Three federal institutions acknowledged not fulfilling a privacy directive when they appeared before the standing committee on access to information, privacy and ethics on Tuesday.
The committee is looking into the federal government’s use of tools capable of unlocking mobile phones and computers, even when protected by passwords or fingerprints, and accessing even encrypted data.
Shared Services Canada, the Competition Bureau and the Transportation Safety Board (TSB) of Canada all recognized they had been using these tools for several years without carrying out what is called a privacy impact assessment.
A federal directive requires such an assessment for new or substantially modified programs or activities involving the collection and handling of personal information.
“Frankly it’s a best practice that we should have implemented and that’s why we’re doing one now,” said Scott Jones, president of Shared Services Canada.
Scott Jones, president of Shared Services Canada, said the department is now carrying out a privacy impact assessment on its use of data extraction tools. (CBC)
The committee launched this study following reporting by Radio-Canada in November that revealed several departments didn’t carry out privacy impact assessments before using the potentially intrusive tools.
“All of this could have been avoided, in my opinion, if these departments had just followed directives,” NDP MP Matthew Green said.
Those three departments explained that since their investigation programs have been in place for many years, they didn’t believe such an assessment was necessary on the tools in question.
“The capacity of today’s tools are very different,” said Bloc Québécois MP René Villemure. He also pointed out that mobile phones now contain much more personal data.
The MPs around the table did not dispute the necessity of certain departments resorting to using data extraction tools for investigations, but some MPs said carrying out a privacy impact assessment beforehand should potentially become a legal obligation.
Shared Services Canada, the Competition Bureau and the TSB said they are now carrying out privacy impact assessments.
Assessments carried out after the fact
So far, 12 federal departments have appeared in front of the committee to explain their use of the data extraction tools.
Many of them have also admitted to not carrying out a privacy impact assessment.
That’s the case for the Canada Border Services Agency (CBSA).
The Canada Border Services Agency was among several federal departments and agencies who told the parliamentary committee that they had not carried out the necessary privacy impact assessments. (Jeff McIntosh/The Canadian Press)
The CBSA says it used these tools on 712 electronic components — such as phones and SIM cards — during the course of 119 criminal investigations just for the year 2023.
The tools aren’t used at the border, but rather during more in-depth investigations and only after obtaining a warrant, explained Aaron McCrorie, the CBSA’s vice-president of intelligence and enforcement.
According to him, these tools have become indispensable.
“If you’ve got a device that’s locked with the password, we need the technology to open up that device. In another era, we would have got a locksmith to open a box that would have had receipts in it, for example,” he said.
“Now when we’re dealing with firearm smuggling, we’ll have electronic receipts on a cell phone or on a computer.”
“We’re talking about hundreds and hundreds of investigations using this software and not once did your department seek out a PIA, a privacy impact assessment, is that correct?” asked Conservative MP Larry Brock.
McCrorie explained that such an assessment was now being done for CBSA’s entire criminal investigations program, which includes the use of these tools.
“You understand, sir, that the PIA is not optional. It’s a directive by the Treasury Board,” said Brock in response.
Evasive responses
The absence of clear answers on the part of certain departments resulted in tense moments between MPs and witnesses.
For example, when different MPs asked Department of National Defence (DND) officials if an assessment had been done before these tools were used, acting chief information officer Sophie Martel repeated that the department had “a number of privacy impact assessments on the go right now.”
The Department of National Defence told the standing committee that it uses the data extraction tools to ensure the protection of its computer networks. (Radio-Canada)
“Did you or did you not complete a PIA before first using this tool? You did or you didn’t?” insisted Conservative MP Michael Barrett.
“I’m not sure, to be honest with you,” Martel finally answered.
“We did not,” interjected her colleague Brig.-Gen. Dave Yarker, director general of cyber operations.
DND stated in front of the committee that it uses the tools to ensure its computer networks are protected and not being compromised, for instance, by “nation states and criminal actors.”
However, in a response to Radio-Canada last November, DND also mentioned other uses, for instance by the military police. Investigating members of the Canadian Armed Forces accused of military or criminal offences is one of the police’s responsibilities.
Different versions
Certain departments and agencies gave answers in front of the committee that differed from responses they provided to Radio-Canada.
For example, Radio-Canada communicated with the Canadian Radio-television and Telecommunications Commission (CRTC) last November to find out if a privacy impact assessment was carried out relating to the tools, and if it was, to provide a copy of the assessment.
The CRTC said that such an assessment had not been necessary.
“The tools mentioned are only used after obtaining a search warrant in accordance with the terms … of Canada’s anti-spam legislation, therefore an additional analysis of the privacy impact is not required,” wrote a CRTC spokesperson.
Despite not carrying out privacy impact assessments, several federal agencies and departments maintained they implemented rigorous protocols to protect and store personal information. (Getty Images/iStock)
However, in front of the parliamentary committee, the CRTC cited the existence of privacy impact assessments that date back to 2014, when Canada’s anti-spam legislation came into effect, and said that personal data collection was expected.
The Canada Revenue Agency (CRA) also had different versions.
In November, the CRA didn’t share any privacy impact assessments requested by Radio-Canada and referred any questions on the topic to Shared Services Canada, the signatory of the contracts with suppliers.
In front of the committee, CRA said the use of the data extraction tools was part of a 2016 privacy impact assessment for its criminal investigations program. The CRA also indicated that an update to this assessment had just been finalized.
For its part, Natural Resources Canada confirmed to the committee that it had obtained this tool but claimed to have never used it, information the department did not share with Radio-Canada.
Even in the absence of such an assessment, all the institutions using these tools say they have implemented rigorous internal protocols that govern the collection and storage of personal information to ensure its protection.