Evidence of meeting #101 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was use.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Sophie Martel  Acting Chief Information Officer, Department of National Defence
Francis Brisson  Assistant Deputy Minister and Chief Financial Officer, Department of Natural Resources
Dave Yarker  Director General, Cyber and Command and Control Information Systems Operations, Department of National Defence
Pierre Pelletier  Chief Information Officer, Department of Natural Resources
Aaron McCrorie  Vice-President, Intelligence and Enforcement, Canada Border Services Agency
France Gratton  Assistant Commissioner, Correctional Operations and Programs, Correctional Service of Canada
Bryan Larkin  Deputy Commissioner, Specialized Policing Services, Royal Canadian Mounted Police
Nicolas Gagné  Superintendent, Royal Canadian Mounted Police

11 a.m.

Conservative

The Chair Conservative John Brassard

Good morning, everyone.

I'm going to call the meeting to order.

Welcome to meeting number 101 of the House of Commons Standing Committee on Access to Information, Privacy and Ethics.

Pursuant to Standing Order 108(3)(h) and the motion adopted by the committee on Wednesday, December 6, 2023, the committee is resuming today its study of the federal government's use of technological tools capable of extracting personal data from mobile devices and computers.

Today's meeting is taking place in a hybrid format, pursuant to the Standing Orders. Members are attending in person in the room and remotely using the Zoom application.

I just want to remind everyone—I know the witnesses are aware of this—that the earpieces are not to be close to the microphones because that does cause feedback for our interpreters and potential injury as well.

I'd like to welcome our witnesses for the first hour this morning.

From the Department of Natural Resources, we have Francis Brisson, assistant deputy minister and chief financial officer, and Pierre Pelletier, chief information officer. From the Department of National Defence, we have Dave Yarker, director general, cyber and command and control information systems operations, and Sophie Martel, acting chief information officer.

We have five minutes for the opening statements.

I assume, Mr. Yarker, that we're going to go with you, sir, or is it Ms. Martel?

Sophie Martel Acting Chief Information Officer, Department of National Defence

I'm actually the one, Mr. Chair.

11 a.m.

Conservative

The Chair Conservative John Brassard

Go ahead, Ms. Martel.

11 a.m.

Acting Chief Information Officer, Department of National Defence

Sophie Martel

Mr. Chair and members of the committee, on behalf of the Department of National Defence and the Canadian Armed Forces, thank you for inviting us to the Standing Committee on Access to Information, Privacy and Ethics.

My name is Sophie Martel, and I am the acting chief information officer. I am the functional authority responsible for the department's entire information and communication technology program. I ensure that National Defence and the Canadian Armed Forces have a reliable, secure and integrated digital environment that meets operational needs.

My team delivers information and communication technology to support the core functions of defence, which are intelligence, surveillance, reconnaissance, communications, cyber-warfare, command, management and cybersecurity. The defence chief information officer is also responsible for the development and operational availability of the cyber-force within the Canadian Armed Forces cyber-command.

I'm joined today by the director general of cyber and command and control information systems operations, Brigadier-General Yarker.

Brigadier-General Yarker is responsible for the organization and execution of cyber operations and exercises within the Canadian Armed Forces, including the digital forensic function and the maintenance of key national command and control infrastructure.

I would like to emphasize that the protection of personal information is a top priority, and the Department of National Defence is committed to doing everything possible to protect that information. However, there has to be a balance. There's only a limited expectation of privacy when using our IT systems and mobile devices because they are subject to monitoring for the purposes of system administration, maintenance and security, and to ensure policy compliance.

Our monitoring is compliant with applicable government policies and standards.

In conclusion, I wish to reiterate that the Department of National Defence and the Canadian Armed Forces will continue to deliver on their mandate while protecting personal information.

My colleague and I would be pleased to address any questions you may have. As a matter of policy and to ensure operational security, we cannot disclose details on the use of specific equipment or on systems used operationally.

Thank you.

11:05 a.m.

Conservative

The Chair Conservative John Brassard

Thank you, Ms. Martel. You did not use all your speaking time. It's good for the committee, which will be able to ask more questions.

Mr. Brisson, you have the floor for five minutes for your opening remarks.

Francis Brisson Assistant Deputy Minister and Chief Financial Officer, Department of Natural Resources

Good morning, and thank you very much.

Thank you for this opportunity to speak about Natural Resources Canada's use of technological tools to safeguard our technological and data assets and ensure the consistent evolution and growth of our scientific endeavours.

I would like to recognize that I am speaking to you from the traditional unceded territory of the Algonquin Anishinaabe people. We recognize Indigenous peoples as the customary keepers and defenders of the Ottawa River watershed and its tributaries. We honour their long history of welcoming many nations to this beautiful territory and uphold and uplift the voice and values of our host nations.

As noted, I am Francis Brisson, the chief financial officer and assistant deputy minister responsible for corporate management services at Natural Resources Canada. My primary responsibilities include corporate services, human resources, information technology and security. Our department's chief information officer and CIO, Pierre Pelletier, who is here with me today, is responsible for the management, implementation and usability of information and computer technology at NRCan.

NRCan is both a science-based and a policy and economic organization. It is critical for NRCan to ensure its core functions remain resilient and responsive to internal and external threats. Threats affect not only our digital data but also our physical systems and devices. As the complexity of our digital environment grows, so does the risk of compromising our systems and assets. These risks include data breaches, intellectual property theft, service disruptions, financial setbacks and security threats.

Protecting against and responding to risks requires regular and sustained effort. Our department, like others, has many different systems, policies and tools to manage and respond to risks. Addressing and responding to threats can require forensic software tools. NRCan purchased a licence for magnetic forensics to have this tool in our tool kit, but we have never used it.

I would also underline that should the department have business requirements to use this software or similar software, NRCan will follow protocols and requirements for appropriate use and privacy impact assessments.

Thank you for your attention. Pierre Pelletier and I are pleased to answer your questions about our work.

11:05 a.m.

Conservative

The Chair Conservative John Brassard

Thank you, Mr. Brisson. You also took less time than anticipated. That's good. The committee members will have more time to ask their questions.

We'll start our first round of questions.

Mr. Kurek, you have the floor for six minutes.

11:05 a.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Thank you very much.

Thanks to our witnesses for joining us here today.

Certainly I, as well as members of this committee and many Canadians, were concerned when the reports in the media came out that what would be, I think, accurately interpreted as quite invasive technology was being used. Certainly there was concern, which has led to the point we're at today, in light of some erosion of trust that has taken place in regard to governmental institutions over the last number of years in particular.

I do have a couple of questions. I'm going to start on the privacy impact assessment side of things. I'll ask this to both departments.

We heard from the commissioner last week that neither of your departments has submitted privacy impact assessments. Perhaps you could, in about 30 seconds—and I'll start with DND, and then go to NRCan—describe to me where that is at, whether or not you have submitted the privacy impact assessments, and whether or not you plan to?

DND, I'll start with you.

11:05 a.m.

Acting Chief Information Officer, Department of National Defence

Sophie Martel

Thanks for the question.

We have a number of privacy impact assessments on the go right now. From a CIO point of view, as we are responsible for the security of our network, we follow the FAA, the standards of Treasury Board and all the laws. Outside that, if there's a need for a PIA, we actually work on it. For example, at this point in time we're looking at Microsoft 365, because we're starting to record information and do transcripts, and we're starting to look at what this will imply from a PIA point of view.

11:10 a.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

If I'm interpreting that correctly, the process is ongoing, but you have not submitted to the Information Commissioner a PIA regarding observation of devices?

11:10 a.m.

Acting Chief Information Officer, Department of National Defence

Sophie Martel

Currently, a number of them in the department are ongoing.

11:10 a.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Okay.

NRCan...?

11:10 a.m.

Assistant Deputy Minister and Chief Financial Officer, Department of Natural Resources

Francis Brisson

Good morning.

From our perspective, like we said at the beginning in our opening remarks, we did purchase the tool. It was a tool we've purchased to have in our tool kit, and we have not used it from our perspective. One thing I wanted to reiterate and assure the committee of is that, should we plan on using the tool, that would be done only through a security mandate and clear protocols would be followed. Should we be using the tool, we will be doing a PIA from our perspective should that be the case.

At this point, we haven't used it. Should it be used further to an approved mandate from our chief security officer, we'd look at doing a PIA as we moved forward.

11:10 a.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

I appreciate that. I think one of the concerns we've heard is about a little bit of a disconnect. We had the commissioner last week talk about how he's happy to work with departments and agencies, yet had not received PIAs. Especially in light of hearing NRCan has procured software that would be capable of doing this, certainly, I would hope that the PIA process is ongoing and even could be done prior to the procurement of such software.

When it comes to tools capable generally of extracting personal information—I'll start with NRCan—has your department used a tool like that in the past?

11:10 a.m.

Assistant Deputy Minister and Chief Financial Officer, Department of Natural Resources

Francis Brisson

From an NRCan perspective, we have tools and we have to monitor our system and so forth from that perspective. We ensure we are respectful and we support the policies around all of that. From our perspective, there are tools we are using to ensure we gather information, but it's done in the context of TBS policies and so forth.

11:10 a.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Has information ever been gathered from people who are outside of the organization? I'm not talking about employees, but from people outside of the NRCan organization. Has information ever been gathered using these sorts of tools by your department?

11:10 a.m.

Assistant Deputy Minister and Chief Financial Officer, Department of Natural Resources

Francis Brisson

The tool we've talked about, the forensic, has never been used, and should it be used, it would only be used internally. All the monitoring systems we have from our perspective in that space are used for internal purposes for within the organization and for administrative purposes in line with security requirements following a clear security mandate as we move forward.

11:10 a.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

I'll ask the same question to DND, and could I get it in 30 seconds or so?

11:10 a.m.

Acting Chief Information Officer, Department of National Defence

Sophie Martel

Yes. In 30 seconds, we investigate networks, not people. In order to investigate networks, we do need to use tools to ensure the confidentiality, the integrity and the availability of data. That's following the FAA, the Treasury Board standard and the Privacy Act.

11:10 a.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Has it ever been used on anybody outside of DND or the Canadian Armed Forces?

11:10 a.m.

Acting Chief Information Officer, Department of National Defence

Sophie Martel

It's used to monitor our network, only our network.

11:10 a.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Thank you.

I guess this is unsolicited advice, but especially in light of some of the media reports that have come out on this, I would hope there's a more proactive approach across departments and governments. The Information Commissioner wants to work with departments. Rebuilding some of that trust that's been lost is certainly something I would encourage all those who are...and I'll probably say it again: Let's work hard to make sure we can rebuild that trust that needs to be there with Canadians.

Thank you.

11:10 a.m.

Conservative

The Chair Conservative John Brassard

Thank you, Mr. Kurek.

Everyone's making my job really easy today. That was right on time.

Ms. Khalid, you have six minutes exactly, hopefully. Go ahead.

Iqra Khalid Liberal Mississauga—Erin Mills, ON

Oh, oh! We all have wishful thinking, Chair.

Thank you so much to our witnesses for being here today.

What I'm hoping to do is to talk to each department individually, so my questions will be similar for both of you.

First and foremost, to National Defence, what is the purpose of a privacy impact assessment to you?

11:15 a.m.

Acting Chief Information Officer, Department of National Defence

Sophie Martel

The purpose of the privacy impact assessment is to make sure that we protect the information of citizens.