do now is an event summary, basically. That's fine.
12:25 p.m.
Conservative
12:25 p.m.
Liberal
Bob Bratina Liberal Hamilton East—Stoney Creek, ON
First of all, Mr. Mundie, I was curious to know whether you thought a wall would be a useful thing to build along the border and how much it might cost, but I'll leave that for later.
12:25 p.m.
Director General, Corporate Secretariat, Canada Border Services Agency
All right. Thank you.
12:25 p.m.
Liberal
Bob Bratina Liberal Hamilton East—Stoney Creek, ON
Is there a typical kind of complaint? You get this great number of complaints and only 88 were filed against you or the Privacy Commissioner. Can you give me an idea of the nature of the complaints that you deal with?
12:25 p.m.
Director General, Corporate Secretariat, Canada Border Services Agency
I know that Dan Proulx can give the answer to that one much better than I can.
12:25 p.m.
Director General, Corporate Secretariat, Canada Border Services Agency
There's a range of reasons. Dan can elaborate.
12:25 p.m.
Director, Access to Information and Privacy Division, Canada Border Services Agency
Yes. The most common complaint that we have today is delay. With the increase in requests that we have, trying to respond to some 11,000 privacy requests a year, the obvious complaint and the number one complaint is time delay. We're taking too much time to get back to the requester.
That said, our time compliance in 2015-16 was pretty good. It was around 88%, but a handful of people still want it to be faster and they file delay complaints.
The other common complaints are obviously against exemptions invoked. If we protect information from disclosure, people want to know why or they challenge our decisions.
The other type of complaint we get is not strictly about processing an ATIP request, if you will. It is about use and disclosure complaints, when people think that the CBSA misused their information. That's another type of complaint that is also common to receive.
12:25 p.m.
Liberal
Bob Bratina Liberal Hamilton East—Stoney Creek, ON
Thanks. That's helpful.
Mr. Peirce, you stated that a number of personal information banks are unique to CSIS, including investigational records and security assessments and advice. How is the data in these banks accessed remotely? Is it a secure flow? Wherever that data is held, how do agents access that data in a secure manner?
12:30 p.m.
Assistant Director Intelligence, Canadian Security Intelligence Service
Access to those systems is always in a secure environment, and we require certification of the environment in which access will be provided. We have to be in effectively a SCIF situation to receive access to a database.
12:30 p.m.
Liberal
Bob Bratina Liberal Hamilton East—Stoney Creek, ON
To our friends from the RCMP, data collected in the field has to move through some sort of chain to get to a secure place. Is that part of the educational nature of what you were talking about earlier in speaking to 750 divisions across Canada about how to deal with that? Is that something you're concerned about and you want to assure is done properly?
12:30 p.m.
A/Commr Joe Oliver
Absolutely. Again I'll go back to the safeguards that are put in place. One of the biggest threats of privacy breaches or information leaks is actually the insider threat. We spend a lot of time with respect to security, screening individuals, and making sure that the right people have access to the right information, and that they are screened at the right level. When it comes to access to RCMP information systems, we actually, in each, have two-factor authentications, so the individual has a password plus a physical token or a key in order to access the data system. Then, the security architecture ensures that it meets certain security requirements, based on the type of information being held. Most of our information is held at the protected A or protected B levels. Then when it gets into national security we will have our classified environment where the security controls are enhanced.
12:30 p.m.
Liberal
Bob Bratina Liberal Hamilton East—Stoney Creek, ON
Ms. Beck, on the notion of foreign nationals, those outside Canada can obtain access by hiring a Canadian representative and filing a request. That's how it's done now. The recommendation was that foreign nationals should be able to submit a request, but you're saying it would just be too cumbersome. The complaint we have is that these agents sometimes rip off people who are making legitimate attempts to become Canadian citizens or who have other issues.
Do you have any thoughts about how that system could be improved?
12:30 p.m.
Assistant Deputy Minister, Corporate Services, Department of Citizenship and Immigration
I guess that's really more of a comment about the access to information legislation rather than about privacy. Is the solution to give them the option to apply under privacy and then it's free, or is the solution to amend the legislation on access to information? For instance, the fee structure is different, or there are different approaches, whether you're making an access to information request as a business or as an individual.
12:30 p.m.
Liberal
Bob Bratina Liberal Hamilton East—Stoney Creek, ON
We hear that resources are often a problem in all of the matters that we're discussing.
12:30 p.m.
Assistant Deputy Minister, Corporate Services, Department of Citizenship and Immigration
Yes, and I would just reiterate that we are trying to put—remember we talked about it last time—more information up online so people can go in and access their own cases. The more we can do that, the easier it will be.
12:30 p.m.
Conservative
The Chair Conservative Blaine Calkins
Mr. Blaikie, go ahead for our final official round of questioning.
Then I have Mr. Saini, myself, and Mr. Long on the list. That should use up the rest of the hour.
Mr. Blaikie.
12:30 p.m.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
I think this question is more for Mr. Peirce and Mr. Oliver.
You guys are in an industry where technology is changing a lot, and you obviously have to keep on top of those technological changes in order to be able to do the job well. One of the issues that has come up in the study of the Privacy Act, because it is from 1983 and hasn't been changed for a long time, is that it is not particularly well adapted to new technology.
Do you have any advice for us on how to recommend that the legislation be changed, not just so that it fits the technology as it is right now, but so that it's a law that continues to apply in the next five years or 10 years when the technological landscape is going to be quite different in a way that it doesn't become cumbersome and challenging for your own operations?
12:30 p.m.
Assistant Director Intelligence, Canadian Security Intelligence Service
I don't have an answer that's going to solve all the problems for the next five years or so as technology evolves. Certainly, though, the broad principles set out in the act are very important for guiding us. We live up to the purpose of the act and not just the specific provisions of the act. We should be enunciating principles and perhaps even modifying the principles going forward in a way that ensures there is a clear idea as technology evolves and touches privacy in different ways. Our practices ought to evolve in the same way with the guidance that we would follow.
12:35 p.m.
A/Commr Joe Oliver
I would support the remarks of my colleagues, but I would also, in relation to one specific recommendation, create a legal obligation with government institutions to safeguard personal information. In the age of information technology, we need to be very mindful of the cyber-threats that exist, and we need to put in place the necessary IT security infrastructure in order to protect that information.
I will also say with respect to this recommendation that the approach to safeguard should be risk-based. I say that because some of the security control measures. If they were consistently applied, and if the measures that are put in place by my colleagues at CSIS were then applied to other government information, the costs would be huge. We need to take a measured approach for risk-based safeguards, based on the type of information being held and based on the threats that exit against that information. Then we must put in place measured security controls that will be cost-effective, but also meet the objective of protecting the information.
12:35 p.m.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
Thank you.
Would anyone from the other departments want to weigh in on that, or is that a good enough answer?
12:35 p.m.
Assistant Deputy Minister, Corporate Services, Department of Citizenship and Immigration
Good luck with that.
I didn't know, but you're recommending or somebody is recommending a review every five years. That will help, rather than every 30 years, to keep it broad and big-picture and to give us wiggle room. We like that too.
12:35 p.m.
Conservative
The Chair Conservative Blaine Calkins
Reviewing it every five years hasn't been a problem. I think getting something changed every five years has been.
We have about 24 or 25 minutes left.
Colleagues, I'll try to keep it around five minutes for the extra time. If you need it, that's fine, but don't feel you have to take it. We haven't heard from Mr. Long yet either. I try to let every member here....
Mr. McLeod, I know you're visiting and sitting in, but if you have something that you'd like to ask, then by all means feel free to participate.
We'll now move to you, Mr. Saini, to finish your line of questioning.
12:35 p.m.
Liberal
Raj Saini Liberal Kitchener Centre, ON
I just want to follow up on a point you raised, Mr. Peirce, on the sharing agreements with other countries. You said they were very specific. If data is shared with another country and that country feels that data of an impending threat must be shared, how does that work? Is there a protocol to inform us that they will be doing this? Do they do it before they share that information, is it done after, or is it not done at all?
I recognize that you have certain protocols in place to make sure that this is contained within the sharing agreement with another jurisdiction, but it may be that this jurisdiction, for whatever purposes in its own political geography, may need to share it with someone else. Is there a mechanism whereby they would inform the department that this information is about to be shared and these are the reasons for it, to seek your permission, or to tell you after?