March 13, 2019
Standing Committees
Public Accounts
Meeting summary: 

Legislative Chamber
Province House
1726 Hollis Street
Halifax
 
Witness/Agenda:
Department of Internal Services: Information Access and Privacy Information Technology Projects (January 2019 Report of the Auditor General)
 
Department of Internal Services
Mr. Jeff Conrad – Deputy Minister

Topic(s) to be addressed: 

HANSARD

 

 

NOVA SCOTIA HOUSE OF ASSEMBLY

 

 

COMMITTEE


ON

 

PUBLIC ACCOUNTS

 

 

Wednesday, March 13, 2019

 

Legislative Chamber

 

 

 

Department of Internal Services:

Information Access and Privacy Information Technology Projects -

January 2019 Report of the Auditor General

Printed and Published by Nova Scotia Hansard Reporting Services

 

 

Public Accounts Committee

 

Eddie Orrell (Chairman)

Gordon Wilson (Vice-Chairman)

Ben Jessome

Suzanne Lohnes-Croft

Brendan Maguire

Hugh MacKay

Tim Halman

Lisa Roberts

Susan Leblanc

 

 

In Attendance:

 

Kim Langille

Legislative Committee Clerk

 

Gordon Hebb

Chief Legislative Counsel

 

Michael Pickup,

Auditor General

 

Janet White,

Audit Principal

 

 

 

WITNESSES

 

Department of Internal Services

 

Jeff Conrad,

Deputy Minister

 

Sandra Cascadden,

Chief Information Officer

 

Maria Lasheras,

Chief Information and Access Officer

HALIFAX, WEDNESDAY, MARCH 13, 2019

 

STANDING COMMITTEE ON PUBLIC ACCOUNTS

 

9:00 A.M.

 

CHAIRMAN

Eddie Orrell

 

VICE-CHAIRMAN

Gordon Wilson

 

 

            THE CHAIR: Order, please. I’d like to call the meeting of the Public Accounts Committee to order.

 

            Before we start, if I can remind everybody to put their phone on vibrate or silent, and if I could ask the committee members to introduce themselves, beginning with Ms. Leblanc.

 

            [The committee members introduced themselves.]

 

            THE CHAIR: On today’s agenda, we have officials from the Department of Internal Services with us to discuss the January 2019 Report of the Auditor General, Information Access and Privacy Information Technology Projects.

 

            If I could, I would now ask the witnesses to please introduce themselves, beginning with Mr. Conrad.

 

            [The witnesses introduced themselves.]

 

            THE CHAIR: If we could now have you do some opening comments, Mr. Conrad, we can begin the meeting.

 

            JEFF CONRAD: Great. Thank you very much for having us, and good morning. I want to thank the committee for inviting us here today to discuss the Auditor General’s Report and to provide an update on the steps our department has taken to address the causes of the privacy breach that occurred last April.

 

            I am pleased to be joined today - as you have just heard - by Sandra Cascadden, our associate deputy minister and the province’s chief information officer; and Maria Lasheras, chief information and access officer and privacy lead for the Province of Nova Scotia.

 

            I’d like to begin by acknowledging that the information breach that took place last spring was a serious one. As our minister has said publicly, we fully recognize the role we had in this incident, and we’re committed to making the changes needed to better protect the information of Nova Scotia. To that end, we have accepted the recommendations made in the Auditor General’s Report and also from the Information and Privacy Commissioner.

 

To achieve the objectives of the recommendations, we have publicly released an action plan outlining the steps that we have already taken and will continue to take to strengthen our processes and better protect the personal information of Nova Scotia. From the first day, our top concern has been containing the information, learning from the incident, and applying those learnings to our other processes and our future work.

 

I’d like to begin by providing a bit of an update on our containment efforts, specifically with regard to the 11 downloads that we referenced in our April 30th news release - the second series of downloads. Through the course of our investigation, we were able to confirm that all of those took place at the Atlantic School of Theology.

 

            Following the recommendation that was in Ms. Tully’s report, we worked with the university on containment of the files that were downloaded in their network. Last week, they informed us they had completed their investigation that they had underway. I’d like to thank them publicly for their co-operation and for proactively involving us in their work and sharing with us their findings. AST has indicated to us that there is a very high probability that the 600 files downloaded there have been contained, and they confirmed that there were no files found on their equipment that were private in nature.

 

            AST also advised us that their investigation has concluded that the laptop used to access the 600 files, and the information that was on that laptop, has now been destroyed. Based on this new information, we are discussing with the Information and Privacy Commissioner and with our own internal legal counsel what, if any, additional steps we should take to confirm that containment has taken place.

 

            Once again, in terms of the overall process, I’d just like to thank Mr. Pickup and his staff - and indeed Ms. Tully - for their investigations and reports. The reports offered us important insights and recommendations that support our efforts to strengthen our work as we go forward.

 

You may have also seen in our action plan that we have completed a post-incident debrief process facilitated by Deloitte. Their report, which is also posted to the department’s website, provides feedback that was received from employees in responding to the breach. Our action plan has been updated to reflect the steps that we’re taking to respond to what we learned from that internal review as well as the two other reviews.

 

            Our department is committed to continuous improvement and we’re always looking for ways to broaden access to information and the protection of privacy of Nova Scotians’ personal information. Since the creation of the Department of Internal Services, we have been investing in cybersecurity, risk management, and technology to act on that commitment. Our response efforts since the breach are examples of this ongoing commitment to improvement that is at the heart of the mandate and vision of the department.

 

            Our actions since the breach, including the action plan we have produced, demonstrate that we continue to lead on working on improving the protection of Nova Scotians’ information to build on our ongoing work as a department and to strengthen our approaches to contract management and project management. This is a commitment that is shared at every level of the department, starting at the level of the minister and continuing through us, as I hope you hear today, and on the part of the operational staff who are working on the front lines every day to serve the interests of Nova Scotia.

 

            We know mistakes were made in this instance and we have accepted our role in what happened. We’re actively working to complete the recommendations of the Auditor General, the commissioner, and implement insights from internal review. As always, we’re committed to finding better ways to work better and smarter to serve the interests of Nova Scotia and we are happy to take questions from the panel. Thank you.

 

            THE CHAIR: Thank you very much, Mr. Conrad. We’ll open the floor now to questions, beginning with the PC caucus and Mr. Halman.

 

            TIM HALMAN: Good morning, everyone. Welcome to the Public Accounts Committee. I want to thank you for your opening remarks. Just by way of summary, I think we all recognize that the freedom of information breaches ended up exposing 7,000 documents containing personal information, such as social insurance numbers, personal addresses, child custody documents, medical information, and proprietary business information.

 

            The Information and Privacy Commissioner of our province, Catherine Tully, concluded that the breaches were preventable and were caused by a serious failure of due diligence and, certainly, I believe the Office of the Auditor General concurs that this is fundamentally what it comes down to. To summarize it: it was a failure of due diligence by the province when deploying a new technology.

 

The Information and Privacy Commissioner questioned and stressed the concern of why even months after the breach, employees in the department still have “erroneous understandings about the nature of the breaches, their root cause and how to prevent them from occurring again.” Still concerning to Nova Scotians, I think, there are more than 600 documents containing personal information which were downloaded onto an unknown computer and have not yet been recovered or secured.

 

            In the previous committee meeting, Ms. Tully stated that there was a scheduled meeting that was to take place between her and the department regarding the status and update of Internal Services’ implementation of the recommendations she made. Has this meeting taken place between the department and the Information and Privacy Commissioner?

 

            JEFF CONRAD: That meeting is actually scheduled for next week, March 20th.

 

            TIM HALMAN: Thank you. Do you think allowing the Information and Privacy Commissioner to have order-making powers would make a process like this better?

 

            JEFF CONRAD: When you look at the work in the province around Freedom of Information and Protection of Privacy, it’s really split into two fundamental pieces. There’s a piece of the Act which is about administration of the processes. That’s the piece that Internal Services is responsible for: requesting information, having that information reviewed, receiving that information, and working with our staff to get access to that information.

 

Then there’s a piece of the Act around the powers of the Information and Privacy Commissioner and the work that she takes on. That piece of work is actually the responsibility of the Department of Justice, so issues around order-making power and the orders in authority of the commissioner don’t fall under the Department of Internal Services.

 

            TIM HALMAN: At this stage, what are some of the updates that you’ve communicated to Ms. Tully regarding implementation? If a meeting is forthcoming, up to that meeting, what updates have you provided thus far?

 

            JEFF CONRAD: The most recent conversation that I’ve had with her has been around the work that we’ve been doing with the Atlantic School of Theology; she and I spoke last week. We both received separate updates from the school in terms of the work they’ve done on containment, and then she and I followed up the next day with a call to talk about what we had heard - what was the perspective on containment, did we have reason to believe that we had achieved containment?

 

I believe that both of us - and I don’t want to speak on behalf of Ms. Tully - are very hopeful and believe that we have containment. We talked about some of the options we might pursue to document that and how we might move forward, and we agreed that we would update again when we meet next week.

 

            TIM HALMAN: What do you mean by containment? What does that look like? Can you describe that?

 

            JEFF CONRAD: Sure, and I may ask Maria to speak a little bit to kind of the concept of containment in a broader sense. What we’re trying to achieve here - specifically to the material that was disclosed - we’re looking for a way to be able to say that, to the best of our knowledge, that material has not been further distributed and is not publicly available or likely to become available. For example, we’re looking at Halifax Regional Police. They’ve seized the equipment of one individual and they’ve assured us that that equipment will not be returned unless they’ve destroyed the material that was downloaded from our site. We would consider that’s now contained.

 

Now, in the case of AST, their message to us is that, for example, that piece of equipment used there has been destroyed and they believe they have a credible statement that it has not been further distributed or posted or placed anywhere.

 

            I don’t know if you would like Ms. Lasheras to speak in general terms about the concept of containment and breaches?

 

            TIM HALMAN: No, that’s sufficient, thank you very much. Catherine Tully stated there was “. . . no requirement the government conduct risk assessments for new projects and programs to ensure that they identify and mitigate the privacy risks before pushing go.” Since she stated that, is there anything concrete in place that solves this issue raised?

 

            JEFF CONRAD: Maybe I’ll say a few words and then I’ll ask Sandra to talk a little bit about new processes that we’re putting in place.

 

            I would say with regard to risk, we regularly talk with the Auditor General, and you’ll see his reports carrying a theme of risk over the last number of years around how we work on risk in a broader sense, and what government needs to do to get better at risk, whether that’s fraud risk, project risk or other types of risks. We certainly do risk processes within projects within government and what we’re looking at now is - again, not just for the FOI breach, but when we look across all of the department, how do we think differently about risk.

 

            In the department, for example, we’re just entering into our piece of work on fraud risk. We’ve just agreed across our department to put in place a risk framework and to build for the department a risk tolerance piece which is a recommendation that Michael’s made to us a number of times. But specific to IT projects, maybe I’ll let Sandra talk a little bit and reference to some of the work we’re doing and maybe the COBIT framework that we’re working on.

 

            SANDRA CASCADDEN: There are a number of things that we’re doing in order to strengthen our ability to do risk assessments and follow up on risk.

 

            One of those very specific things is, I issued a directive across the entire department with regard to risk assessments, privacy assessments and vulnerability assessments. In addition to that risk, we’ve also created a number of documents - we actually didn’t have to create the documents, but we did update documents to provide the templates and the guidelines for our project managers to use in order to make sure they are assessing the right risks for the various projects and initiatives.

 

So we’ve put in a number of processes to help project managers assess risks, both from a documentation templating perspective, as well as, the guidelines to when and how you complete these risk assessments.

 

            We’ve also put in some additional policies and enhanced existing policies, because we had a number of things in place as well. But you take the opportunity here to learn and enhance and improve. We put in policies that state no new developments are going into place unless they have followed certain processes to verify that they’ve achieved a certain level of acceptable risk.

 

There will always be risk. The question is, what are those acceptable levels of risk? We work with, not just IT making that assessment, it’s IT working with the businesses who own the applications and the support. We work together to understand what the level of acceptable risk is.

 

            We’ve put in many policies and enhanced a number of our policies. We’re really helping educate and support our project managers in risk assessments. We’re also growing our cyber security team, so that they can participate, and there are more resources to participate in those threat risk analyses that we are doing.

 

            Some of the documentation that we have around threat risk - we have a template that people fill in and the template starts at 30 pages and it’s not filled in yet. It’s 30 pages of checks and balances that people have to go through from a threat risk perspective.

 

We are absolutely communicating the significance associated with risk - creating the culture, a risk-based culture. We have taken the steps to communicate to senior staff within my group about both reports and creating the awareness of what the recommendations are, coming from both reports at my senior leadership level; as well as all staff meetings where we have gone through each report and every recommendation one by one at all staff meetings.

 

[9:15 a.m.]

 

            TIM HALMAN: Am I correct in saying that with any new projects and programs, essentially you’re saying they will now undergo mandatory risk assessments. Is that correct?

 

            SANDRA CASCADDEN: That is correct.

 

            TIM HALMAN: Another concern of Ms. Tully’s was, and I’m going to quote her, “There is no requirement that government consult the privacy oversight body when sensitive personal information may be at risk.” Since that statement was made, is there anything concrete in place that solves this issue raised?

 

            JEFF CONRAD: One of the things we have agreed to, as you referenced yourself earlier on, is that we would undertake a series of regular meetings with Ms. Tully to talk about what projects are under way - both within our department and more broadly, ones we are aware of that are under way within government. Our intent is to hold those meetings on a quarterly basis and provide an opportunity for us to give a bit of an update on things that are upcoming, projects that we’re working on, an opportunity for her to provide us with thoughts on those projects and things we might pay attention to.

 

            I guess I would say that in addition to that formalized meeting schedule, there already exists a relationship between Ms. Tully’s office and Ms. Lasheras’s office in terms of the ongoing work of our department and their organization where those overlap, how we can work differently together, that sort of thing.

 

            TIM HALMAN: The freedom of information website wasn’t submitted to the Architecture Review Board or ARB, because it was apparently a change and not a new application. The AG remarked that if the whole process was to start again, it would still not be submitted to the ARB. Is that the case currently?

 

            SANDRA CASCADDEN: As a result of the Auditor General’s report, we have some consultants in working with us to understand what is the best way for us to structure the ARB, from a governance perspective, a membership perspective, and the activities they undertake.

 

            The ARB is a group of IT people, ranging all across the various areas of IT. That committee actually started around 2012 and has morphed many times and grown many times. At this point, they have a responsibility to review all new applications as well as all major changes to major systems.

 

            Because this application would have been assumed to be similar to some of the existing applications that we have - it’s by the same vendors and things like that - it would not have been reviewed in the past. It will be reviewed in the future because we have added to and changed existing systems.

 

            TIM HALMAN: So based on the role of the ARB, or non-existent role, has the system really changed?

 

            SANDRA CASCADDEN: My perspective is the system has absolutely changed significantly. One of the metrics I would use to validate and justify my response to that is the fact that we now have over 50 TRAs or threat risk assessments in the queue - looking for vendors to help us do those threat risk assessments. We didn’t do 50 TRAs last fiscal year. The requirement for TRAs, the visibility for the ARB and the members there absolutely have increased multiple-fold.

 

            TIM HALMAN: One of the things Ms. Tully mentioned that I really believe is near and dear to the hearts of Nova Scotians - I think they feel frustrated when this breach occurred and there was a lack of accountability, a lack of individuals facing consequences for failing to abide by privacy standards. As a matter of fact, the European Union’s General Data Protection Regulation sets down meaningful standards with real consequences. I’ll table that document, Mr. Chair.

 

            At this moment has anything changed - or is there anything planned to be changed - regarding the government establishing meaningful standards with serious consequences, like they have with the European Union, for failures to abide by privacy standards?

 

            JEFF CONRAD: Again, those sections of the Act which speak to things like offences and potential penalties related to offences are requirements of the structure of the Act itself, which fall within the Department of Justice. I’m really not in a position to speak to whether those are being contemplated or not; that’s not something that’s within the purview of the department.

 

            TIM HALMAN: The Information and Privacy Commissioner stated that there is a serious culture issue within the department. As well as the act of changing culture, we all know it can be a challenge in itself, with certain practices that are in place. I think for those of us in different work environments over the years, we know it can take time to change that work culture, that attitude that can set in. I think we all recognize that.

 

            I’m curious as to what your comments are in relation to the department’s plan in eliminating the culture within the department that both the Information and Privacy Commissioner and the Auditor General indicated was a fundamental factor in leading to this breach - what is the plan to eliminate that culture?

 

            JEFF CONRAD: I’ll make a couple of opening remarks and then I’ll let Maria make a few remarks. I think one of the things that I’m conscious of is that while we acknowledge that there were definitely mistakes here and there were issues, there were definitely issues around how we coordinated, around how we did some of the risk work - there is no question about that - how we ensured that follow-up was happening on some of the things that we identified as having mitigation plans.

 

            I think within the department, if you look beyond freedom of information, culture is really about much more than how we deal with FOIPOP. Culture is really the protection of privacy side of the House. It’s really, again, as you stated well, a big piece of work to move. This is work that has been under way in our department since we were first created. It goes from bringing together experts into a like- and a common-minded group to their kinds of education and communications materials that we’ve been producing over the last four or five years.

 

Maybe I’ll let Maria make a few brief comments about what we’ve been doing in that regard and some of the things that she’s been leading.

 

            THE CHAIR: Ms. Lasheras.

 

            MARIA LASHERAS: The Information Act and Privacy Unit was established in 2015. During these three or four years, we have not only managed the FOIPOP Act and placed a lot of work in actually bringing up consistency, et cetera, but immediately we realized that there were certain practices and culture, as you say, that needed to be brought into the fold to understand how we could best serve the interests of Nova Scotians.

 

            One of the things that we immediately did was - and this goes back to September 2016 - to develop an education program that included awareness for the whole civil service, education for managers, how can we actually support privacy and protect information - and the third part, the training of our IAP professionals.

 

            We have learned a lot from the breach. We regret the breach, but we had started working on the culture, as you call it, way before the breach occurred. We have all of the documents that we can share with you - and we can table them. At the time we did not have a privacy program; it was a generic FOIPOP shop. We now have a formal privacy program led by a manager with five other privacy specialists. They are all well-educated; they all have a real interest in protecting the privacy of Nova Scotians, and most important, we are really focusing on changing this culture that has been identified as in need of doing so.

 

            TIM HALMAN: I’m certainly curious as to how effective that fight against the culture was when essentially - and I say this with all due respect - it led to the biggest security breach in the history of our province. I don’t think that attempt to eradicate or eliminate that culture - it didn’t bear any fruit.

 

            Time check, Mr. Chair?

 

            THE CHAIR: Twenty seconds.

 

            TIM HALMAN: With respect to that culture, it is my understanding from the reports that a lot of folks felt rushed. I am curious as to where that sense of urgency just to get this done, where did that sense of urgency come from? I will return to that when I get the floor again.

 

            THE CHAIR: Order, please. You can return to that later.

 

            We turn now to the New Democratic Party caucus. Ms. Roberts.

 

            LISA ROBERTS: In fact, I’m also curious about the cause of that tight timeline for the rollout of this portal, so I will allow an answer to that.

 

            JEFF CONRAD: I guess what I would say is that any project we put in place, you put a start and an end on a project. That’s the way to make sure that you are setting some reasonable goals, that you are trying to move forward, and that you have some outcomes that you deliver in a reasonable time.

 

            This project really was initiated from within the group - within our own team. We set some goals for ourselves in terms of the go-forward.

           

            You saw through the reports that were done that one of the things that had happened was as we came near to the end of our original project timeline, we realized we didn’t have the project to the state we wanted it and we extended the end time in order to give ourselves more time. So, in fact, the project - there is always a sense of urgency on projects to try and get things done and move them forward, but I would quite comfortably say that was driven internally by our interests in making this thing happen.

 

            LISA ROBERTS: One thing I noticed in Ms. Tully’s report was that she relates how she was given a demonstration of the portal shortly before it launched to the public, but there was a note in internal communications that if she wanted any changes to it, that was not actually possible; that there was no time allowed to actually get constructive feedback.

           

            In that meeting she raised the concerns about the lack of a threat risk assessment having been done for the portal. How do you explain that?

 

            JEFF CONRAD: So again, you know, I guess one of the things I would say is that these types of projects and processes are iterative in nature. You launch, you make changes, and you do things as you go forward. They tend to be evergreen-type projects, so I recognize that some of the language in that communication perhaps was a little abrupt and not as respectful as it might have been, and I acknowledge that.

 

            Certainly we demonstrate things to partners and colleagues and as part of that we take into account the material that they share with us - the ideas that they generate. While it may have been, at the point that she saw it, that we were getting close enough to launch that it would have been a challenge, certainly there was good intent in sharing with her. I wasn’t at the meeting where it was shared with her, but my understanding is that there was good conversation, she was overall pleased with what she saw, and she liked the way the site functioned overall.

 

            She had some thoughts and comments that she offered to us, but beyond that it’s a case of, again, trying to get projects moved forward, taking into account all the people who have comments to make. How do we manage those and what do we do with them?

 

            LISA ROBERTS: I do appreciate that everything is easy in retrospect; I do appreciate that. At the same time, given that the person most responsible to Nova Scotians for defending the interests of Nova Scotians for the protection of their privacy raised concerns that there was not a threat risk assessment conducted on this product - did that conversation get reported back to you as deputy minister? That, to me, seems like a red flag when she is looking at this and asking if you have done this major thing that ought to be done.

 

            JEFF CONRAD: Right. Again in the context of those kinds of meetings, as you can appreciate, there’s a pretty wide ranging and broad group of discussions that take place. I don’t recall specifically that someone came back to me with that comment.

 

            What I would say is that when you go back to some of the conversations and some of the observations raised by the Auditor General around how we did the risk assessment and, in part, the timing of when we did the risk assessment versus when we did the contracting - we now realize some of those things may have played against us in this context.

 

            For example, maybe just to be a little bit more specific, one of the things that we were having conversations about is that we knew that as we moved forward in time we would be going more and more to the Cloud and that there was a likelihood we would go to Cloud-based vending, even with this particular vendor.

 

One of the conversations that we were having was, do we do a small project risk-based assessment knowing that we’re going to do a much larger, more robust, more complex risk assessment of going to the Cloud with this vendor in very short order? Again, the way in which we had assessed the risks and undertaken some of those risks, the conversations I would’ve been involved in would’ve been around, do we want to use the small example or do we want to do a much bigger, more robust, more complete process?

 

That’s one of the areas where, in hindsight, obviously we should’ve done things differently because we were saying, well we’re going to do a threat risk assessment, but we’re going to do it on the bigger piece rather than do it on this subset piece, but then we launched the subset before it was done, which clearly was in error when we look back.

 

[9:30 a.m.]

 

LISA ROBERTS: Okay, thank you. The report by the Office of the Information and Privacy Commissioner states that the system’s design flaw created a well-known and foreseen vulnerability, that the privacy breach was preventable, and that a full security assessment revealed more than two dozen other vulnerabilities.

 

I appreciated the answer that you just gave, but is there anything else you can share in terms of how you account for the fact that the site was launched, and the data was held on this site when it had that known and foreseeable vulnerability? Can you walk me through what else contributed to that failure, recognizing that this site did not only hold publicly disclosed intentionally open-to-the-public information, but also some of the most intimate information about Nova Scotian citizens that, frankly, one can imagine?

 

            JEFF CONRAD: Maybe I’ll start and then I’ll let Miss Cascadden say a few words. From my perspective, it’s an excellent question. I think it goes to the two key themes that I take from the work that the Auditor General and his team did here: both the way in which we do risk assessments, which Sandra spoke to our efforts to improve that process, and also the way in which we select and work with vendors and the degree to which we do independent work and the degree to which we put trust in the vendors.

 

I don’t in any way mean to imply that this is not a trustworthy vendor but, for example, we had significant conversations - including conversations that I was a party to - with the vendor about the importance of not having inadvertent disclosure of this information. That was certainly well known to the team on both sides - there were two vendors involved, so to all three of us, that was an important component.

 

When we spoke at the go/no-go meeting, the meeting where we make the decision, are we ready to launch, I was at that meeting and I raised the issue around inappropriate disclosure and unauthorized access. The majority of the conversation was around how do we avoid human error, so we had fairly extensive processes in place to make sure that we didn’t post to the database things that shouldn’t have been in the database at all. For example, there were no unredacted documents in the database; raw data, prior to us doing the review, was not in the database - unfortunately, in the database was material which clearly should not have been distributed to anyone other than the person to whom it was being released.

 

Our conversations were around one of the processes by which we make sure those kinds of things happen, and we placed a fair bit of trust in our previous relationships and experiences and having a contract in which certain types of reviews were supposed to have happened around how the system was structured and the design of the system and that kind of thing. Again, in part, I think raised by the Auditor General, we put too much faith in the fact that we had a long history and had done multiple projects and things with this vendor - not that the vendor isn’t a good vendor and trustworthy, but that we should have taken an extra step, and due diligence, which we failed to take.

 

LISA ROBERTS: Just following up on something I heard earlier, that right now there are a large number of threat risk assessments looking for vendors. I was a little surprised at that language because what I took away from the Auditor General’s Report was that vendors are responsible for doing what they do, and the government’s responsibility is for protecting the private information of Nova Scotians. Is that the normal course, that threat risk assessments are actually conducted by vendors and not by a unit within Internal Services?

 

            SANDRA CASCADDEN: We actually can conduct both privacy impact assessments and threat risk assessments in multiple different ways. When we have the resources available, we will conduct them internally.

 

            What happens is there are more projects and more initiatives, and this is a much higher profile - we are doing more of them these days. We don’t have all the resources required to do these assessments.

 

We actually don’t go out to get the vendors to do it, so my mistake in using that term - we actually get consultants who are experts in completing privacy impact analysis or threat risk assessments. They are not connected to a software company. A lot of them actually, especially on the PIA side of the House, are lawyers, so there is a business out there for folks to help organizations actually put together really solid documentation. We do have to go out and get additional resources to help us.

 

THE CHAIR: Mr. Conrad?

 

            JEFF CONRAD: I was looking to acknowledge the good work that Michael and his team do and the advice they give us. One of the things I would say that again was raised in terms of the comfort that we have with some of our vendors, just as Sandra said, is to be thoughtful about when we do use our own resources, when we do use the resources of the company that is providing the service, and when we might do it through an independent source.

 

I think that might be part of what I saw you raising your head was, ‘hold on, so the vendor who is going to provide this, is also going to do their own threat risk assessment?’ I think that was one of the issues, for example, we were doing things like using project managers from the company that was providing us services and we should be more thoughtful about when do we use our own resources, when do we bring in an external support to help us, when do we use those. That’s all not just for the FOI work but for all of our work. Something we’ve become more thoughtful around is how we assign project management, and assign roles and responsibilities to do these various elements.

 

            LISA ROBERTS: The department’s Accountability Report lists one of its key initiatives as Service Delivery Modernization (Digital Government), and the report says that the department is transitioning from in-person service delivery to a digital by default approach.

 

            The procurement process has been started for online services to support the delivery of services to clients in child, youth and Family Services, disability support program and income assistance. These are clearly programs that work with sensitive information and potentially vulnerable individuals.

 

            Can you tell me what threat risk assessments and threat analyses have been conducted for these projects? What is being done to ensure that the department does not have a failure in our future?

 

            SANDRA CASCADDEN: With regard to any of the new projects that are underway, the project manager will be taking the department through the three phases of both threat risk assessments as well as PIAs.

 

            One of the other recommendations that we’ve received was, you just can’t do one assessment at the beginning of the project because you learn things through the different phases. We have a multiple-phased approach where the first part of the phase is starting to put together information in Phase 1 for the PIA and TRA about your idea, what are you planning on doing, then starting to classify the type of data that you are going to be using.

 

            Once you have chosen a vendor - actually there’s a part in between there - the RFP process, actually when you’re going out to the street, we have sections in the RFP which outline the security and the privacy requirements that each vendor must complete and agree to, from a mandatory perspective.

 

            Then once you get past the RFP and you get into contract negotiations, those clauses carry through into the negotiations. You then update your PIA and TRA as a result of who the vendor is, what they’ve committed to, what you’re looking for, and then you’re going into the implementation.

 

The more you learn about the project, the more you learn about the vendor, the more you learn about the solution. You continue to update your PIA and TRA at that phase. Then before you go live, you have a completed PIA and TRA that you have learned all the way through, from ‘I have an idea’, all the way through to contracting and implementation. So it is a progressive approach. With regard to this particular initiative, the process that I have explained is exactly what’s happening.

 

            LISA ROBERTS: Can I be totally frank? No offence intended at all, but at this moment, I have more confidence in the Auditor General’s Office and the Office of the Information and Privacy Commissioner than I do in your department.

 

That process sounds great. Are there kind of fly-in checks from those two offices that have just provided us with these reports, which are frankly full of really concerning information?

 

            JEFF CONRAD: I appreciate your frankness, although I would assure you that we’re certainly working to overcome the concern that you and Nova Scotians have. Again, when I would talk to you about the work that we do, the work that was done here is somewhat unique. It’s a single project in the context of a very large department. It’s not representative of the kinds of work that are done in our department.

 

Thank you for being frank. I appreciate that.

 

            I guess one of the things I would say is that when I look at the role of these two agencies, one of the reasons, for example - I’ll speak specifically to the Auditor General, knowing that he’s here, and he’s free to rebut me. One of the things that these agencies provide to us is independent review and investigation. It’s my understanding in conversations that we’ve had with Michael and his team that they’re not in a position to provide us with advice and guidance because it then impacts their ability down the road - say, did we or didn’t we do what we should have done? So while we have commitments with both parties that we will check in in terms of the work that we’re doing to respond to the audit and the investigation, we don’t have a check-and-balance process specific to these two entities, as you’ve described.

 

What we do have, though, is great respect for the fact that it’s been recommended that we improve the professionalization and the ability. You’ve heard Maria talk to things like how we’ve added staff, we’ve undertaken training, we’ve created processes, we’re engaging the right consultants, and we’re getting the right independent review from other entities to help us understand and to raise issues in the go-forward to make sure that we have that kind of site.

 

But the Acts really provide for these or agencies that are designed to be able to come in and do things like investigations, to do things like overviews and oversight and to follow up on complaints and those kinds of things. So respecting those two players, it’s very difficult to do that when they’ve been asked to provide how do we operationalize this and then also be the auditor or the investigator to oversee the operation where they told us what to do should something go wrong.

 

I don’t know if that’s very clear, but I hope it is.

 

LISA ROBERTS: I appreciate that answer, yes. Thank you.

 

Regarding the breach or the leak that happened through the AST, Ms. Tully recommended that the department search the Internet to determine if the documents had been shared or posted in other locations, and if so, investigate the posting and work to scrub, to delete, and that this be repeated periodically for a period of time. Can you tell me if you’ve taken that recommendation, if you’re operationalizing that?

 

SANDRA CASCADDEN: Yes. Immediately after the breach, we did a scour of the Internet to see if any documents had been released. We found no documents being released. We then recently did another assessment on the Internet. Again, we found no documents that were released as a result of this breach. We have committed to do quarterly assessments for the next year just to make sure nothing appears on the Internet, just to make sure that we’re doing our due diligence there.

 

LISA ROBERTS: Thank you. Back in the Spring, when this all came to light, the Premier described the downloading of information from the freedom of information portal as stealing. As we now know, what actually happened was that the government posted confidential files on a website without security protection.

 

In the Deloitte report from January, there is a document detailing common attack vectors in cyber incidents. Does the department understand that this privacy breach was not an attack or a hack but a failure by the department?

 

[9:45 a.m.]

 

            JEFF CONRAD: Yes, it’s clear to us that this was not a hack in the traditional sense of a cyber attack. It was a design failure that allowed material to be shared or to be accessed that should not have been able to be accessed this easily.

 

            THE CHAIR: Thank you, very much. That concludes the time with NDP. We will now move over to the Liberal caucus. Mr. Wilson.

 

            GORDON WILSON: Thank you very much for being here today. This is the third time that we have had a conversation in Public Accounts around this. I think just saying that emphasizes the seriousness that this has, not only with government but with your department. It’s nice to have you in here at the end, to be able to clean up a lot of the unanswered questions that we have.

 

I also just want to say how encouraging it has been to hear, in some of the questions that have been asked, the relationship between your department and the Auditor General and the Information and Privacy Commissioner’s office. I think that is definitely one of the biggest messages that we need to get to all of government, that that relationship and what the Auditor General brings is paramount for us in dealing with these.

 

            In saying that, I did also have a chance to have a good look at the action plan that was created. I note in the action plan that it’s not just activities around the Auditor General reports, but it is also activities around the privacy commissioner, and also I think Deloitte did some work. Can you tell me how you molded those three different things into this action plan, if there were similarities or crossovers in that, and how you are going to be able to track all that?

 

            JEFF CONRAD: Maybe I’ll make a couple opening remarks, and then I will let Sandra speak in a little bit more detail.

 

            What you have here is an action plan, obviously, that we are sharing publicly as a way to follow and recognize the recommendations that have been made, whether they’re internal ones or ones that have come from the two reviews. There were certainly some overlaps. For example, if you read the Deloitte report, you’ll see that there’s a few things in there that didn’t make the action plan. In part that was because they’re already there in Auditor General recommendations or in recommendations of the privacy commissioner. You certainly see some direct overlap in terms of the work of the commissioner and the work of the Auditor General. We have acknowledged in one or two places where the work for one recommendation will address the work of the other.

 

            Really, behind this is a much more detailed project plan. When we say Activity No. 1 within Recommendation No. 3, what does that look like, and what are the steps that are involved in that? There is a project manager who’s tracking in the background to make sure these various elements are covered on a go-forward basis.

 

            Maybe I’ll let Sandra just speak to how you do project tracking on something the size of this within an organization like ours.

 

            SANDRA CASCADDEN: We have a much larger and more detailed document that has multiple activities that we believe we need to do in order to close some of these recommendations. It’s not just one activity that will close many of them, it’s multiple activities.

 

            We have the document that is tracking each one of those individual activities. It’s assigned to someone. As well, everyone who is the owner of that particular activity has to provide an update and a report on that activity every two weeks. We are making sure that we do track the progress. We may, as we move through, find out that there are other activities that we would like to do in order to support that particular recommendation, and we will add activities over time as well.

 

            At some point, working with the Auditor General and the Information and Privacy Commissioner, we will decide if we have completed enough activities to satisfy them - not satisfy us but satisfy them - that we can actually close the recommendation and that we have done due diligence.

 

On a number of these activities, it’s continuous improvement as well. We’ll have to be looking at how many of the activities would constitute a good response, a response going in the right direction. We know that the PIA documents that we have today and the TRA documents we have today are going to evolve over time as we learn more, and they will just get better and better.

 

            We’re very conscious that we’re tracking it, it has ownership, we’re reporting on it, and it’s also continuous improvement.

 

            GORDON WILSON: Also, just to make sure everybody is aware, that is available on the Internet so I would encourage anybody to access that document.

 

            I have a question for Ms. Lasheras. I’ve always been intrigued, I’ve been involved with FOIPOP for quite a while. It’s a very challenging world to understand, Freedom of Information and Protection of Privacy. It’s two ends of the spectrum - getting that information out there yet protecting the privacy. In light of the changes that we’re seeing - technological, social media, all these different things - can you tell me what you’ve learned and what the biggest challenges you see in that world of finding that balance between protection of privacy and freedom of information, and what you’re doing with that?

 

            MARIA LASHERAS: I have been in this field of Freedom of Information and Protection of Privacy since 1999. I love what I do. I think that there is a very tight balance between the access to information and the protection of privacy.

 

            It is very critical to understand under what circumstances all of the personal information must or could - must be protected, and in what instances it is possible or in the public interest to actually be able to disclose it. In the current world, I think it would be fair to say that it is not just in the context of privacy that we are trying to catch up with the technological developments. Technology is changing overnight; what was really current a few months ago is perhaps obsolete today.

 

            Maintaining that perspective about protection of personal information is about the individual’s right to manage their own personal information that is going to keep us above the challenges that are coming along in the digital world. It is the concept of ownership of the information that is going to allow us to actually protect the information in a way that is going to be as required by the expectations and to handle the technological developments.

 

            GORDON WILSON: I think that’s one of the biggest concerns that Nova Scotians have is to try to know what’s being done to keep ahead. I think it’s a common theme that we hear, and it’s a big concern that a lot of us have, how you keep ahead, and it’s something we should all keep our eye on.

 

            Just one other quick question before I turn it over to my colleague. We’ve heard a lot about privacy impact assessment and threat risk assessment, and I think from what I understand, they are both equally important, but I am a little unclear on the difference between the two. I don’t know if this is for Mr. Conrad or who it would be, but it’s important for me to better understand the difference between those. Can you give us an overview of what would be in each document in that regard?

 

            JEFF CONRAD: I’m actually going to turn it over to Maria, because I’m quite sure if I tried to speak to what a privacy impact assessment is and how it works, she would come over here and kick me. Really, we have lots of expertise at the table, and I say that facetiously, but certainly in terms of privacy impact assessment and how it works, what it is, Maria’s team has done some tremendous work. We can table some documents today in terms of some of the work we’ve been working on. Then Sandra can speak a bit to the TRA side of it and what that is. Again, we can table some descriptive documents that might help the committee understand into the future.

 

            MARIA LASHERAS: I will speak about the PIA and then Sandra will do the TRA.

 

In general, the PIA is the fine tool that allows us to manage and to put controls around the personal information, and to make sure that we are compliant, safe and secure and according to privacy laws. In a nutshell, this is what a PIA is.

 

            The PIA looks not only to the personal information in the context of managing it, but also looks at the legal authority of this department to collect X-amount of information; do they have the authority to do that?

 

So it is not yes and we define the system. We determine who is going to be using this system, what type of access the users are going to have, do they have to have access to all of the collected information or do they have to have limited access to information, depending on the role that they have in the organization?

 

            The PIA also includes an analysis of the technical safeguards. Those technical safeguards that are contemplated under the FOIPOP Act have three parts. They are: administrative, physical and technical.

 

The technical ones are the ones that are really in the purview of the TRA. It’s where the PIA and the TRA should align. The TRA should fit into the PIA so that we can actually make sure that those security arrangements for technical components for the architecture, for the data flows - where is the data going to go from here to there - that those are all contemplated in the PIA, and that the PIA and the TRA are aligned.

 

            After we do all this exhaustive analysis - and PIAs are pretty comprehensive, or they should be, and they are different whether we are doing a PIA on infrastructure in our service or they are Cloud-based. They are comprehensive, and they are also including risks that may have been identified.

 

Not all risks are equal, and nothing is risk-free. The risks are classified depending on high, medium and low; what the mitigation strategies are going to be; and how we’re going to monitor those strategies that will allow us to say the risks are handled.

 

            The PIA is done when there is a change to our system - a significant change to a program or a new system. By policy that was implemented and came into effect in May 2018, we have mandatory PIAs. The policy does inform the new world. We are developing all of the education components to spread across the civil service and the departments on how to do the PIAs, what that means for you as a manager, for you as a user, et cetera.

 

            I just want to mention that PIAs are not always necessary, contrary to TRAs. PIAs are only to be done when there is personal information in the system. For example, if we are going to develop a system that is going to register all of the highways in Nova Scotia and secondary roads et cetera, that database may contain very critical information for handling and managing highways but doesn’t contain personal information. PIA is not required. On the contrary, there might be requirements in other instances.

 

            GORDON WILSON: I note from previous questions, and I didn’t realize this, there are 50 new threat risk assessments being done this year, which is, I’m sure quite a challenge administratively and on your resources. That completes my questions. I turn it over to Ms. Lohnes-Croft.

 

            THE CHAIR: Ms. Lohnes-Croft.

 

            SUZANNE LOHNES-CROFT: How much time do I have?

 

            THE CHAIR: Five minutes.

 

            SUZANNE LOHNES-CROFT: I usually don’t get into IT too deeply; I let my sons explain things and fix things for me. I’m finding myself a little interested in some of the conversations here, the details and whatnot. I appreciate, I thought, here we go again, but I’m learning a few new things today.

 

            I want to talk about the FOIPOP website. It isn’t up presently?

 

            JEFF CONRAD: The site essentially has two components to it. There’s a component to it that is a release of information. That has been re-established, so there is a site up. If Nova Scotians want to know what freedom of information requests have been made and what has been released, that site is now up and running. You can access that through our existing website.

 

            The portal piece - which is how you ask for a freedom of information request, pay for a freedom of information request, provide the detail, and then receive the documents back - has not been brought up yet. We are in the process of redefining what we want within that site and exactly how that will work to make sure we don’t experience these kinds of issues again. We’ll be going out to market for that sometime probably next month, in terms of getting a vendor to build a new site to replace that piece of the portal. That piece is not back up yet and won’t be for some time.

 

[10:00 a.m.]

 

            SUZANNE LOHNES-CROFT: What are you expecting to be different about this new portal that was not in the former portal?

 

            JEFF CONRAD: Maybe I’ll let Maria say a few words about the difference between the manual process and the portal process.

 

            Really, the issue in terms of the new portal process is that in many ways it will recreate some of the functionality of the previous portal, but obviously with a much stronger protection regime. The requesting side - even when you make a request, you provide personal information to government, in terms of the request that goes forward, so making sure that’s very secure in terms of how you make the request. Then obviously when you get the material back, making sure that the way that material is distributed and stored is clearly very important. What we have now is a more manual process by which you apply compared to what would happen on the portal.

 

Does that get to your question, or do you want Maria to speak a minute about how you would currently make a request, for example? That might be helpful.

 

            THE CHAIR: Ms. Lasheras.

 

            MARIA LASHERAS: Yes. Requests haven’t stopped coming, so the system is working. The way it works is that anyone can file a FOIPOP request, via email or by snail mail, and then pay the fee - if it is a request that requires the $5 application fee - by cheque to the Minister of Finance and Treasury Board, like in the old days. The most common way of receiving the questions today is via email, so it is continuing, yes.

 

            SUZANNE LOHNES-CROFT: I just want to confirm that people can still get FOIPOP requests. I think there’s a misunderstanding out in the public that you cannot file a request, but you can, through email and by phoning the department.

 

            MARIA LASHERAS: Oh, absolutely, yes.

 

            SUZANNE LOHNES-CROFT: I’m just a little curious about the roles you have. You are both chief information officers, except Ms. Lasheras, you have “access officer” attached to yours. How do you work together? How are you different? How do you work with the role of the deputy minister in all of this?

 

            MARIA LASHERAS: Of course, we have the deputy minister, the associate deputy minister. My role is coordination and to set the strategy and the vision for the access to information and privacy protection program for the province. It is very focused on the FOIPOP Act or any other Act that relates to access to information or protection of privacy, and it sets the program.

 

            SUZANNE LOHNES-CROFT: And more on personal privacy?

 

            MARIA LASHERAS: Yes.

 

            SUZANNE LOHNES-CROFT: Rather than corporate privacies?

 

            MARIA LASHERAS: No, it is a corporate role, yes.

 

            JEFF CONRAD: Sorry, you’re asking about business privacy?

 

            SUZANNE LOHNES-CROFT: Yes.

 

            THE CHAIR: Mr. Conrad.

 

            JEFF CONRAD: Your role includes personal and business and economic, all the things covered under the Act.

 

            MARIA LASHERAS: It’s - oh, sorry.

 

            THE CHAIR: Ms. Lasheras, go ahead.

 

            MARIA LASHERAS: So, any information about corporate, business, people, business of government, et cetera, that is subject to the FOIPOP Act - that is the role that is of my responsibility to set the strategies, division, mandate, how we are going to operationalize the FOIPOP Act to make sure that information is protected or disclosed as it is outlining the law.

 

            SUZANNE LOHNES-CROFT: So, you’re keeping a close eye . . .

 

            THE CHAIR: Order, please. That concludes the Liberals’ time. We’ll go back to the PC caucus and Mr. Halman for 13 minutes.

 

            TIM HALMAN: I’d like to go back to the culture that’s within the department and this sense of urgency which both reports have indicated was a leading factor in this breach. We know that there was a sense of urgency to get this project done quickly. Am I correct in saying that basically at this stage not a single person can be narrowed down to be held accountable in terms of where this sense of urgency came from? It had to come from somewhere. Could you comment on that?

 

            JEFF CONRAD: Maybe there’s a follow-up question here. I’m not sure that a sense of urgency on a project is a bad thing. It may be that a sense of urgency may cause some poor decisions to be made in which case it would be a bad thing, but a sense of urgency on a project - when I look, for example, at the Information and Privacy Commissioner’s report where she says that this website significantly advanced transparency in the Province of Nova Scotia, folks on my team like Maria, Sandra and the colleagues that they work with would have a sense of urgency around - we have an access to information requirement, we have an interest as you’ve seen on a number of fronts.

 

We’ve done open data. This government has done disclosure of travel fees. We’ve done a number of things around disclosing new information. We have a mandate to share information with Nova Scotians. We want to move that forward. We don’t want to be years in the making around how we make information available that would be of benefit to Nova Scotians. A sense of urgency in the sense of, is this important work, is it fundamental to the work that we’ve been asked to do, do we want to move it forward and see it move forward - I would hope most of our projects in that sense are imbued with a sense of urgency. A sense of urgency that would cause us not to do things properly clearly would be a different issue.

 

So that might be what you’re getting at but who’s accountable for a sense of urgency - I had a sense of urgency. Maria, I think, had a sense of urgency. Sandra had a sense of urgency in terms of this is important work that we do. This fundamentally advances the transparency of the Government of Nova Scotia in terms of making citizens more aware of what goes on. I think that’s important work and I have a sense of urgency to say what can we do in that area, how can we move those things, and how do we get that stuff out there so people can take benefit of it. So, there may be a follow-up question that gets to a different sense of urgency.

 

TIM HALMAN: That’s an interesting remark. I think certainly a sense of urgency has its place but if a sense of urgency comes at the cost of a team doing their due diligence then that is problematic - certainly what we saw as the end result of that sense of urgency, from both reports, was the fact that due diligence was not followed and that resulted in this privacy breach.

 

So, again, am I correct in saying that at this stage in the analysis no one is being held accountable? Essentially, am I correct in saying that those that oversaw this privacy breach are now responsible for correcting it? Is that a fair statement?

 

JEFF CONRAD: So again, I’m not sure that I would agree that a sense of urgency was the prime contributor to some of the mistakes that were made. There may in fact have been some folks who said I felt a sense of urgency but, as I said earlier, one of the things we saw was that as the project approached its original set end date one of the mitigations that we took to make sure that we had things done was to move the end date to further out which we did internally within our own team and we certainly had mechanisms to address the ability to give ourselves more time in terms of the project.

 

            In terms of accountability, when we think about accountability in terms of the work of a group like this and we think about being held accountable, obviously Public Accounts is a pretty significant accountability measure. We have to come here and sit and explain to yourselves, and through you to the citizens of Nova Scotia. Through the House, the minister explains to the citizens of Nova Scotia what we did. We put out there in pretty frank terms - through the support of folks like Michael whom we invited in to help us clarify and bring out the things that we did wrong - a responsibility to say clearly we did some things wrong; we’ve accepted that.

 

            Are we the right group to move this forward? I think that’s a great question. A couple of things from my perspective - you’ve heard us talk this morning about certainly predating this site, and certainly in the go-forward we’ve done lots of work much more broadly than just the FOI site that led us to be in a good position to do this.

 

For example, previous to 2016 the province did not have a head of cybersecurity at the executive director level. In 2016, within the department, Sandra did a reorganization, found some resources, created a cybersecurity unit, brought in a head of cybersecurity and we’ve grown that unit relatively significantly over the last three years. Unfortunately, it was happening in parallel with a project like this, and it would have been wonderful in hindsight if the province had done that three years earlier, or five years earlier, or whatever. It’s in state now, it’s been beefed up, and we continue to grow it every year. It provides us another resource in terms of the go-forward on why we are the right organization.

 

You’ve heard conversation from Ms. Lasheras about growing and professionalizing the staff in the IAP team, who are incredibly dedicated, hard-working people who take this very much to heart, and I think you heard Ms. Tully acknowledge that in spite of the mistakes that we made, she acknowledged the intent and nature of the people.

 

            I’ve been in a number of rooms in the last year where there were tears shed over the impact this had on citizens and the degree to which people took that personally. So there is a lot of commitment from the team. Also, one of the things we have done in terms of things like the Deloitte report, is really dig in deep on what did we do, how did we do it, why did we do it, and how would we do it differently in the future.

 

Those things have been taken very much to heart by my organization, by the people in this organization, by the folks who sit here and, certainly, by the minister. This is absolutely a consistent issue. Every time we meet with the minister, she wants an update on where we are with this. She’s taking this very seriously; she’s committed to meeting with Ms. Tully in the future on this issue to make sure that we are in fact doing what we said we would do.

 

            There’s a strong level of commitment and there is a level of professionalism here, and we certainly are doing things structurally to put ourselves in the right position to do better at all of this work.

 

            TIM HALMAN: I appreciate those comments. Let’s also remember though that, as the Auditor General has pointed out, this is a clear demonstration of what can go wrong when controls are in place. That’s certainly been put out there by the Auditor General, and it’s been put out there by the Information and Privacy Commissioner.

 

            With the recommendations of the Auditor General, I’ve noticed there’s always a lot of talk about the future. Certainly, when you look at his reports, it talks about a path forward. What I want to know, and I think what Nova Scotians want to know, is to find out what the changes are now. That is to say, if we were to do a portal system today, what would Nova Scotians see that would be done differently and better?

 

            JEFF CONRAD: I think that has in fact been part of the conversation this morning, that we are in the process of trying to establish this portal today. I think one of the comments that’s in Ms. Tully’s report was there was a bit of surprise when they asked someone: Would you do this again? Their response was yes. In fact, we’re trying to do this again; we’re trying to establish a portal right now that will recreate what we did before - in the right way.

 

[10:15 a.m.]

 

            Changes like the ARB changes that Sandra spoke to earlier, like mandatory PIA policy that Maria spoke to, like the way in which we do project management into the future, and project tracking so that we have mechanisms that ask if the mitigations actually have been put in place - those are serious changes in terms of the way that we address this business and in terms of what we do in the future. So the launch of a system like this today is going to be, and will be, very different.

 

            One of the things you do see in the response to the Auditor General is again trying to think about how we make sure we put our resources in the right place and do the right risk-based kind of approach. To the example that Maria gave earlier, we don’t want to be spending on privacy people doing reviews of every single project of government when we have projects that don’t include personal or business information.

 

We need to look at each project and say, does it need a TRA? Does it need a PIA? Does it need a different kind of review, does it need more/less, heavier/stronger? All of those things are part of process changes that we’re making. In today’s environment, this type of portal project is going through a very different lens and a very different management structure than it did in 2016.

 

            TIM HALMAN: What issues would still persist in the department with respect to the culture that the Auditor General has identified? Where are the challenges and what steps are you taking to address that?

 

            JEFF CONRAD: I’m a believer that changing our culture is the fundamentally important part of how we make these kinds of changes - not just within the departments. Sandra spoke about some of the things we’ve done in the department. She’s reviewed both of these reports in person, in detail, with her entire team of more than 600 people. She has gone through all the recommendations, reviewed what that means to us and the kinds of changes we need to make. I’ve shared the reports internally with all of the staff in the department and asked them to read them. We’ve done updates in terms of sharing within the department some of the work that we’re working on.

 

            The broader culture question, I think, is at least equally important. When we speak of something like the privacy training that we designed and was launched, unrelated to this work-related FOI portal, more than 4,000 Nova Scotia employees have now taken that online privacy training, within government, that talks about ‘how do you do privacy protection’ and ‘how do we do access to information, what does that look like?’ We see a very significant effort underway.

 

            We’ve done things like recently sharing a practice bulletin on snooping. We don’t wait for a recommendation to come to us. When we see that there’s a recommendation or report from the Information and Privacy Commissioner that relates to snooping, we develop a document of a couple of pages for inside of government, which I can table here, and send it to every civil servant in the Province of Nova Scotia. It is to say, what are the lessons we’re learning from what’s going on elsewhere in government and in organizations that should apply to all of us? How do we proactively get ahead of some of these kinds of things?

 

            To me, that’s what gets to the heart of culture. How do you change how people think and breathe and move around this kind of work?

 

            TIM HALMAN: With respect to the One Person One Record program, have you consulted, or plan to consult, with the Information and Privacy Commissioner on the program, during and before the program is launched and made public?

 

            JEFF CONRAD: I’ll let Sandra say a few words in terms of One Person One Record as she’s more involved in the actual construction of the project. But, in general, as we spoke about, one of the things we’ll be doing is having quarterly meetings with Ms. Tully and we’ll talk about large scale projects, the kinds of things that are coming our way, how the processes work and what we’re working on.

 

            THE CHAIR: Order, please. That ends the time for the PC caucus. We will now turn it over to the NDP. Ms. Leblanc.

 

            SUSAN LEBLANC: A quick question: How many people work in the information access and privacy section of the department?

 

            THE CHAIR: Ms. Lasheras.

 

            MARIA LASHERAS: There are 24.

 

            SUSAN LEBLANC: Are there any current vacant positions?

 

            MARIA LASHERAS: We have one.

 

            SUSAN LEBLANC: I’m wondering if you can provide the information of that position, that vacancy, to the committee? You can table it later or you can tell us now.

 

            MARIA LASHERAS: I can tell you very quickly because there was one retirement of a manager. There was a competition, it was filled from a team lead jump. The team lead was left vacant and now we have conducted the competition for that team lead. I don’t know the outcome, but it would be just the one and we will proceed to fill it if anyone is internal.

 

            SUSAN LEBLANC: Given what Ms. Cascadden said earlier about looking to outside consultants when you don’t have the internal resources available, I’m wondering if you can table how much money is spent each year on outside consultants for that purpose? Again, you can talk about it now or you can table the information for us.

 

            SANDRA CASCADDEN: I would have to table that information. I can gather that information for you.

 

            SUSAN LEBLANC: That would be great, thank you. The Deloitte report that my colleague was referring to earlier is based in part on interviews with five people in the department: you three as well as Rob Samuel, who is the Executive Director of Cybersecurity and Risk Management; and Donna Chislett, the Director of Communications. Can one of you talk about why these five people, including you, were the ones interviewed and who decided who would participate in those interviews?

 

            THE CHAIR: Mr. Conrad.

 

            JEFF CONRAD: Sorry, the five interviews?

 

            SUSAN LEBLANC: For the Deloitte report.

 

            JEFF CONRAD: Maybe I can speak to a bit of that. The Deloitte report had three phases. The phase that you’re speaking of in terms of the process was when we really wanted to do an internal review that looked at what we as practitioners thought and what we had observed. Not only what went poorly or what went well, but what we realized we could have done better, or how we would have reacted differently had the scenario been slightly different. What are the learnings in this?

 

Phase 1 was really to frame up what the review was going to look like, what things we wanted to focus on, and how that worked. The five of us were selected as folks who had been fairly heavily involved in the largest pieces - the technology piece of it, the privacy piece of it, the communication piece of it, the cyber protection piece of it, and me as kind of the oversight piece of the response.

 

            Then we moved to a survey process. There was a survey of 20 folks, I believe, so we broadened it out amongst people that we worked with. Then there was an in-person debrief session, an in-person meeting, that around 20 of us took part in for half a day. We worked through, based on the interviews and based on the survey, these kinds of things that came out as things we should explore further, things we should understand better, and things where people had thoughts. The conglomeration of those three phases led to the report.

 

            SUSAN LEBLANC: In the government’s privacy policy, Section 4.11 states that, “Employees of government entities who prepare or manage contracts that involve the collection, use, storage or access of personal information by any third party shall consult with legal counsel, and shall ensure that privacy protection provisions recommended by counsel are included in such contracts.” 

 

However, the Auditor General’s report found that when the FOIA website was implemented in 2016, there was no amendment, change order, or contract created. Can you explain how it is that the project was able to move forward with no contract in place?

 

            JEFF CONRAD: The project that we did in this case was an addition to an existing contract that we already had. There was no separate contract related specifically to this project. To the Auditor General’s comment around going back and requiring the main contract to be amended in order to handle specific things that were unique to this project, that is certainly one of the lessons learned in the future. We have actually created a new contracting tool, a new appendix to the contract process, that provides a much more significant level of detail around how contracts will treat this kind of stuff in the future.

 

            SUSAN LEBLANC: Also, in the government’s privacy policy is the requirement that all employees of a government entity shall complete mandatory privacy awareness training once every two years. Can you provide to us a report on how many employees within the department are up to date on their training?

 

            JEFF CONRAD: We could provide it for the department. It’s the number that I referred to earlier. Within government, it’s just over 4,000. As of last week, it was 4,100 and some. I don’t have the number for our own department, but I would be glad to provide that if you would like.

 

            SUSAN LEBLANC: That’s the online training that you referred to earlier. How do you make sure that people are doing it every two years? Is there a way to check that?

 

            THE CHAIR: Ms. Lasheras.

 

            MARIA LASHERAS: Yes, it is a one-hour training with three e-modules. Everyone who finishes the training gets a certificate. They have to print it off and the system registers who has completed it.

 

            SUSAN LEBLANC: I think it’s fair to say that members of the public have a healthy amount of concern about the way private companies handle their personal information. It’s clearly a responsibility of government to maintain a higher standard of care with their handling of Nova Scotians’ personal information.

 

            Before I ask this question, I’m just going to refer to something that happened in the House in the last couple of days. Here’s an example of what we’re talking about. The government has put forward the Credit Union Act, which is amendments to the Credit Union Act. The privacy commissioner has flagged that she has real concerns about the Act and the way it is worded, in terms of things being able to be - I might be confusing this with the Nova Scotia Museum Act - but in any case, the privacy commissioner has concerns that have not been addressed, in her office’s opinion . . .

 

            GORDON WILSON: We’re not allowed to discuss bills before the House in committees.

 

            SUSAN LEBLANC: I’ll let the Chair stop me if he needs to stop me.

 

So given that the government is taking this piece of legislation back without amendments . . .

 

            THE CHAIR: Just hold on a second. (Interruption) Legislative Counsel says it’s okay. Go ahead.

 

            SUSAN LEBLANC: Thank you. So given the government’s current practices around these things, can you speak to how confident you are about the safety and security of government systems where personal information is stored?

 

            JEFF CONRAD: Clearly I don’t have any role in the Act or the legislation you are referencing, so I can’t speak in terms of referring to that scenario, that piece of work that you are talking about. That’s in the hands of another department.

 

Generally, in terms of the security of information, I’ll let Sandra speak to that. We have a pretty robust system when you think about the kinds of structures and processes we have in place. Nova Scotians should have comfort that government is treating their information very carefully and it is very secure.

 

I’ll let Sandra speak in a little bit more detail on how that works.

 

            SANDRA CASCADDEN: There are multiple mechanisms we have in play, some of them from a technology perspective, others from an awareness around privacy - which doesn’t have anything to do with technology. It has to do with how you treat people’s information, whether it’s on paper or in electronic formats.

 

            From a technology perspective, we have multiple different mechanisms with which we monitor systems. We have logs associated with systems and we do scans on systems and technologies to watch how systems are being used and how systems perform.

 

            We do get audited by the Auditor General. We do have controls around things like access and passwords and expiries of passwords and access to systems, so there are many controls in place. They are all at various levels: they can be at a technical level, they can be at an educational level. It’s fairly robust.

 

            SUSAN LEBLANC: Do you know if the risks that have been identified in the freedom of information system also exist in other systems in government?

 

            SANDRA CASCADDEN: Certainly as a result of what we learned about the FOIA application itself, we did consult with our software vendor. We hired our own cyber expert and we did do assessments on that vendor’s product suite, and we do know the status of that product. We know what the issues were with the product, and those issues have been remediated through patching of the software, so we do have a sense of that particular application from that vendor. We know what the status of that is.

 

            We also know the status of many other applications at different levels. We know the status of applications that may be sitting on servers and the status of the servers, like have they been patched? Are the most up-to-date patches available on the servers? A server is a point of vulnerability.

 

            We assess the new applications coming in very strongly - they have to pass vulnerability assessments before they even come in the door. If someone is developing a new application that is externally facing, it has to pass vulnerability scans. Once it passes the scans, then we will put it in our environment and bring it into production. If it does not pass those scans, then remediation has to happen with whoever is developing it before it comes in - so again, happening at multiple levels.

 

            SUSAN LEBLANC: Finally, a number of people have come to me about concerns around the drug information system. I’m wondering if your department manages that software or that system, and if you can speak to how confident you are in the privacy of people’s information being protected?

 

[10:30 a.m.]

 

            SANDRA CASCADDEN: Certainly I can talk to it from a technical perspective that that system is housed within our data centre; it is housed on our servers. Our team manages the application from a technical perspective; it is behind our firewalls. If anyone is trying to get into that particular system from the external world, we have that system protected.

 

            That system is managed by the Department of Health and Wellness, so they are the ones who are watching the activities inside the system and have a purview over who has access to the system and the tracking of those accesses.

 

            I am responsible for one level of that system, and the Department of Health and Wellness and the Nova Scotia Health Authority are responsible for yet another level of that system. That’s why the governance of IT in health care is complex, because there are multiple owners of multiple different parts of the solution.

 

            THE CHAIR: Thank you very much. That concludes the time for the NDP.

 

            We will now move to the Liberal caucus. Mr. Jessome.

 

            BEN JESSOME: Thank you all for your time here this morning. Over the course of the meeting today there has been an expression of, I guess, an ongoing appetite to revisit this and learn from it and some scheduled added measures of accountability that have been expressed, but I want to focus my questions around an initial comment I heard earlier with respect to satisfying the recommendations that are in this report.

 

            While we have cited a number of instances that reference some ongoing oversight or some scheduled additional oversight, I’d like to focus on any specific, embedded policy or oversight changes that will be consistent. Is there anything available to the department and to Nova Scotians that will outlast any of our time here? Are there policy changes that have been made?

 

            I’ll use a couple of examples that I will be referring to - the plan that the department has presented to respond to the particular recommendations, but I believe there are lines that can be directly drawn to perhaps other examples, if you so choose.

 

            Firstly, can you reference any specific policy change that is embedded, regardless of, I guess, the RFP processes that the department will conduct moving forward?

            JEFF CONRAD: There are obviously things here that are embedded and will outlast us. That is the nature of how these things work. Also recognizing that part of what needs to happen here is the ability to adjust in the future as we go forward.

 

            As you can appreciate, this is an ever-changing kind of context, but maybe a couple of examples might be useful. Perhaps Sandra could speak to some of the things we’ve done in terms of the policy changes and the work we’ve done around maybe the ARB or project management. She probably has a better sense then.

 

            Maria could speak to what the impact is of doing things like making PIAs mandatory in terms of the movement forward of future projects.

 

            SANDRA CASCADDEN: Some very tactical things that have been done are that we have certainly strengthened the clauses for security and privacy that go into our RFPs when we are looking for vendors to bid on our products.

 

            There were always clauses in those RFPs but based on the learnings that we have from this event - plus the learnings that we had between 2016 and these reports - we have strengthened those clauses in our RFP. Everything that we’re procuring on a go-forward basis will be procured under modern terms associated with privacy and security.

 

            I am sure, when we look back in a year and we look at these, they will have evolved as well. This will provide a really good foundation on a go-forward basis for the RFPs. Those clauses actually constitute the clauses in the contracts, so you don’t lose what you put in an RFP once you actually have a contract. Those clauses are put in a contract, and those clauses are jointly written between subject matter experts and our legal counsel, so we have legally engaged in a lot of those conversations. Contractually, the whole procurement process strengthened that, so that will carry us forward.

 

            Other things that we’re doing as well - one of the observations from the Auditor General was around project management. From an organization structure perspective, we actually had two separate project management offices, and we are combining those project management offices so that we are able to create consistency across project management. Those two project management offices will be combined, they will be led by one project manager, and that will enhance our project management policies, processes, and standards.

 

            The other thing that we are doing is we are making sure that our best practices that we’ve had in place before are actually documented. I say that we have a strong oral tradition sometimes where people know what to do, and what we’re doing is we’re documenting those processes, and those documents will also carry through time and support us as we move forward.

 

            BEN JESSOME: Thank you, I appreciate that approach. That covered my second example as well, so I appreciate that.

            Back to the action plan with respect to RO5 and taking in the request to do an inventory of tech solutions, devices, and applications - perhaps you can talk a little bit about the ongoing measures that are taken to take stock of what’s out there and how things are looked at.

 

            SANDRA CASCADDEN: We have many inventories. We have inventories of cell phones; we have inventories of desktop devices; we have inventories of tablets; we have inventories of switches, servers, applications. We have a fairly significant number of inventories. Those inventories are used for multiple purposes. For example, on the inventories associated with desktops and computers of any sense, we use those inventories to flag to departments when devices are getting older.

 

            One of the issues with older devices is they can’t be protected as well as the newer devices, so we have a process to work with the departments to get those devices out. So we use that type of inventory that way.

 

            We also have inventories of applications - all the applications that we use in government. Those inventories are used to do a risk assessment associated with which applications are older, which ones should be replaced - and they can be replaced both from a functionality perspective or they can be replaced because in some cases the vendor has declared they’re going out of business, so that puts them up as a higher priority application. We use the application inventories for multiple things.

 

            Those applications help us manage both the information as well as the assets that we have within government, both from a renewal perspective, as well as from - these applications are cusping on needing to be replaced, and we have to start putting in a strategy to get funding and to get the replacement of those devices.

 

            The other thing that we have is, we have an inventory of the applications that actually contain personal information as well, so we dig down to the next level - after we have the inventory, the applications, we have an inventory of the applications that contain personal information.

 

            BEN JESSOME: That’s helpful; thank you for that.

 

My final question, before the member for Halifax Atlantic jumps in here: Aside from Deloitte, the AG’s Office and the Information and Privacy Commissioner’s services, has the department added any additional resources internally, such as new personnel or new expertise?

 

            MARIA LASHERAS: In the IAP unit, we have increased the FTEs to actually be able to meet the requirements of the policy that became effective May 2018.

 

            BEN JESSOME: Sorry, can you clarify IAP?

            MARIA LASHERAS: Oh, sorry, Information Access and Privacy unit.

 

            BEN JESSOME: Okay, thank you.

 

            THE CHAIR: Ms. Cascadden.

 

SANDRA CASCADDEN: Over the last number of years, we’ve also been increasing the strength of our cyber security team. In the 2015-2016 fiscal year, we had a budget that was under $1 million and about seven staff who were directly associated with cyber security. At the end of this year, we had a budget that was just under $2.8 million and 16 people dedicated to cyber security and we intend to continue to grow that group - us and the rest of the world, right, because cyber security is key for organizations these days.

 

In the industry, the assumption is that cyber security is growing at a rate of at least 20 per cent. I mean, it’s outgrowing almost everything else, so we need to keep up and we will be dedicating resources to this.

 

            THE CHAIR: Mr. Maguire.

 

            BRENDAN MAGUIRE: Thank you for your presentation today and for taking the time to answer questions. It’s a very unique situation and you don’t see it very often where issues like this, especially in the private sector, become so big publicly. A lot of times, this stuff is dealt with internally - this became very public. It became an issue that Nova Scotians were concerned about.

 

How do you feel you’ve grown and learned from this process? Every issue, whether it’s good or bad, is a learning process and it helps you grow as an organization and it helps you grow as a department. We’ve heard a lot of great things today and I think this definitely helps restore a lot of confidence that we have in you, and that the public has in you, but how do you feel like you’ve grown from this issue?

 

            JEFF CONRAD: I suspect any one of us could answer with regard to our own responsibility. I guess when I think about as an organization, both in the sense of Internal Services and as a broader public sector, in addition to everything we’ve talked about today, there have been numerous conversations amongst my colleagues, for example, at the deputy minister’s table. There have been conversations at the national level that Sandra would be having with her counterparts, around what did you experience, what did we go through.

 

It is a cultural and awareness piece for me in terms of thinking about things like risk management and how we do a better job in terms of recognizing these very complex factors. I know there’s been a lot of dialogue about ‘was this easy, was it complicated,’ was it whatever.

For me, I think one of the things we’ve learned is that when you have a big, diverse organization and you have the ARB doing a piece, project management doing a piece, the implementer doing a piece, two different private-sector partners doing a piece, and Maria’s team doing a piece - the ability to integrate that, to bring together the overall view and say how on any given time do we integrate all of those smaller pieces to say, “Oh, we’ve got 10 yellow lights which leads us to a red light”, is one of the big learnings I think for me. That ability to make the roles of project managers and the ARB broader so that it looks across all of our groups and takes a more integrated kind of picture, would be a big learning for me.

 

            BRENDAN MAGUIRE: And I think that the nail was kind of hit on the head earlier where it was said that, what is new today is not new six months from now. We think back just to a few years ago and no one had even heard of the Cloud. Now that’s being seen as one of the main storages for most large organizations, and governments are now starting to use it.

 

So what are you doing to keep up with this ever-growing technology? I’m sure by the time we are all fully familiar with the Cloud, there’ll be something else. But in the interim, what are we doing to keep up?

 

            THE CHAIR: Order, please. That concludes time for questioning. Would witnesses like to make some closing remarks before we adjourn the meeting?

 

            JEFF CONRAD: Why don’t I let Sandra make a closing remark and she can answer that question in her closing remark? What are we doing to keep up would be a great way to wrap the session I think.

 

            THE CHAIR: Ms. Cascadden.

 

            SANDRA CASCADDEN: So, what are we doing to keep up? We certainly are working with our counterparts in government across the country because government is very, very different than private business. We do have multiple different groups working at different levels; for example, my team who is heading up the ARB has counterparts that they talk to across the country. There is a public sector CIO group that I am the co-chair of with the federal CIO and we talk. A major part of our conversation is about cyber security inside government.

 

            We do educate ourselves both technically, by sending our folks to technical conferences, like with Cisco. We send our folks to conferences on vendor solutions. We go to general conferences where the top 10 trends in technology are talked about. You talk about artificial intelligence and you talk about all those things that are coming down the pipe. You think the world is going to change now - wait until artificial intelligence starts coming into play, from a government perspective.

 

            We do multiple things. We encourage people to do online training. We encourage people to get technical courses, so there’s lots of training and opportunity. There is a lot of that conversation across the jurisdictions, too. As I say, the business community is very different than the government community and we really do need to learn from each other.

 

            We’re trying not to reinvent the wheel across the country because we need to move faster but at the same time, we need to respect privacy and security. If we can learn from each other that will help us move the government into the digital age, which is what our citizens are looking for us to do.

 

            THE CHAIR: Thank you very much. We do have some committee business, so we’ll carry on with that. Thank you for your presentation.

 

            Committee business: Under correspondence we have the IWK Health Centre information that was requested at the February 26, 2019 meeting. Do we have any comments on that information? No. We’ll table that information as presented. Ms. Leblanc.

 

            SUSAN LEBLANC: I have a motion to make. I move the committee not call Ms. Amanda Whitewood, the Chief Operating Officer of the IWK, to appear as a witness for the April 10th meeting.

 

            THE CHAIR: Question? Ms. Leblanc.

 

            SUSAN LEBLANC: Mr. Chair, the decision to call Ms. Whitewood was a decision made at the February 6th meeting of this committee. As committee members will remember, Ms. Whitewood was scheduled to attend the meeting with her colleagues from the IWK and the NSHA but was ill on the day of the meeting.

 

            At the meeting the motion was made by Mr. Halman, the PC member on the committee, and was amended by myself, the member for Dartmouth North. In sort of thinking about the results of that meeting and the answers we were provided with, we in the NDP caucus are satisfied by the information provided by the witnesses. Therefore, we don’t feel the urgency around hearing from Ms. Whitewood at a further meeting.

 

            THE CHAIR: Further discussion, Mr. Halman.

 

            TIM HALMAN: I disagree with that assessment. We have Dr. Jangaard who indicated the testimony on February 6th would be impacted with the absence of the Chief Operating Officer, Ms. Amanda Whitewood. Let’s not forget this committee voted in favour of that.

 

            We are now in a situation where it seems like every meeting we come to, the rules are changing. It’s like they are being made up as we go along. Definitely, it is in the provincial interest to have the chief accounting officer here and I believe we must continue with that meeting as scheduled, as voted by this committee.

 

            THE CHAIR: Mr. Wilson.

 

            GORDON WILSON: First off, I appreciate the heads up on the motion; it gives us a chance to digest it a bit. I am also kind of out of curiosity - I was going through my notes Monday morning and I saw we had been scheduled for an upcoming meeting. I did reach out to the Chair and the Clerk just to clarify why we were bringing them back in, so there was a little bit on our radar.

 

            I don’t have my notes in front of me. I did refer to my notes from that meeting at the time, earlier this week, and didn’t see any outstanding things myself there. In saying that, we would like to just call a quick recess just to go over the comments my colleague has made and the motion itself.

 

            I would like to have a clarification though - is this to not have the actual meeting with the IWK?

 

            THE CHAIR: Ms. Leblanc.

 

            SUSAN LEBLANC: Well, we’ve already had the meeting with the IWK, so this is not to cancel the meeting. My idea would not be to cancel the meeting, but rather use that meeting to call a different subject.

 

            GORDON WILSON: Okay, just in saying that, I do see that the follow-up for the 2015-2016 is potentially one that we could bring forward. I would ask if that is possible, because I think that is an extremely fruitful meeting.

 

            THE CHAIR: Mr. Halman.

 

            TIM HALMAN: Again, Mr. Chair, I believe that meeting must proceed with Ms. Amanda Whitewood. Again, this committee voted in favour of that; this committee agreed to that. When they appeared February 6th, Dr. Jangaard indicated that critical pieces of information would be absent because the chief accounting officer is not present. Let us not forget that, and let us not forget that this committee agreed to that.

 

            I believe that it is critical. Nova Scotians are waiting to get the full answers on the IWK and we have someone who has said - Dr. Jangaard - that the meeting should have been postponed on February 6th. Yet we continued with the understanding that the Chief Operating Officer would come in and answer our follow-up questions to an issue that is very important to Nova Scotians.

 

            So, Mr. Chair, again, I disagree with this motion. I am prepared obviously, to work with my colleagues on the topics that I know that they wish to advance. I want to discuss that with them, but it cannot come at the cost of this very important topic.

 

            THE CHAIR: Ms. Leblanc.

 

            SUSAN LEBLANC: Mr. Chair, I’m wondering if we could - I want to clarify Mr. Wilson’s comments and just ask the Auditor General. If I’m understanding what Mr. Wilson is proposing, the Auditor General follow-up reports would possibly be able to be presented and we would discuss them at the April meeting. Could the Auditor General speak to the possibility of that?

 

            THE CHAIR: Mr. Pickup.

 

            MICHAEL PICKUP: Sure. We tabled the follow-up report on the 2015 and 2016 audits on March 26th, so if the committee wishes, I would be available to come in April 10th and talk about the follow-up report. That’s up to the committee of course.

 

            THE CHAIR: Mr. Wilson.

 

            GORDON WILSON: Yes, thank you for that information. Can we take just a quick two-minute recess? I know we’re getting close to the hour and, if everyone is in agreement, we would go over the time allotted.

 

            THE CHAIR: Is everybody okay with that?

 

            Yes, we will have a quick five-minute recess.

 

            [10:53 a.m. The committee recessed.]

 

[10:56 a.m. The committee reconvened.]

 

            THE CHAIR: Order, please. We’ll bring the meeting of the Public Accounts Committee back to order.

 

We have a motion on the floor that the committee not call Ms. Amanda Whitewood, the chief operating officer of the IWK, to appear as a witness for the April 10th meeting.

 

Is there any further discussion? Mr. Halman.

 

            TIM HALMAN: For the life of me, I don’t know why the NDP and the Liberals are trying to prevent a key witness coming forward. I don’t know what happened at the IWK. Nova Scotians don’t know what happened at the IWK. Dr. Jangaard indicated that it was very important that she was present. We agreed as a committee. We voted to have the chief accounting officer present.

 

I don’t know why these two Parties are working together to block a key witness on a topic that matters to Nova Scotians, so I disagree with this.

 

            THE CHAIR: Ms. Roberts.

 

            LISA ROBERTS: I’m very mindful of the work that this committee is tasked with doing, and I’m aware of the Auditor General coming forward with his follow-up report, as well as with his Spring report, and with the desire to not delay hearing from those reports, which will be new and which will be based on months of work within the Auditor General’s Office.

 

We did hear from the IWK in a full session. Yes, there was a witness missing. However, I feel like we did examine that issue fulsomely. I think that the best use of our time would be to hear from the Auditor General and examine the follow-up report. Otherwise it is sitting for a month and some until we have it scheduled. That will allow us to then make the best use of our scheduled meetings following that to do the follow-up, to hear from departments and so forth.

 

            TIM HALMAN: There was a reason why that meeting was requested to be postponed. Dr. Jangaard indicated that key testimony would be absent. We voted to have that meeting rescheduled, and it was agreed upon. So are we now at the point where we’re breaking our own rules? (Interruptions)

 

            No, this is serious. If we’re going to move forward with this, then the Liberals who have imposed these rules - they’re now breaking their own rules, and the end result is basically hiding the IWK expense scandal. That’s what this motion means. Stop and think, right?

 

            We have Dr. Jangaard saying we should have the Chief Operating Officer present. Why not move forward? Why not honour what was agreed upon? For the life of me, I can’t understand this motion.

 

            SUSAN LEBLANC: When we were informed of that meeting, that Ms. Whitewood would be missing from the meeting, in an email exchange in advance of the meeting, I voted to postpone the meeting because I agree that it would have been an excellent combination of witnesses to hear from at the same time. Dr. Jangaard did flag that Ms. Whitewood would be an important witness to be there in advance of the meeting in the email that let us know that Ms. Whitewood was sick.

 

Following the meeting and looking at the transcription of the meeting, we have since discussed and feel that we have adequately heard from the IWK on the expense scandal. In no way do I believe that our motion today is, as Mr. Halman is putting it, being put in an effort to cover up an expense scandal.

 

            I love an expense scandal as much as everyone and if there is one to be explored, then I’m all for it. However, I don’t think that calling Ms. Whitewood would answer that question and I think we need to hear from the Auditor General on the follow-up reports. We have limited meetings - we have to make the best of the meetings that we have.

 

            TIM HALMAN: It is certainly my position that the meeting that was agreed upon with Ms. Whitewood is in the public’s interest. As I have indicated, I don’t know fully what’s happened at the IWK, key pieces of information are missing. There are a few occasions where the witnesses that day can only take us so far in their responses. I believe Nova Scotians want to know what transpired, so I believe this motion is so unnecessary. I think we should be honouring that meeting, that meeting should be going forward, and I will not support this motion.

 

            GORDON WILSON: I guess there’s not much for me to say other than what’s been said by the NDP. I do agree with every point they’ve brought forward. I would also like to note that in our earlier committee business there was only one unanswered question from that, and that question did get answered in the form of correspondence that we received. We’re very supportive of this and move forward.

 

            TIM HALMAN: Look at the jam we’re in now. This is the result of the Liberals limiting the meetings. This was my biggest fear, that we can’t have meaningful discussions in this committee because now we’re so limited in scope. It’s going to be problematic moving forward.

 

This motion, again, we’re now at a point where the Liberals are breaking their own rules, supporting this. I can’t be in favour of this. Let’s keep in mind please, that the witnesses recommended the chief operating officer to be present and we agreed that this would happen. And now we get this motion coming forward. I can’t support that.

 

            THE CHAIR: There will be no further discussion. Would all those in favour of the motion not to call Ms. Whitewood - there has been a call for a recorded vote.

 

Mr. Hebb.

 

            GORDON HEBB: I couldn’t hear what his question was.

 

            THE CHAIR: Mr. Jessome.

 

            BEN JESSOME: I would like clarification through the Chair, to our counsel, on whether or not the Chair supports the recorded vote or there are two members required, that sit on this bench in the committees, to initiate a recorded vote.

 

            GORDON HEBB: It’s sufficient for one member to request the recorded vote in the committee.

 

            BEN JESSOME: Thank you very much, Mr. Hebb.

 

            THE CHAIR: We’ll now have a recorded vote, beginning with Mr. MacKay.

 

            YEAS                                     NAYS

 

            Mr. MacKay                           Mr. Halman

            Mr. Maguire

            Mr. Jessome

            Ms. Lohnes-Croft

            Mr. Wilson

            Ms. Roberts

            Ms. Leblanc

 

            The motion is carried. Ms. Whitewood will not appear at the IWK meeting on the 10th.

 

            Ms. Roberts.

 

            LISA ROBERTS: I just want to clarify with the Clerk before we leave. So the follow-up report will be scheduled for April, leaving us an opportunity to schedule something else in May, possibly arising from that report? Okay.

 

            THE CHAIR: If that is the wish of the committee, that’s what we’ll ask the Clerk to do.

 

            The next meeting will be April 10th and, if possible, the follow-up to the Auditor General’s Report, 2015-2016.

 

            The meeting is adjourned.

 

            [The committee adjourned at 11:06 a.m.]