In Debate: On Government Data Breaches and Canadians Privacy

Ms. Irene Mathyssen (London—Fanshawe, NDP):  Mr. Speaker, I am pleased to be here, even at this late hour, to follow up with the government on the HRSDC data breaches. It is a very important issue and Canadians deserve to hear the answers, no matter what the hour.

    I am hopeful that the Conservative government will finally take the privacy of Canadians seriously and investigate the decade-long data breaches of government departments. The Conservatives owe an explanation to Canadians and have an obligation to ensure that proper rules are put in place to protect the personal information of individuals. The federal government, quite frankly, dropped the ball on this and allowed the release of private information for millions of Canadians. Many questions still remain about how this happened.

    The NDP has been very clear on this issue and has been asking the tough questions. In a written response to the member for Timmins—James Bay, the government admitted to more than a million breaches of personal data over the past decade, with little or no action taken nor any follow-up done with the office of the Privacy Commissioner.

    It remains unclear exactly how many Canadians were affected, nor is it known if any of the data breaches were used in terms of identity theft. This is unacceptable and the government's actions are slow and scattered.

    The Minister of Human Resources and Skills Development admitted that the department lost personal information for more than half a million people when an external hard drive went missing last November, exposing those individuals to the possibility of identity theft.

   The privacy breach is one of the biggest ever seen in Canada. The personal information of 568,000 individuals who took out student loans through the Canada student loan program between 2000 and 2006 is at stake, including names, social insurance numbers, dates of birth, contact information and financial information about loan balances of borrowers, in addition to personal contact information of about 250 HRSDC employees.

   The breach is yet another reminder that the Conservative government refuses to take privacy rights seriously.

   It is imperative that the government take the privacy rights of individuals in Canada seriously. The government needs to offer a more comprehensive, long-term solution to the individuals affected by this privacy breach, such as long-term credit monitoring or identity fraud insurance.

    I would like to add that the response to this breach has been dismal. The government merely expressed concern and offered limited assistance, and still refuses to cover the cost for credit monitoring that those affected have to incur.

    The minister, more than 10 weeks after the breach was discovered, finally announced a policy change in the department so that portable hand-held devices will no longer be used.

    New Democrats will hold this minister to account. I would very much like to hear how the government plans to address the privacy concerns of Canadians who have been affected because of what the government has done. What it has done at this point is nowhere near enough.


Hon. Mike Lake (Parliamentary Secretary to the Minister of Industry, CPC): Mr. Speaker, there is no doubt that the loss of personal information is completely unacceptable.

    Last fall, there were two unfortunate security incidents in the department involving missing portable storage devices containing personal information.

    One incident involved a USB stick containing information on the Canada pension plan disabilities plan. In the second incident, a portable hard drive with information on Canada student loan borrowers went missing. These were two separate incidents and not related to each other in any way.

    Clearly, this kind of incident is unacceptable. The Privacy Commissioner and the Royal Canadian Mounted Police are aware of this case. An official investigation is underway to get to the bottom of how the hard drive went missing.

    The minister has ordered the department to strengthen its protocols on the security and storage of personal information.

    The department is taking action in three areas. With regard to hardware, unapproved portable hard drives are no longer permitted, and unapproved USB keys are not to be connected to the department's network.

    With respect to software, a new technology to prevent data loss will be implemented.

   Finally, on departmental culture, mandatory training for employees will be provided to reinforce the importance of proper handling of personal data. Disciplinary measures are also in place for staff who do not conform to security procedures, including termination. The department has also taken actions to mitigate the impact on the affected Canadians. The department informed the affected clients of the steps they should take to help protect themselves after this incident. Furthermore, we have provided information and support on various government websites. These websites have toll-free numbers that people can call if they are concerned that they were affected.

   The affected social insurance numbers have been flagged in the social insurance register to indicate that the social insurance number was involved in a security breach and to ensure that any requests for modifications undergo an enhanced authentication process. As a further precaution, the department has purchased a customized package from Equifax Canada to protect the credit ratings of the affected people. This is a solution that is tailored specifically to this incident, and it is available free to everyone who may have been affected.

     Credit protection is an appropriate and reliable strategy that will help prevent misuse of personal or credit information.

    The minister has acted quickly to make sure the department takes immediate action to ensure a situation like this does not happen again.

Ms. Irene Mathyssen:   Mr. Speaker, I would like to point out to the member that the NDP has actually drafted legislation that would help to address privacy breaches. The member for Terrebonne—Blainville has introduced Bill C-475. This bill would create mandatory data breach reporting in the event that a data breach causes a risk of harm to an individual. The bill would also increase the enforcement powers of the Office of the Privacy Commissioner to ensure that organizations comply with PIPEDA when handling the personal information of Canadians.

This kind of protection has long been called for by key experts and citizens groups. It is time to act to meet the challenges of the digital age, not just for today but tomorrow as well. Bill C-475 is scheduled for debate at the end of June. I would like to know if the member opposite will support this legislation that will better protect the privacy rights of Canadians.

Hon. Mike Lake: Mr. Speaker, in response to the actual question that was raised that precipitated this interaction today, as I previously stated, this kind of incident is unacceptable. We all agree on that. We have taken action to strengthen the protocols related to the protection, security and handling of personal information.

     Let me be clear, the government takes this issue very seriously. We have carried out thorough investigations and reviewed our internal policies. We also informed the clients affected by this incident as well as the general public.

    We are working diligently to safeguard the personal information entrusted to the government.