Evidence of meeting #103 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.
A recording is available from Parliament.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Villemure and Ms. Fox.
Mr. Green, I'm going to allow you three minutes as well since that's what I gave Mr. Villemure.
NDP
Matthew Green NDP Hamilton Centre, ON
Thank you.
I'm going to ask all of you the following two questions.
First, in the case where you're using a tool on a mobile device or computer that your employees do access—this is just your opinion—do you think it would be judicious for your institutions to consult the OPC before deploying that use?
Second, would adding a legal obligation in the Privacy Act to conduct PIAs and to submit them to the Office of the Privacy Commissioner of Canada make the process clearer for your institution, and in particular, for government institutions in general—so both your department and all departments?
My asking these questions is not a gotcha. It's to hopefully have a report that provides us with clear recommendations to the government to improve the processes, so you don't have to be here again for these types of scenarios.
Director General, Corporate Services, Transportation Safety Board of Canada
In terms of using this technology for employees, yes, of course we will consult with the Office of the Privacy Commissioner, as this would be a totally new use. I don't really foresee our ever doing that.
In terms of your second question, I think the better mechanism to get to what we need is more awareness and training of employees, and this committee is doing a good job by actually holding these sessions and bringing that awareness up front. I think the directive is being reviewed. If we can add awareness and training to that, I think it would go a long way, more than—
NDP
President, Shared Services Canada
From my perspective on the administrative investigation side of things, I think it's important that we continually update our processes, adding in best practices and learnings from other departments and consulting the labour relations experts at Treasury Board. Certainly, having the advice of the Privacy Commissioner there is important in terms of the establishment of the program. We use these tools very rarely in that case.
For the access to information and privacy side, it's important to note that, once these records are under control, this is about us responding to the legal obligation, so we use those very restrictively. However, for example, every once in a while we get a request for all of the text messages sent from my phone. We use this tool to get them—
NDP
President, Shared Services Canada
—and that makes it quick, because it's very hard. I don't actually.... I can't tell you how to get them off my phone.
NDP
Matthew Green NDP Hamilton Centre, ON
I appreciate that. I do have to go to the last department.
Mr. Mainville, go ahead.
Chief Digital Officer, Competition Bureau Canada
For your first question, we are a law enforcement agency. We have section 29 of the Competition Act, which requires us to conduct our investigations privately, so that's the beginning of the privacy. It would be very hard for us, on a transactional basis, to go to the commissioner of privacy.
For the second question, yes, I think it would be beneficial if we were all expected to do PIAs on our programs—not specific tools—and then, when those tools change, if they drastically change, to revise the PIAs.
NDP
Matthew Green NDP Hamilton Centre, ON
We did establish that your tool did drastically change from 1996.
Chief Digital Officer, Competition Bureau Canada
And we are looking at establishing a PIA.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Green.
There are two more five-minute question rounds, one each for the Conservatives and the Liberals.
Mr. Kurek, you have five minutes. Go ahead. Start now, please.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
Thanks very much, Chair.
To the folks at Shared Services Canada, one of the companies in question here is Cellebrite. I know there are media reports about how the technology can both violate privacy, but also they've had a tech breach. I think it was 1.7 terabytes of data, of information, was made public. One of your big roles is being able to provide, in this case, a very powerful tool.
What processes do you have to make sure that the tools you're procuring actually respect the privacy rights of Canadians, both those that might be used outside the administrative purposes of government, for the purposes of investigations—whether that be agencies we have here or others this committee has heard from—or for administrative purposes, for example, making sure that, for a company that has some pretty serious accusations against it, privacy and rights are protected in that process? What is your process?
President, Shared Services Canada
There are quite a few elements to that question. The first piece is that, when we're procuring, we procure for requirements, so we need a certain capacity or capability to do some aspect. That's what we'll look for. As part of that, there is also a security assessment that's done. We work with our partners at the Communications Security Establishment to ensure supply chain integrity, to make sure that the ownership....
Then lastly, it's how those tools are used and how we deploy them, so for example, any tools like this we use in an isolated lab so that the data stays under our control, in our physical possession and physically isolated as well.
Conservative
President, Shared Services Canada
That last step is for us as a department. How we do the evaluation of the software is a standing process for how we are working with the Communications Security Establishment.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
When the article first came out with some revelations and some really serious questions, and a lot of questions.... We've been able to answer a few of those. Again, I'll recommend proactive privacy impact assessments. With respect, all of you operate under acts that were passed by Parliament, and the Privacy Commissioner is an officer of Parliament. Utilize that service, because government is a function of Parliament, not the other way around.
Those are protocols you've created to ensure that this technology is used within that secure room and not connected to the Internet—that sort of thing. Is that what Shared Services Canada has done?
President, Shared Services Canada
That's what we've done in terms of administrative investigations, but for any forensics assessment, yes.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
I am curious. There were 13 departments and agencies referenced. Some were no surprise—for example, the TSB and the RCMP—but then there were others where there are outstanding questions and we don't know whether it was for administrative purposes, etc.
Are there any additional departments to the 13 referenced in the article that have utilized the software you have through Shared Services Canada? Are there other departments that would have utilized that software, beyond the 13 referenced in the article?
President, Shared Services Canada
I don't have a list.
I don't know, Dan, if you have seen anything. I don't think so, though.
Assistant Deputy Minister, Enterprise IT Procurement and Corporate Services Branch, Shared Services Canada
I don't think so, but as I mentioned earlier, we can provide the committee with a list of all departments that have used it, if they are in addition to the 13 that were listed in the article.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
I think there are two very distinct things. There is the administrative side of things, ensuring that employees' rights are protected and whatnot, and then there is the investigative side of things, whether it's because of an airplane crash or a competition circumstance, as in the case of our other guest here.
If you could delineate the difference between those circumstances, where it was used for administrative purposes versus for investigative purposes, I think that would be very helpful.
Further, it would be nice to know about judicial authorization, but I suspect that probably goes beyond the mandate of what Shared Services would be able to provide. Am I correct in that assumption?
President, Shared Services Canada
I don't think we would know the purpose of the tool, other than making a guess at the mandate. We can certainly look at which departments or agencies have procured through us, but we wouldn't know what purpose they were using it for.
For example, the RCMP is not going to tell me what tools they use in a police investigation.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
You're the IT service providers, so you're not going to get answers. If you could provide that information and if you know about both the administrative purposes and investigative purposes, that would be very helpful for us to answer what are the still serious outstanding questions that I think many Canadians have.
