Evidence of meeting #143 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cra.
A recording is available from Parliament.
Conservative
Frank Caputo Conservative Kamloops—Thompson—Cariboo, BC
The reality is that when there's a privacy breach, it shouldn't take a law to require a minister to tell the Privacy Commissioner that something bad happened. We can agree on that, certainly.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Well, I would hope. I would hope, but experience shows otherwise. Experience shows that we are not given these formal notifications within the seven-day time.
Conservative
Frank Caputo Conservative Kamloops—Thompson—Cariboo, BC
What I find disappointing, Commissioner, is the impression that I got from the minister's testimony: We did everything we could. There's nothing to see here. This is on someone else or on something else.
Would you agree with that assessment? Would you agree that this was how the minister was portraying things?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I think the testimony will stand for itself. What I am saying is that I understand that departments have lots of pressure, but these notifications are important. If it were a legal obligation in the Privacy Act, with a timeline, I think we would see greater compliance in those notifications.
Conservative
Frank Caputo Conservative Kamloops—Thompson—Cariboo, BC
As I understand it, in your report of findings you made several recommendations that CRA has agreed to implement. Was CRA using best practices at the time to prevent these sorts of privacy breaches?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
That was one of the substantive issues in the investigation. They took the position that they were. Ultimately, we found that the practices were not sufficient. We discussed this in our special report, talking about some of the advice that had started to be made and some of the concerns that were raised.
Certainly, we didn't see situations of bad faith or anything like that, but there is disagreement about the level of risk, the importance and the measures that need to be put in place here. In our report we made recommendations to elevate those security processes.
Conservative
Frank Caputo Conservative Kamloops—Thompson—Cariboo, BC
Unfortunately, incompetence doesn't require bad faith. You don't have to deliberately try to be incompetent, but there could still be incompetence there.
I'm really interested in what you just said, that CRA believed they were doing a good enough job. Am I correct in saying—I'm paraphrasing here—that they weren't doing a good enough job, and that the upshot or the corollary of the fact that they weren't doing a good enough job is that now we have 31,000 breaches? Is that fair to say?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Well, there will be a second report on this other situation, but we found in this first report that there was an underevaluation of the significance of those breaches for individuals, which resulted in an underprotection. We made comments and recommendations on that. We also found that there were information-sharing gaps and accountability gaps. We made a number of recommendations to improve the processes.
Conservative
Frank Caputo Conservative Kamloops—Thompson—Cariboo, BC
Again, from what I'm deducing here, and this is just my summary, CRA and the minister thought they were doing a good job. They weren't. At the end of the day, privacy breaches occurred. Now you have told them what they need to do to fix this in order to prevent this in the future.
Thank you, Chair.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Caputo.
Mr. Housefather, you have five minutes. Go ahead.
Liberal
Anthony Housefather Liberal Mount Royal, QC
Thank you, Mr. Chair.
I imagine, Mr. Dufresne, it's your job to tell agencies of the government all the time what it is they're doing not well enough and to give them corrective actions to take. Is that correct?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Yes.
Liberal
Anthony Housefather Liberal Mount Royal, QC
Each time you're doing that, you're not necessarily insulting them and telling them they're doing a horrible job and it's the minister's fault, right?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
That's right.
Liberal
Anthony Housefather Liberal Mount Royal, QC
Thank you. I just wanted to correct what Mr. Caputo had said.
Let me come back to multifactor authentication, which I think is a very important question. I read your February analysis. Obviously, multifactor authentication should be almost the most self-evident thing the CRA should do. Has CRA now properly included—as it seems to me from your report that it has—multifactor authentication in all the places it should?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
It has. I think there's still some time for them to finalize some of the recommendations we put in place. Ms. Gervais can correct me, but the multifactor authentication has been put in place. That issue is now resolved.
Liberal
Anthony Housefather Liberal Mount Royal, QC
That's good.
Are you aware of other government departments right now, based on the assessment you made using a three versus a two, that are also underassessing the problems for Canadians if privacy information gets misplaced?
Have you sent a letter to everyone to say they should be using multifactor authentication, based on a revised assessment?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
When we tabled our special report on the GCKey matter in February 2024, we were talking about CRA, ESDC and others. Part of that special report is to be a message to all departments and all of government to say that these are the lessons they should all take.
Any department that is applying this framework should look at this in coordination with Treasury Board and adjust that calibration. My expectation would be that all departments took notice of that decision and would be implementing it.
Liberal
Anthony Housefather Liberal Mount Royal, QC
Are you aware of any other department that has proactively communicated with you about this report and has said that it will now do multifactor authentication?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
We've been in touch with ESDC and the CRA. I don't know if we've been notified by other departments that they are doing this. Again, my expectation is that they are, because we've made this finding public, stating that these are our expectations for the government.
Mrs. Gervais, do you want to add anything?
Isabelle Gervais Deputy Commissioner, Compliance, Office of the Privacy Commissioner of Canada
I was going to very quickly add that as part of the GCKey investigation, 23 other organizations that were using GCKey were also interviewed. They would have been made very well aware. The 23 organizations that we also met are listed in our report.
Liberal
Anthony Housefather Liberal Mount Royal, QC
Thank you.
Have you considered sending a letter to the departments to ask them the question, follow up, talk about the February report and ask them if they realize how serious the situation is and have started the process of ensuring that information is protected?
December 5th, 2024 / 4:40 p.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Yes, we could certainly consider that. In our discussions with them, process improvements and process communications were mentioned.
We are going to follow up to make sure that it is, in fact, done and that people are notified in compliance with procedure.
Liberal
Anthony Housefather Liberal Mount Royal, QC
Excellent.
On the other point that I wanted to raise.... In reading the report, it sounds very much to me like the issue is not necessarily the computer systems themselves, although the computer systems themselves can be compromised by not having things like multifactor authentication. It's more about people who are stealing private information about people on the dark web and creating new accounts for them. It's about getting access to their existing accounts using information that they've circulated, which is different from, for example, the other problems that might exist with Trojan horses and other defects in the system itself.
I have read that in the United States, about nine years ago, such an issue existed. What has happened since then is that private companies that are working with CRA would share information with CRA to work together to safeguard everybody's information. It doesn't seem like that process has started in Canada at all.
Is that something that you have recommended to CRA, and would we need to made changes to our laws to allow those companies and CRA to share information to better create a more secure overall system?
Conservative
The Chair Conservative John Brassard
I do need a fairly quick response, if you don't mind, Mr. Dufresne.