Thank you so much, Mr. Chair.
My name is Jim Alexander, and I'm the deputy chief information officer at Treasury Board Secretariat. I'm accompanied today by Donald Lemieux, who is the executive director of the information and privacy policy division.
On behalf of Treasury Board Secretariat, I would like to begin by thanking the committee for this opportunity to discuss the role of Treasury Board Secretariat with regard to the management of the social insurance number.
We were called here today to talk about the recommendations from the Office of the Auditor General and how Treasury Board Secretariat is progressing in addressing them. I trust that all members of the committee have received copies of the deck that we provided to the clerk earlier.
As shown in slide 2 of the presentation, the OAG recommended that Treasury Board Secretariat should update the policy framework governing the use of the social insurance number by March 31, 2008, and ensure that the policy instruments governing the use of the SIN in the federal government close the gaps identified in the 2003 review.
As TBS indicated in the response to the recommendations, TBS is committed to updating and clarifying the policy requirements governing the use of the SIN in the federal government by March 31, 2008.
I'll discuss TBS's commitments in more detail later in the presentation. However, I'd first like to provide a general overview of the accountability structure for the management of the SIN. This will help to position Treasury Board Secretariat's privacy role with respect to the SIN, and then I'll provide an outline of TBS's policy renewal process as it relates to the SIN policy components.
On slide 3, the President of the Treasury Board, as designated minister under the Privacy Act, is responsible for developing and issuing privacy policy, including those components that govern how federal departments collect and use the SIN. The current policy components on the use of the SIN are part of the policy manual and guidelines on privacy and data protection. TBS privacy policies also provide direction and guidance on data matching, processing of privacy requests, and the conduct of privacy impact assessments. It should also be noted that the Office of the Privacy Commissioner of Canada monitors compliance with the Privacy Act, and as such, monitors SIN use by government institutions that are subject to the Privacy Act.
On slide 4, the SIN was conceived as an efficient tool for facilitating the comparing of data. In other words, the SIN was to be used for data-matching purposes within the federal government. The government's privacy policy components on the SIN were intended to ensure that there would be limits on SIN use at the federal level, as it could easily be used as a tool to link personal information held by various government institutions. The policy was intended to mitigate this risk. The policy components do not, nor were they ever intended to, address the reliability of the social insurance number or the integrity of the social insurance register, or the collection and use of the social insurance number in the private sector or in other jurisdictions.
On slide 5, in 2002, TBS, with the assistance of an interdepartmental committee, initiated a government-wide review of SIN and data matching. The review involved approximately 160 government institutions. The objectives of the review were to determine how and why federal institutions were using the SIN, to identify and review all current uses of the SIN by federal institutions, to propose the necessary revisions to data matching and SIN components of the policy, and to provide a final report with recommendations to the President of the Treasury Board. In 2003, a final report was presented to the then Treasury Board president, who instructed TBS officials to proceed with developing a draft revised policy in accordance with those recommendations.
On slide 6, in 2004, TBS needed to address the immediate privacy concerns related to transborder data flows and risks related to the U.S.A. Patriot Act. TBS launched, therefore, a government-wide review, which culminated in the publishing of the Privacy Matters report and guidance in 2006. This report outlined the results of the review and presented the government's strategy to address possible privacy risks posed by foreign legislation, namely the U.S.A. Patriot Act. The Privacy Commissioner expressed support for this strategy and the resulting documents that came out as guidance.
Despite being pulled on other priorities, TBS remains very committed to clarifying those policy gaps identified in 2003. For example, the current SIN policy was silent on the use of the SIN for purposes related to statistical research, audit, and evaluation purposes. Also, clarification was needed with respect to use of the SIN in the context of cross-jurisdictional personal information sharing agreements.
TBS intends to clarify what constitutes authorized use of the SIN for any new purpose. As indicated in our response to the Auditor General, we are committed to completing this work by March 2008.
On slide 7, the review and renewal of the SIN components of the TBS privacy policy were subsumed under the broader TBS effort to renew its entire policy suite. The objectives of this policy renewal are to clarify management responsibilities and accountabilities; establish a clear distinction between the duties of deputy heads and those of functional experts; create an integrated and streamlined consolidated policy infrastructure that is coherent across the policies; and establish an organizational structure to ensure that the policies, including the SIN policy requirements, remain current, relevant, and clear as changes happen. As such, it was important to align the SIN and data-matching policy work within the broader context of the TBS policy work.
Slide 8 speaks to the renewal process and timelines. In terms of the revision to the SIN and data-matching policy components, we've already undertaken extensive consultations with other federal institutions through a secretariat-led interdepartmental committee. We've also obtained the views of the Office of the Privacy Commissioner on the proposed revisions to the SIN and data-matching policy components, as well as areas of improvement for the privacy impact assessment policy. As indicated in the TBS response to the OAG, Mr. Chair, the secretariat will ensure that the TBS policy requirements governing the use of the SIN in the federal government are updated and clarified by March 31, 2008, to close those gaps identified in the 2003 secretariat review.
I've also included, for reference in the deck, an annex that lists the legislated uses of the SIN as well as other authorized uses of the SIN in the federal government.
Thank you, Mr. Chair, for your attention. I would be pleased to respond to any questions or clarifications.