Evidence of meeting #96 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was estonia.
A recording is available from Parliament.
9:25 a.m.
Programme Director, National Cyber Security, e-Governance Academy
In Estonia we have a data protection agency, and every European country that belongs to the EU must have such an agency. The agency has the power to supervise everything related to data protection.
9:25 a.m.
Programme Director, National Cyber Security, e-Governance Academy
Actually, it's an area where the EU has put a lot of attention in the last 10 to 15 years.
9:25 a.m.
Programme Director, National Cyber Security, e-Governance Academy
I don't have the figures, but concerning the Estonian files, the agency has about 100 people. It's not a massive organization, but I would say that over the years their role has become more significant, because the whole of society has been digitized.
9:25 a.m.
Conservative
The Chair Conservative Bob Zimmer
Thank you, Ms. Quach.
Next up, for seven minutes, is Mr. Erskine-Smith.
9:25 a.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
Thanks very much.
Previously when this committee did a study on sharing of information, witnesses suggested that an act put in place by the previous administration was too permissive of sharing of information. When you have a “tell us once” principle and you have agencies in Estonia that are able to access, using the secure data exchange, individuals' information more easily, how do you address the concerns about sharing of information that is perhaps too permissive?
9:25 a.m.
Programme Director, National Cyber Security, e-Governance Academy
In our situation, actually there is not a single agency that can get access to all exchanged information. That's why what you see on the slide is each route. This secure data exchange environment we also call the secure Internet. It works the same way as the Internet. The data exchange happens among different organizations or among the organizations and citizens. All this information exchange is encrypted and blocked, and nobody else can see it. There is no single agency that can see the contents of the information exchanged.
In the case of the security agency or a police investigation, they must have a code, permission, to do the investigation. It happens according to the regulations of investigations. In principle, everybody can only see the data that they are allowed to see. That's why we see the routes on the slide. You can first of all enter into the system as a citizen or a government official or a businessman; in each case you see a different view. It also depends on your personal role. You can see only those datasets that you are authorized to see.
9:25 a.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
Thank you.
I know we have concerns here in Canada sometimes about identity theft. A classic example right now and for the last number of years is that scammers call people, particularly seniors but others as well, pretending to be our revenue agency.
Your citizens have an identity card that can potentially access all of the government services. I recognize you said there's encryption and that the card is in fact encrypted, but how does Estonia address identity theft of these cards, potentially? Has that been a concern? What are the processes you have in place to address that?
9:30 a.m.
Programme Director, National Cyber Security, e-Governance Academy
It might be surprising, but since we implemented the electronic ID cards, we have not had identity theft cases. We have had cases regarding their Facebook activities, but that's not the same thing. Regarding ID cards and accessing and using government services, we have not had any identity theft cases. That's because of the ID card.
Just to be correct, the ID card is not encrypted, but the ID card itself is an encryption device. By using my ID card, I can create secure connectivity to government services, or also private services—for example, banking services.
The ID card is issued by the government in the same way as passports. It's electronic and specifically designed for cyberspace. By that government process of identifying persons and issuing ID cards, we ensure that nobody can steal another person's identity.
9:30 a.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
Thanks very much.
I've read about the Estonian system. When public officials access a citizen's information, there is a record of it. Perhaps you could speak to the transparency of the system. I would view my privacy as better protected if I knew when government officials were accessing my information, and why. How extensive is that documentation? What does that look like in Estonia?
9:30 a.m.
Programme Director, National Cyber Security, e-Governance Academy
The system works this way. When I want to access government services, I have to go to the state portal, which is basically the Internet site where all government services are listed and presented. When I log in to the state portal, I will see first all the information that the government has about me: my name, whether or not I have a driver's licence or medical insurance, and whether or not I own real estate or vehicles. I can see all the information that the government has about me.
Second, I also can see if there are some cases where government has used my data. For example, when I drive on the streets with my car and the policeman checks my licence plate number, the police patrol car doesn't stop me. They just type in my licence plate number to get all sorts of information about me, my vehicle, and other aspects. When the police patrol does that, it is immediately recorded. I will see later in the state portal that this policeman accessed my data because he did this patrol and I will see when exactly he did it. I get an overview of that.
In the same way, if I go to the doctor and the doctor sees my medical information, there will be a record of that. I will see it later, as an overview.
This way, the government provides the transparency. They show what data they have about me and how they have used it.
9:30 a.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
I'm pretty well out of time, I think, so I'll give back my 10 seconds.
9:30 a.m.
Conservative
9:30 a.m.
Conservative
Jacques Gourde Conservative Lévis—Lotbinière, QC
Thank you, Mr. Chair.
I'd like to stay on the same topic and discuss the state portal.
Is it a multi-purpose portal where a number of departments can go to retrieve information with or without citizens' consent?
9:30 a.m.
Programme Director, National Cyber Security, e-Governance Academy
This portal is designed for citizens and for residents as well. There are different.... Let's put it this way. Different state agencies provide different electronic services. Altogether, we have about 1,500 different electronic services. If you want to access these services, you can do it directly through the agencies' websites. If you don't know exactly what kinds of services are there, you can enter through the state portal. All these different state services are listed there.
9:35 a.m.
Conservative
Jacques Gourde Conservative Lévis—Lotbinière, QC
Can other public or private organizations, or businesses, use the state portal to retrieve information that could be of use to them in their work?
9:35 a.m.
Programme Director, National Cyber Security, e-Governance Academy
Maybe you can clarify your question.
9:35 a.m.
Conservative
Jacques Gourde Conservative Lévis—Lotbinière, QC
All right.
Can private companies, political parties, or others access the information in the state portal for their own gain?
9:35 a.m.
Programme Director, National Cyber Security, e-Governance Academy
No, absolutely not. That's the information that only I see. Not even different state institutions see that. Only I see the whole picture that concerns me. Different state agencies see only the portion for which they are responsible.
9:35 a.m.
Conservative
Jacques Gourde Conservative Lévis—Lotbinière, QC
What threshold do you apply to the data in the portal to determine what is considered public information? It provides a person's name and address, but does it stop there? For instance, are public telephone numbers, cell phone numbers, or email addresses considered public information? Where does the threshold lie?
9:35 a.m.
Programme Director, National Cyber Security, e-Governance Academy
Information is very specifically described in the public information law. We have specific law that describes what information is public, what is personal, and what is for administrative use. The whole system, the technical system, is built according to this law.
9:35 a.m.
Conservative
Jacques Gourde Conservative Lévis—Lotbinière, QC
Some websites list the cell phone numbers of nearly everyone on the planet, even though those devices are the private property of citizens. Is there any oversight of those kinds of sites?
9:35 a.m.
Programme Director, National Cyber Security, e-Governance Academy
Yes, exactly. The control is done by the data protection inspectorate, the same agency that I mentioned before. They have the authority to oversee all activities in the digital world.
9:35 a.m.
Senior Expert, e-Governance Academy
Generally the information in government databases is not public information. This is personal information, all about me, but in Estonia to get that from the different databases is based on my private identification code. This is very basic for digital identity in Estonia, and also this special number gives me access to different databases that contain data about me. Personal identification codes are basic for Estonian data exchange and privacy protection.
