Evidence of meeting #67 for Human Resources, Skills and Social Development and the Status of Persons with Disabilities in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.
A video is available from Parliament.
NDP
Chris Charlton NDP Hamilton Mountain, ON
Can you please tell me what, in the department's view, is an “unacceptable breach”?
Deputy Minister, Department of Human Resources and Skills Development
I would say, Chair, that any incident involving the compromise of personal information is not acceptable. I cannot imagine, being informed of the situation of even one Canadian's personal information having not been properly handled or having been compromised, that I would say it is acceptable.
NDP
Chris Charlton NDP Hamilton Mountain, ON
Thank you; we certainly agree on that.
However, we know from your testimony that there were 19 data breaches last year alone within your ministry. We know that there is no requirement for data breaches to be reported, so there are clearly a number of breaches that didn't fall into the same category as this, because it is only now that your department is strengthening its policies for the security and storage of personal information, according to the testimony you just gave.
I'm a bit surprised by that. In our community offices, where we have personal information for constituents relating to all kinds of health matters and passport information, we have protocols in place.
This is not the first breach in your ministry, nor in the government, and yet only now you're developing a new protocol. Can you explain why that is?
Deputy Minister, Department of Human Resources and Skills Development
I don't believe, Chair, that I used the words "only now". I explained what we have done in response to this incident. Based on what we have learned from this incident, we have strengthened those policies, procedures, and practices.
I would not agree, respectfully, with any characterization that there were not policies in place in advance. Clearly there were; there are directives and were directives in place before. What we have done is to strengthen the protocols and strengthen the hardware and software rules and provisions in the system to further protect Canadians' personal information.
NDP
Chris Charlton NDP Hamilton Mountain, ON
Let me remind you of another thing you said in your testimony. You said that employees were “asked if they had borrowed the hard drive”. It doesn't seem like a very strict protocol to me, if it's possible for employees just to borrow a hard drive with the personal information of over half a million Canadians.
Would you agree?
Deputy Minister, Department of Human Resources and Skills Development
The questions, Chair, that we put to employees were intended to canvass all possibilities about what may have happened. We included among those possibilities inappropriate handling of the hard drive.
That was in no way intended to suggest that we would find that behaviour acceptable. Indeed, the questions were not intended to assume anything about what had happened. We were simply being exhaustive in our questioning of employees to elicit any information we could about what had happened.
Our priority in that situation was to recover the asset and the information that it contained. That was the purpose of questioning. In no way does it imply that we would regard any such behaviour as acceptable.
NDP
Chris Charlton NDP Hamilton Mountain, ON
In the age of technology, if somebody has access to this information, they can misuse that information in a matter of seconds electronically.
One thing you indicated is that the Privacy Commissioner was contacted a week after you first discovered the breach with respect to the USB key. What is your protocol around how long you will wait to see whether it miraculously turns up somewhere before you think you need to notify someone that the breach has happened?
Deputy Minister, Department of Human Resources and Skills Development
We certainly don't depend on miracles. We were being diligent about the search, and when we came to the conclusion or the strong supposition that the material was not likely to be found, you'll recall that I said we continued even after that to search exhaustively. We informed the Privacy Commissioner at that point.
NDP
Conservative
Deputy Minister, Department of Human Resources and Skills Development
I informed the minister quite early on that we were engaged in this search, and we kept the minister informed about the involvement of the Privacy Commissioner and about every critical step of our investigation and about what we were learning as we went.
Could I ask my colleague whether there's anything that he would want to add to those facts?
Conservative
The Chair Conservative Ed Komarnicki
As I mentioned, the time is up, but go ahead and answer that before we go to the next questioner.
February 14th, 2013 / 11:45 a.m.
Associate Deputy Minister, Department of Human Resources and Skills Development
On the Privacy Commissioner side, we informed the Privacy Commissioner's office on December 14, followed up with a written contact on the next Monday, and have consulted the Office of the Privacy Commissioner throughout the piece to work to find the appropriate ways to manage the incident and to inform Canadians.
Conservative
The Chair Conservative Ed Komarnicki
Thank you.
We'll now move to Mr. Mayes.
Go ahead, for seven minutes.
Conservative
Colin Mayes Conservative Okanagan—Shuswap, BC
Thank you, Mr. Chair.
Thank you to the department for being here today. I appreciated your opening statement that the loss of this information is not acceptable and that your department recognizes that. We totally agree.
One of the issues I have is that you made a decision to inform the RCMP of the loss of this data by the department. Did you consider, after you did the searches, that you had moved from misplaced asset to a missing asset to actually a possible theft of an asset? If so, who made that decision to call on the RCMP?
Deputy Minister, Department of Human Resources and Skills Development
We did not make any assumptions, and even now we have not made assumptions, about precisely what happened. That is why investigations have been undertaken, including our own internal investigation.
We can say—and the committee will appreciate that it's not possible to prove a negative—that we encountered no evidence of malfeasance, and none of the monitoring that has been done since has given us any reason to believe that malicious activity has been undertaken, but that in itself does not deal with the seriousness of the incident. Given the numbers involved, the decision was made—I think not unreasonably—that the RCMP should have that information and be asked to consider their response.
Conservative
Colin Mayes Conservative Okanagan—Shuswap, BC
Thank you.
For these types of breaches of security and procedure by employees, is there a policy in the department on consequences for any breach of the security procedures by the department?
Deputy Minister, Department of Human Resources and Skills Development
Indeed there is. The obligations of employees, Chair, in regard to the handling of personal information are set out in the code of ethics. There's a standard code of ethics for the public service overall, which is in the domain of the Treasury Board, and then each department takes that foundational code and applies it to its own mission, its own circumstances, and makes it precise.
In our case, as I've indicated, protection of personal information is so critical to our mission that it is in our code. Employees are required to abide by the code in all aspects of information and so on. Breaches of the code of ethics are considered on a case-by-case basis, and disciplinary action for breaches can include termination. Should there ever be an incident that involves criminal elements, then obviously penalties outside the department's responsibility for public service discipline would come into play through due process of law, etc.
Conservative
Colin Mayes Conservative Okanagan—Shuswap, BC
The department moved forward quickly to ensure the integrity of the credit and the information of those who had their information compromised. Can you give us an update? Have there been any problems? Have you seen any indication that anybody has used this information? What sort of feedback are you getting from those who have concerns? Have you set up some sort of system to receive calls and reassure those who are included in the numbers that have been compromised?
Associate Deputy Minister, Department of Human Resources and Skills Development
The principal way of dealing with this is through the contract that we have established with Equifax.
About 50,000 affected former students have enrolled in that service. We have no evidence thus far that there has been any fraud or other inappropriate activity. There is a special 1-800 number that is set up for affected clients to phone. We have not had any calls indicating fraud has been observed.
In addition, we have established notations in the social insurance registry so that each social insurance number has a special notation that the client was potentially affected by the incident. In the event that the national identity service's centre receives a request to change the social insurance information or request a card, a special flag will come up and the client will be requested to provide the appropriate identity documents and photo identification.
We have looked back to what has been happening with the social insurance registry prior to and after the loss of the information and there has been no change in the pattern of requests or the nature of requests that have come in.
Conservative
Colin Mayes Conservative Okanagan—Shuswap, BC
There's a lot of information you deal with. Do you have any figures on the volume? It's horrendous and it's a big challenge, and especially with communication today, these challenges.... We're adjusting to them. I'm on the committee for ethics and privacy, and we're going through a study on that and we understand some of the challenges we're facing with breaches of privacy, not only as government but also in society. It's pretty challenging.
In the department, do you have an ongoing program to review all the procedures and information—the firewalls and all those kinds of things—to keep up to date?
Conservative
The Chair Conservative Ed Komarnicki
If you could keep it relatively brief, we'll maybe pick it up a little later. Go ahead.
Associate Deputy Minister, Department of Human Resources and Skills Development
Thank you, Mr. Chair.
Overall in the major programs that HRSDC administers, there are about 28 million clients per year who are in our databases. We deal with roughly 84 million transactions per year across those major groupings, including Canada Student Loans, the Canada education savings program, the Canada Pension Plan, old age security, and employment insurance. We have a lot of transactions and we have a lot of Canadians as clients. In terms of their—
Associate Deputy Minister, Department of Human Resources and Skills Development
Okay. We'll come back to it.