Information & Ethics Committee on Feb. 6th, 2024

Evidence of meeting #101 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was use.

A recording is available from Parliament.

On the agenda

Federal Government's Use of Technological Tools Capable of Extracting Personal Data from Mobile Devices and Computers

MPs speaking

John Brassard
Damien Kurek
Iqra Khalid
René Villemure
Matthew Green
Larry Brock
Parm Bains
Michael Barrett
Mike Kelloway
Pam Damoff
Anthony Housefather

Also speaking

Sophie Martel  Acting Chief Information Officer, Department of National Defence
Francis Brisson  Assistant Deputy Minister and Chief Financial Officer, Department of Natural Resources
Dave Yarker  Director General, Cyber and Command and Control Information Systems Operations, Department of National Defence
Pierre Pelletier  Chief Information Officer, Department of Natural Resources
Aaron McCrorie  Vice-President, Intelligence and Enforcement, Canada Border Services Agency
France Gratton  Assistant Commissioner, Correctional Operations and Programs, Correctional Service of Canada
Bryan Larkin  Deputy Commissioner, Specialized Policing Services, Royal Canadian Mounted Police
Nicolas Gagné  Superintendent, Royal Canadian Mounted Police

11:20 a.m.

Pierre Pelletier Chief Information Officer, Department of Natural Resources

Sure.

From a challenge perspective, it would potentially be how heavy the bureaucracy would be if, let's say, the Privacy Commissioner would require a specific, full-fledged PIA for an investigation. Departments are expected to have some degree of control within what's called the personal information bank. Within a workplace environment, you're expected to have some data that is shared with your employer. Most of the investigations would fall within what's accepted within a personal information bank. If anything goes beyond that mandate and scope, that's where a PIA would be required. A PIA should be very specific, and usually departments are well within the security protocol to work and support these operations.

11:20 a.m.

Conservative

The Chair Conservative John Brassard

Thank you.

11:20 a.m.

Chief Information Officer, Department of Natural Resources

Pierre Pelletier

Having a good understanding of what that entails as we evolve the policy will support this guidance.

11:20 a.m.

Conservative

The Chair Conservative John Brassard

Thank you, Mr. Pelletier.

Mr. Villemure, you have the floor for six minutes.

February 6th, 2024 / 11:20 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Thank you, Mr. Chair.

I want to thank all the witnesses for being here. I'll ask both departments the same questions, starting with National Defence.

Ms. Martel, has your department purchased tools to collect data from mobile devices or computers?

11:20 a.m.

Acting Chief Information Officer, Department of National Defence

Sophie Martel

As I said earlier, we purchased tools to protect our networks.

Our mandate is to protect and secure the confidentiality, integrity and availability of data on our networks. We purchased tools to investigate networks, not people.

11:20 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

What are these tools?

11:20 a.m.

Acting Chief Information Officer, Department of National Defence

Sophie Martel

I would like Mr. Yarker to answer this question.

11:20 a.m.

BGen Dave Yarker

We have a number of tools of this nature, but I won't go into them all today. As we said earlier, we have operational concerns related to security and our tools.

11:20 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

In short, what were the tools purchased for?

11:20 a.m.

Acting Chief Information Officer, Department of National Defence

Sophie Martel

We purchased them to investigate the networks and for the networks.

11:20 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

There are people on the networks.

11:20 a.m.

Acting Chief Information Officer, Department of National Defence

Sophie Martel

Yes. We agree that collecting information on the network means collecting data packets and personal information. That said, there are strict procedures for handling this information. People have received the necessary training and security clearance. They follow these strict procedures.

11:20 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

The privacy impact assessment wasn't done in this case, right?

11:20 a.m.

Acting Chief Information Officer, Department of National Defence

Sophie Martel

As part of the work to protect our networks, we comply with the Privacy Act, the Financial Administration Act and all relevant Treasury Board standards.

We're also looking at the need for a privacy impact assessment. We started this type of assessment in the case of Microsoft 365.

11:20 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Do you agree with the Privacy Commissioner of Canada that some departments and agencies, including yours, are violating certain administrative provisions of the Privacy Act?

11:20 a.m.

Acting Chief Information Officer, Department of National Defence

Sophie Martel

We currently use these tools in compliance with the Financial Administration Act, the Privacy Act and all Treasury Board standards.

11:20 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Do you think that following the letter of the law is enough to generate trust?

11:20 a.m.

Acting Chief Information Officer, Department of National Defence

Sophie Martel

We can ensure that people trust us. Our role is to protect the networks in order to protect Canadians.

11:20 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

You said something earlier that surprised me. When it comes to privacy, expectations are lower.

11:20 a.m.

Acting Chief Information Officer, Department of National Defence

Sophie Martel

Sorry, could you repeat that?

11:20 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

You spoke about the expectation of privacy, which is lower in the case of a government device, for example, than…

11:20 a.m.

Acting Chief Information Officer, Department of National Defence

Sophie Martel

I probably meant that, to use a government device and have a network account, employees must fill out a questionnaire. They know that they will be monitored for network security reasons.

11:20 a.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Okay. Thank you.

I would now like to turn to you, Mr. Brisson, from the Department of Natural Resources.

As you said earlier, your department purchased tools but didn't use them. Why did you purchase the tools and why didn't you use them?

11:25 a.m.

Assistant Deputy Minister and Chief Financial Officer, Department of Natural Resources

Francis Brisson

Thank you for the question.

Our department uses various tools, mechanisms and protocols. I must say that we don't always need to use these tools to conduct investigations. The department's internal investigations concern the actions of public servants, for example.

The various tools include our computer investigation tool, which is available as needed. This tool can help us speed up searches and gather information, for example. However, we haven't needed to use it for queries. That said, it's part of our toolbox.