Evidence of meeting #96 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was estonia.
A recording is available from Parliament.
Programme Director, National Cyber Security, e-Governance Academy
If I may add, the very typical situation in different countries is that different organizations have developed their systems themselves, and the systems are not interoperable. That's the very basic problem.
The second problem is how to ensure security if you establish connectivity between different systems. That's the typical situation in different countries. That's exactly what we are dealing with on a daily basis.
Senior Expert, e-Governance Academy
I still want to stress how important digital identity is, because without this strong system of digital identity, people cannot use their very personal secure public services. This is their ID card, which has already been in use for 15 years. It's a very basic element of the secure economic system in Estonia. Raul, of course, can explain how it also protects security of data in the Estonian system.
Conservative
The Chair Conservative Bob Zimmer
Thank you, Ms. Vandenbeld. That's time.
Next up, for seven minutes, is Mr. Kent.
Conservative
Peter Kent Conservative Thornhill, ON
Thank you very much, Chair, and thanks to both of you for your patience as we try to overcome some of these technical challenges. I'm still having some difficulty in hearing everything that you say through the messages, but we'll continue. That may be a reflection more of my age than of the technical shortcomings.
Mr. Rikk, some years ago in a parliamentary study of the defence of North America, an authority on cyber told us that any defences and any security applications were at best temporary because as the Internet was designed on an open principle, an open concept, so sooner or later the best security can always be breached.
Given that you are neighbours to one of the greatest cyber-vandals in the world today, how intense and constant is your maintenance of the security of your system?
Programme Director, National Cyber Security, e-Governance Academy
I can assure that the situation is exactly as it was in the report [Technical difficulty—Editor].
Conservative
The Chair Conservative Bob Zimmer
Just hold on, Raul. Your sound is completely gone now.
Raul, is your mike close to you when you're speaking, or is it farther away? If you can get the mike a little closer to you, that would help us out a lot.
Programme Director, National Cyber Security, e-Governance Academy
We have the mike at the other side of the table, but the wire wasn't—
Conservative
The Chair Conservative Bob Zimmer
If you can bring it closer to you, that would help a lot, because we're getting a lot of echo. It's very difficult to hear what you're saying.
Programme Director, National Cyber Security, e-Governance Academy
Can you hear now?
The wire is...I have to sit closer, then.
Conservative
The Chair Conservative Bob Zimmer
If that's possible, it would be appreciated. Our interpreters are having great difficulty translating.
Programme Director, National Cyber Security, e-Governance Academy
Maybe you can turn the camera so that you can see us better. Now we are next to the microphone.
Is it okay now? Can I continue?
Conservative
Programme Director, National Cyber Security, e-Governance Academy
I will confirm that the study that you were referring to is correct. Our approach to cybersecurity is that it is a continuous process. We work on a daily basis to make it better and better and to coordinate with general ICT development.
Here's just one example. The whole security system that we use in Estonia is based on a state-of-the-art encryption system. Encryption is this technology that needs to be updated at least every two or three years. We have a specific department to deal with that. It does studies about encryption and supports the implementation of new encrypting systems every second or third year.
Conservative
Peter Kent Conservative Thornhill, ON
If I could follow on, then, what devices do citizens use to access the service? Do you have an encryption key with a rotating password on it? How do you handle that?
Programme Director, National Cyber Security, e-Governance Academy
That's exactly what Liia Hänni was talking about regarding the ID cards that we use. We call them ID cards, but from the security point of view, it is an encryption device that every citizen has in Estonia. On the ID cards, we have a chip that contains a cryptoprocessor, so basically, when a citizen uses an ID card, they actually use an encryption system.
Conservative
Peter Kent Conservative Thornhill, ON
This question is in regard to one of your points on the baseline cybersecurity principle of no overlapping databases. Have you centralized the databases of all of the different services that you have on this interchange? Have there been problems with various institutions being reluctant to relinquish authority?
Programme Director, National Cyber Security, e-Governance Academy
We have not centralized the databases, but the logic behind no overlapping databases is that we don't collect the same data in different databases. For example, if we have a population registry containing basic information about citizens and residents, then when police forces create their own police database, we don't allow them to collect the same basic information there. They have to take the most recent information from the population registry.
The idea is that different state institutions have authority over certain data. If they are allowed to collect this data and keep it in their database, then nobody else can collect and keep the same data. In this way, we keep the data in order at the state level.
Senior Expert, e-Governance Academy
This is a once-only principle that is applied in Estonia. It is that government cannot ask for my data if I have already contributed this data to some other information system in Estonia.
Conservative
The Chair Conservative Bob Zimmer
Thank you, Mr. Kent. Again, you have my deepest apologies for this situation. It was supposed to be all sorted out before, but it seems we can hear now and that things are moving along.
Next is Ms. Quach.
NDP
Anne Minh-Thu Quach NDP Salaberry—Suroît, QC
Thank you, Mr. Chair.
Thank you to our two witnesses from Estonia.
I'd like to know what kinds of oversight and data protection mechanisms the Government of Canada should deploy to prevent security breaches and digital attacks. The case involving Facebook and its sharing of users' personal data comes to mind. It's all over the media right now. Do we need to take legislative action? What kinds of resources do we need to deploy to ensure people's data are properly protected, investment-wise or expertise-wise?
Programme Director, National Cyber Security, e-Governance Academy
There is no single answer to that, because when we talk about security, there are three main categories that we need to keep in mind.
One is confidentiality. The breaches can be against confidentiality.
The second is data integrity. It means, for example, that in the population registry where we have citizens' names, there is nothing secret about the names, but we have to keep the integrity of this data. We have to protect it so that nobody can access the population registry and change my name, for example.
The third aspect is availability of information. It means that we have to protect the network and data communication so everybody can access the data when it's needed. It's always these three aspects when we talk about cybersecurity.
When it concerns, for example, Facebook, then there is nothing to do with availability, I believe. Your question was targeted to personal data protection, and in this case, only regulations are of use because they put the responsibility to the company that provides the service. That's exactly why the European Union implemented the new General Data Protection Regulation that gives the power over the data to the owners of the data, the citizens, and imposes better control over the companies that provide digital services.
NDP
Anne Minh-Thu Quach NDP Salaberry—Suroît, QC
I missed part of your explanation. I heard what you said only at the end, about citizens being in control of their data security. However, when a breach does occur, how can the government make sure that it is reported or even that sanctions are imposed? I'm not sure whether Estonia has any sanctions in place.
Who is the authority making sure that data are protected and that corrective measures are taken in the event of a breach? If it's the responsibility of citizens, they aren't necessarily equipped to detect privacy violations. When it comes to government services, who provides that oversight?
Programme Director, National Cyber Security, e-Governance Academy
That's what the General Data Protection Regulation is all about, putting in place different mechanisms to control the digital service providers. One very similar principle is that, for example, as a data owner, I must always get an overview of how my data is used. For example, if I use Facebook, when I approach Facebook and want to know how Facebook has used my data, they have to give a total overview of how they have done it. Also, if I want some data erased, they have to do it. Also, the third principle is that companies cannot make long-lasting commitments. For example, if the company asks whether I'm willing to give power over my data to them for 10 years, then this is not legally possible. The next day I can approach the company and say that I don't want them to use my data anymore, and they have to delete it. There are several regulatory mechanisms to control them.
Also, if something happens, there are very big sanctions against the companies, up to 4% of the annual global turnover. These regulation are bringing big changes, at least in Europe, to companies that provide digital services.
NDP
Anne Minh-Thu Quach NDP Salaberry—Suroît, QC
Who is the authority ensuring that oversight? Does your privacy and ethics commissioner make sure that all of those laws are followed and that private service providers are subject to oversight? Is that who takes care of that?