June 9, 2021
Standing Committees
Public Accounts
Meeting summary:

By video conference

Witness/Agenda:
Fraud Risk Management and Cybersecurity
2020 Report of the Auditor General

Department of Finance and Treasury Board
Geoff Gatien, Associate Deputy Minister

Department of Service Nova Scotia and Internal Services
Joanne Munro, Deputy Minister

Public Service Commission
Andrea Anderson, Commissioner

Fraud Risk Management Committee
Ted Doane, Executive Director, Internal Audit Centre

Topic(s) to be discussed:

 

 

 

HANSARD

 

NOVA SCOTIA HOUSE OF ASSEMBLY

 

 

COMMITTEE

 

ON

 

PUBLIC ACCOUNTS

 

Wednesday, June 9, 2021

 

Video Conference

 

 

Fraud Risk Management and Cybersecurity

Re: 2020 Financial Report of the Auditor General

 

 

 

 

 

 

 

 

 

 

Printed and Published by Nova Scotia Hansard Reporting Services

 

 

 

Public Accounts Committee

Elizabeth Smith-McCrossin (Chair)

Hon. Gordon Wilson (Vice-Chair)

Hon. Karen Casey

Hon. Leo Glavine

Bill Horne

Rafah DiCostanzo

Tim Halman

Lisa Roberts

Susan Leblanc

 

[Hon. Gordon Wilson was replaced by Hon. Geoff MacLellan.]

[Hon. Karen Casey was replaced by Hon. Kelly Regan.]

 

 

 

In Attendance:

 

Kim Langille

Legislative Committee Clerk

 

Gordon Hebb

Chief Legislative Counsel

 

Kim Adair-MacPherson,

Auditor General

 

Morgan McWade,

Assistant Auditor General

 

Janet White

Audit Principal

 

 

 

 

WITNESSES

 

Department of Finance and Treasury Board

Geoff Gatien,

Associate Deputy Minister

Robert Bourgeois,

Executive Director - Government Accounting

Jennifer Sanford,

Director - Capital Markets

 

Department of Service Nova Scotia and Internal Services

Joanne Munro,

Deputy Minister

Natasha Clarke,

Associate Deputy Minister and Chief Digital Officer

 

Public Service Commission

Andrea Anderson,

Commissioner

Suzanne Ley,

Executive Director - Corporate Services

 

Fraud Risk Management Committee

Ted Doane,

Executive Director - Internal Audit,

Service Nova Scotia and Internal Services

 

 

 

 

 

 

 

 

HALIFAX, WEDNESDAY, JUNE 9, 2021

 

STANDING COMMITTEE ON PUBLIC ACCOUNTS

 

9:00 A.M.

 

CHAIR

Elizabeth Smith-McCrossin

 

VICE-CHAIR

Hon. Gordon Wilson

 

 

THE CHAIR: I’d like to call to order the Public Accounts Committee this morning. My name is Elizabeth Smith-McCrossin. I’m the MLA for Cumberland North and I will be chairing the meeting today.

 

A few reminders before we start, even though we have all been doing these Zoom meetings for a while. Please keep your video on during the meeting. Keep your microphones muted until you are called upon to speak. Please wait until I have recognized you to unmute your microphone, and indicate your wish to speak by please raising your hand.

 

Finally, just a reminder to keep our phones on silent or vibrate during the meeting.

 

I will now ask all of our committee members to please introduce themselves. We will start with Mr. Glavine.

 

[The committee members introduced themselves.]

 

THE CHAIR: On today’s agenda, we have some special guests with us from the Department of Service Nova Scotia and Internal Services, the Department of Finance and Treasury Board, the Public Service Commission, and the Fraud Risk Management Committee to discuss fraud risk management and cybersecurity from the 2020 Financial Report of the Auditor General’s Office.

 

Also, just a reminder before we get started that it was polled among the committee and agreed to have Associate Deputy Minister Geoff Gatien attend on behalf of Deputy Minister Dean for today’s meeting.

 

Now I’d like to go ahead and ask our witnesses to please introduce themselves and I’ll begin with asking Associate Deputy Minister Gatien to introduce.

 

[The witnesses introduced themselves.]

 

THE CHAIR: Before we go into opening remarks, I’d just like to welcome Minister Geoff MacLellan with us here this morning. Would you like to introduce yourself?

 

HON. GEOFF MACLELLAN: Hi, Madam Chair. Yes, thanks. Good morning. Geoff MacLellan, MLA for Glace Bay.

 

THE CHAIR: Great. Thank you for joining us today. Now I’d like to invite Deputy Munro to make her opening comments, and she’ll be followed by Mr. Doane. Go ahead.

 

JOANNE MUNRO: Thank you and good morning, Madam Chair and committee members. I’d first like to acknowledge that though we’re attending this session virtually, we are in Mi’kma’ki, the traditional territory of Mi’kmaw people. I’m looking forward to our time with you this morning.

 

Before we start, though, I do want to mention that Natasha Clarke, our Associate Deputy Minister and Chief Digital Officer, leads the Nova Scotia Digital Service, a division within Service Nova Scotia and Internal Services. Ted Doane, the Executive Director for Internal Audit, reports to the Deputy Minister’s Audit Committee, of which I am the Chair.

 

We’re very pleased to join you this morning and we are looking forward to today’s discussion and the opportunity to answer questions about fraud risk management and cybersecurity relating to the December 2020 Financial Report of the Auditor General. We will answer your questions to the best of our ability. For any question that we cannot answer, we commit to providing you with the information in a timely manner.

 

As the Deputy Minister of the Department of Service Nova Scotia and Internal Services, I assumed the responsibility of both fraud risk management and cybersecurity about two years ago, when the Office of Service Nova Scotia merged with the Department of Internal Services. Our department is now one of the largest departments in government. We are a team of more than 1,500 employees. Collectively, the department brings together the end-to-end expertise needed to achieve a unified and coordinated approach to client service and the technology and processes that support it, with a focus on excellence and innovation.

 

Madam Chair, I was pleased to see the Auditor General Report’s recognition of the department’s achievements to date related to cybersecurity and the progress being made with fraud risk management. These are both important areas of our department’s work. We recognize there is more work to do in these areas and welcome the opportunity to talk about some of the specifics today.

 

Cybersecurity and managing risk are global realities. We face it at work and we face it in our personal lives. Every citizen, government office, private business, et cetera across the globe has a role to mitigate risk. From the Province’s perspective, we are constantly monitoring and updating systems. We work closely with our partners, both internal and external to government, including our health colleagues.

 

We have a dedicated team of experts. They are diligent, talented, motivated to doing all they can do to protect us against risk. Keeping our provincial IT systems and assets safe is their priority. We also work closely with the Canadian Centre for Cyber Security and learn from and collaborate with other jurisdictions on how best to respond and to react to threats.

 

We also look forward to speaking with you today about how we support our colleagues across government in the area of fraud risk management through fraud reporting, awareness training, and conducting investigations.

 

Thank you for the invitation to join you today. I’ll now turn you over to Mr. Doane for his opening remarks.

 

THE CHAIR: Thank you, Ms. Munro. Go ahead, Mr. Doane.

 

TED DOANE: Good morning. My name is Ted Doane, I’m the Executive Director for the Province of Nova Scotia’s Internal Audit Centre. In addition to the delivery of internal audit services, our team supports fraud risk management at a corporate level for government departments and certain Public Service units.

 

I’m also Chair of the Fraud Risk Management Committee and I’m representing them at this meeting. This committee includes members from across government and supports the Deputy Ministers’ Audit Committee in overseeing and providing direction for the Fraud Risk Management Program. Both committees are committed to a strong ethical workforce and culture.

 

The Fraud Risk Management Program is comprehensive and follows leading practices. It’s supported by experienced and qualified staff, and an effective governance structure. The program includes the fraud policy, reporting and investigation procedures, and mandatory fraud awareness courses, which we established in 2017.

 

The program also includes fraud risk assessments to identify and assess fraud risk scenarios, to evaluate internal controls, and to implement recommendations that reduce fraud risk. We work with government departments and organizations, providing them with consulting services and resources to help them complete assessments as part of their work to oversee their own fraud risk management programs.

 

In November 2020, the Province launched its fraud reporting service that allows employees to report fraud to a third party. The system should reduce the Province’s losses and allow for quicker detection of fraud.

 

Year over year, our program continues to evolve and improve, and the program’s currently receiving a lot of positive interest and feedback from other Canadian jurisdictions.

 

We appreciate the interest from the Office of the Auditor General in the importance of fraud risk management across all government departments and agencies. We welcome this morning’s opportunity to talk about our role and how we support departments and organizations with their fraud risk management programs.

 

THE CHAIR: We’ll now open the floor for questions. Just a reminder when asking your question to please indicate which one of the witnesses you would like to respond. We’ll start with 20 minutes of questioning from the PC caucus. Please go ahead, Mr. Halman.

 

TIM HALMAN: Mr. Doane, Deputy Minister Munro, thank you very much for your opening remarks. To all staff with us here today at Public Accounts Committee, thank you for the ongoing work you are doing to support the residents of Nova Scotia. I’d also like to reiterate Deputy Minister Munro’s statement that we are on the unceded and traditional territory of the Mi’kmaw.

 

This is a very timely, relevant topic that is before our committee today. As was outlined in your opening remarks, Deputy Minister Munro, fundamentally the question that I think is on the minds of Nova Scotians is how are we managing and mitigating risk? Fraud risk management, cybersecurity. It is a very relevant topic and quite frankly, in the two and a half years I’ve served on this committee, I believe this is one of the most common topics we’ve had before Public Accounts, which just shows how relevant this topic is.

 

Certainly, in the last 15 months during the pandemic, we’ve seen a lot of issues emerge with fraud risk management. We know the Canadian Centre for Cyber Security issued an alert about elevated risk faced by health organizations in response to the national response to COVID. There has been a rise in attacks targeting the health sector. Here in Nova Scotia a recent example includes phishing emails from individuals purporting to be the CEO of Nova Scotia Health Authority. Back in March of 2021, we saw Nova Scotia health care workers, their personal data, there was a security breach there.

 

I actually had to spend a Saturday morning filling out an application to Equifax because my late wife was a Nova Scotia Health Authority employee, and my family receives her pension. Talk about it becoming real for me, the breaches that have happened. We have seen in Ontario, a senior public servant charged after allegedly embezzling $11 million from the government that was intended for COVID-19 relief. We’ve seen at the federal level $9 million being sent out to deceased Canadians as part of the CERB.

 

[9:15 a.m.]

 

We know, as you’ve said, as a nation, as a province, globally, that cybersecurity and fraud risk management are major issues. Given the amount of money that’s been spent during the COVID-19 relief programs here in Nova Scotia and at all levels of government, I think we’re all agreed it’s extremely troubling that a majority of government departments and Public Service units here in Nova Scotia are yet to complete a fraud risk assessment. We know 59 per cent have not completed the fraud risk assessment from the Office of the Auditor General.

 

Deputy Munro, could you provide the rationale of why this would be - that 59 per cent have not completed the fraud risk assessment - since the Office of the Auditor General had identified this as an issue in 2019?

 

JOANNE MUNRO: The importance of our Fraud Risk Management Program is key obviously, and the completion of fraud risk assessments is one portion of how we shore up our efforts regarding fraud in the Public Service.

 

I do know that part of the program, and I’ll let Ted speak to the fraud risk assessment portion and the program around that, is also the education and training. I am pleased to say that as part of shoring up our efforts around fraud risk management, we are now in 80 per cent as of May 2021 for employees completing mandatory fraud risk assessment training, and 84 per cent for our managers. Understanding that the Fraud Risk Management Program has lots to do with policy, process, procedures, and controls, the assessments that we have put in place are helping our department be aware of the abilities for fraud to occur.

 

On the completion, we have made progress in this last year. I know we need to do more, and I defer to my colleague, Mr. Doane, to talk to the specifics of what we’re doing around fraud risk assessment. I do want to share that we get a quarterly update at the Deputy Ministers’ Internal Audit Committee around our progress on investigations, on fraud risk assessment completion, on training, and that reporting is robust and provided to us on a quarterly basis. That certainly brings awareness to departments’ accountability in completing not only the mandatory training, but also the fraud risk assessment, and from there we can continue to follow up with our colleagues, which I like to do, on a regular basis.

 

We certainly understand the importance of the fraud risk assessment completion, and there are some nuances to that. If I could ask my colleague Ted to add on to my comments.

 

TED DOANE: Just to build on that. Fraud risk assessments are an important component of our Fraud Risk Management Program, and as the deputy mentioned, there are a number of elements to supporting fraud risk.

 

A lot of people don’t necessarily know what a fraud risk assessment is, so it’s important to understand what it is we’re actually encouraging departments and other government units to do. If you consider your home and security around your home, we have windows and doors with locks, we could have security systems, and we could have lighting. Those are really controls that we have and measures that we’re taking to prevent somebody from breaking into our homes.

 

When we are doing a fraud risk assessment, it’s the same thing. We’re trying to assess our risk and look for fraud risk scenarios in the departments or in other government units. So we go to the front lines. We are very interested in talking to the people who are actually on the front lines, because they understand where a lot of those fraud risks are. We try to build an inventory of what the scenarios could be and then we rank the risks, looking at the impact and likelihood of a fraud occurring. Then we could take the results of that and they can use that to build controls in the areas that are at highest risk for their units.

 

Right now, we are currently working on five fraud risk assessments. We recently, in the last year, completed three. What we do is support departments at their request and we can do fraud risk assessment within our team. We have people who are certified fraud examiners and they have the appropriate experience to complete those assessments. We have a fraud risk assessment framework that we use so that all of our assessments are consistent with each other and could be comparable and follow standards. As well, we have a firm on standing offer - a third party - because we don’t have the resources to do all of the fraud risk assessments ourselves, and we can reach out to them and ask them to support us as well. We do that regularly.

 

We’re pleased with where things are going. It’s also good to understand that fraud risk assessment does take time. It probably takes four to six months from start to finish to plan, execute, and complete a fraud risk assessment. Once it’s completed, the process is not over. We still have to manage the risks that are identified. In addition to that, a fraud risk assessment needs to be refreshed on a regular basis, so perhaps every two to three years, you have to go back in and reassess those risks and reassess the controls that are supporting those risks.

 

From our perspective, we’re continuing to support fraud risk assessment. We feel we’ve got a very competent team to support that effort and are really pleased with the momentum and progress that we have in place.

 

TIM HALMAN: With respect to those departments that are lacking fraud risk assessments, can you provide an update - either Mr. Doane or Deputy Munro - on what controls are in place now to ensure that funds intended to provide supports to Nova Scotians during COVID have not been misappropriated?

 

TED DOANE: From what we understand, there is an increased risk of fraud related to COVID, and COVID is something that we need to remain aware of. Controls are changing. We have people who are working from home and there could be other changes in control we need to be aware of. We’re supporting fraud risk management at a corporate level, so we’re actually available to departments and other government units to support them if they want to proceed with a fraud risk assessment and provide them with those resources.

 

We actually don’t have the specific details of their internal controls for managing COVID, but we have made ourselves available and we are currently working, as I said, with five specific areas completing fraud risk assessment where we will build a strong inventory of controls that they can be managing into the future.

 

That’s the important thing about internal audit: being available and being a resource for others within government who would like to pursue those types of investigations further.

 

TIM HALMAN: I appreciate that response, Mr. Doane, because my understanding is not all government agencies are mandated to implement fraud policy. Certainly, I think that begs the question: to what degree do we need a unified and coordinated approach to fraud risk management and cybersecurity?

 

Mr. Doane, would you be able to tell us which government departments have approached you and the committee to seek advice on how best to mitigate and manage these risks? What government departments have approached you for that advice?

 

TED DOANE: I’d just like to clarify. Do you mean over the last 10 years, or are you referring to . . .

 

TIM HALMAN: The last 15 months, with respect to COVID expenditures. Has the Department of Finance and Treasury Board approached you, for example, to say, hey, how do we best mitigate and manage the potential for fraud here?

 

TED DOANE: Finance and Treasury Board actually has a fraud risk assessment completed, and I know that they have people within their team, actually even others probably on the call today, who are keeping their eye on that and keeping that updated.

 

There are departments that we’re looking at now. We’ve got some in progress. We completed some work recently for the Department of Immigration and Population Growth, and I know that we’re working with others such as the Department of Agriculture, the Department of Fisheries and Aquaculture, and then we’re working with some other government areas as well to complete their fraud risk assessments.

 

We’re also always in communication with departments, because there are other areas of government that may complete their own fraud risk assessments, so I know that there’s planning happening in the Public Service Commission for them looking at completing the fraud risk assessment, and there are regular discussions in the other departments too, as well as when they might want to complete those in the future.

 

We try to line them up based on the resources we have available to support them, both ourselves, and if we can reach out to a third party. There are also other departments - I think it’s the Department of Lands and Forestry have their own team on the ground who are willing to complete the fraud risk assessment and reached out to us to help them with their fraud risk assessment framework. We would be supporting them in how they could use their experienced people to complete fraud risk assessment.

 

TIM HALMAN: As I indicated in my opening remarks, I think many of us here in Nova Scotia have seen reports from elsewhere in Canada in which funds may not have been used for their intended purposes. I cited some examples. The federal government sending out over $9 million to individuals who were deceased. We know there’s a case of a senior bureaucrat in Ontario accused of embezzling $11 million of COVID support funds.

 

I’d like this question now to go to Associate Deputy Minister Geoff Gatien at Finance and Treasury Board. Can you outline for Nova Scotians, can you tell us what measures have been put in place to mitigate and manage fraud with respect to the COVID expenditures in the last 15 months? To what degree of confidence can you say that there haven’t been any similar occurrences here as I outlined in my opening remarks?

 

GEOFF GATIEN: I can certainly say with a high degree of confidence that I have a lot of faith in the processes that we have in place. There’s been an acknowledgement of heightened focus on our controls. I think there has been a heightened focus that many of the controls that we’ve had in place for a number of years have to take a slightly different form when we have employees who have now had to start working from home rather than going into the office. There have been a little bit more approvals by electronic process.

 

One of the things that I’m quite proud of from the Finance and Treasury Board perspective, but building on some of your earlier questions as well - with our completed fraud risk assessment, with the fraud training that has been available, our staff have had a very high completion rate. On the fraud training, I think we’re 88 to 90 per cent complete. We’ve also enhanced the employee code of conduct for Finance and Treasury Board for all staff, so there’s an annual sign-off that they have to abide by the code of conduct. There’s a lot of information that comes through, a lot of transactions, so it’s something that we’ve taken very seriously.

 

Through this, the other structure that we have with Finance and Treasury Board is, we have executive directors and what we call financial advisory services units that support all of the departments and the offices. We have representation at senior management tables at all of these departments. They’re among the people who have completed the training, deciding the code of conduct under our umbrella of our completed fraud risk assessment.

 

[9:30 a.m.]

 

Fraud is always a risk. I can’t say that there haven’t been instances of fraud, but I can say that we have heightened focus. We have regular monthly forecasting that goes on. We have the Treasury Board office involved with reviewing departmental submissions. We have finance staff and deputy ministers signing off on their forecasts. So we have a lot of regular controls, I would say, that function well.

 

When people are attuned to these risks and the circumstances that we have been experiencing for the last 15 months, I have a very high degree of confidence that Finance and Treasury Board has been engaged. We have been met with nothing but co-operation with the departments we serve, working with Ted Doane when there are some questions that come up. I know there has been some back and forth.

 

I’m going to pause there and see if that has answered your question.

 

TIM HALMAN: I appreciate that response. Certainly, as you’ve outlined, there are regular controls at Finance and Treasury Board. My follow-up to this flows from the report from the Auditor General that not all government agencies are mandated to implement a fraud policy. I don’t know who is best to answer this so I’ll let you decide.

 

To what extent do we need a unified and coordinated approach to fraud risk management? It sounds like there is a bit of patchwork here, if I’m understanding this correctly. Various departments have this standard and that standard. Should we have a coordinated and unified approach to fraud risk?

 

JOANNE MUNRO: I’ll certainly start off, because departments and offices are required under Manual 200 to have a fraud risk management policy and we have what I would call our centre of excellence or our coach, if you will, in the Internal Audit Committee to help put those frameworks in place and make sure that they are working through their actual Fraud Risk Management Program.

 

We certainly don’t have oversight or authority with other government agencies, boards or commissions, but I do know that we have supported and helped on a regular basis when they’ve come in to ask questions or looked to use our tools.

 

I do know that we have had some work most recently with the IWK and maybe I could ask my colleague Ted just to share that with you so that you understand that we do have a helping hand in other areas of government bodies.

 

TED DOANE: That’s right, we do have a structured Fraud Risk Management Program. That helps us in a very structured way to work with other areas of government around their fraud risk management. With the IWK, certainly we listen to their needs and we’re supporting them with the development of an internal audit function and we’re putting two people in place to support their internal audit function into the future.

 

Again, it just shows our ability to work with other areas of government to support their needs beyond just the departments and Public Service Commission, which has traditionally been our area of focus.

 

THE CHAIR: Thank you very much, Mr. Doane. Now we’ll move on for 20 minutes of questioning with the NDP caucus. Ms. Roberts.

 

LISA ROBERTS: Thank you all for being here with us today. I may ask some questions about fraud risk later but I’m going to start with a focus on cybersecurity.

 

Three years ago, in the Spring of 2018, the Department of Service Nova Scotia and Internal Services was responsible for a system that resulted in a very large data breach with more than 7,000 documents, including some containing very personal information, exposed.

 

The Auditor General found that the department’s IT risk management process was inadequate, obvious risks were not identified in that process that’s used to develop and implement new software, and the public Freedom of Information website was poorly managed.

 

The report by the Office of the Information and Privacy Commissioner stated that the system’s design flaw created a “well-known and foreseeable vulnerability”, and that a full security assessment revealed more than two dozen other vulnerabilities that the department was unaware of. When the commissioner was speaking on the day that report was released, Ms. Tully indicated that in order for this to happen, there would have had to be quite a few people doing quite a poor job.

 

The Auditor General’s Report from December 2020 found that Service Nova Scotia and Internal Services still had not finalized regulations regarding cybersecurity and that the government-wide cybersecurity risk register is still under development. My question to Deputy Minister Munro: Why have these critical tasks not yet been completed, and what is the update on the timeline?

 

JOANNE MUNRO: There’s a lot in that question. I’m going to start with really the learnings I guess from the breach in 2018 and what we’ve done to shore up on the go-forward.

 

Certainly we know it was a significant event and an opportunity for us to get better and to learn from it. We accepted all recommendations from the Auditor General and the Office of the Information and Privacy Commissioner. Certainly there were three areas that they focused in on that we needed to look at and shore up: risk management, project management, and contract management. We needed to strengthen those areas.

 

There has been a lot of work. We launched the new FOIA service in January of 2021, and there was a lot of work associated with those recommendations put into place and are living and breathing and will now carry on into all our regular work when it relates to new systems and new implementation.

 

If I could ask my colleague Natasha Clarke to speak specifically about this one around the process protocols and the strengthening of those three areas, and then we can move into those other two questions that you had, Ms. Roberts - if that’s okay with you and Madam Chair.

 

THE CHAIR: Ms. Clarke.

 

NATASHA CLARKE: Just to speak to some of the controls that have been put in place, certainly we don’t want to experience a breach that has had that type of impact on the citizens of Nova Scotia again in the future.

 

There is one body in particular that we have that is essentially a gate that decides whether or not a new system will go live to be accessible for use by Nova Scotians, called the Architecture Review Board. Really that’s actually just a committee, if we want to think about it that way, made up of a multi-disciplinary group of people from a number of parts of the business and organization.

 

The two critical parts that came out of again the learnings from this particular incident was the final sign-off from our privacy folks and our security folks. They have to feel that the due diligence has taken place in terms of the type of assessments, but also testing before a system goes live - that didn’t exist previously. The types of things that the committee now will look for is, have we completed that privacy impact assessment and have all the mitigations been made? Have we completed a threat risk assessment, which is a security assessment that looks at data and any other vulnerabilities, has that been completed?

 

Then a step further: have we also completed things like vulnerability testing and penetration testing, which is essentially where it’s like that white-hat hacking, where we pay people or we have team members that really try to attack the system as if they were the bad guys. Again, those were some of the things that perhaps hadn’t happened fulsomely in the past.

 

Those pieces now are a part of that rigorous process to ensure that when we are delivering a service, those considerations are taken into effect and that we are aware and have closed the vulnerabilities that have been drawn to our attention from those processes.

 

We have also tightened up our contracting. When we contract with external vendors to include additional security and privacy requirements, now there are obligations around them to meet certain levels of security requirements, especially if they are hosting the service in their environment or in their infrastructure in the Cloud, as well as expectations around privacy or potentially in auditing so that we can ensure that the standards that we’ve asked them to adhere to are being upheld.

 

LISA ROBERTS: One of the findings in the Auditor General’s Report on that data breach was that an expert group within the department was not adequately consulted on potential risks or mitigation strategies. I’m wondering if you could just speak a little bit more to not just processes and structures but also culture within the department to ensure that expert advice is sought and appropriately addressed when projects are being undertaken.

 

THE CHAIR: Ms. Roberts, who would you like that question directed to?

 

LISA ROBERTS: I think we can start with Deputy Munro again and she might defer to one of her colleagues.

 

THE CHAIR: Thank you. Ms. Munro.

 

JOANNE MUNRO: I think you’re referring to the Architecture Review Board, which is where the experts would sit, and the broadening of that, so I will let Natasha speak to that more specifically.

 

I would like to add to your other question related to where we are with the recommendations, and I’d like to say that all are completed with OIPC and we had regular update meetings with that office. There was one outstanding that related to inventories of solutions and applications across government, and that’s really ongoing work and we have plans, obviously, within our department to be ongoing and to identify the risks and address those risks with continuous improvement activity. So I am pleased to know that we have completed the OIPC’s recommendations and one is an ongoing operational continuous improvement.

 

Back to the ARB, which is where the work of that recommendation landed. Natasha.

 

NATASHA CLARKE: Ms. Roberts, the question about culture really hits at my heart strings. As Nova Scotia’s first Chief Digital Officer - and I point that out because I think it’s an important nuance in terms of what this role really means - this role is focused on not just technology.

 

Digital isn’t just about tech. It’s actually about building a stronger and trusted relationship with the people we serve by putting humans and the people we serve and provide services to at the heart of everything that we do. Why that’s important is that we are in a transition to being more of an internet-era organization. What that means is that we have teams of people who are multidisciplinary.

 

To your point - again, I wasn’t in the seat when the event happened, but what I can say to you is that we are building a culture and a practice in the organization where we bring all of the disciplines to the table to make sure that we’re driving the best solutions for the user. In this case, it could be the citizen. It could also be for other public servants.

 

Security and privacy are critical and they are brought in at the beginning. It’s not an afterthought. It’s not something we try to bolt on at the end, right? Perhaps that was some of what was happening in the past. What we usually call that is security and privacy by design. As we’re understanding the needs of the user, what’s the minimum viable solution that somebody needs to meet their program outcomes or to achieve or get access to a service or the really important things that they need? Are we making sure that we’re taking those considerations of privacy and security at the same time that we’re looking at policy and legal and the technical pieces, all at the same time, all building it towards a best solution for the user, for the people who are using our services, for the humans?

 

I think for me it’s also about empowered teams, that they are empowered to make good decisions. They know what the rules of the road are. We’ve given them good principles and approaches so that they can make the best judgment calls for the user, taking into consideration those security and privacy experts’ views, and then pairing that with the control of an ARB, or Architecture Review Board.

 

It can’t be just about controls. We want to make sure that everybody is thinking about security of the services we’re building right from the beginning, whether I’m the cybersecurity expert, whether I’m the developer, or whether I’m a privacy person. We’re thinking about all those things as we’re designing excellent public services.

 

LISA ROBERTS: I am not entirely clear what the relationship is between the Architecture Review Board and the cybersecurity risk register, and I wonder if Ms. Clarke could explain how those two pieces interrelate.

 

[9:45 a.m.]

 

NATASHA CLARKE: Our cybersecurity team, as I talked about, complete activities when we’re building new projects or we’re making alterations to existing systems, so again, pointing to that was also a change that was made because of an FOI breach. We aren’t just looking at new things, but also when we are making alterations to existing services.

 

When that work is undertaken and that multidisciplinary team starts to do their work, they have to complete things like threat risk assessment. Through that risk assessment, we identify those risks that we need to track and mitigate and then minimize the impact of. That is where that cybersecurity risk register comes into play. That’s where we are monitoring and tracking those risks, as well as other risks that we’ve identified, whether it be in our infrastructure or other mechanisms that we need to track to make sure that we have a secure foundation.

 

That risk register would play into the decision processes of the ARB, so they are very linked because they are the same people, the same decision makers that are a part of that process.

 

LISA ROBERTS: That helps me a little bit. Then the risk register, which I’m understanding is in some earlier age, some non-digital age, like a registry might have actually been a book where you would write down all the different risks - I’m understanding this as more of a committee and maybe a database. I’m not the most digital person at all, I know I would be a bit lost in your particular role, but I’m just trying to understand it.

 

Is it a place where risks are noted and there is then a process with timelines and check-backs? As a corollary to that, I’m just thinking about with what happened with government in the past 16 months in the COVID era, where so many things that were not possible online became possible online, including these meetings. How were those bodies engaged in real-time assessment and mitigation of risk?

 

NATASHA CLARKE: To answer the first part of the question, I think your analogy is perfect. It’s a place in which we’re tracking those identified risks, what actions we think are needed, or what are the actions that are needed to minimize or actually eliminate the risk.

 

Sometimes it might be that a different type of coding or a different type of technical piece needs to change and then the risk goes away, because maybe the hole is closed. If we’ve got a hole, we’ve identified that there’s a hole in the solution, we’ve got a way that we can either technically fix that, or we can fix it through a process, and then we close the hole, it doesn’t exist, and that vulnerability goes away.

 

That register helps us to understand if there’s anything outstanding, and it’s used in the decision process of going live or not going live with something. If the security team does not feel comfortable with the strategies that have been put in place or the closing of the holes, then the service is not allowed. It’s not approved to go live. That answers that first part of the question.

 

In terms of the COVID response, part of the work that we’re doing at the Nova Scotia Digital Service - and we are a new organization, formed a year and a half ago where we merged together two teams - what we’re focused on is bringing internet-era ways of working into government. Internet-era ways of working aren’t new to the rest of the globe but they are a shift from what I would say is a traditional IT organization to adopting new ways of doing things.

 

I’ll give you an example. Through COVID, why we were able to move so quickly is that we had technology and technical spaces that were already security-pre-approved. Security and privacy, we had already done all of those due diligences in advance: the threat risk assessment, the privacy impact assessment, the vulnerability testing, the penetration testing.

 

If you think about it, it’s a Lego block that we’ve already made sure is secure and there are no holes in it. Then our development team is able to go inside of that Lego block and build their pieces and they don’t have to do any of that security work which can sometimes take time. They just have to do the new piece around whatever software they’re building.

 

For instance, our 811 assessment tool that citizens are using to determine whether or not they need to quarantine or as part of booking a test - we were able to deliver that in 48 hours because of the fact that we had these already-vetted and pre-approved environments that were very secure. Usually that would take a longer period of time to do that.

 

This is part of this new way of doing things: how can we deliver services that meet the needs of citizens in a timely way but yet are still very security-respecting and privacy-respecting so that these things don’t have to be a zero-sum game? It is really about a win-win-win.

 

LISA ROBERTS: Back just for a moment to Deputy Munro. Are there any outstanding recommendations from the Auditor General related to that data breach?

 

JOANNE MUNRO: As I said, we’re pleased to share that we have completed the recommendations through OIPC and the Auditor General except the one that I talked about - inventories of solutions and applications across government. That is ongoing and we have obviously plans with the NSDS to address the risks that are identified as we continue to do that work.

 

We are pleased with the completion of the recommendations and feel confident of the processes and governance that we’ve put in place to go forward as we continue to evolve the new NSDS organization and services that they provide.

 

THE CHAIR: We’ll now move to the Liberal caucus and we’ll start with Ms. DiConstanzo.

 

RAFAH DICOSTANZO: I’ll just make a little - it’s DiCostanzo. I have ten letters. I really don’t want another N. So DiCostanzo. I get a lot of DiCostanza or DiConstanzo, so I’m just trying to clarify that.

 

I believe Ms. Clarke just touched on a bit of the question that I was going to ask to Ms. Munro and she can decide who it goes to. The Digital Service that we have - this is a new digital service organization. Can you elaborate how it came about? What was the history and what does “digital service” actually mean to the average person?

 

JOANNE MUNRO: I’ll just kick it off because it was an exciting time when Service Nova Scotia and Internal Services came together at the time and now we have the Nova Scotia Digital Service within our broader department of 1,500 employees.

 

As I said in my opening remarks, we are - I’ll call us a team that’s really glued around the service agenda. It goes through every one of our divisions and there are many of them, whether it be Procurement or the Nova Scotia Digital Service or Internal Audit or citizen services or financial services or government services. The list goes on. We are connected, and because we’re now together, we have end-to-end expertise, which is needed to achieve client service, I think, along with all the technical and the processes that come in behind to build out great services.

 

Our culture, that we’re driving across our 1,500 organizations, is around excellence and innovation. I’m excited about that, because now all being under the one umbrella just gives us so many opportunities that we might not have had before.

 

I do want to ask my colleague Natasha Clarke to join in. This is something we’re very passionate about and very excited about around the new NSDS.

 

NATASHA CLARKE: Maybe what I can do is set a little tiny bit of context. The first thing I’m going to do is actually provide a definition of what I mean by digital. I think it is actually important, because if I went around this entire table, I suspect we all have a slightly different variation on that, and I think it’s important to ground us.

 

The best definition that we’ve seen out there is by a gentleman by the name of Tom Loosemore. Tom actually was one of the original founders of the first government digital service, and it’s out of the U.K., so the U.K. government digital service. His definition is, “Applying the culture, processes, business models and technologies of the internet era to respond to people’s raised expectations.”

 

You’ll notice that I talked about culture, processes, and business models. If you think about it, Netflix didn’t stay in the business of just renting VHSs and DVDs through the mail; they decided to reimagine their entire operating model, and then just so happens they completely disrupted the entertainment industry.

 

I’m not here to talk about disrupting government. We aren’t here to move fast and break things, because the services we provide to citizens are the most important services. We are serving some of the most vulnerable people, so we need to make sure we take the due diligence.

 

I think what’s important about the Nova Scotia Digital Service is that we are focused on different things. We are focused at putting humans at the centre of everything we do, so that means we’ve had to bring some new disciplines to our approach, like human-centred service design, which is really focused on empathy, working collaboratively, and co-creating services with the people that we serve, taking that very human approach, and being in their context and understanding what they need.

 

Historically, organizations would often spend hours and hours building requirements, spend two years doing procurements, maybe you’d buy something, and then four years later you implement it and hopefully it works. Typically what that meant is that we’ve built a Ferrari rocket ship, but perhaps all the user really needed was a bicycle and a ramp to get their outcome and to achieve what they needed to do.

 

This is really about taking a very different approach to the work that we’re doing. For me, it all comes down to that my most important deliverable as a public servant is trust. This is about us working in new ways to get lower-risk ways to program outcomes that our ministers and politicians can see their policies working in weeks and months and not in years.

 

This is going to take a different approach, while at the same time we have things that we have to keep operating and working in the way that we always have. I have to say, I’m incredibly proud of the work of this 650-person team. They are truly a secret weapon of awesomeness, and not my words - these are words from global experts that also have good government digital services. It’s been quoted as saying we have the best government digital service in the country of Canada, here in Nova Scotia. I think that’s something that we should really be proud of in terms of being able to deliver excellent services to citizens.

 

We have lots of work to do, I’m not going to sit here and say that we don’t, but I’m really excited and feel very passionate about this agenda and the kind of trust and relationships that we can build with the people that we serve.

 

[10:00 a.m.]

 

RAFAH DICOSTANZO: That is wonderful to hear, how advanced we are, and it always makes me so proud to see that Nova Scotia is starting different programs and that we can be a model for the rest of the country and maybe other countries as well.

 

The other question I had is: When cybersecurity attacks happen, what is the process and how do you deal with breaches? Just the steps that are taken once you hear that there’s an issue.

 

JOANNE MUNRO: I think this would be one that would be advantageous for my colleague Natasha to answer, who lives this process every day with her colleagues. I’ll ask her to respond.

 

NATASHA CLARKE: It would be important for me to share that yes, we have absolutely had cyber events. I would love to live in a world where we didn’t have to think about these things and that we didn’t have to think about organized crime or perhaps other countries that would be interested in benefiting from impacting our services and systems.

 

I will say certainly that to the best of my knowledge, in the time I’ve been in my seat, there has been no personal information of people compromised nor have we lost critical services. That’s an excellent thing and I’m going to knock on wood today, because unfortunately, organized crime and other nation states have bigger budgets than we will ever see here in Nova Scotia to attack us. However, in saying that, what’s most important - from my perspective as the leader of the NSDS - is that when we are experiencing any type of cyber event is the quick response and minimizing any impacts.

 

With that, we do have an incident response program. We have a major incident program. That major incident program is a well-oiled machine. People understand their roles and responsibilities, and when a major incident is called, everybody knows what part that they need to do and what communication needs to start happening and what action needs to be taken. In cyber events in particular, there are other specific steps that we take as part of that major incident process.

 

The first and most important thing is that we have identified that there is an issue. That can be that our monitoring has made us aware that there is an issue at hand. It could be that we’ve had a software vendor that has had a piece of their software compromised so they may let us know, and it could be that we’ve had an employee report a phishing event. I wish the phishing event was that I got to go to my hometown in the Valley and catch some fish, but unfortunately that’s not the case. Phishing is essentially when bad guys are sending you emails that look like a real thing and you click on the link and that downloads bad software.

 

Those are some of the ways in which we can be identifying that there is a potential attack or an issue that’s happening. Immediately we then go into a containment step, and what that means, it could be that we remove your computer right off of our network, it could be that we turn off servers or shut down applications so that we immediately contain wherever this little bad thing might be or this bad software might be.

 

Then our next step is to eradicate that software or the bad guys. We might then do things like install software that is basically like a bloodhound. It goes through our network and our servers to then track down the bad software and contain it, and then we can start to destroy and clean it.

 

Then the next piece for us is recovery. That might be restoring systems. We have backups of all of our data that we have in a separate location so that we’re able to recover any data if we need to. It could be installing what we call software patches, so that’s software that helps us to close gaps or holes, especially if we’ve had a vendor tell us that there’s a patch or a vulnerability in their software. We see it all the time on our Apple devices. We always get told to download the latest software upgrade. Usually it’s not just new features; sometimes it’s because they’ve identified vulnerabilities.

 

We could do things like password resets and then every event, no matter the size of it, once we’ve recovered, we then go into a lessons-learned. What’s really critical about that is it allows us to continuously improve our processes but it may also give us insights on how to tighten our security. So we do have a very robust process that again is well-understood and well-executed.

 

To keep Nova Scotians’ information and systems safe is the most critical thing. And as the leader of this team, it is certainly the thing that keeps me up at night.

 

RAFAH DICOSTANZO: Thank you for all that explanation. It is wonderful and it makes me feel really in good hands under your leadership, Ms. Clarke. I think my colleague Mr. Horne had a question and I may have something in the second round. You can pass it on to Mr. Horne if he has a question.

 

THE CHAIR: Mr. Horne.

 

BILL HORNE: Very intriguing, this whole concept of fraud and security risks and controlling those issues. It sounds insurmountable. My question is more not all about process, but now how much can you tell me about the estimates for resources? That includes money and staff. How many people in the province are working directly on this? You may say everybody has to work towards it. What kind of time limits are you trying to be able to control and prevent fraud? I guess it’s a money issue and staff issue. Maybe the deputy minister could talk about that.

 

JOANNE MUNRO: Are you specifically talking about fraud or cyber or both?

 

BILL HORNE: Both, I guess.

 

JOANNE MUNRO: Both. Okay. I’ll jump in. On the cyber front, I think Natasha would have said we can’t have a budget big enough, because the bad guys are funded on the criminal side of things and there are countries as well that are deep into this space. We have a team of 23 FTEs within the NSDS and a budget of around $6 million, I think, but really it’s not that. It’s everybody in the organization has a responsibility to mitigate risk in cyber. As well, within the NSDS team proper, it’s about our processes that support our securing the foundations, as we like to say.

 

But everybody in the organization has an accountability, and that’s why the training is so very important when it comes to cyber and we do have an intention of going broad-based across government over the next year or two years on training for all civil servants. Right now, obviously, our folks within the NSDS are trained and we’ll also look to support Health and Wellness, but from a budget perspective, it can’t be big enough. It’s about how we support the critical processes and build the culture and awareness through our training. I would say that’s the answer on cyber.

 

Then on fraud, for both of them, the most effective deterrent, if you will, is the training component and I know Ted would support this. The training within our Fraud Risk Management Program is an absolute key to preventing fraud and increasing awareness. I know it’s one factor of a few, but that training is critical and I’m pleased to say that we are at 80-plus per cent on mandatory fraud risk training. We have to look at 100 per cent is likely not possible because there are folks who retire and new folks who come in and there are folks who don’t have connection into the learning management system.

 

We’re actually doing things and working with our NSDS colleagues to find what platform or program we can use so that the snowplow operator can actually access the fraud risk management training. I’m also pleased to say that we’re in the process now of expanding our accessibility features in the fraud risk management training, so voice-to-text, text-to-voice, JAWS or Job Access With Speech - a number of other very important accessibility factors for all government employees to be able to take.

 

From a budget perspective on the fraud risk management side of things in Ted’s shop, really it’s baked into all factors within his operations. I can certainly let him speak to the number specifically of certified fraud investigators and so forth, but his budget of around $2.3 million is really to support all of our fraud risk management and help in support of other government departments and offices.

 

I’m hoping that answers your question. We all have a part to play in this. It’s not under the NSDS or Internal Audit Committee. It’s all our employees understanding the threat and understanding what their role is to mitigate. Thank you for the question. Ted, did you have anything to add or did I cover it?

 

TED DOANE: I think you covered it quite well, deputy. Just the key point is the Internal Audit Centre reports to the Deputy Ministers’ Audit Committee, and we’re structured with 21 experienced auditors. What we’re trying to do for our Fraud Risk Management Program is provide enough resources to appropriately support fraud risk management. We have certified fraud examiners on staff as the deputy mentioned. We actually have three people who are experienced and qualified to do that. We always have people who are dedicated to the Fraud Risk Management Program, and then we have other staff who are supporting it.

 

The funny thing is if a fraud arises in government, it’s all staff on board to support that. So we would move our budget resources across to support that investigation and that effort, and the team would make sure that that concluded with an appropriate effort. That’s what we’re doing and our costs really are for the fraud reporting service, our staffing, our professional development of staff to ensure they retain the top-quality abilities to support fraud. That’s my response.

 

BILL HORNE: Not really a question but just a comment. This is something that’s going to be with us forever, I guess, since it’s going to be very difficult to control and you need the expertise to look at it and have a team that really are looking at all different aspects of it. So I see this as one of the major costs of doing business in the province of Nova Scotia. I assume that’s probably fairly true. Any comments from Ms. Munro?

 

JOANNE MUNRO: I’ll let Natasha talk about the percentage of budget but I would say that yes, ongoing efforts to secure our foundations and to deal with our legacy systems is where we have to look to update and improve and refresh over the course of time, and get ahead of the risk as best we can. We’re excited about the go-forward and our new way of working. Also we need to make sure that we have our eye on the ball regarding legacy systems and how they continue to mature and have to continue - we call it care and feeding.

 

Our systems need care and feeding - and Natasha is famous for her analogies - and it’s about the farmland: if we don’t till it and feed it and nourish it, it’s going to go fallow. So from our perspective, it’s about that ongoing continuous feed and caring and that aligns to the new digital agenda, but maybe I could ask Natasha to also contribute to that question, if there’s time.

 

THE CHAIR: Unfortunately, that concludes our time for the Liberal caucus questioning, but there will be an additional 10 minutes for each caucus. I love your analogy to farming, by the way, Ms. Munro. Very timely.

 

Now we’ll move to Mr. Halman from the PC caucus for 10 minutes.

 

TIM HALMAN: Thank you, Madam Chair, and I’ll certainly pick up on the themes that have been raised with respect to cybersecurity, because definitely I think this conversation needs to keep going. I appreciate what Mr. Horne said: this situation with cybersecurity and fraud risk management is going to be with us forever. As such, obviously it’s very reassuring to hear that there’s ongoing care and actions taken to update and improve.

 

Let’s home in on, say for example, the relationship between the Nova Scotia Health Authority and Service Nova Scotia and Internal Services. My understanding is the Nova Scotia Health Authority relies extensively on SNS-IS for cybersecurity services. I guess the question is: Who is responsible to ensure there is a level of proper understanding regarding cybersecurity responsibilities among these two organizations?

 

[10:15 a.m.]

 

JOANNE MUNRO: The relationship with health care and our colleagues there is very important - not just as our partner, but because the health care system is critical to every Nova Scotian. It’s a very important relationship and partnership.

 

There are four partners in this relationship: ourselves, the Department of Health and Wellness, IWK, and the Nova Scotia Health Authority team. We have to stay close and have shared services principles. We have a common set of priorities, and our communication and collaboration among our organizations is really key to operating successfully.

 

I’m going to speak to a very robust governance structure that we have with our partners, and then I’ll certainly ask Natasha to weigh in on some of the specifics that we have around the roles and responsibilities, because I think that will provide some clarity for you.

 

On the governance side of things, there are four levels of governance, and the top level of governance is the oversight committee with our ministers and the board chairs of our four partners. There’s the governance committee, which is where I sit as a deputy, so the deputies and the CEOs of both the IWK and Nova Scotia Health Authority. Then there’s the IMIT - the Information Management Information Technology Steering Committee - and those are senior-level officials like chief operating officers and ADMs who sit around that table.

 

Then we have four working groups that feed up into the steering committee, and that’s day-to-day management, privacy working groups, IT working groups, and data governance working groups. You can see that there’s an ongoing, regular cadence when it comes to governance, and that we are all linked with an ongoing commitment to communication and collaboration and sharing.

 

If I could now defer to my colleague Natasha to go through some of the roles and responsibilities within the governance structures.

 

NATASHA CLARKE: Just to add on to what’s already been discussed, obviously robust governance is in place, but I think what’s important - to get crunchy in terms of the realities - obviously shared service happened five or six years ago prior to my time. There was a decision made at that time that the clinical applications used to provide direct patient care would stay with the NSHA and the IWK, but that all of the underpinning and supporting pieces would come to what would have been ISD at the time, but is now the Nova Scotia Digital Service.

 

My famous analogy is how I like to look at it is the NSDS is responsible for making sure the road is in place and the road is in really great shape as an underpinning infrastructure. The NSHA has the cars that drive on that road, and they are responsible for making sure that the cars stay in really good maintenance. To use that as a bit of a pairing, in order for the car to work, it needs a really good road, and in order for the road to have a use, we need to have cars that are operating really well.

 

What that means on the ground is that we have to work really tightly in terms of our operations. When I talked earlier about our major incident process, NSHA and IWK are a part of that process. If it has anything to do with the health system, if there’s a major incident that involves the health system, those teams come together and work really closely together. The same would be if there was a cyber incident, as I outlined through the incident process. On the ground, those teams are really one team in making sure that we’re minimizing any impacts to citizens and especially in that high-priority area of health care.

 

The other thing I want to just point out is that when we launched the Nova Scotia Digital Service last November, or November 2019 - my apologies, I feel like I’ve lost an entire year sometimes with COVID. When we launched the Nova Scotia Digital Service, we made a priority focus on health care, and we have a specific leader of chief health partnerships, because it is such an important area of focus for us and we want to make sure that that relationship continues to evolve and mature, and it’s a high area of focus for us.

 

At the end of the day, this is a very tight relationship, and we both depend on each other for our successful delivery of services to Nova Scotians.

 

TIM HALMAN: Certainly, you’ve outlined a lot of moving parts to that government oversight committee, and a lot of moving parts among various organizations that do collaborate, and that’s fantastic. Cybersecurity is a shared responsibility, and you’ve certainly outlined that.

 

This question is about diffusion of responsibility. If one organization in that governance model didn’t do their due diligence, could that put another respective area at risk to be exposed to a cyberattack? There are a lot of moving parts you’ve outlined there. It’s certainly robust. What mechanism is in place to ensure all of these moving parts are functioning? Where does the buck stop?

 

NATASHA CLARKE: As Deputy Munro outlined and detailed the governance structure, those tables also set priorities and joint priorities and collaboration on those efforts. You’re absolutely right. I like to think of our environment as a bit of a layer cake. No surprise, I love to eat sweets, so when I think about our environment, it’s a seven-layer delicious cake. Everything starting from people to devices, networks, servers, applications, operation systems and data - it’s a diverse layer cake. We have to look at each one of those layers and prioritize the work that we need to do.

 

This is a journey, Mr. Halman, as you’ve outlined. It isn’t something that we can snap our fingers, throw a bunch of money at, and it’s over and done with. As Deputy Munro talked about, it is like a farmer’s field. We can’t leave that unattended. When I think about cybersecurity, when I think about the investments and things and the activities that we need to make, we need to focus in on those high-priority areas, those higher-risk areas, and then do our diligence and do our work to make sure those are always continuously improving.

 

That only comes with collaboration and having that strong governance and those strong commitments of those partnerships, and understanding each other in terms of our priorities is very important to making sure that we continue to do the work that we need to do to secure our foundations.

 

TIM HALMAN: And to that end, securing our foundations - as you know, there was a breach in March with the personal data for health care workers. Information may have been leaked through their pension plan. As I indicated in my opening remarks, I had to fill out an Equifax application. Can you share your perspective on how the Nova Scotia Health Authority has coped with the risk of cyberattacks throughout the pandemic?

 

NATASHA CLARKE: I certainly can’t speak to NSHA and the specifics that they might be doing day-to-day, but I know in terms of our partnership, we are constantly in communication and working together through COVID, as I think was pointed out earlier perhaps by yourself. The Canadian Centre for Cyber Security had certainly flagged that health care was now an even hotter area of focus for cyberattacks, so again, working in partnership with our colleagues at the Nova Scotia Health Authority.

 

We’ve increased our monitoring. That’s a big focus for us. When I think about that underlying infrastructure, that road in which their applications can safely run and work on, that is certainly in our domain, to make sure that we are protecting that environment. We raised our focus on monitoring and extra attention. We increased our phishing campaigns - again, not about fishing licensing to do the fun fishing - but making sure that public servants, especially health care workers, understood that bad guys are getting smarter and they might get you to do unfortunate things by clicking links.

 

We continue to emphasize that due diligence through COVID and certainly didn’t lower our game. If anything, it made us focus our game, especially because we knew health care services were such critical services during this pandemic time.

 

THE CHAIR: This concludes the time for the PC caucus questioning, and we’re going to move now to the NDP and Ms. Leblanc.

 

SUSAN LEBLANC: I could listen to you speak all day. I love your analogies. It’s very helpful for someone who doesn’t have a sweet clue about what actually happens inside a computer, so that’s really super helpful. But I am going to change the subject just for a second. I may come back, because if I have time, I have a question about the CANImmunize program.

 

I wanted to ask about tendering processes for a second. We’ve talked about this before at the Public Accounts Committee and other places, but I just wanted to bring the committee’s attention and Deputy Munro’s attention to the two examples of when Nova Scotia went aside from a tendering process to procure work. One of those was, of course, the Newbridge Academy purchase, when Newbridge Academy was purchased for the CSAP in Dartmouth North. The purchase was for $28.5 million and then there was a $10 million contract to DORA Construction to do the renovations on the building.

 

Of course, this is not about that purchase or that decision, because I think it was a good one, but I wonder why that $10 million renovation contract did not need to go through a procurement process and I’m going to B-part that with the very recent procurement of the Maple virtual health care services. We heard an announcement that the government is doing a pilot project with Maple Health Care for folks who are not attached to primary care. The pilot project is a $2 million contract awarded to Maple and was untendered.

 

I know Service Nova Scotia and Internal Services has to sign off on procurement and tendering, so I’m wondering if the deputy can speak to those things. I know it may seem unrelated to what we’re talking about, but in fact I’m assuming that when a procurement process happens that all of the cybersecurity and the digital - all of those risk assessments are done in that process, and so that’s why I’d like to ask about it here.

 

JOANNE MUNRO: I’m not prepared to be able to answer that question, and I’ll have to take it back and get the information back to the committee, so I’m happy to do that. I do know that, in some instances, and I’m not sure about the Maple deal, whether that’s part of the health procurement, because Nova Scotia Lands is very much involved there with our procurement team supporting kind of on the outside.

 

Unfortunately, I’m not able to speak to those two procurement processes but I’m happy to come back and share with the committee information that would answer your question, if that’s acceptable.

 

SUSAN LEBLANC: Yes. I know that the Health and Wellness Minister publicly said that the reason why the Maple procurement was done without tendering is because he wanted to make sure it happened quickly, but I would argue that we can’t just set aside procurement processes when they’re inconvenient for time. So yes, I would love for you to get that information and report it back to the committee. That would be great.

 

Madam Chair, how much time do we have?

 

THE CHAIR: We have about six and a half minutes.

 

SUSAN LEBLANC: Okay. I’ll quickly ask one more question then before I pass it back over to my colleague. I was wondering, Ms. Clarke, if you could talk about the CANImmunize program or portal that we’ve been using to book our vaccines. I personally think it’s a great system but it does ask of Nova Scotians quite a lot of personal information.

 

I’m wondering if you could take us through how that program would have been vetted to make sure that it’s safe for Nova Scotians to use - really quickly, because I know that Ms. Roberts has another question.

 

[10:30 a.m.]

 

NATASHA CLARKE: Just quickly on that, CANImmunize is a piece of software and a solution that actually is managed by the Department of Health and Wellness. In terms of lots of puts and takes, I can’t speak to some of it but I agree, as a citizen I’ve really appreciated how easy that has been to use and I’m looking forward to getting my second dose.

 

What I can speak to in terms of how we provided support at the Nova Scotia Digital Service - earlier I talked about threat risk assessments and those security assessments. We would have worked with them in supporting them to do that work from a security piece. They had their own privacy officers because of, obviously, the volume of information and work that they do at the Department of Health and Wellness.

 

Again, I can’t speak to the specifics, but certainly there are standard privacy impact assessments that we would follow in the NSDS. I don’t want to make any assumptions about what they would have or wouldn’t have done, but they also have very strong rules around the protection of health information.

 

Unfortunately I think some of the questions, as much as I would love to be able to answer, I’m not in a position to because that work would have actually fallen with the Department of Health and Wellness. I can say that we have supported them in the security aspects of making sure from a cybersecurity and a security perspective they have met the standards that are needed to keep Nova Scotians’ information safe.

 

THE CHAIR: Thank you, Ms. Clarke. Ms. Roberts.

 

LISA ROBERTS: I too have really enjoyed hearing Ms. Clarke speak, and at the same time, I’m just having this niggling of misgiving. While obviously there’s a lot of innovation and good leadership and a team of 650 people working on digital government, we still have in rural Nova Scotia some people who don’t have access to internet and also in my constituency, which is very close to downtown Halifax, many people who can’t afford internet.

 

In this period of COVID where library access has been severely curtailed, I’m wondering if this is a live conversation in your team? We’ve tried to engage Develop Nova Scotia in being interested in creating access that is affordable for all Nova Scotians and that hasn’t fit with that project. And yet I really worry that we could end up having inequality layered upon inequality, frankly. I would appreciate your thoughts on that.

 

JOANNE MUNRO: Thank you, Ms. Roberts, for that question and comment, I guess, because I think Develop Nova Scotia and the Inclusive Economic Growth Department certainly are leading on the broadband, and then the other conversation around equity and access. But I hear you, and I would say that there are conversations with our colleagues at Community Services, and more broadly across the Public Service and at the deputies’ table as to how we can.

 

Certainly, in supporting the government’s agenda, which at this point they talk about equity and inclusion and diversity, I would say that we have to look at so many different parts of equity and inclusion, including fair access, because it is - and I’ve heard this at the national level - the human right for access to internet. I can’t speak to any of the specifics of that. It’s really outside of our specific space, but to understand equity, diversity and inclusion and access to the internet, I would agree that it’s an area for further discussion.

 

LISA ROBERTS: I’ll just say that as far as I can tell, nobody is taking ownership of access for urban residents who cannot afford internet, although I appreciate that there may be conversations happening with Community Services that I’m not aware of entirely.

 

Really quickly, the Access to Information site which came back - a new FOI portal - I’m wondering if we could just get some brief comments on how it functions now. Part of the data breach, as I came to understand, was a result of having one portal that was serving two really different interests. One was access to information requested by journalists or caucuses that was really intended to open government information to the public. The other was information that was very personal and private to an individual that they were seeking for themselves from government.

 

How is the new portal designed to deal with those two different kinds of buckets of information?

 

THE CHAIR: Unfortunately, it’s a beautiful question, but we are out of time for the NDP caucus, so we’ll move now. We have 10 minutes for the Liberal caucus.

 

The member for Clayton Park West - and I would like to apologize for mispronouncing your last name. At the next committee meeting, I’ll have it right.

 

RAFAH DICOSTANZO: I’m so used to it. Do not worry. I was just trying to make a joke. I have enough letters in my last name. I just didn’t want any extra, that’s all. No problem whatsoever.

 

As I’m listening here, I remember becoming an MLA and I was given the fraud course online to go through it. I’m thinking here, did I do it since then? What are you doing in reaching all the employees, the government employees, and how often? This has been such an interesting information session today that I wish a lot of the employees get to hear what you guys are doing and how you’re reaching our employees.

 

Maybe you can enlighten me on the process. Do employees get the fraud training just when they’re first hired? Do they get updated? How mandatory is it? Start with Ms. Munro and she can hand it on to whoever would like to comment.

 

JOANNE MUNRO: It’s a mandatory training for all employees, so that would be part of the on-boarding, so my colleagues at the Public Service Commission can certainly speak to the on-boarding. Then there’s ongoing reporting that I talked about earlier on a quarterly basis that comes to the Deputy Internal Audit Committee, and then is obviously shared with deputies. They’re actually able to go to division levels, branch levels, and right down through. There’s a robust reporting requirement there on the training.

 

Ted can speak to the specifics, but we have Fraud Prevention Awareness Month, we have ongoing communication through our employee communication channels, and there’s obviously, as well, input from the Fraud Risk Management Committee, which oversees a lot of this work. We do a lot to communicate and of course bring it to the attention of our senior leadership about how important it is.

 

I’ll ask Ted to just elaborate a little bit around his program to help employees understand the importance and maybe what’s involved in it and the awareness, that would be great. I am pleased with the uptake and our numbers, around 80 per cent-plus of employees who have taken the fraud risk management course.

 

TED DOANE: The Fraud Risk Management Program has been governed by the Fraud Risk Management Committee. This committee is actually represented by people across government. We have representatives from the Department of Finance and Treasury Board, we have people from the Public Service Commission, and security folks.

 

As part of that, we developed a couple of things. Everybody rolled their sleeves up and we developed a fraud policy, and we developed reporting and investigation procedures. The plan was to have those on the government site for people to use, what we refer to as Category 1 organizations: departments and a number of Public Service units. It’s also encouraged that others outside of that group could use that.

 

As part of the release of that in 2017, we wanted to make sure that we had fraud awareness training for employees to build on the fraud policy and fraud investigation and reporting procedures. What we did is reach out to a third-party service provider and they developed the training for us - the Nova Scotia Community College. They worked with us to develop the training, and that’s since gone through a number of iterations, and we’re now into another refresh on the training.

 

What we’ve done since then is brought the training in house. We have people within our own group who are using software to develop the training and to issue that. What we find is that fraud awareness training will help in reporting a fraud, so we should see an increase in reporting of fraud. That’s what we see from the industry stats, and as well it should reduce the amount of fraud that we might bump into. The Association of Certified Fraud Examiners has seen examples of that where if you have training and reporting services, that they work well together to reduce the amount of fraud that could result.

 

Anyway, we do have the fraud awareness training, and that’s been available as the deputy said, and we’re reporting to the departments quarterly on the uptake on the training, and we’re really pleased to see that we’re now above 80 per cent in the participation rates of that training.

 

There are departments that have employees who are seasonal and may not have access to computers, so it’s been a bit of a challenge for them to participate in fraud awareness training. We’re exploring ways that we can provide the training to them through different means other than just looking at it through the internet. That’s going to help, I think, in the future, and we’re going to work with them to ensure that we can get the participation rates as high as possible, but we’re very happy with where they’re at now.

 

RAFAH DICOSTANZO: As I understand, there is training as soon as what is called on-boarding. Are there updates? For example, if you discover different things, do you send information to the same employees that they have to update their training, or is it just the one time for all employees?

 

TED DOANE: It is just one time for employees. We have two training programs. There’s one for staff and then there’s an additional one for management, so the managers would take the regular fraud training, and then they would also take management fraud training. It’s available on the system, so if anybody feels that they need to refresh their training, they can certainly go in and use it. It’s accessible to them at any time.

 

RAFAH DICOSTANZO: How much time do I have left, Madam Chair?

 

THE CHAIR: You have three and a half minutes.

 

RAFAH DICOSTANZO: Wonderful. I just had one question actually to the Department of Finance and Treasury Board. How do they help mitigate fraud? What’s the kind of relationship there?

 

GEOFF GATIEN: I think a lot of what we do does work very well with what Ted’s described. I think we work hand in hand with the fraud committee and Internal Audit Centre in helping set that tone amongst our senior leaders and the broader financial community, which also are connected throughout government through our financial advisory services units and some of our corporate units, government accounting, Treasury Board Office, and others. I think when we achieve the high rates of training, we have the policies, we have the reporting, we have a lot of natural communication channels that filter through and update our senior members, who then can carry the messages back out to the departments.

 

[10:45 a.m.]

 

I think leading by example and helping set the tone is a critical function of what we do at Finance and Treasury Board. When we get into things like the annual reporting to our public accounts, we have management inquiry questionnaires, where annually we have the deputies and the senior financial leads sign off on a variety of items, but it includes compliance with legislation. It includes: Are there any instances of fraud that you are aware of or suspected? We cover a lot through those sorts of documents.

 

We also look at our overarching control environment. We have a lot of procedure around tangible capital assets, payroll controls, revenue controls, a number of items where we look at the overarching control environment, we look at the cycles, we look at the controls, mitigations, where there are risks, and make sure we have things managed down to a tolerable level.

 

Again, like we’ve said, we can’t eliminate the risk of fraud. It will always be present. Virtually every organization on Earth, if not all - they have the risk, but you have to manage it. We need senior leadership. We participate on the Deputy Ministers’ Audit Committee - I and the deputy minister are on that committee as well.

 

We do work quite closely with the whole organization as well as the organizations that do wrap up under the consolidation. We’re made aware of key risks that come in through their audits and if there are major risks there, we work with them to make sure that appropriate action is being taken. It is their responsibility, so we really hold ourselves out. We hold Ted’s group out. If they need support, we are here to support.

 

I’ll pause there and I hope that answered your question.

 

THE CHAIR: That concludes the time for questioning for all three caucuses. I would like to invite Ms. Munro and Mr. Gatien for any brief closing remarks.

 

JOANNE MUNRO: I just want to extend my genuine thanks to all of the members today for your thoughtful questions and your openness to listen. I appreciate the time this morning.

 

GEOFF GATIEN: I will share that. Thank you guys for the time, the follow-up, the interesting conversation. I enjoyed listening to the cybersecurity sides as well. I would put a thanks out to all the staff that are behind what we do that control the processes, the communication channels, the efforts that we’re describing today. There’s a lot of effort. I think the organization is really well focused on this, and again, I would thank the focus and leadership of not only Deputy Munro but the Deputy Ministers’ Audit Committee for the support that lets us all take the message out and do our best in this ever-changing environment. On that, thank you and I’ll now be quiet.

 

THE CHAIR: Thank you very much for your closing comments. Now we’ll conclude this portion of Public Accounts Committee. I would like to thank each and every one of the witnesses who joined with us here today. Thank you for your contribution. Thank you for your work for the people of Nova Scotia. Also, I would like to just acknowledge and thank the Auditor General’s Office, the Auditor General and the staff as well who were with us today and your incredible work for our province.

 

We’ll close this portion of the meeting and invite our witnesses to close off and the committee members will continue on with committee business.

 

TIM HALMAN: Madam Chair, if I may, before we get to the next piece of business, I’d like to introduce a motion.

 

THE CHAIR: I’m going to ask our clerk, Ms. Langille, if now is the appropriate time for a motion before committee business.

 

KIM LANGILLE: Yes, that’s fine.

 

THE CHAIR: Thank you very much. Go ahead, Mr. Halman.

 

TIM HALMAN: Thank you, Madam Chair, and I will get a copy of this motion to the clerk to disperse to members of this committee.

 

Two recent resignations from the Liberal caucus, along with yesterday’s announcement from the MLA for Halifax Armdale, have fundamentally changed the composition of the Legislature from a majority Parliament to a minority government. In the interest of fairness and equity, I believe the composition of this committee should mirror the minority situation of the Legislature.

 

Therefore, I move that the composition of the Standing Committee on Public Accounts be adjusted in the following manner: the Liberal caucus would hold the Vice-Chair position plus three members, the PC caucus would hold the Chairperson position and two members, and the NDP caucus would retain two members.

 

As we know, traditionally, the makeup of committees is a reflection of the makeup of the Legislature. Certainly, if you have a majority in the Legislature, it’s a fair argument that you should have a majority on the committees. However, once you’re in a minority situation, committees need to change as well, and I believe that we should begin that process today here at Public Accounts.

 

THE CHAIR: We have a motion on the floor. Before we vote, is there any discussion?

 

The honourable member from Clayton Park West.

 

RAFAH DICOSTANZO: I’d like to ask for a five-minute recess so we can look at it and discuss it between all our members.

 

TIM HALMAN: I certainly respect that request. However, I think given that five-minute recess, I think before we do that we should get extended time by 20 minutes, because I believe we’re going to have a very important, robust conversation.

 

THE CHAIR: I saw Ms. Leblanc had her hand up.

 

SUSAN LEBLANC: I also wanted to ask for an extension of time.

 

THE CHAIR: At this point I will go ahead and ask for an extension of 20 minutes for the Public Accounts Committee today. All those in favour? Contrary minded?

 

RAFAH DICOSTANZO: Sorry, Madam Chair, I was raising my hand as a question as well. I believe we have other appointments. I don’t think we need more than 10 minutes.

 

THE CHAIR: Just to clarify, I’m going to ask for a raise of hands. All those in favour of extending Public Accounts Committee today by 20 minutes? Contrary minded? Thank you.

 

The motion is defeated.

 

There has been a request for a five-minute recess. Maybe I’ll ask for the vote for that recess.

 

All those in favour? Contrary minded? Thank you.

 

The motion is carried.

 

It looks like we do have a vote in favour of a five-minute recess. It’s going to push us for close to time. I’m just going to ask Ms. Langille for clarification. A five-minute recess is permissible?

 

KIM LANGILLE: If the committee has agreed, yes.

 

THE CHAIR: We’ll go ahead and have a five-minute recess. At 10:58 a.m., we will resume the Public Accounts Committee and vote on the motion.

 

[10:53 a.m. The committee recessed.]

 

[10:58 a.m. The Committee reconvened.]

 

THE CHAIR: We do have a motion on the floor. Before we start, I am going to ask, given the fact that we do still have committee business to address, could I have an agreement by everyone to extend the committee meeting by 10 minutes?

 

Is it agreed?

 

It is agreed.

 

Great, we do have a majority, so we will extend Public Accounts by 10 minutes today.

 

We have a motion on the floor. Is there any discussion?

 

The honourable member for Clayton Park West.

 

RAFAH DICOSTANZO: I believe I heard Mr. Hebb saying something about this is not permitted at this time? If he could explain that to us if possible, if this motion is a possibility or is not possible at this time.

 

GORDON HEBB: The committee has no power to change the respective membership of the Committee vis-à-vis each party. You can do substitutions, but you can’t change the numbers. That was done by the Striking Committee of the House and I believe confirmed by the House. Unless the House would decide otherwise, the committee cannot change the relative membership of the committee.

 

TIM HALMAN: I find that analysis interesting, given the fact that in the Fall of 2018, a Liberal motion changed the scope of topics that are permitted to be brought to the Public Accounts Committee. In February of 2019, it was a Liberal motion that changed the amount of time in which we can meet in Public Accounts, changing it from weekly meetings to monthly meetings. If memory serves, neither of those changes were brought before the Legislature to be approved by the Legislature.

 

[11:00 a.m.]

 

Again, I reiterate the argument that committees must be a reflection of the standing in the Legislature, and here’s an opportunity for us to do that now. Madam Chair, I call for a recorded vote.

 

THE CHAIR: I’m going to ask Mr. Hebb, based on his legal counsel: Can we still move forward with a vote on this motion?

 

GORDON HEBB: That’s up to you to rule. My opinion is that such a motion has no effect, and therefore it would be a nullity. If the committee chooses to vote on it, that’s up to the committee, but I think the motion has no effect.

 

The other things that Mr. Halman raised are all within the power of the committee.

 

THE CHAIR: While I certainly respect your legal counsel, I am going to allow the committee to vote, and then depending on the outcome of the vote, we can move forward with further legal advice. Ms. Regan.

 

HON. KELLY REGAN: I actually think if you’re going to do that, then the committee should vote on whether we should vote - whether we should even be having a vote. I don’t think that this is something that we should - Legislative Counsel has been clear this is not within our purview.

 

THE CHAIR: That would be a separate motion, and we already have a motion on the floor. Any other discussion before we vote? We will have a recorded vote.

 

YEAS: Tim Halman, Susan Leblanc

NAYS: Hon. Kelly Regan, Hon. Geoff MacLellan, Bill Horne, Rafah DiCostanzo, Hon. Leo Glavine

 

The motion is defeated.

 

We’ll move on to committee business. We do have [Inaudible].

 

RAFAH DICOSTANZO: It seems we lost the Chair.

 

KIM LANGILLE: It looks like we did lose the Chair. I think she’s trying to come back in right now, actually.

 

She said her computer just crashed. Gordon, in this instance, the Vice-Chair is not here today, so am I able to just ask for agreement to have someone chair the meeting at this point?

 

GORDON HEBB: Yes, if you ask for a motion for someone to propose a new Chair for the rest of the meeting. And then you would conduct the vote, or ask for agreement to make it.

 

KIM LANGILLE: I don’t think she’s coming back in. According to Gordon, perhaps someone could put a motion forward to have someone chair the meeting today?

 

LISA ROBERTS: I will move that.

 

KIM LANGILLE: Oh, she’s back. (Laughter)

 

THE CHAIR: Apologies, everyone. I’m logging in from a different computer. My other computer just completely crashed on me. Did I miss anything, Ms. Clerk?

 

KIM LANGILLE: No, we’re just ready to go into committee business, and we have six minutes left, so we’re at the correspondence portion.

 

THE CHAIR: For some reason, I’m not able to hear you, so maybe this computer - it’s fate.

 

RAFAH DICOSTANZO: Madam Chair, I can - if you’d like me or if you have your colleague to chair on your behalf?

 

TIM HALMAN: The Liberal caucus holds the Vice-Chair. Is there someone from the Liberal caucus, just to keep the formality?

 

RAFAH DICOSTANZO: I can take care of it. I’ve done a few of those by now. Am I allowed, Ms. Langille?

 

KIM LANGILLE: I was going to say I think the committee has to agree, because Gordon had mentioned about having a motion, so if there’s agreement I think.

 

RAFAH DICOSTANZO: Do we agree that I continue the business? All right, hands up. I believe we all are in favour and I have the notes in front of me, so I should be okay to do it. Thank you.

 

[11:06 a.m. Rafah DiCostanzo took the Chair.]

 

THE CHAIR: So we have correspondence from the Department of Lands and Forestry, information requested at the April 14th meeting. We all received that, correct? Any discussion? I see none.

 

I move on to the next one. Department of Finance and Treasury Board, information requested at the May 12th meeting. I received that as well. Any discussion? I see none.

 

We move on to the third item for correspondence. It’s the Office of the Auditor General 2021-22 Business Plan and 2020-21 Report on Performance. We all received that correspondence as well, correct? No discussion? Thank you.

 

The Subcommittee on Agenda and Procedures record of decision - I don’t know what that is, Kim, if you can enlighten me.

 

KIM LANGILLE: All members would have been provided with their documents this morning, the record of decision from the subcommittee, which is basically what they decided for topics from their meeting on June 2nd. I can send it around to members again if that’s helpful, but it was provided this morning along with the links.

 

THE CHAIR: And we’ll accept that we all have seen this? I do have things printed right here. I bet you that’s what it is. I just haven’t had the chance. Are we okay to move on with that one as well?

 

KIM LANGILLE: Well, a motion has to be put forward on that to agree to the topics that were put forward by the subcommittee, so hopefully everyone has that at their fingertips. If not, I can send it again.

 

THE CHAIR: Ms. Roberts, go ahead.

 

LISA ROBERTS: Just really briefly, this is coming out of the last Auditor General’s Report and there’s a Plan A and a Plan B to allow for some flexibility in scheduling so that the scheduled July meeting of the Public Accounts Committee would be an effective use of time.

 

THE CHAIR: Fantastic, thank you. So this is the main update for that one, Ms. Roberts, correct? Thank you. Everybody is in agreement? Wonderful.

 

The next thing is the next meeting, as I see it, is July 14, 2021. We have the 8:30 to 9:00 a.m. in camera briefing followed by the regular meeting from 9:00 to 11:00 a.m. and the witness will be the Office of the Auditor General tentatively, right now. The May 2021 Report of the Auditor General on the Nova Scotia Liquor Corporation Phase II is the topic for the next meeting. Ms. Roberts.

 

LISA ROBERTS: Sorry, I think we need a motion to accept the record of decision, so could we have a vote on that?

 

THE CHAIR: I apologize. That’s for the subcommittee, correct?

 

LISA ROBERTS: Yes, which will affect the July meeting, so . . .

 

THE CHAIR: Would you like to put a motion?

 

LISA ROBERTS: I move that the committee accept the record of decisions of the Subcommittee on Agenda and Procedures.

 

THE CHAIR: All those in favour? Contrary minded? Thank you.

 

I’ve done the next step, which is the next meeting. Is there any other business before I adjourn? Ms. Langille.

 

KIM LANGILLE: There was one other item on the agenda, and that was in-person meetings, so I don’t know if there’s time to discuss that or not but that was on the agenda.

 

THE CHAIR: I did see that but maybe we can discuss that in the next meeting. Is that agreed? Thank you, everyone and I hope I did a good job for you, Ms. McCrossin.

 

ELIZABETH SMITH-MCCROSSIN: Thank you. So sorry. I just logged in on my phone. Thank you for pinch-hitting. I appreciate it. Thank you, everyone.

 

THE CHAIR: My pleasure. Thank you, everyone, for the meeting today.

 

[The committee adjourned at 11:10 a.m.]