Public Safety Committee on Feb. 12th, 2024

Thank you, Mr. Chair.

Members of the committee, I am pleased to be here to assist the committee in its study of Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts.

Cybersecurity is an area of significant importance, in Canada and globally. Digital services that are delivered through cyber-systems and telecommunications networks are central to the ways that we live, work and interact, and impact large volumes of personal information and data. That is why it is critical to protect Canada’s cyber-infrastructure from potential threats.

At the same time, we must ensure that efforts to secure these systems and networks also protect and respect Canadians' fundamental right to privacy. This is not a zero-sum game. Privacy and the public interest are not only compatible; they build on and strengthen each other. I strongly support the objectives of Bill C-26 and believe that it's imperative that we as a society have the necessary tools and the ability to address this important public interest goal.

In my testimony today, I will share ways in which the bill could be strengthened in order to further protect the fundamental right to privacy and address potential privacy implications while achieving its important objectives.

Under Bill C-26, specified persons or entities would be able to collect and analyze a wide range of information, including sensitive personal information that is held by banks, telecommunications operators and energy services providers. The bill would also allow for the sharing of that information with organizations such as intelligence agencies, provincial and foreign governments and organizations established by foreign states.

As drafted, these powers are broad. In order to ensure that personal information is protected and that privacy is treated as a fundamental right, I would recommend that the committee consider making the thresholds for exercising these powers more stringent, and placing stricter limits on the use of those powers. One way of doing so would be to require that any collection, use or disclosure of personal information be both necessary and proportionate. This is a core principle for the handling of personal information that is recognized internationally.

Requiring government institutions to conduct privacy impact assessments, or PIAs, and to consult my office on new programs or initiatives created under the authorities in Bill C-26 would also strengthen privacy protections while supporting the public interest and generating trust. PIAs, which are currently a policy requirement under the Treasury Board Secretariat's directive on PIAs but not a legally binding requirement under privacy legislation, are an important tool for identifying, analyzing, addressing or mitigating privacy issues before initiatives are put in place. They can help reduce inadvertent harms to privacy as initiatives roll out. This is why I've recommended that the preparation of PIAs should be made a legal obligation for the government under the Privacy Act.

Bill C-26 would also allow the Minister of Innovation, Science and Industry to prohibit public disclosures of certain orders and directions made under the proposed act. It's important that any such confidentiality provisions that have the effect of reducing public scrutiny regarding the bill's implementation, including the collection, use and disclosure of personal information, be accompanied by appropriate transparency measures. These could include requiring the government to report to Parliament and/or to my office regularly on the number, nature and purpose of such orders and directions, especially when they involve sensitive personal information. This would reassure Canadians that their privacy is protected at all times.

I would also recommend that the bill be amended to include stronger accountability measures to ensure the protection of personal information that is shared outside Canada. These could include additional oversight mechanisms and established criteria that must be included in information-sharing agreements with foreign jurisdictions, such as restrictions on any onward transfers of the personal information, establishing safeguards that must be applied, and penalties for non-compliance.

Finally, should Bill C-26 be adopted, it will be important that my office have the necessary flexibility to coordinate, as appropriate, with other regulatory and oversight bodies that are involved in responses to cybersecurity incidents in cases that may involve a breach of personal information.

I would be happy to take your questions.

Thank you so much.

Good afternoon, Mr. Chair, and ladies and gentlemen of the committee.

The mandate of the Office of the Superintendent of Financial Institutions, or OSFI, contributes to public confidence in the Canadian financial system by regulating and supervising approximately 400 federally regulated financial institutions. In this role, we ensure that these institutions maintain sound financial conditions, continually assess risks and industry trends, and safeguard against threats to their integrity and security, including cyber-threats.

There’s no question that financial institutions are vulnerable to cyber-attacks. In fact, OSFI has highlighted cyber-risk as a key risk to Canada’s financial stability in our annual risk outlook, which is available online.

Given this, it won't surprise you that we have been, for some time, active as a regulator in expecting our financial institutions to adopt appropriate risk management practices in the face of cyber risks. More specifically, we've taken pains to clarify in our guidelines our expectations for how financial institutions should manage technology and cyber risks to prevent things like outages and data breaches and to improve overall technology and cyber resilience.

This also includes an expectation that financial institutions respond to tech and cybersecurity incidents quickly and effectively and, more importantly, notify us whenever an incident happens. That reporting really helps us to identify areas where individual institutions—or the industry more broadly—need to take steps to prevent issues from arising.

We also provide tools to financial institutions. A good example of this would be our cybersecurity self-assessment, which helps them evaluate their current level of cyber-preparedness and develop effective cybersecurity practices. There is also our I-CRT—that stands for intelligence-led cyber resilience testing—framework, which provides instructions to financial institutions on how to implement a sophisticated approach to what is known as red teaming.

These efforts, and others, are critical, in my opinion, as there's little question that cyber-attacks will continue to increase in frequency and sophistication. Moreover, this is a risk environment that, in our experience, changes rapidly, and failure to protect against it can have serious consequences. A successful cyber-attack could impact the confidentiality, integrity, and availability of data and systems, which in turn could result in loss of public trust, reputational damage and financial loss.

That’s why OSFI is so focused on promoting the sound management of cyber-risks and technology risks generally at all federally regulated financial institutions.

As an identified regulator within a critical sector, OSFI is standing by and ready to support committee members in their reflection around Bill C-26. We want to help to improve the resiliency of Canada’s financial system.

I would be pleased to answer the committee members' questions.

Thank you, Mr. Chair.

Well, we do so at any appropriate time. Ideally, we would hope to be consulted prior to the bill being tabled, but the regular way is for my office and me to be called to committee to give a recommendation on a bill. We can also do the same for regulations and consultations with the government.

I hope so. We're certainly prepared for that. We expect that and we would call on the government to involve us in that.

Certainly in terms of data crossing national boundaries and being shared with other institutions, my recommendation is to make sure we have specific requirements for these information-sharing agreements so that the purpose, the retention and the safeguards regarding that information by our international partners—all of these—are set out and are strict, and there's a dispute resolution mechanism just so we bring in more rigour and guardrails to those exchanges of information. The concepts of necessity and proportionality should also be included when it is being determined whether to share the information in the first place.

The legislation currently doesn't provide a role for my office. The role would be specified under the Privacy Act. We have jurisdiction over the government's handling of information and we have jurisdiction over the private sector's handling of information.

One of our recommendations is to have more transparency mechanisms so that we can know what is happening and so that we can know what type of information is being collected, disclosed and used so that we can exercise our powers in that regard.

With regard to those reports, there's a provision in the bill for an annual report by the minister overall. We're recommending that this be more specific and that there be more details about what is happening.

We would also potentially have a role in working with the regulators in cases of cyber-breaches and cyber-incidents. One of my recommendations is that we be given the ability to collaborate with those regulators and, as needed, exchange information and work collaboratively when cyber-incidents involve personal information. We know that's a big area of concern for Canadians.