HANSARD NOVA SCOTIA HOUSE OF ASSEMBLY COMMITTEE ON PUBLIC ACCOUNTS Wednesday, March 13, 2019 Legislative Chamber Department of Internal Services: Information Access and Privacy Information Technology Projects - January 2019 Report of the Auditor General Printed and Published by Nova Scotia Hansard Reporting Services Public Accounts Committee Eddie Orrell (Chairman) Gordon Wilson (Vice-Chairman) Ben Jessome Suzanne Lohnes-Croft Brendan Maguire Hugh MacKay Tim Halman Lisa Roberts Susan Leblanc In Attendance: Kim Langille Legislative Committee Clerk Gordon Hebb Chief Legislative Counsel Michael Pickup, Auditor General Janet White, Audit Principal WITNESSES Department of Internal Services Jeff Conrad, Deputy Minister Sandra Cascadden, Chief Information Officer Maria Lasheras, Chief Information and Access Officer HALIFAX, WEDNESDAY, MARCH 13, 2019 STANDING COMMITTEE ON PUBLIC ACCOUNTS 9:00 A.M. CHAIRMAN Eddie Orrell VICE-CHAIRMAN Gordon Wilson THE CHAIR: Order, please. I’d like to call the meeting of the Public Accounts Committee to order. Before we start, if I can remind everybody to put their phone on vibrate or silent, and if I could ask the committee members to introduce themselves, beginning with Ms. Leblanc. [The committee members introduced themselves.] THE CHAIR: On today’s agenda, we have officials from the Department of Internal Services with us to discuss the January 2019 Report of the Auditor General, Information Access and Privacy Information Technology Projects. If I could, I would now ask the witnesses to please introduce themselves, beginning with Mr. Conrad. [The witnesses introduced themselves.] THE CHAIR: If we could now have you do some opening comments, Mr. Conrad, we can begin the meeting. 1 2 HANSARD COMM. (PA) WED., MAR. 13, 2019 JEFF CONRAD: Great. Thank you very much for having us, and good morning. I want to thank the committee for inviting us here today to discuss the Auditor General’s Report and to provide an update on the steps our department has taken to address the causes of the privacy breach that occurred last April. I am pleased to be joined today - as you have just heard - by Sandra Cascadden, our associate deputy minister and the province’s chief information officer; and Maria Lasheras, chief information and access officer and privacy lead for the Province of Nova Scotia. I’d like to begin by acknowledging that the information breach that took place last Spring was a serious one. As our minister has said publicly, we fully recognize the role we had in this incident, and we’re committed to making the changes needed to better protect the information of Nova Scotia. To that end, we have accepted the recommendations made in the Auditor General’s Report and also from the Information and Privacy Commissioner. To achieve the objectives of the recommendations, we have publicly released an action plan outlining the steps that we have already taken and will continue to take to strengthen our processes and better protect the personal information of Nova Scotia. From the first day, our top concern has been containing the information, learning from the incident, and applying those learnings to our other processes and our future work. I’d like to begin by providing a bit of an update on our containment efforts, specifically with regard to the 11 downloads that we referenced in our April 30th news release - the second series of downloads. Through the course of our investigation, we were able to confirm that all of those took place at the Atlantic School of Theology. Following the recommendation that was in Ms. Tully’s report, we worked with the university on containment of the files that were downloaded in their network. Last week, they informed us they had completed their investigation that they had underway. I’d like to thank them publicly for their co-operation and for proactively involving us in their work and sharing with us their findings. AST has indicated to us that there is a very high probability that the 600 files downloaded there have been contained, and they confirmed that there were no files found on their equipment that were private in nature. AST also advised us that their investigation has concluded that the laptop used to access the 600 files, and the information that was on that laptop, has now been destroyed. Based on this new information, we are discussing with the Information and Privacy Commissioner and with our own internal legal counsel what, if any, additional steps we should take to confirm that containment has taken place. Once again, in terms of the overall process, I’d just like to thank Mr. Pickup and his staff - and indeed Ms. Tully - for their investigations and reports. The reports offered us important insights and recommendations that support our efforts to strengthen our work as we go forward. WED., MAR. 13, 2019 HANSARD COMM. (PA) 3 You may have also seen in our action plan that we have completed a post-incident debrief process facilitated by Deloitte. Their report, which is also posted to the department’s website, provides feedback that was received from employees in responding to the breach. Our action plan has been updated to reflect the steps that we’re taking to respond to what we learned from that internal review as well as the two other reviews. Our department is committed to continuous improvement and we’re always looking for ways to broaden access to information and the protection of privacy of Nova Scotians’ personal information. Since the creation of the Department of Internal Services, we have been investing in cybersecurity, risk management, and technology to act on that commitment. Our response efforts since the breach are examples of this ongoing commitment to improvement that is at the heart of the mandate and vision of the department. Our actions since the breach, including the action plan we have produced, demonstrate that we continue to lead on working on improving the protection of Nova Scotians’ information to build on our ongoing work as a department and to strengthen our approaches to contract management and project management. This is a commitment that is shared at every level of the department, starting at the level of the minister and continuing through us, as I hope you hear today, and on the part of the operational staff who are working on the front lines every day to serve the interests of Nova Scotia. We know mistakes were made in this instance and we have accepted our role in what happened. We’re actively working to complete the recommendations of the Auditor General, the commissioner, and implement insights from internal review. As always, we’re committed to finding better ways to work better and smarter to serve the interests of Nova Scotia and we are happy to take questions from the panel. Thank you. THE CHAIR: Thank you very much, Mr. Conrad. We’ll open the floor now to questions, beginning with the PC caucus and Mr. Halman. TIM HALMAN: Good morning everyone. Welcome to the Public Accounts Committee. I want to thank you for your opening remarks. Just by way of summary, I think we all recognize that the freedom of information breaches ended up exposing 7,000 documents containing personal information, such as social insurance numbers, personal addresses, child custody documents, medical information, and proprietary business information. The Information and Privacy Commissioner of our province, Catherine Tully, concluded that the breaches were preventable and were caused by a serious failure of due diligence and, certainly, I believe the Office of the Auditor General concurs that this is fundamentally what it comes down to. To summarize it: it was a failure of due diligence by the province when deploying a new technology. 4 HANSARD COMM. (PA) WED., MAR. 13, 2019 The Information and Privacy Commissioner questioned and stressed the concern of why even months after the breach, employees in the department still have “erroneous understandings about the nature of the breaches, their root cause and how to prevent them from occurring again.” Still concerning to Nova Scotians, I think, there are more than 600 documents containing personal information which were downloaded onto an unknown computer and have not yet been recovered or secured. In the previous committee meeting, Ms. Tully stated that there was a scheduled meeting that was to take place between her and the department regarding the status and update of Internal Services’ implementation of the recommendations she made. Has this meeting taken place between the department and the Information and Privacy Commissioner? JEFF CONRAD: That meeting is actually scheduled for next week, March 20th. TIM HALMAN: Thank you. Do you think allowing the Information and Privacy Commissioner to have order-making powers would make a process like this better? JEFF CONRAD: When you look at the work in the province around Freedom of Information and Protection of Privacy, it’s really split into two fundamental pieces. There’s a piece of the Act which is about administration of the processes. That’s the piece that Internal Services is responsible for: requesting information, having that information reviewed, receiving that information, and working with our staff to get access to that information. Then there’s a piece of the Act around the powers of the Information and Privacy Commissioner and the work that she takes on. That piece of work is actually the responsibility of the Department of Justice, so issues around order-making power and the orders in authority of the commissioner don’t fall under the Department of Internal Services. TIM HALMAN: At this stage, what are some of the updates that you’ve communicated to Ms. Tully regarding implementation? If a meeting is forthcoming, up to that meeting, what updates have you provided thus far? JEFF CONRAD: The most recent conversation that I’ve had with her has been around the work that we’ve been doing with the Atlantic School of Theology; she and I spoke last week.