Thank you, Madam Chair. I'm very pleased to be taking part in your work on this very relevant issue.
My name is Chantal Bernier. I'm a lawyer who specializes in privacy and cybersecurity law.
You invited me here today to outline the information security considerations associated with a potential virtual sitting of the House of Commons. I understand your concerns, particularly in light of media reports regarding security risks related to certain platforms. However, these risks must be put into context. First, they apply only to certain types of information. Second, they apply only to confidential debates. I'll address these distinctions.
In relation to the types of information you must protect by law as a public institution, there are two that are most relevant to your work.
The first category of protected information I will mention is information received in confidence in relation to the affairs of the Government of Canada, or received from another government, because the disclosure of that information would be injurious to the interests of the Government of Canada.
This type of information would never arise in the House of Commons. Should it arise in committee meetings, the committee should go in camera, and then the chair should ensure additional information security measures are applied, proportionate to the sensitivity of the information involved. The chair should not proceed to an in camera meeting unless there is assurance from the technology experts of the House of Commons that it can proceed securely online.
As a former senior public servant who had to lock her device in a little box every time she attended cabinet meetings, I can assure you that the Government of Canada has a long tradition of information security.
The second category of protected information I will mention is personal information. Personal information is defined as information that relates to an identified or identifiable individual, meaning that even if the information can be related to an individual only indirectly, it is still personal information, and you must, by law, protect it.
However, there are exceptions that are relevant to your work. These are types of personal information that you do not have to protect.
The first is information about an individual who is or was an officer or employee of the government institution where the information involved relates to the function of that employee or office. You also do not have to protect the fact that an individual is or was a ministerial adviser or a member of ministerial staff, as well as the individual’s name and title. As well, you do not have to protect information about an individual who is or was performing services under contract for a government institution when, again, the information relates to that contract. Finally, information relating to any discretionary benefit of a financial nature to an individual, such as the granting of a licence or permit, is also not subject to protection and can be disclosed.
In other words, the protection of personal information cannot undermine government accountability.
Moving, then, to the type of proceedings that call for security measures, sittings of the House of Commons and meetings of House committees, except when they must go in camera, do not create security risks. It's quite the opposite. Because House debates are always public and are accessible directly from anyone's computer at any time, moving online preserves the transparency of Parliament more than it creates information security risks.
While I'm here, I would like to bring to your attention real information security risks that have not made the news. I am referring to telework. Working remotely from our houses raises information security risks. I speak on the basis of practical cases I have seen.
The main risks are these. The first one comes from the fact that many of us share a home. Telework means that the arrangements must provide physical protection of confidential information. Not everyone has a house big enough to allow a separate room to work in. Measures must therefore be adapted to each physical setting to protect information on both paper and screen.
Government documents should never be transferred to personal electronic devices. These devices are not configured in accordance with government information security standards. Government electronic devices should also not be made accessible to anyone except the government employee to whom the device has been assigned, even for temporary use. The devices are most likely to contain documents protected by law, and access by an unauthorized person constitutes a breach.
While passwords are the basis of security on electronic devices, they become even more important in the context of telework, an environment where you are around people who know you very well and, therefore, could guess your password. It's not necessarily for nefarious reasons, perhaps only because they want to use the computer. Still, it constitutes a security risk.
Without the entry-exit controls of Parliament offices, screens should be set to lock automatically when they are not used for a set period. That set period should be as short as necessary, according to the circumstances. Privacy filters on a computer can be used to hide the screen or make it invisible to others.
Finally, I would caution you against the accidental use of one's personal email for professional use. In the home environment this confusion risk is higher.
In short, I want to both reassure you and caution you.
I can reassure you by putting into context the issue of information security as it relates to your work. Apart from when you must deliberate in camera, the Internet maintains the level of transparency that we all want in the House of Commons rather than creating an information security risk.
When you need to sit in camera, Madam Chair and your fellow committee chairs, you must ensure that all safeguards proportionate to the sensitivity of the information involved are applied.
Regarding my cautionary note, I strongly encourage you to speak to all the members of your team about the measures that they've taken to ensure the protection of information while teleworking.
Thank you for your attention. I look forward to answering your questions.