Evidence of meeting #104 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was use.
A recording is available from Parliament.
Associate Professor, As an Individual
I believe they're telling the truth, but I believe the law and the policies have not kept up with the capabilities of these devices and what they're capable of.
Liberal
Pam Damoff Liberal Oakville North—Burlington, ON
Well, I think employees have to take some onus on themselves when they're doing something for work. I also think that if there's a suggestion of harassment or wrongdoing by the employee, regardless of where you work, your employer should have the ability to use the proper legal tools, including with your phone, to investigate allegations of wrongdoing.
My time is up, Chair. Thank you.
Conservative
The Chair Conservative John Brassard
Thank you, Ms. Damoff.
Mr. Light, I want to thank you for appearing before the committee today with your testimony.
The next panel needs to be set up, so we'll suspend for a couple of minutes. We'll be back soon.
Thank you.
Conservative
The Chair Conservative John Brassard
Welcome back for our second hour. That took a little longer than a couple of minutes, but let's get started here.
Welcome to our witnesses for the second hour today. From the Canadian Association of Professional Employees, we have Nathan Prier, president, and Laura Shantz, senior adviser, advocacy and campaigns. From the Professional Institute of the Public Service of Canada, Jennifer Carr is here.
I want to welcome all three of you and thank you for being here today. You have up to five minutes to address the committee.
We'll start with the Canadian Association of Professional Employees. Go ahead, sir.
Nathan Prier President, Canadian Association of Professional Employees
Good afternoon, and thank you for the opportunity to appear before the committee today.
My name's Nathan Prier. I'm the president of the Canadian Association of Professional Employees, where I represent over 25,000 public sector workers in the economics and social sciences services and translation groups, as well as employees of the Library of Parliament, the Office of the Parliamentary Budget Officer, and civilian members of the RCMP.
We're shocked and dismayed to learn that spyware has been used in multiple federal departments, on federal devices used by public sector workers, without following the government's own policies. The use of this spyware was uncovered, as we just heard, through an access to information request submitted by Dr. Light, and public sector workers learned of the potential breach of their rights from the press instead of through mandated privacy assessments or any sort of proactive disclosure by the employer.
This kind of secretive behaviour damages the trust between public sector workers and their employer. Dr. Light described the use of this spyware as “overkill” and “ridiculous, but also dangerous”, and we just heard some examples of why he feels that way. In our estimation, the use of such software is pretty heavy-handed and is a breach of our members' trust.
The government's directive on privacy impact assessment is in place to ensure that any data collection is done through the least intrusive methods possible, and the government's own Privacy Commissioner has indicated that assessments are warranted whenever privacy-infringing tools are used, even when there is judicial authorization in place that some measure be used. The 13 departments in question here didn't perform privacy impact assessments before using this spyware, despite their own policies requiring such an assessment to be done, and for us that's completely unacceptable.
Federal public sector workers should enjoy the same rights to privacy and due process as all other Canadians. Their employer should treat them in a way that builds trust, so that they can deliver quality service to Canadians. In order to rebuild this trust and ensure that government workers maintain their rights to privacy and due process, we call on the federal government to make a plan to update and consistently follow its digital policy framework.
CAPE, my union, is here to present three specific requests.
First, we're calling on the government to stop the use of spyware on federal devices outside of its own established rules, and to use the least invasive measures necessary. All public sector workers deserve due process during investigations.
Second, we want to know when the government plans to conduct privacy impact assessments at all affected departments and to publicly release the results of these assessments to help public workers rebuild trust in their employer after these breaches. Spyware use represents an erosion of privacy rights that no public worker should accept on its face.
Finally, we call on the government to conduct a thorough review of all its digital policies to ensure that the existing policy framework is adequately robust to protect employees' digital rights, including their right to reasonable privacy, their right to be informed about any digital surveillance tools being used in the workplace and their right to disconnect from work at the end of the day.
CAPE members deliver sound policy advice for the government, and they can only do their best work when the employer demonstrates willingness to be open, transparent and respectful of the public sector.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Prier.
Ms. Carr, you have five minutes. Go ahead.
Jennifer Carr President, The Professional Institute of the Public Service of Canada
Thank you, Mr. Chair.
Thank you for the invitation to speak with you today.
My name is Jennifer Carr, and I'm the proud president of the Professional Institute of the Public Service of Canada. We represent 75,000 federal public servants and some in the provincial sphere as well. We also represent IT workers.
I want to start today by making our position very clear. Employees' privacy rights must be protected. Government employees, our members, are Canadian citizens just like you and me. We all have the right to know when our information is being accessed, what information is being gathered, how it's going to be used, who has it and who will have access to it, and how it's being stored and protected. I hope we can all agree that, as one of the largest employers, the federal government should set the example for all other employers and be held to the highest standard.
Sadly, as you have heard, it appears that many government departments and agencies have not done so. They have failed to abide by the government's own policies and rules. They've apparently disregarded the Treasury Board directive requiring that privacy impact assessments be carried out before using these kinds of tools.
We're talking about federal departments and agencies potentially using these tools to obtain access to text messages, emails, photos and travel history, to access cloud-based data and reveal Internet search histories, deleted content and social media activities, and possibly to recover encrypted or password-protected information.
Think about all the information that you have right now on your phone, your tablets, your watch or your computer: health data, financial information, deleted messages from friends and family, or cloud-based information like your family photos stored on Dropbox, Google or OneDrive. The idea that using an employer-supplied phone or computer means that you are giving up all your rights to privacy is absurd.
We are deeply concerned to learn that some employers, like Fisheries and Oceans Canada, claimed that the use of these tools was justified because the data belongs to the department.
Your employer may own the device, but that does not mean they own your personal data on it. The Privacy Commissioner and legal experts have been crystal clear on this. The commissioner also made it clear that, even when there is a legal authorization, it doesn't mean that the departments are exempt from doing the privacy impact assessment. These assessments are critical to identifying potential privacy risks and figuring out how those risks can be mitigated and/or eliminated.
The Privacy Commissioner should make it clear that his office must be consulted before these tools are used, and not learn about it in the media stories after the fact.
We also need transparency around how often assessments are required to be done and what should trigger one if we need to do a new one. Technology is evolving at a rate faster than we've ever seen before. This means that our privacy laws, regulations and practices need to evolve just as fast.
Moreover, government departments and agencies should be required to consult the Privacy Commissioner prior to adopting any new privacy rules, especially when they pertain to the use of intrusive software tools. Failing this, MPs should amend the Privacy Act to make this a requirement under the law.
The employees we represent are also concerned about the testimony you have heard by some of their departments. Health Canada first said that they had purchased but never used these tools, before admitting that they had used them, but wouldn't say for what. Defence officials testified that it was unclear whether the privacy impact assessments were completed or not. RCMP officials told you that they were using the tools, but would only do the impact assessment later this year.
As the union representing tens of thousands of federal employees, these mixed messages heighten our concerns about electronic surveillance in our workplaces.
In closing, I want to thank you, committee members, for launching this study. Our members appreciate your decision to look into this issue. We urge you to make strong and clear recommendations on how government employees' personal data should be better protected. These recommendations should include the following.
Government departments and agencies should be required by law to conduct privacy impact assessments before using any of these tools, regardless of whether legal authorizations exist, as the Privacy Commissioner recommended, and less intrusive methods should be used to gather information, as required by the privacy impact assessment directive.
When departments and agencies fail to abide by Treasury Board directives, there should be clear repercussions and actions to ensure that they have further compliance.
The second is that clearer guidelines be provided around what new or modified programs will require new privacy assessments and that current ones be updated. Technology is moving at a fast pace, and our practices need to reflect that reality.
Finally, the government must acknowledge that the use of an employee's device does not give it ownership of people’s personal data on it. As the tools that this study has been asked to investigate become more powerful and invasive, privacy protections must be improved to keep pace.
We urge all MPs to come together to ensure that the government maintains the highest standards when it comes to employees’ privacy. Let’s make our government a shining example as an employer across the country when it comes to protecting privacy in the workplace.
Thank you.
Conservative
The Chair Conservative John Brassard
Thank you.
I want to thank both of you for your opening statements and, more so, for providing solutions. It's not often that we have witnesses who come with these types of solutions and recommendations to the committee, so I appreciate that you both have done that.
Mr. Kurek, you have six minutes in the opening round. Go ahead, please.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
Thanks very much.
Thank you to our witnesses for being here.
Now, I want to pre-empt what seems to have been the argument from the government on a number of cases. First—and it addresses this specifically, so I want to give you a chance to answer this—the government has said, “Oh, don't worry. It's not spyware.” It's troubling because these are incredibly powerful tools that have access to that personal information.
I'll direct that question to Mr. Prier. However, I'll ask my second one as well, which will be for Ms. Carr. It's surrounding the fact that it's a government device and, therefore, you basically have no rights. That's a paraphrase of even the questions that we heard from a parliamentary secretary in the last hour, and I think you were here for that. So, I'd like to ask for your opinion on that and whether you could provide some context as to why you referred to it as those things in your opening statement. Then I have a couple more questions that I'd like to get to.
We'll start with Mr. Prier.
President, Canadian Association of Professional Employees
I would say that whether or not we call it spyware, by definition—we could argue over the definition—it is technology that is infringing on our members' privacy rights. I think that's the basic line that was crossed here.
The proactive disclosure of the use of this technology, even though the Treasury Board directives state that this should have happened, did not happen. We learned about it after the fact.
I'll just speak to the issue of whether the fact that it's a government device means that it's able to suspend all members' privacy rights as such. The federal government is one of the biggest employers in this country. It needs to be setting a high bar and a high example for how we expect all employers to behave toward all Canadian citizens and their privacy rights as such. We feel that, in this case and in many other cases, it seems that we're slowly learning that basic policy wasn't followed.
The Privacy Commissioner was very clear that when new tools are developed that pose privacy risks, as we've seen here, this merits a privacy impact assessment and proactive disclosure. I think there are very easy ways to communicate proactive disclosure of these technologies in plain language that will make workers in a workplace, our members, federal public servants, much more able to not just abide by basic standards of what is to be shared on a government device but be aware of their privacy rights and the potential violations of them, so that this discussion can happen before these technologies are installed.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
I hate to cut you off, but as you know, we have limited time.
You may have heard my not-so-subtle advice to department heads and whatnot to pick up the phone and call the Privacy Commissioner. It needs to be done so that we can start to restore that trust, both with Canadians and with the hard-working men and women in our public service.
Ms. Carr.
President, The Professional Institute of the Public Service of Canada
I'll be concise.
You may not know that there is already a policy on using digital devices. In that policy, it says that you can actually use the government devices for personal use if it does not interfere with your work, if it is done on your own time. I'm not sure that this was brought up before by anyone else.
There are a lot of policy suites that exist within the government sphere, but as we leave them to be decentralized and applied by individual departments instead of centralized through Treasury Board and oversight, that's where we get into trouble.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
I appreciate that. I think it's important, especially because cellphones and mobile devices have become such powerful communications tools. No longer are they just a cellphone or just an email device. They're so much more than that.
I am curious—and I want to hear your opinion first—if you could offer any examples of when these investigative tools have been used to find whistle-blowers or people who have been targeted because of their actions within a particular department. Specifically in terms of finding a whistle-blower, I'm wondering if there are any examples—if you've heard that or can cite them. I'd also just ask for your opinion about how this could infringe on a worker's ability to call out what could be misconduct within the department, agency or otherwise.
President, The Professional Institute of the Public Service of Canada
One thing that concerns me about some of the testimony is that they say they have the software but they don't use it; they send it off to another department. If the technology exists and we don't know how it's being used, and if they don't have to disclose when and how it's being used, that's very concerning.
I can't point to a specific example, but having technology and not having any kind of disclosure on when you need to use it, any director or DG signing off, that is very concerning. No oversight means it can be used without us knowing.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
Mr. Prier, was there anything you wanted to add to that? There's about a minute left.
President, Canadian Association of Professional Employees
No, I just wanted to say that I agree with Jennifer on the points that she made. Also, the employer has a strong track record here of being reactive instead of proactive when it comes to digital policy and privacy. A lot of Treasury Board policies are in desperate need of updating for the digital world and probably need to be constantly refreshed as we go.
I think the policy framework we have is strong enough; it just needs to be followed more closely.
Conservative
Damien Kurek Conservative Battle River—Crowfoot, AB
I appreciate that. The proactive versus reactive, that's the message I think it would behoove the government departments to follow.
When it comes to the use of these tools and the idea of consent by employees, we heard in testimony from the last hour about the power imbalance.
Can you provide brief context?
President, The Professional Institute of the Public Service of Canada
That's a great question.
Because of when these policies were put in place.... What is the consent? I don't think that when the original policy.... When it was just your cellphone, they would have access to whom you'd called and for how long. They haven't done it, when we're using these tools, for cloud-based things. These tools will allow you to go into those clouds. They will allow you to go into encrypted, password-protected...they have all your history.
That was not contemplated way back. We need to have updated policies. I hope you can agree that with the unlimited potential for them to use this tool to find anything, it's absurd that we would think that they [Inaudible—Editor] privacy.
Conservative
The Chair Conservative John Brassard
Thank you, Ms. Carr.
We did go a little over. I'm trying to keep the tight timelines, respecting everyone's time.
Mr. Bains, you have six minutes. Go ahead, please.
Liberal
Parm Bains Liberal Steveston—Richmond East, BC
Thank you, Chair.
Thank you to our witnesses for joining us today. Thank you for sharing your recommendations. Part of our work as a committee is to make recommendations. Thank you for sharing those off the top, from both organizations.
We did hear from the Privacy Commissioner about the use of the term “spyware” specifically. This is a quote from the testimony the Privacy Commissioner gave us. He said, “Initial reports referred to them as covert surveillance or spyware. Since then, it has been clarified that the tools are digital forensic tools, which are distinct from spyware.” He also said, “Digital forensics tools are distinct from spyware in that spyware is typically installed remotely on a person's device without their knowledge.”
We've heard that these devices are used within regulations, a warrant, and the knowledge of employees. We've heard from several agencies when we asked them about.... I think I specifically asked if you can remotely access people's information with these tools and they say, no, you have to get a warrant and physically obtain the device, connect to it, and then you can extract the information that we've been talking about.
Do you have any thoughts on that, Ms. Carr?
President, The Professional Institute of the Public Service of Canada
We have this testimony, but it's not clear. Every department has come in and given you a different version of how they're using it. If it is true that you're handing your device off to a third party, why do the departments actually buy and procure this software and have it in-house? I have some concerns about the testimony that they've given that it cannot be done remotely.
The other thing is, what are they pulling? Can they pull everything? Is a warrant all-inclusive or are they specifically gathering certain information?
Liberal
Parm Bains Liberal Steveston—Richmond East, BC
We did hear from several agencies that are investigating something. Many of them have an enforcement piece to those departments. It would be specific to what the investigation is, and the warrant would be specific to that. They would only be able to obtain the information specific to whatever the investigation is. That was the testimony that we heard.
Are employees made aware when using these devices that they are for professional use and not personal use? For example, we have two devices.
President, The Professional Institute of the Public Service of Canada
Again, I referred to a policy. I will get you the actual name of the policy, but it does say that work devices can be used for personal use if it doesn't interfere with the work they are doing, if it's done on personal time. The misconception is that it is only an employer device. It is encouraged by certain departments—and it has been for a long time—that you can use your work devices as personal devices as well.