Evidence of meeting #96 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was estonia.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Liia Hänni  Senior Expert, e-Governance Academy
Raul Rikk  Programme Director, National Cyber Security, e-Governance Academy

10:05 a.m.

Programme Director, National Cyber Security, e-Governance Academy

Raul Rikk

We have actually measured how younger and older people approach this voting process. The statistics are quite interesting. They show that young people take more time to vote, and the elders do it more quickly and efficiently. They don't surf on the voting website, but they follow exactly the procedure that they're supposed to follow, while the younger generation just surf and don't always push the correct buttons. It shows that members of the younger generation know very well how to play Minecraft or how to use Facebook, but not necessarily how to use ID cards and follow official procedures.

10:05 a.m.

Conservative

The Chair Conservative Bob Zimmer

That's interesting.

I just want to clarify who.... I only have three names on the list. I thought I saw more hands over here. I just have Mr. Baylis, Mr. Erskine-Smith, and Mr. Picard. We'd like Mrs. Vandenbeld, as well. Maybe just hold your hands up if I didn't get your names. Okay, so we have Ms. Murray and Mr. Cullen again.

Okay. We'll proceed with Mr. Baylis for up to seven minutes.

March 22nd, 2018 / 10:05 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Thank you.

I have some questions for you, Ms. Hänni. I've looked at this excellent slide and how Estonia has arrived at this very comprehensive system, but obviously you didn't start there. If we were going to think about building something like this, where would we start? Is it the population register, the unique identifier? What would be the process?

10:05 a.m.

Senior Expert, e-Governance Academy

Liia Hänni

That's a good question and a very important question.

I think what definitely is needed is an electronic identification system. In Estonia, it's based on the unique identifier of citizens. I know that in Canada there is no population register for the whole country, just provincially, so you definitely should think about how you ensure a strong identity for your citizens.

Second, since you have a great number of datasets that are not connected to each other, that belong to different agencies, you should think about how to build up a system in which data will move, and once you have this capacity for data to move when necessary, then, of course, a system to protect data integrity should be in place.

In Estonia, with X-Road there are different technical facilities to protect data, but basically, in connecting datasets with X-Road, there is a check on privacy issues, there is a check on security issues, and there is a very defined authority, a different institution to make the data work properly.

You have very good systems already, with lots of data online, and a good vision about open government, so I think it's a matter of political will to make these basic new decisions to have not only good separate information systems but to see Canada, the physical environment of Canada, as one system. This is, I think, the work you face now.

10:10 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

When you were building your system, were there concerns? I know you talked about how it integrates into the democracy itself. Were there concerns that you had to overcome? You mentioned one of them, electronic voting with older people, but in a general sense, as you were moving towards this highly digitized society, how did you bring your population along with you?

10:10 a.m.

Senior Expert, e-Governance Academy

Liia Hänni

I think the Estonian population was quite positive about this use of technology. Even when we introduced electronic voting, a bigger part of society was not using the Internet, but still people who were not using the Internet were very positive. There wasn't that kind of opposition to the use of technology in Estonia, in my opinion.

What was right, what parliament did, was put some basic legislation in place, such as the digital identity we introduced in 2001. The digital signature is the most-used electronic service in Estonia. We don't need to sign documents on paper anymore. We use digital signatures, and there's a huge economy of resources, time, and money in having this opportunity at hand now.

The Estonian e-government development was not one project. It was step by step, but we made the right decisions at the right times. Digital identity use, legislation, and technology for that X-Road, and this interoperability layer we have were all necessities, because we had in Estonia a similar situation to what you have in Canada. There were different datasets not working together, and the X-Road exchange layer was a necessity to overcome this situation. Because of that, now we don't need to count how many electronic services we have, and it's very easy to have new electronic services, to put together information and data we have in our systems.

In Estonia, government can only use my data based on law. Data cannot be used by the government unless the law gives the authority to government institutions to ask for and use my data, and this is very important and different from private businesses, where gaining my consent may be the driving force to use my data.

10:10 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

I have one other question. You've clearly consulted with a number of different countries on things, and people have come to see and learn from Estonia. Are there some lessons on what we should avoid, some dangers, some pitfalls that we should be aware of if we start to go down this path, something you might have seen other countries do wrong?

10:10 a.m.

Senior Expert, e-Governance Academy

Liia Hänni

Our experience is that all the countries we are working with are in favour of having good electronic services, but to have a system, the governments should be able to make quite radical changes to the attitudes they have had up to this moment. Electronic government development is not so much about technology or a new information system; it's about innovation, about innovative co-operation among different ministries. Interoperability is technology, but it's also about how to overcome the silos in state administration, how to get all organizations to work together. This is the most important challenge that many countries still face.

10:10 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Baylis.

Next up is Mr. Erskine-Smith.

10:10 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thanks very much.

I have a couple of really short questions and a couple of longer ones. I'll start with the short ones.

We've previously spoken about how when government officials access information, there is a record and it's transparent. What's the penalty if government officials improperly access that information?

10:15 a.m.

Programme Director, National Cyber Security, e-Governance Academy

Raul Rikk

In this case, we don't have defined penalties. Every time this kind of incident happens, we have an investigation, and then there is a court decision as to what the penalty is going to be.

10:15 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

It depends upon the seriousness of the misconduct. Okay.

Our Privacy Commissioner recently commented in the media in relation to worries about digital government services, but it seemed that his primary concern—we'll have him here at a later date—was the government collecting public information about citizens, whether it be on Facebook or otherwise.

Does Estonia engage in these practices? Is this part of digital government?

10:15 a.m.

Programme Director, National Cyber Security, e-Governance Academy

Raul Rikk

Our government doesn't collect data from Facebook. The only data that our government collects is as Liia has mentioned, according to the legislation directly from the data owners, the citizens.

10:15 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Great.

I can imagine that some senior citizens in my riding, who perhaps don't use the Internet as much as I or others might, would have some concerns about customer service moving to being completely digital and about how they would lose the services that they have or about not being able to get someone on the phone to have the ancillary services to support their access to the digital environment.

What is the Estonian experience? If I'm having difficulties with digital government service, who do I turn to?

10:15 a.m.

Programme Director, National Cyber Security, e-Governance Academy

Raul Rikk

If you have difficulty, you can always go to the government service centre and get help there, but the digital solutions or services scheme is that if I want to do it over the Internet, I don't need to go to the government service centre. I can do all my digital operations or interaction with the government wherever I am—in Canada, Australia, or New Zealand. It doesn't matter. As long as I have Internet connectivity, I can use all services that are available.

10:15 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

We haven't discussed this. We've seen X-Road. We've seen the no-overlap concept in databases. We have your list of various ways that security and privacy are protected. How is blockchain used in protecting the privacy of Estonian citizens?

10:15 a.m.

Programme Director, National Cyber Security, e-Governance Academy

Raul Rikk

That's a very good question, because there has been a lot of hype about blockchain in recent years. Everybody talks about it, but we use it to make digital signatures secure. We started to use blockchain logic before the name was even invented. Once we issued the first ID card in 2002, blockchain logic was already implemented in the system.

What we basically do is to put the old digital signature or the fingerprints of the digital signatures onto the new digital signature. Basically, we link different digital signatures to each other so that whatever happens with encryption in the future, we can still have the secure link of the digital signatures.

10:15 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

With regard to other countries adopting more digital government, Finland, I've read, is straight up wanting to use X-Road. Other countries are developing their own systems.

Is Finland the only country looking to use the same technology that Estonian digital services are based on? Are other countries doing the same? How is that working?

10:15 a.m.

Programme Director, National Cyber Security, e-Governance Academy

Raul Rikk

That's what we are working with on a daily basis. Finland is one country. We have done this in other countries as well, although not so much in Europe, but it depends on different countries' approaches to the data exchange. We believe it is the best solution to how you can connect different databases. None of the organizations need to change what they already have; they just implement the security layer onto the existing systems.

I don't have the answer to why most of the countries have not started to use it.

10:15 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

We haven't really discussed private sector collaboration. Perhaps you can explain. I see in the chart that the citizen is beside the government is beside business.

How is individual private and personal information shared with businesses in the private sector in this context? What different sectors have access to this information through digital government services? What best practices preserve people's privacy?

10:20 a.m.

Programme Director, National Cyber Security, e-Governance Academy

Raul Rikk

Each time the private sector wants to use personal data or they want to get connectivity to the X-Road environment, they have to prove their need to the data protection inspectorate. They have to justify why they need it. The data protection inspectorate allows them to use the personal data. Mostly the private sector provides service. They have certain data about citizens and they provide this data for the government service.

For example, there's the electronic tax declaration. The banks have information about personal incomes. Banks create the reports. I can go to the banking service and allow my bank to send this data to the Estonian tax board, which can take this information and put it on my tax declaration. I don't need to do that. That's how it works. The private sector generates certain information, and they can provide it to the government through the secure X-Road.

10:20 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you.

Mr. Cullen is next up.

10:20 a.m.

NDP

Nathan Cullen NDP Skeena—Bulkley Valley, BC

Thanks.

I'm wondering if there are any prescriptions in the law about where the servers must be located. Do they all have to be based within the boundaries of Estonia, or do you have a scenario in which some of the private sector partners that you have or government services can be located outside the country?

10:20 a.m.

Programme Director, National Cyber Security, e-Governance Academy

Raul Rikk

There are limitations concerning the critical or essential services. Banking systems are one of them. For example, after the 2007 attacks, some Swedish banks wanted to take the data from Estonia and keep it in Sweden. The Estonian Parliament regulated that the data concerning banking information must also be located in Estonia. They can keep it in Sweden or other countries if they want to, of course in an encrypted way, but it must also be in Estonia so that if something happens with Internet connectivity, it doesn't affect the provision of service.

10:20 a.m.

NDP

Nathan Cullen NDP Skeena—Bulkley Valley, BC

You may have covered this already. I was just reading through the history of why Estonia has come so far on electronic government services. It has been referred to a few times, but I still don't understand the e-minded coalition government in 2001. Was there an election in 2001?

We're in politics; people can say “blockchain”, and I can nod, but I really have no idea of what we're talking about. I can read it six times and still not fully understand what we're talking about. In any case, there was some political energy at the turn of the last century to bring Estonia down this path. Was there a political event, an economic crisis? Did something precipitate this sort of political consensus to take such a long and relatively bold step?