Information & Ethics Committee on Feb. 13th, 2024

Evidence of meeting #103 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.

A recording is available from Parliament.

On the agenda

Federal Government's Use of Technological Tools Capable of Extracting Personal Data from Mobile Devices and Computers
Committee Business

MPs speaking

John Brassard
Damien Kurek
Anthony Housefather
René Villemure
Matthew Green
Larry Brock
Iqra Khalid
Parm Bains
Glen Motz
Pam Damoff
Michael Barrett

Also speaking

Mario Mainville  Chief Digital Officer, Competition Bureau Canada
Scott Jones  President, Shared Services Canada
Kathy Fox  
Luc Casault  Director General, Corporate Services, Transportation Safety Board of Canada
Daniel Mills  Assistant Deputy Minister, Enterprise IT Procurement and Corporate Services Branch, Shared Services Canada
Pierre-Yves Guay  Deputy Commissioner, Cartels Directorate , Competition Bureau Canada

12:20 p.m.

President, Shared Services Canada

Scott Jones

For me, the privacy impact assessment hits multiple points.

Primarily, it's to ensure we've struck the appropriate balance between the objectives we have to do, for example in the course of an administrative investigation, which is to protect the information and also to follow through on the responsibilities that are conferred upon us by the government with the privacy rights of our employees. As well, it's to make sure we've gone through and done a thorough evaluation to make sure we understand what those implications are, so that we've either put controls in place or we found a way to balance.

Should we need to use a tool that's a bit more invasive than we would like, it's to make sure we've found a balance. For example, that's why we put it in a lab in a secret facility with security-cleared people and very limited access. I can't open the forensics labs, for example. I can't go into it.

12:20 p.m.

Liberal

Iqra Khalid Liberal Mississauga—Erin Mills, ON

Thanks for that.

The Privacy Commissioner has said that obtaining judicial authorization is not a replacement for privacy impact assessments. In your opening remarks, you talked about the fact that you have to get the warrants before you have those invasive procedures done.

Where do you stand on that?

12:20 p.m.

President, Shared Services Canada

Scott Jones

We are not a law enforcement agency, so we have no path to obtain a judicial warrant. My authority is under the Financial Administration Act, as the deputy head, to conduct administrative investigations. Like I said, those are very limited in terms of scope and these tools are used when it's necessary and they're required.

I'll give an example. As Shared Services Canada employees, we do not take our phones out of the country. If the phones or laptops, etc., are taken out of the country, we use these tools to confirm that no documents were taken from the device or that there was no malicious software installed, etc. It's used to confirm our security status and security settings. That's an example of where we'd use these tools.

12:20 p.m.

Liberal

Iqra Khalid Liberal Mississauga—Erin Mills, ON

Thank you.

Mr. Mainville, I have the same two questions for you, if that's okay with you.

12:20 p.m.

Chief Digital Officer, Competition Bureau Canada

Mario Mainville

The PIA for a government agency helps us balance our program and our responsibilities to enforce the Competition Act with the privacy needs of Canadians. That's what the PIA is. The primary goal is to systematically assess and proactively address any potential risks associated with new or modified programs.

12:20 p.m.

Liberal

Iqra Khalid Liberal Mississauga—Erin Mills, ON

Thank you.

12:20 p.m.

Director General, Corporate Services, Transportation Safety Board of Canada

Luc Casault

We agree with the commissioner. It's not a replacement. Obtaining consent does not replace our obligations to have a PIA.

We have had a PIA since the program was created. We have updated it through some of the years. The PIA covers the data we collect. We ensure that all the data we collect is covered in our PIA and assessed against the privacy concerns.

After discussion with the office of the commissioner, we agree with the office that, based on where we're at, it would be a good idea to update that.

The tools don't make for a PIA. Just because you purchase a tool doesn't necessarily change the way you use the data. That's why it wasn't done as a PIA for the tool. However, certainly we believe it is appropriate at this time to update our PIAs, especially with some of the new directions that are coming out from the Treasury Board on this aspect.

12:20 p.m.

Liberal

Iqra Khalid Liberal Mississauga—Erin Mills, ON

Thank you. I appreciate that.

I'll come back to you, Ms. Fox.

What more can you do to engage with the Privacy Commissioner to ensure that trust in public institutions is maintained, especially when there's intrusive technology on people's phones being employed by the government?

12:20 p.m.

Kathy Fox

Again, we are not using the tool that was mentioned in the report in any way to interact with employees' phones, government-issued or otherwise. We're only using the tool to extract data under our mandate for the purposes of conducting our investigations, and only the relevant data that we need. The device is returned intact to the owner. Again, we've put this under appropriate security measures in terms of stand-alone computers, limited access and the proper use of retention policies and so on.

We have engaged with the Office of the Privacy Commissioner as recently as last week to just reconfirm our position on this.

12:25 p.m.

Liberal

Iqra Khalid Liberal Mississauga—Erin Mills, ON

Thank you.

Mr. Jones, I have the same question for you.

12:25 p.m.

Conservative

The Chair Conservative John Brassard

Give a quick response, please.

12:25 p.m.

President, Shared Services Canada

Scott Jones

I actually have met the Privacy Commissioner. It was one of the first things I did when I took over this job, and it was to talk about how we start to look at emerging technologies. This is one of those areas where, frankly, it's a best practice that we should have implemented, and that's why we're doing one now.

12:25 p.m.

Conservative

The Chair Conservative John Brassard

Thank you, Ms. Khalid and Mr. Jones.

Mr. Villemure, go ahead for two and a half minutes.

12:25 p.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Thank you very much, Mr. Chair.

Mr. Jones, from what I understand, you are new to Shared Services Canada.

12:25 p.m.

President, Shared Services Canada

Scott Jones

I've been there since September.

12:25 p.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

All right. Thank you very much.

I would now like to go back to Mr. Mainville and follow the same line of thinking as my colleague.

The capacity for action associated with these tools is very different from that of the tools of 1996. You said you didn't conduct a privacy impact assessment in part because there already was an assessment for the program.

Is a privacy impact assessment considered a bit too complicated, unnecessary or a task you can put off until tomorrow? What do you take into consideration?

12:25 p.m.

Chief Digital Officer, Competition Bureau Canada

Mario Mainville

An assessment was conducted to determine whether we had to conduct a full PIA. During that assessment, we determined that the changes made to the information that we had gathered and to the way it had been handled didn't require a PIA.

As I said earlier, we started the process to request advice on the subject following the Privacy Commissioner's testimony.

12:25 p.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

So you stayed in contact with the Privacy Commissioner on this.

12:25 p.m.

Chief Digital Officer, Competition Bureau Canada

Mario Mainville

Yes.

12:25 p.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

The tools used by the RCMP came up in the context of another committee study. I understand we're not talking about the same tools as those we're discussing today, but it was said that it was like when a microphone used to be inserted in the lamp. Honestly, I have to say it's the same thing. I believe that privacy-related expectations are different these days.

You're forging ahead, and I congratulate you on that, but I'm nevertheless disappointed to see that so many departments and agencies haven't done this.

Mr. Mills, earlier my colleague asked you how many departments and agencies had used the tool in question. I would like you to reply to that question in writing so we can make an informed decision.

Mr. Chair, how much time do I have left?

12:25 p.m.

Conservative

The Chair Conservative John Brassard

You have 30 seconds left.

12:25 p.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

That's good.

Ms. Fox, you say you only use this type of tool in an investigation. That's quite specific. Does the fact that it's an investigation release you from the obligation to do a privacy impact assessment?

12:25 p.m.

Kathy Fox

No. We're required to comply with the Canadian Transportation Accident Investigation and Safety Board Act or the Privacy Act. However, our enabling statute authorizes us to gather information for investigations related to our mandate, but we're also required to protect that information and to use only the information we really need to determine what happened in the incident in question.

12:25 p.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Do those two acts contradict each other?

12:25 p.m.

Kathy Fox

No, I believe there will always be statutes that grant access to information for specific purposes or mandates, such as transportation safety investigations. If we didn't have access to information, we wouldn't be able to determine what happened or what should be done to prevent an accident. This is a situation in which the public interest is important. We also have to comply with the Privacy Act, but it's a matter of balance.