Evidence of meeting #101 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was use.
A recording is available from Parliament.
11:35 a.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Okay. At a future date, if we went in camera, is that something we could discuss without the media and the public present?
11:35 a.m.
Chief Information Officer, Department of Natural Resources
That's correct.
11:35 a.m.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Green and Mr. Pelletier.
That concludes our first round of questioning.
We're going to go to five, five, two and half, and two and half, starting with Mr. Brock.
Go ahead, sir.
11:35 a.m.
Conservative
Larry Brock Conservative Brantford—Brant, ON
Thank you, Chair.
Thank you, witnesses, for your attendance today.
I want to start by looking at first principles. This study essentially arose after a report by the CBC late last fall on how the Government of Canada and various departments—two of which are before the committee today—had used software and hardware to spy not only on the federal public service but on Canadians.
We found out about this particular incident probably years after the fact, and the information was obtained through an ATIP request by a professor at York University, an expert in privacy, who had some concerns about the ability of government officials to spy on employees and Canadians. He received information regarding the contracts—there were two contracts with the departments—he was reviewing. Radio-Canada received these contracts, and Radio-Canada reached out to both the departments for an explanation regarding their use of this spyware.
I wanted to lay the ground rules out, because I think doing so is important for the first question I will pose, which will be for National Resources. There appears to be a little bit of a disconnect, and I want you to help explain this particular issue. Radio-Canada reached out to your department. I don't know who it was in particular, but your department confirmed that you had the software, you had the hardware, but you had not provided the PIAs in relation to that. That's one issue.
Then I saw in a report by the CBC following the appearance of the Privacy Commissioner—this was in a report dated February 2—that National Resources Canada told the commissioner, after his appearance I would imagine, that it had bought the data extraction tools but never used them.
Why then would you tell Radio-Canada you did this, but you've never used PIAs, and then conversely tell the commissioner that you had the tools but never used them? Do you see a bit of a disconnect there?
11:35 a.m.
Assistant Deputy Minister and Chief Financial Officer, Department of Natural Resources
Thanks for the question. Hopefully I have understood it.
From our perspective, I'll state the facts as I know them, and hopefully that will address your understanding.
We purchased the tool and we have it, and from my understanding we've had it since 2018. The tool has been available to us but has never been used. We don't have anyone in the department right now who can use it, and if we were to feel that, based on a security situation we would need to use a tool like this, based on a clear mandate, then from there we would automatically turn around and fill in a PIA to ensure that we were doing things the right way.
From our perspective, we've never used it, and if we were to use it, given the need from a security perspective, we would automatically do a PIA.
11:35 a.m.
Conservative
Larry Brock Conservative Brantford—Brant, ON
Over the years your department has probably had instances of employee misconduct. Would that be fair to say?
11:35 a.m.
Assistant Deputy Minister and Chief Financial Officer, Department of Natural Resources
I cannot speak for—
11:35 a.m.
Conservative
11:35 a.m.
Chief Information Officer, Department of Natural Resources
I think it's fair to say so, yes.
11:35 a.m.
Conservative
Larry Brock Conservative Brantford—Brant, ON
In the course of those investigations, did you ever use software and hardware similar to the ones we're talking about today?
11:35 a.m.
Chief Information Officer, Department of Natural Resources
It's possible, but you wouldn't necessarily need to have the tools. The tools help enhance our ability, but it could be done manually.
11:40 a.m.
Conservative
11:40 a.m.
Chief Information Officer, Department of Natural Resources
We did not to my knowledge, but within the framework on privacy impact assessment, departments have the ability to work within what is called personal information banks. Those contain predetermined types of information that we as a department would want to access from our employees. It is my understanding that, when we work within that set of information, we are within our mandate.
11:40 a.m.
Conservative
Larry Brock Conservative Brantford—Brant, ON
Do you understand that there's a directive by the Treasury Board—
11:40 a.m.
Chief Information Officer, Department of Natural Resources
That's correct.
11:40 a.m.
Conservative
11:40 a.m.
Chief Information Officer, Department of Natural Resources
On the programs, that's correct.
11:40 a.m.
Chief Information Officer, Department of Natural Resources
NRCan has that.
11:40 a.m.
Conservative
11:40 a.m.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Brock.
We have Mr. Bains for five minutes.
Go ahead, please.
11:40 a.m.
Liberal
Parm Bains Liberal Steveston—Richmond East, BC
Thank you, Mr. Chair.
Thank you to our guests for joining us today. You all have very important roles to play.
My first question is for the Department of Natural Resources. Do you believe the data, assets and lab systems that NRCan operates are protected and secure?
11:40 a.m.
Assistant Deputy Minister and Chief Financial Officer, Department of Natural Resources
Yes. From our perspective, this is our mandate, and we do what we can to monitor and ensure that they are protected.
11:40 a.m.
Liberal
Parm Bains Liberal Steveston—Richmond East, BC
What do you do to make sure that they're protected? How do you monitor and protect that?