Evidence of meeting #143 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cra.
A recording is available from Parliament.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I think we made our recommendations for the situation we investigated in this one, and we'll be making more recommendations, as the case may be, in this next investigation.
Conservative
The Chair Conservative John Brassard
Thank you both.
Mr. Villemure, you have two minutes and 30 seconds.
Bloc
René Villemure Bloc Trois-Rivières, QC
In your opinion, has telework contributed to the situation at the CRA and could a lack of direct supervision be at fault?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
We have not found that so far in our investigation. In the upcoming investigation, we'll see if that comes out. Our findings focused on the risk assessment and the time it took to detect the problem or contain the breach. We found information and communications, and we saw that the approach was possibly siloed.
We didn't approach the situation from the perspective of whether telework played a role. That said, if telework contributes to creating silos, that is a concern for us. We heard about the importance of communication among stakeholders, accountability and a team approach. Determining which departments are at fault is less important than getting good results for Canadians.
Bloc
René Villemure Bloc Trois-Rivières, QC
It may be the consequence of telework, but telework itself is not the problem.
The CRA believes that its systems were not compromised and that scammers got their hands on information from the dark web. That's what it claimed.
How credible is that?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I won't comment on that.
Our ongoing investigation will verify all that, and then we'll write a report.
Bloc
René Villemure Bloc Trois-Rivières, QC
The CRA said they should have had a reporting process in place.
Isn't it a little late to make that kind of observation?
In today's world, personal information gets compromised. Obviously, privacy is a fundamental right. When I hear that from the CRA, I think it should have been done beforehand.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
As in our previous report, when we investigate a situation, we check what happened and make recommendations.
In our February report, we acted decisively to make a series of recommendations on what we saw as shortcomings. We'll do the same thing in this case, if necessary.
René Villemure Bloc Trois-Rivières, QC
Okay.
In your opening remarks, you mentioned the use of telegram and social media.
I don't know that side of it, so can you explain to me what role telegram plays?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I don't think I mentioned the word “telegram”.
Bloc
René Villemure Bloc Trois-Rivières, QC
Okay, I must have read it somewhere else.
That said, does social media play a role in this type of situation? Does it have repercussions or consequences?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
What we focus on is when departments use social media and providers, and information is published on social media.
This kind of situation has been investigated before. It was not related to the CRA, but to Home Depot. The information would be shared on Facebook, and people would get an electronic receipt instead of a printed one. Social media played a role in that case.
Bloc
René Villemure Bloc Trois-Rivières, QC
I realize I made a mistake when I mentioned telegram.
Thank you, Mr. Dufresne.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Villemure.
Mr. Green, you have two and a half minutes, please.
NDP
Matthew Green NDP Hamilton Centre, ON
Thank you very much.
Mr. Dufresne, you mentioned that it is the responsibility of the Treasury Board Secretariat to provide notice of material breaches. I'm on the secretariat's website. I don't see any major announcements of the CRA breach. Can you refer to where they would have made this public?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I was having difficulty hearing you, Mr. Green, but I think, if I heard you correctly, that you're asking about the announcement made by Treasury Board of the breach situation. This was made in 2020 vis-à-vis the GCKey breach. It was a statement from the—
NDP
Matthew Green NDP Hamilton Centre, ON
I'm sorry. I believe you mentioned that in your reporting you would have reported the additional 15,000 material breaches. That would have gone to the Treasury Board. Presumably, the Treasury Board would have notified the public. Is that correct?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
In our “Special report to Parliament”, we mentioned the 15,000 cases that we had been informed of at the end of this investigation. This special report was tabled to Parliament, so this special report is public.
NDP
Matthew Green NDP Hamilton Centre, ON
Do you ever take it upon yourself to do press conferences? How do you communicate to the public when big events like this happen? Is it just that you table a report and then it's our responsibility to make it public? What is your mandate to inform the public?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Well, from time to time, we do press conferences. In this instance, we did not. There's no set practice as to—
NDP
Matthew Green NDP Hamilton Centre, ON
What might be an example of a previous press conference that you would have done regarding privacy breaches?
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
We've done press conferences reporting on our investigation into Home Depot with respect to the sharing of email receipts. We did a press conference on our special report on our investigation into Aylo, the owner of the MindGeek pornographic website.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
We made these two special reports in February 2024. We reported this alongside another of our investigations, which normally we would have reported in an annual report. This was a new practice under the Privacy Act—